Fairly simple explanation by arstechnica: “The malicious versions [of xz], researchers said, intentionally interfere with authentication performed by SSH, a commonly used protocol for connecting remotely to systems. SSH provides robust encryption to ensure that only authorized parties connect to a remote system. The backdoor is designed to allow a malicious actor to break the authentication and, from there, gain unauthorized access to the entire system. The backdoor works by injecting code during a key phase of the login process.”
Also from the article, you should check if your distro is offering a downgrade from the affected 5.6.x packages. Right now the exploit is not fully understood. For example, openSUSE recommends a full reinstall of Tumbleweed if an SSH server was enabled, just to mitigate risk.
Just to be sure, you should check whether SSHD is enabled:
sudo systemctl status sshd.service
If you never enabled it and it’s disabled+inactive, then no need to reinstall Tumbleweed per the current guidance. Also you can double check your version of xz to make sure it’s downgraded, the downgraded version for Tumbleweed should look like this:sudo zypper search -vi xz Loading repository data... Reading installed packages... S | Name | Type | Version | Arch | Repository ---+------+---------+-----------------------+--------+------------------ i+ | xz | package | 5.6.1.revertto5.4-3.2 | x86_64 | update-tumbleweed name: xz