Even if you’re using debian 12 bookworm and are fully up to date, you’re still running [5.4.1].
The only debian version actually shipping the vulnerable version of the package was sid, and being a canary for this kind of thing is what sid is for, which it’s users know perfectly well.
There was a comment on Mastodon or Lemmy saying that the bad actor had been working with the project for two years so earlier versions may have malicious code as well already.
Even if you’re using debian 12 bookworm and are fully up to date, you’re still running [5.4.1].
The only debian version actually shipping the vulnerable version of the package was sid, and being a canary for this kind of thing is what sid is for, which it’s users know perfectly well.
There was a comment on Mastodon or Lemmy saying that the bad actor had been working with the project for two years so earlier versions may have malicious code as well already.
They did but the malware wasn’t fully implemented yet. They spent quite a while implementing it, I guess to try and make it less obvious.
Distros like gentoo reverted to 5.4.2 for that reason. If debian stable is on 5.4.1 that should be ok.
Needless to say all his work ever will already be being reviewed.