Update: To our knowledge the malicious code which was distributed via the release tarball never made it into the Arch Linux provided binaries, as the build script was configured to only inject the bad code in Debian/Fedora based package build environments. The news item below can therefore mostly be ignored.
We are closely monitoring the situation and will update the package and news as neccesary.
TL;DR: Upgrade your systems and container images now!
The malicious code path does not exist in the arch version of sshd, as it does not link to liblzma.
However, out of an abundance of caution, we advise users to avoid the vulnerable code in their system as it is possible it could be triggered from other, un-identified vectors.
A remote attacker is able to inject WLAN frames to crash the system or execute arbitrary code on the affected host.
A remote attacker is able to inject WLAN frames to crash the system or execute arbitrary code on the affected host.
A remote attacker is able to inject WLAN frames to crash the system or execute arbitrary code on the affected host.
A remote attacker is able to inject WLAN frames to crash the system or execute arbitrary code on the affected host.
An attacker is able to perform an SQL injection via a specially crafted input.
An attacker is able to provide malicious filenames to write to arbitrary files or execute arbitrary commands on the affected host.
An attacker is able to provide malicious filenames to write to arbitrary files or execute arbitrary commands on the affected host.
A remote attacker is able to crash the application or execute arbitrary code on the affected host via a crafted tiff file.