Dang, that's wonderful news, especially for those of us who are not qualified to use Linux at all, yet are muddling our way through anyhow, using Linux in protest of other options...
Here's what I've got-
What's Cool: While it "could" affect most any distro, it's mostly limited to a very unlucky few. They found it before any big releases. It's mostly for remote access stuff, so not too commonly used outside of industry, although...... It's free on the internet, there's probably a few folks with reasons. And hasn't made it (or barely made it) into some Red Hat stable release stuff. Primarily the issue will be people using betas and unstable releases in a business environment. Little to no release of those versions that wasn't a "user initiated" thing.
What's Not Cool: One guy who "apparently" (not "for surely") is/was one of two people on that project, was able to get this very complicated, and apparently somewhat ingenious bit of code in there over several installments. He's been working on the project for a lot of years, allegedly, although this appears pretty recent and localized. I still can't tell if we know who he is, or if we just know his handle on the internet..... Or if it's even a "he". The usual sources seem to think it's a "he"....
Scary Stuff:
That's a small pool of people working on an open source project if you're gonna invoke "open source" as a security feature...
I'm quite surprised that while not released, this code was available publicly, for so long, and nobody caught that. It must have been well buried in there...
It got found because people were using the beta downloads to gain (legitimate) access to remote business servers. Whiskey Tango Foxtrot, why would you do that? That has got to be the biggest case yet for "DO NOT USE THE FREAKIN BETAS AND NIGHTLIES FOR ANYTHING THAT HAS CONSEQUENCES!!!!" They are called unstable for a reason, and expressly NOT supported by the "security department". How can somebody clever enough to run these early releases not understand why they can't be used that way?
Anyhow... Low likelihood of having it on a personal PC, but a possibility on most versions of Linux. I'll guarantee there's a few out there. If you know what to do, great. If not, you can check from the command prompt.
Command prompt-
"xz -v" seems to be the most common.
"xz -ver" is out there a bunch
"xz --version" worked for me
Or a quick google of your distro will find that version command for your Linux version. The xz version 5.6.0 and 5.6.1 are the problem. Prior to that, no worries. As of today there are no newer versions, so as they come out, they'll be good.
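
The version check described in the post above, as a small script (an added example, not part of the original post). It assumes `xz --version` prints its usual two lines, one for the `xz` tool and one for `liblzma`, and flags the install if either line shows 5.6.0 or 5.6.1; the function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `xz --version` output against the two versions
# the post names as the problem (5.6.0 and 5.6.1).

# Print every version number found in `xz --version` style text, one per line.
# Expected input lines: "xz (XZ Utils) X.Y.Z" and "liblzma X.Y.Z".
extract_versions() {
    printf '%s\n' "$1" | awk '
        /^xz \(XZ Utils\) / { print $4 }
        /^liblzma /         { print $2 }'
}

# Echo "affected", "ok", or "unknown" (no version line recognised).
classify_xz_output() {
    versions=$(extract_versions "$1")
    [ -n "$versions" ] || { echo "unknown"; return 0; }
    for v in $versions; do
        case "$v" in
            5.6.0|5.6.1) echo "affected"; return 0 ;;
        esac
    done
    echo "ok"
}

# Run the check against the xz found on this machine, if there is one.
check_local_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "not-installed"
        return 0
    fi
    classify_xz_output "$(xz --version 2>/dev/null)"
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_OK='xz (XZ Utils) 5.4.5
liblzma 5.4.5'
# Tool and library can differ when xz is dynamically linked.
SAMPLE_MIXED='xz (XZ Utils) 5.4.5
liblzma 5.6.0'

echo "sample 5.6.1:   $(classify_xz_output "$SAMPLE_BAD")"
echo "sample 5.4.5:   $(classify_xz_output "$SAMPLE_OK")"
echo "sample mixed:   $(classify_xz_output "$SAMPLE_MIXED")"
echo "this machine:   $(check_local_xz)"
```
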