>>226761
It did actually hit mainline Debian. Seems I fetched the vulnerable version on the 29'th of February. So personally been vulnerable for a month.
The package in Testing was as well for equally long
https://metadata.ftp-master.debian.org/changelogs//main/x/xz-utils/xz-utils_5.6.1+really5.4.5-1_changelog