4 points
They mention versions from 5.5.1 are affected.
Everywhere else I’ve read only 5.6.0 and 5.6.1 are.
Is this an abundance of caution by the Debian security team, or is Debian’s earlier version affected due to patching done by the package maintainers?
2 points
Good question. Maybe it has to do with the fact that the backdoor contributor was on the xz project for about two years.
4 points