Also, PSA for people who are immediately triggered by the word "systemd", partially blaming it for the issue:
No.
Some distros patch OpenSSH to link to libsystemd to call https://www.freedesktop.org/software/systemd/man/latest/sd_notify.html to notify systemd about startup completion.
libsystemd then links to the backdoored lzma for other things.
But OpenSSH could've implemented the notification on its own. It's literally "send a line into a socket", only a few lines of code, even in C.
https://chaos.social/@smrqdt/112180465514002100
https://news.ycombinator.com/item?id=39866076