Debian maintainers changed sshd to notify systemd when it is ready. This notification is only a few lines of code, but it's even _fewer_ lines if you call the sd_notify() convenience function in libsystemd.so
So now you're linking to libsystemd.so. What's also in libsystemd.so? Logging functionality, for programs that need to read systemd logs. That could be in a separate library, but this is systemd, so of course it's not. Everything's in one library. To read compressed systemd logs, libsystemd.so requires a bunch of compression libraries, including liblzma.so.
Anyone linking to libsystemd.so, e.g. to notify at startup, ends up loading liblzma.so, the backdoored version of which abuses glibc ifunc functionality to replace functions in libssl.so in order to take over sshd.
Debian maintainers changed sshd to notify systemd when it is ready. This notification is only a few lines of code, but it's even _fewer_ lines if you call the sd_notify() convenience function in libsystemd.so
So now you're linking to libsystemd.so. What's also in libsystemd.so? Logging functionality, for programs that need to read systemd logs. That could be in a separate library, but this is systemd, so of course it's not. Everything's in one library. To read compressed systemd logs, libsystemd.so requires a bunch of compression libraries, including liblzma.so.
Anyone linking to libsystemd.so, e.g. to notify at startup, ends up loading liblzma.so, the backdoored version of which abuses glibc ifunc functionality to replace functions in libssl.so in order to take over sshd.