Right, the systemd notification framework is very simple and I've used it in my projects. I didn't even know that libsystemd provided an implementation.

My Arch system was not vulnerable because openssh was not linked to xz.

IMO every single commit from JiaT75 should be reviewed and maybe even rolled back, as they have obliterated their trust.

edit:

https://github.com/google/oss-fuzz/pull/10667

Even this might be nefarious.