Hmm? It was released for two plus months? 5.6.0 and 5.6.1
I'd also say this wasn't a good example of 'Linux handling it better': usually when a mess like this occurs on Windows, all the corps get a quiet tap on the shoulder that they need to immediately patch when MS releases it, then a few days later it hits the news. In XZ's case, the backdoor was published before the team knew about it. Huge mess.
You're right that it went unnoticed for a long time, just one clarification:
> all the corps get a quiet tap on the shoulder that they need to immediately patch when MS releases it, then a few days later it hits the news
AFAIK, distros were notified and released a patched version of xz like a week before it hit the news, so at least a lot of machines received it via automatic updates.
Depends which news you're talking about. The MS guy who discovered it found it March 29th and published to oss. It was in infosec news the same day as Red Hat and others pushed out critical advisories. The patch didn't come until a day or two later.
You're half right - people who compiled it from source could theoretically get those releases, but no, it wasn't released in any distros. So in practice, since no Linux distro released it, no one relying on Linux distros was exposed to it.
Every system gets attacked, but I think your point shows that even with state-level attacks Linux handles it better than other platforms.