Bug #376
closed
Assess whether CVE-2024-3094 liblzma backdoor affects distributed binaries
Start date: 03/29/2024
Due date:
% Done: 0%
Estimated time:
Description
https://nvd.nist.gov/vuln/detail/CVE-2024-3094
Malicious code was discovered in the upstream tarballs of xz/liblzma, starting with version 5.6.0 (released Feb 24th, i.e. before Freeciv 3.1.0). The compromised maintainer has been making commits since early 2023 at least, so even older versions might already contain backdoors. We should assess whether compromised versions might have been linked into distributed Freeciv binaries, and what to do about it.