[theamk]

Agreed - the only RCE vulnerabilities that would IMHO qualify to "All GNU/Linux systems" would be in Linux kernel networking stack and maybe in openssh.

But the "(+ others)" seems to imply it's not Linux kernel.

And OpenSSH is maintained by OpenBSD folks, who take security extremely seriously. I cannot imagine them taking 3+ weeks and not having security fix, nor arguing whether "Unauthenticated RCE" has a security impact.

So I am guessing it's one of the other common packages, probably not installed on every computer and/or not normally exposed to the internet.