I do regular automated updates. For anything requiring human intervention like the xz thing I trust Lemmy and YouTube to keep me updated. No dedicated news source because if I were to freak out about every new vulnerability found I wouldn't be able to sleep at night.
If you had it on a computer that is accessible via SSH from the internet you should proceed under the assumption that it was compromised. Which means you should reinstall from a safe medium and change your keys and passwords.
My distribution (archlinux) notifies of critical vulnerabilities that require user action. There's a news mailing list.
After that I rely on social networks (Mastodon mostly) or Lemmy for news, as vulnerabilities often get some conversation. Apart from that, software I'm really interested in I also follow through RSS, so I get news when they update for their vulnerabilities (that is, when the vulnerabilities are not self-inflicted, as in the xz case).
I rely on notifications from glsa-check or my distro's package manager. I was notified about a problem with xz-utils on Thursday evening, but didn't see anyone post about it until Friday morning.
glsa-check is a command-line tool included with the gentoolkit package in Gentoo Linux. Its primary function is to scan your system for installed packages that are vulnerable according to Gentoo Linux Security Advisories (GLSAs). GLSAs are official notifications from the Gentoo security team about security vulnerabilities that affect packages in the Gentoo repository.
NIST used to have an RSS feed for CVEs but deprecated it recently. They still have other ways you can follow it, though:
https://nvd.nist.gov/vuln/data-feeds
Or, if you just want to follow CVEs for certain applications, you can host/subscribe to something like https://www.opencve.io/welcome, which allows you to filter CVEs from NIST's National Vulnerability Database (NVD).
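As an added example (not from this thread and not OpenCVE's code), the kind of watch-list filter such a service applies to NVD records: it reads JSON in the shape of the NVD API 2.0 response, matches only CPE entries flagged as vulnerable against a vendor/product list, and applies a CVSS threshold. The feed records, CVE ids, scores and the example:othertool product are constructed; tukaani:xz is assumed to be the CPE vendor/product pair for xz-utils.

```python
import json
import re

def _rec(cve_id, desc, score, *cpes):
    """Build one constructed record in the shape of an NVD API 2.0 entry; cpes are (vulnerable, criteria) pairs."""
    metrics = {"cvssMetricV31": [{"cvssData": {"baseScore": score}}]} if score is not None else {}
    return {"cve": {"id": cve_id, "descriptions": [{"lang": "en", "value": desc}], "metrics": metrics,
                    "configurations": [{"nodes": [{"cpeMatch": [
                        {"vulnerable": v, "criteria": c} for v, c in cpes]}]}]}}

# Constructed sample feed: the CVE ids, scores and descriptions are made up for this example.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    _rec("CVE-0000-0001", "Constructed: malicious code in a compression library", 10.0,
         (True, "cpe:2.3:a:tukaani:xz:5.6.0:*:*:*:*:*:*:*"), (True, "cpe:2.3:a:tukaani:xz:5.6.1:*:*:*:*:*:*:*")),
    _rec("CVE-0000-0002", "Constructed: low-severity bug in an unrelated tool", 3.1,
         (True, "cpe:2.3:a:example:othertool:1.0:*:*:*:*:*:*:*")),
    _rec("CVE-0000-0003", "Constructed: not yet scored; xz listed only as a non-vulnerable entry", None,
         (False, "cpe:2.3:a:tukaani:xz:5.4.0:*:*:*:*:*:*:*"))]})

def cpe_vendor_product(criteria):
    """(vendor, product) from a CPE 2.3 string, or None; a literal ':' inside a field is escaped as '\\:'."""
    fields = re.split(r"(?<!\\):", criteria)
    if len(fields) < 5 or fields[0] != "cpe" or fields[1] != "2.3":
        return None
    return fields[3].lower(), fields[4].lower()

def base_score(cve):
    """First CVSS base score NVD provides (v3.1, then v3.0, then v2), or None if the CVE is unscored."""
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        for m in cve.get("metrics", {}).get(key, []):
            return m["cvssData"]["baseScore"]
    return None

def matching_cves(feed_json, watchlist, min_score=0.0):
    """[(cve_id, score, description)] for CVEs whose *vulnerable* CPE entries hit the watchlist.
    Unscored CVEs are kept whatever min_score is, so a fresh advisory is not silently dropped."""
    watch = {(v.lower(), p.lower()) for v, p in watchlist}
    hits = []
    for item in json.loads(feed_json)["vulnerabilities"]:
        cve = item["cve"]
        score = base_score(cve)
        if score is not None and score < min_score:
            continue
        affected = any(m.get("vulnerable") and cpe_vendor_product(m["criteria"]) in watch
                       for conf in cve.get("configurations", [])
                       for node in conf.get("nodes", []) for m in node.get("cpeMatch", []))
        if affected:
            desc = next((d["value"] for d in cve.get("descriptions", []) if d["lang"] == "en"), "")
            hits.append((cve["id"], score, desc))
    return hits
```

Calling `matching_cves(SAMPLE_FEED, [("tukaani", "xz")], min_score=7.0)` returns only the first record: the unrelated tool is not on the list and the third entry lists xz as non-vulnerable.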
I subscribed to the Fedora mailing list a few days ago, and their talk was helpful for me to notice that I was one of the affected. Just subscribe to your distro blog/mail/etc.
You can track this kind of stuff on Mastodon also: join a security instance (like https://infosec.exchange/explore) or start following them from another instance.
Found out about the xz one on Lemmy.
Years ago I was briefly subscribed to Bugtraq but that was too much.
Now I'm subscribed to a few OS specific security announcement mailing lists.
I don't. I run software whose maintainers I trust to provide regular security updates.
Of course there's some software I have installed that doesn't fit those criteria. But I also minimize my attack surface by exposing the bare minimum and enabling extra security features where I can.
Luckily I only have to worry about ones from Cisco or Fortinet, and both have RSS feeds that I have linked into Slack at work to tell us when a new patch is out or a new PSIRT advisory is released.
I actually have automated security updates on all my servers. Also, in general I run Greenbone at home, which does daily scans of all the VLANs/networks I have at home.