[REFER to post update below, Arch is most likely not affected] Mine, on #ArchLinux, is certainly affected lol (people kept saying it most likely only affects #Ubuntu and #Fedora based distros):
❯ xz --version
xz (XZ Utils) 5.6.0
liblzma 5.6.0
Libraries installed on my system requiring xz (i.e. just about everything lol):
:: removing xz breaks dependency 'xz' required by base
:: removing xz breaks dependency 'xz' required by bind
:: removing xz breaks dependency 'xz' required by ffmpeg
:: removing xz breaks dependency 'xz' required by ffmpeg4.4
:: removing xz breaks dependency 'xz' required by file
:: removing xz breaks dependency 'xz' required by fsarchiver
:: removing xz breaks dependency 'xz' required by gdb
:: removing xz breaks dependency 'xz' required by grub
:: removing xz breaks dependency 'xz' required by imagemagick
:: removing xz breaks dependency 'xz' required by imlib2
:: removing xz breaks dependency 'xz' required by kmod
:: removing xz breaks dependency 'xz' required by lib32-xz
:: removing xz breaks dependency 'xz' required by libarchive
:: removing xz breaks dependency 'xz' required by libelf
:: removing xz breaks dependency 'liblzma.so=5-64' required by libelf
:: removing xz breaks dependency 'xz' required by libtiff
:: removing xz breaks dependency 'xz' required by libunwind
:: removing xz breaks dependency 'xz' required by libxml2
:: removing xz breaks dependency 'xz' required by libxmlb
:: removing xz breaks dependency 'xz' required by libxslt
:: removing xz breaks dependency 'xz' required by ostree
:: removing xz breaks dependency 'liblzma.so=5-64' required by ostree
:: removing xz breaks dependency 'xz' required by raptor
:: removing xz breaks dependency 'xz' required by systemd
:: removing xz breaks dependency 'xz' required by systemd-libs
:: removing xz breaks dependency 'xz' required by wxwidgets-common
:: removing xz breaks dependency 'xz' required by zstd
Let go and let God, I say. Free for all SSH open house.
UPDATE:
Saw some reports informing that this vulnerability was only bundled in the release tarballs, not in the #Git source itself - hence, Arch Linux should be safe since Arch builds/installs packages directly from source.
The backdoor also appears to only run when built by the Debian build system or as an RPM package.
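Added example, not part of the original post: one way to check the "only in the release tarballs, not in Git" point for any project is to hash every file in the published tarball and compare it against the tagged git tree. All file names and contents below are constructed sample data, and the helper names are hypothetical.

```python
import hashlib
import io
import tarfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tarball_digests(fileobj, strip_components=1):
    """Map each regular file in the tarball to its SHA-256, dropping the top-level dir."""
    digests = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            parts = member.name.split("/")[strip_components:]
            if parts:
                digests["/".join(parts)] = sha256(tar.extractfile(member).read())
    return digests


def compare(tar_digests, git_digests):
    """Return (only_in_tarball, content_differs) as sorted path lists."""
    only_in_tarball = sorted(set(tar_digests) - set(git_digests))
    differs = sorted(p for p in tar_digests.keys() & git_digests.keys()
                     if tar_digests[p] != git_digests[p])
    return only_in_tarball, differs


def build_sample_tarball(files, top="example-1.0"):
    """Build an in-memory .tar.gz from {path: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(f"{top}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


# Constructed sample: the tagged git tree versus the published release tarball.
GIT_TREE = {"src/main.c": b"int main(void){return 0;}\n",
            "m4/check.m4": b"# macro as committed\n"}
RELEASE = dict(GIT_TREE, **{"configure": b"#!/bin/sh\n# generated\n",
                            "m4/check.m4": b"# macro as shipped, edited\n"})

if __name__ == "__main__":
    git = {p: sha256(d) for p, d in GIT_TREE.items()}
    extra, changed = compare(tarball_digests(build_sample_tarball(RELEASE)), git)
    print("only in tarball (review generated files):", extra)
    print("differs from git (investigate first):", changed)
```

Release tarballs normally carry generated files that are absent from git, so the "only in tarball" list needs review rather than alarm; a tracked file whose content differs from the tagged commit is the stronger signal.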