Some of the image i have built MAY have the affected versions installed, i am currently running a build of the base image to perform the 'Resolution' (see link) and i will then kick off builds of subsequent images.
For reference here is the ASA for Arch Linux (base os), pay attention to the 'Impact', also keep in mind unless there is code calling xz then xz will not be running and therefore the risk is reduced, however i am keen to get all images updated:-
https://security.archlinux.org/ASA-202403-1
EDIT - Further investigation into the way xz interacts with the system, it looks like in order for the exploit to be used you would need to have systemd operational (not the case with any of my images) and OpenSSH installed (not the case with any of my images), so in my opinion the risk is low here, but as I mentioned above I am keen to get all images updated, so please be patient as this can take a while and its Easter time so my time is restricted.