Fedora 39 and 40 (which is still in beta) uses xz 5.4. Fedora 41/rawhide (essentially the development branch) was affected it seems: access.redhat.com/security/cve/CVE-2024-3094. CentOS Stream and RHEL have way more outdated packages than that, so they were never vulnerable to this backdoor.