We'd like to raise awareness about the rsync security release version 
`3.4.0-1` as described in our advisory 
[ASA-202501-1](https://security.archlinux.org/ASA-202501-1).

An attacker only requires anonymous read access to a vulnerable rsync server, 
such as a public mirror, to execute arbitrary code on the machine the server is 
running on. 
Additionally, attackers can take control of an affected server and read/write 
arbitrary files of any connected client.
Sensitive data can be extracted, such as OpenPGP and SSH keys, and malicious 
code can be executed by overwriting files such as `~/.bashrc` or `~/.popt`.

We highly advise anyone who runs an rsync daemon or client prior to version 
`3.4.0-1` to upgrade and reboot their systems immediately.
As Arch Linux mirrors are mostly synchronized using rsync, we highly advise any 
mirror administrator to act immediately, even though the hosted package files 
themselves are cryptographically signed.
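For administrators who want to verify which hosts still need the upgrade, here is an added POSIX sh example (not part of the Arch Linux advisory or of rsync itself). It compares an rsync version string against the fixed release named above, stripping any packaging suffix such as `-1`, and reports whether the locally installed rsync is still affected. The helper names (`rsync_version_is_vulnerable`, `installed_rsync_version`, `check_local_rsync`) are my own; the only fact taken from the advisory is that releases before 3.4.0 are affected.

```shell
#!/bin/sh
# Added example, not from the advisory: report whether an rsync version
# predates the 3.4.0 security release and whether the local install needs work.

FIXED_RSYNC_VERSION="3.4.0"   # first fixed upstream release per the advisory

# Returns 0 (true) when "$1" sorts before the fixed version, i.e. is affected.
# A distribution suffix such as "3.4.0-1" is dropped before comparing.
rsync_version_is_vulnerable() {
    ver="${1%%-*}"
    lowest=$(printf '%s\n%s\n' "$ver" "$FIXED_RSYNC_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$ver" ] && [ "$ver" != "$FIXED_RSYNC_VERSION" ]
}

# Pulls the version out of the first line of "rsync --version",
# which looks like: "rsync  version 3.2.7  protocol version 31".
installed_rsync_version() {
    rsync --version 2>/dev/null | awk 'NR == 1 {
        for (i = 1; i <= NF; i++) if ($i == "version") { print $(i + 1); exit }
    }'
}

# Prints a one-line verdict for this host; exit status 1 means "upgrade needed".
check_local_rsync() {
    ver=$(installed_rsync_version)
    if [ -z "$ver" ]; then
        echo "rsync is not installed on this host; nothing to do"
        return 0
    fi
    if rsync_version_is_vulnerable "$ver"; then
        echo "rsync $ver is affected: upgrade to $FIXED_RSYNC_VERSION or later and reboot"
        # A daemon that was started before the upgrade keeps the old code in memory.
        if command -v pgrep >/dev/null 2>&1 && pgrep -x rsync >/dev/null 2>&1; then
            echo "note: an rsync process is running and must be restarted after upgrading"
        fi
        return 1
    fi
    echo "rsync $ver is at or above $FIXED_RSYNC_VERSION"
    return 0
}

# Run the local check only when invoked as "sh check-rsync.sh --local",
# so the functions can also be sourced into other scripts.
if [ "${1:-}" = "--local" ]; then
    check_local_rsync
fi
```

The version comparison relies on `sort -V` (GNU coreutils and busybox both provide it), so it handles multi-digit components such as `3.10.0` correctly. The daemon note exists because a package upgrade replaces the binary on disk but does not restart an already running `rsync --daemon`, which is why the advisory recommends a reboot rather than an upgrade alone.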

All infrastructure servers and mirrors maintained by Arch Linux have already 
been updated.

URL: https://archlinux.org/news/critical-rsync-security-release-340/
