We'd like to raise awareness about the rsync security release version 3.4.0-1 as 
described in our advisory 
[ASA-202501-1](https://security.archlinux.org/ASA-202501-1). 

In the most severe CVE, an attacker only needs anonymous read access to an 
rsync server, such as a public mirror, to execute arbitrary code on the machine 
the server is running on. 
Additionally, an attacker who controls a malicious server can read and write 
arbitrary files on any client that connects to it. Sensitive data, such as 
OpenPGP and SSH keys, can be extracted, and malicious code can be executed by 
overwriting files such as `~/.bashrc` or `~/.popt`.

We highly advise anyone who runs an rsync daemon or client prior to 3.4.0-1 to 
upgrade and reboot their systems immediately. As Arch Linux mirrors are mostly 
synchronized using rsync, we highly advise every mirror administrator to act 
immediately, even though the packages themselves are cryptographically signed.
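The following script is an added example for checking whether an installed rsync predates the fixed release; it is not part of this news post or of the rsync project. It parses the first line of `rsync --version` (or the output of `pacman -Q rsync`) and compares the upstream version field by field against 3.4.0, so that a hypothetical 3.10.0 is correctly treated as newer than 3.4.0. The `--check` entry point, the `rsyncd.service` unit name and the port-873 listener test are assumptions about a typical Arch Linux host.

```sh
#!/bin/sh
# Added example, not code from the advisory: report whether the locally installed
# rsync is older than the fixed release and whether an rsync daemon is exposed.

FIXED_VERSION="3.4.0"   # upstream version carried by the 3.4.0-1 package

# Pull the dotted upstream version out of either
#   "rsync  version 3.2.7  protocol version 31"   (rsync --version, first line)
#   "rsync 3.4.0-1"                               (pacman -Q rsync)
# A leading space is prepended so a bare "3.4.0" is also accepted.
extract_rsync_version() {
    printf ' %s\n' "$1" |
        sed -n 's/.*[^0-9.]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Numeric, field-by-field comparison of dotted versions: returns 0 when $1 < $2.
# Missing fields count as 0, so "3.4" equals "3.4.0".
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        a_field=${a%%.*}; b_field=${b%%.*}
        [ "${a_field:-0}" -lt "${b_field:-0}" ] && return 0
        [ "${a_field:-0}" -gt "${b_field:-0}" ] && return 1
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
    done
    return 1
}

# Returns 0 if the rsync described by the version line $1 predates the fix,
# 1 if it is fixed, 2 if no version could be parsed.
rsync_is_vulnerable() {
    ver=$(extract_rsync_version "$1")
    if [ -z "$ver" ]; then
        echo "could not parse an rsync version from: $1" >&2
        return 2
    fi
    version_lt "$ver" "$FIXED_VERSION"
}

# Live check of this host. Returns 1 when an outdated rsync is installed.
check_installed_rsync() {
    if ! command -v rsync >/dev/null 2>&1; then
        echo "rsync is not installed on this host"
        return 0
    fi
    first_line=$(rsync --version 2>/dev/null | head -n 1)
    # Assumed unit name and port for an Arch rsync daemon (rsyncd.service, TCP 873).
    if systemctl is-active --quiet rsyncd.service 2>/dev/null ||
       ss -ltn 2>/dev/null | grep -q ':873 '; then
        echo "an rsync daemon is listening on this host (the anonymous-read case)"
    fi
    if rsync_is_vulnerable "$first_line"; then
        echo "VULNERABLE: $first_line (fixed in $FIXED_VERSION); upgrade and reboot"
        return 1
    fi
    echo "OK: $first_line"
}

# Only run the live check when invoked with --check, so the functions above can
# also be sourced from other scripts.
if [ "${1:-}" = "--check" ]; then
    check_installed_rsync
fi
```

Run it as `sh check_rsync.sh --check` on each daemon host and client; a non-zero exit means the package still needs the upgrade. The version comparison deliberately ignores the pacman release suffix (`-1`), since the fix is in the upstream 3.4.0 version and any package release of it carries it.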

On the Arch Linux infrastructure side, we have secured all our affected servers 
and mirrors.
