on second thoughts, if you are as impatient as i was to check wassup with LO, you can take it off arch. beware this is only intended for LO package which “i think” is fairly isolated enough to supplant from arch without other dependencies wrecking it. any such practices on other packages can put your system in a “partial upgrade” situation. you are forewarned.
Yes, it is a manual task. Depending on what packages are included in the sync, we may need to update or rebuild some of our overlays and/or our own packages.
Due to this, even the unstable branch is still affected by the last glibc vulnerability CVE-2023-6246 (Local Privilege Escalation, from any unprivileged user to full root): https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt
I’ve rolled out Arch’s fixed packages 2.38-8 on my systems last week (2024-02-02) but they’ve moved on to 2.39-1 since.
Manjaro is still affected across all branches with version 2.38-7.
+1. from what i remember moving to 2.38-8 only required *gcc-libs* rebuilt package in my case. however moving to 2.39-1 effectively requires rebuilt packages of everything from kernels on it, so stopped short of it.
We are in an unstable channel so I guess it can be mentioned.
While Manjaro is behind, and Arch is extra steps ahead, you can make use of downgrade to grab 2.38-8 from the ALA. (this is mostly acceptable due to the minor version, and recognizing that Manjaro ships the Arch package [Packager : Frederik Schwan <freswa@archlinux.org>])
sudo downgrade glibc lib32-glibc
EDIT.
Well then, there's today
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...
Packages (2) glibc-2.38-8.1 lib32-glibc-2.38-8.1
Total Download Size: 18.21 MiB
Total Installed Size: 65.33 MiB
Net Upgrade Size: 0.06 MiB