[Unstable Update] January 2025

Announcements Unstable Updates
,
1

Welcome to the new monthly unstable branch thread.

Recent News

Notable Package Changes

Known Issues

Critical rsync security release 3.4.0

2025-01-16 - Robin Candau

We’d like to raise awareness about the rsync security release version 3.4.0-1 as described in our advisory ASA-202501-1.

An attacker only requires anonymous read access to a vulnerable rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on. Additionally, attackers can take control of an affected server and read/write arbitrary files of any connected client. Sensitive data can be extracted, such as OpenPGP and SSH keys, and malicious code can be executed by overwriting files such as ~/.bashrc or ~/.popt.

We highly advise anyone who runs an rsync daemon or client prior to version 3.4.0-1 to upgrade and reboot their systems immediately. As Arch Linux mirrors are mostly synchronized using rsync, we highly advise any mirror administrator to act immediately, even though the hosted package files themselves are cryptographically signed.

All infrastructure servers and mirrors maintained by Arch Linux have already been updated.

Arch Linux - News: Critical rsync security release 3.4.0

Additional Info

Info about AUR packages

:warning: AUR (Arch User Repository) packages are neither supported by Arch nor Manjaro. Posts about them in Announcements topics are off-topic and will be flagged, moved or removed without warning.

For help with AUR packages, please create a new topic in AUR and a helpful volunteer may be able to assist you.

Get our latest daily developer images now from Github: Plasma, GNOME, XFCE. You can get the latest stable releases of Manjaro from CDN77.

Check if your mirror has already synced:

5 Likes
2

Plasma 6.2.5 was released today.

Full change log here

2 Likes
3

I switched from stable to unstable (sudo pacman-mirrors --api --set-branch unstable and sudo pacman-mirrors --fasttrack 5 && sudo pacman -Syu) and got this message:

/usr/lib/sysusers.d/nvidia-utils.conf:1: Unknown modifiers in command '!u'.

less /usr/lib/sysusers.d/nvidia-utils.conf:

!u nvidia-persistenced 143 'NVIDIA Persistence Daemon'

How can I fix the error? Many thanks in advance

1 Like
4

Not sure how to fix, but looking at other files in that directory, it looks like the !u may be a mistake and should be u!

1 Like
5

fix incoming

update solved the problem

mhwd-nvidia-565.77-5-any
nvidia-utils-565.77-5-x86_64
4 Likes
6

Had massive problems during December updates & nvidia drivers.

Now everything works smoothly, no bugs on desktop, updates work instantly.

Thanks to Manjaro Team! :wink:

3 Likes
7

3 posts were split to a new topic: I’m not sure whether i’ve a partial update

8

New security item added to Known Issues :point_up:

1 Like
9

Unless you followed any of the guides on here telling you to remove those SigLevel lines. :wink:

10

Huh? :thinking:

11

This one.

Used to suggest

SigLevel    = Optional DatabaseNever

But has since been edited to suggest

SigLevel    = Required DatabaseNever

But there are still an untold number of threads and users with the suggestion in one way or another to disable the signatures.

Such as here:

I just meant that anyone who has followed such advice or for whatever reason has lesser SigLevel options applied would be vulnerable to an exploited mirror.

For a while at least one of the most common responses to ‘Trouble syncing packages, errors about keys’ on the forums was to augment the SigLevel options to something more permissive. That always meant lesser security, but this news makes a tangible argument for why not to.

1 Like
12

Ah, I see. Thank you for providing helpful context. :+1:

13

2 posts were merged into an existing topic: [Testing Update] 2025-01-15 - Kernels, KDE Frameworks, Calamares, Cosmic, Firefox, Gambas, Steam