Arch Linux informed their users about a security issue in rsync:
" We’d like to raise awareness about the rsync security release version 3.4.0-1
as described in our advisory ASA-202501-1.
An attacker only requires anonymous read access to a vulnerable rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on. Additionally, attackers can take control of an affected server and read/write arbitrary files of any connected client. Sensitive data can be extracted, such as OpenPGP and SSH keys, and malicious code can be executed by overwriting files such as ~/.bashrc
or ~/.popt
.
We highly advise anyone who runs an rsync daemon or client prior to version 3.4.0-1
to upgrade and reboot their systems immediately. As Arch Linux mirrors are mostly synchronized using rsync, we highly advise any mirror administrator to act immediately, even though the hosted package files themselves are cryptographically signed.
All infrastructure servers and mirrors maintained by Arch Linux have already been updated."
source: Arch Linux - News: Critical rsync security release 3.4.0
see also: Over 660,000 Rsync servers exposed to code execution attacks
Seems like version 3.4.0 (that should fix the issues) of rsync is not yet available in the tumbleweed repositories.
I thought that information might be interesting for some of the forum members, that’s why i posted it here.