UPDATE as of 04/06/2024
KVM guest deployed via manjaro-kde-23.1.4-240406-linux66.iso and upgraded to Manjaro Testing
is still affected by CVE-2024-3094.
See also the threads :-
https://www.reddit.com/r/archlinux/comments/1bqx81e/arch_lin...
https://forum.manjaro.org/t/xz-package-contains-a-vulnerabil...
Running https://github.com/cyclone-github/scripts/blob/main/xz_cve-2... on Manjaro Testing :-
$ hostnamectl
Static hostname: boris-kde0406
Icon name: computer-vm
Chassis: vm 🖴
Machine ID: 7cc6ab841db44eb8a8cc9b95bff724fc
Boot ID: 44d7407b6a124ea2aa59909ac0c32d1e
Virtualization: kvm
Operating System: Manjaro Linux
Kernel: Linux 6.8.4-1-MANJARO
Architecture: x86-64
Hardware Vendor: QEMU
Hardware Model: Standard PC _Q35 + ICH9, 2009_
Firmware Version: 1.16.3-1.fc39
Firmware Date: Tue 2014-04-01
Firmware Age: 10y 6d
$ ~/test01.sh
Checking system for CVE-2024-3094 Vulnerability...
https://nvd.nist.gov/vuln/detail/CVE-2024-3094
Checking for function signature in liblzma...
Function signature in liblzma: OK
Checking xz version using pacman package manager...
Note: Arch Linux detected
(1) CVE-2024-3094 does not target Arch Linux sshd service
(2) Manually check your installed xz version and make sure it is not vulnerable
(3) Detected xz version: 5.4.6-1
(4) Check for most recent xz release: https://archlinux.org/packages/core/x86_64/xz/
END UPDATE
UPDATE as of 04/04/24
Manjaro KDE Testing moved to KDE Plasma 6.0.3
Regarding CVE-2024-3094, after downgrading xz and lib32-xz to 5.4.3, which doesn't look like it solves the problem,
I am experiencing the following issue :-
$ sudo pacman -S xz lib32-xz
[sudo] password for boris:
:: xz is in IgnorePkg/IgnoreGroup. Install anyway? [Y/n] Y
:: lib32-xz is in IgnorePkg/IgnoreGroup. Install anyway? [Y/n] Y
resolving dependencies...
looking for conflicting packages...
Packages (2) lib32-xz-5.6.1-3 xz-5.6.1-3 (?)
Total Download Size: 0.74 MiB
Total Installed Size: 2.69 MiB
Net Upgrade Size: 0.16 MiB
:: Proceed with installation? [Y/n] n
END UPDATE
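The version strings in the two updates above (5.4.6-1 reported by the script, 5.6.1-3 offered by pacman) can be classified against the Arch Linux advisory for CVE-2024-3094. This is an added example, not part of the original post or of the cyclone-github script; the function names are hypothetical, and it assumes Arch package numbering, where 5.6.0-1 and 5.6.1-1 are the affected builds and 5.6.1-2 onward is the rebuilt package.

```shell
#!/bin/sh
# Added example: not from the original post or the cyclone-github script.
# Classifies an Arch-style xz package version ("pkgver-pkgrel") for CVE-2024-3094.
# Assumption: Arch Linux numbering, where 5.6.0-1 and 5.6.1-1 were built from the
# backdoored release tarballs and 5.6.1-2 onward is the rebuilt package.

# Body runs in a subshell, so the variables below stay local to the function.
classify_xz_version() (
    full="${1#*:}"                 # drop an epoch prefix such as "1:" if present
    pkgver="${full%%-*}"
    pkgrel="${full#*-}"
    if [ "$pkgrel" = "$full" ]; then pkgrel=""; fi   # no "-pkgrel" part given
    pkgrel="${pkgrel%%.*}"         # "3.1" style rebuild suffix -> "3"

    case "$pkgver" in
        5.6.0)
            echo "affected" ;;
        5.6.1)
            case "$pkgrel" in
                ''|*[!0-9]*) echo "unknown" ;;   # cannot tell without a numeric pkgrel
                *) if [ "$pkgrel" -ge 2 ]; then echo "rebuilt"; else echo "affected"; fi ;;
            esac ;;
        [0-9]*.[0-9]*.[0-9]*)
            echo "unaffected-version" ;;         # any release other than 5.6.0 / 5.6.1
        *)
            echo "unknown" ;;
    esac
)

# Report the installed xz and lib32-xz packages; "pacman -Q" prints "name version".
check_installed_xz() {
    for pkg in xz lib32-xz; do
        ver="$(pacman -Q "$pkg" 2>/dev/null | awk '{print $2}')"
        if [ -n "$ver" ]; then
            printf '%s %s: %s\n' "$pkg" "$ver" "$(classify_xz_version "$ver")"
        fi
    done
}

# Run the live check only on a pacman-based system.
if command -v pacman >/dev/null 2>&1; then
    check_installed_xz
fi
```

A version match only describes the package as published in the Arch repositories; it says nothing about a liblzma binary installed from another source.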
UPDATE as of 03/25/2024
KDE Plasma 6.0.2 may be ported to Manjaro 23.1 with the commands
$ sudo pacman-mirrors --api --set-branch testing
$ sudo pacman -Scc
$ sudo pacman-mirrors --fasttrack 5 && sudo pacman -Syu
Per the advice of oioi @ https://forum.manjaro.org/t/i-tested-kde-6-oh-my-oh-my-you-will-be-sorry-here-come-some-discoveries/158436/24 I issued `sudo pacman -S qt6-imageformats` :-
- webp : qt5-imageformats → qt6-imageformats
- gimp : kimageformats5 → kimageformats
What actually happens when this install runs on CachyOS 2024.3 :-
$ sudo pacman -S qt6-imageformats
[sudo] password for boris:
resolving dependencies...
looking for conflicting packages...
Package (2)                       New Version  Net Change  Download Size
cachyos-extra-v3/libmng           2.0.3-3.1      0.75 MiB       0.21 MiB
cachyos-extra-v3/qt6-imageformats 6.6.2-1.1      0.30 MiB       0.06 MiB
Total Download Size: 0.27 MiB
Total Installed Size: 1.05 MiB
:: Proceed with installation? [Y/n] Y
It fixes the problem on Manjaro testing all the way around
END UPDATE
UPDATE as of 03/23/24
I can confirm the issue mentioned in https://forum.manjaro.org/t/i-tested-kde-6-oh-my-oh-my-you-will-be-sorry-here-come-some-discoveries/158436
<<So after update (pacman -Syyu) you have no webp thumbnails in Dolphin and Gwenview cannot display those photos (webp). What will a typical user do? >>
I also tested OK opening *.webp files via Dolphin on the most recent Fedora 40 KDE nightly build
UPDATE as of 03/21/24
I was able to find a workaround and keep Manjaro's testing repos to install KDE Plasma 6.0.2 after switching to libvirt's default network for the particular KVM guest. Placing the VM on a Linux bridge (Linux bridging vs NAT) seems to be the core issue for me, or else it is/was just a matter of luck.
Just several hours later I noticed that my local mirror was removed from the testing list; I then issued the following commands, which succeeded
$ sudo pacman-mirrors --api --set-branch testing
$ sudo pacman-mirrors --fasttrack 5 && sudo pacman -Syyu
per What is the different between pacman -Syu, -Syyu and -Syuu?
Brief extract from link above :-
As for -yy, it is generally not recommended.
Use it only if you're having problems with your mirror. Unless your
mirror is acting up and you want to switch mirrors, there is no reason
to re-download every package DB file in its entirety every time you want
to do an upgrade. You might want to use it when switching mirrors so
that all your package DB files are consistent.
From my standpoint the last `sudo pacman -Syyu` provides direct access to Arch Stable Repos and Manjaro devs have nothing to do with that.
END UPDATE
As of now `sudo pacman -Syu` installs KDE Plasma 6.0.2 on Manjaro Testing branch
Final report on bare metal Manjaro KDE (testing branch)
KVM Guest status