Update to 3.4.
1, not 3.4.
0. One of the original fixes
introduced a new bug.
Also don’t panic. This vulnerability set is a huge pain to those affected. However, only a very small portion of users is exposed.
Naked, anonymous rsync servers are nowadays used primarily for content dissemination. In other cases it’s tunneled over SSH and requires authentication. Even the vulnerable instances, if run on a reasonably well configured system, are containerized.
I suspect we will see a rise in botnets size, eagerly eating unupdated mirrors. But not much more at a large scale. It’s not like the world is devastated, because of how ubiquitous rsync is.