There is a new vulnerability(CVE-2021-4034) for polkit and the exploit allows the spawn a root shell. The package has been updated yesterday on Arch. Make sure you update that one!
It’s kind of crazy to think it has been there since 2009, but only found out recently. The following article also shows the exploit in action for those interested.
It seems to be only a local exploit, so unless you have other users without sudo privileges using your computer, it does not seem to be something that you need to be worried about.
But yes, it’s a good idea to update your OS.
It does indeed feel like a local exploit. Those are often used for privilege escalation once you’ve obtained a shell through a service account. I agree most people here should not be worried about it, but might be useful for those who have servers.
This really isn’t a fair interpretation of “local exploit” in today’s world. A local exploit isn’t only a vulnerability to people who have local accounts. The most common way a local exploit is used, is in conjunction with another exploit. The first exploit gets you access and the second gets you privilege escalation.
There are tons of real-world cases where this can happen. For example, a vulnerability in almost an internet facing client, most commonly a web browser. They use that exploit to get local access and then look for other exploits to get even more. Although, frankly, in a single user workstation, you can do a lot without privileged access.
FYI, if your system is up to date, and using Polkit v 0.120-4 then you have the latest patched version from the Arch devs that addresses this and should be good now, just make sure to do a reboot after you’ve updated so you know everything works.
Sure, but it is the first exploit is what you should really be worried about.
The glowies do not need privilege escalation exploits, though. They have… ways to persuade you to give it to them.
This can also be very useful for hacking competitions (CTFs).
Like you wouldn’t do it every hour on arch system anyway. 
Well, log4j exploit is also quite recent and there could be some servers that did not update?
LOL, yeah… I already updated five times today.
Then you are safe. 
I update many times a day too hoping my issues will be fixed, but I get disappointed every time. 
We all have personal issues no update can fix, my friend. 