This is already mentioned in a different comment here[1], but for ease of reference, Arch Linux did ship a vulnerable version and released the fix on 2 February[2].

[1] https://news.ycombinator.com/item?id=34713862

[2] https://github.com/archlinux/svntogit-packages/commit/796878...