OpenBSD: rsync heap overflow vulnerability
Posted by LinuxSecurity.com Team
A heap overflow exists in rsync versions 2.5.6 and below that can
be used by an attacker to run arbitrary code. The bug only affects
rsync in server (daemon) mode and occurs *after* rsync has dropped
privileges. By default, the server will chroot(2) to the root of the
file tree being served, which significantly mitigates the impact of
the bug. Installations that disable this behavior by placing "use
chroot = no" in rsyncd.conf are vulnerable to attack.

Sites that do run rsync in server mode should update their rsync
package as soon as possible. The rsync port has been updated in
the 3.3 and 3.4 -stable branches and a new binary package has been
built for OpenBSD 3.4/i386. It can be downloaded from:
ftp://ftp.openbsd.org/pub/OpenBSD/3.4/packages/i386/rsync-2.5.7.tgz

For more information on the bug, see:
http://rsync.samba.org/

For more information on packages errata, see:
http://www.openbsd.org/pkg-stable.html
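
As an added example (not part of the advisory, and not code from the OpenBSD or rsync projects), here are the two checks an administrator would run after reading it: whether the installed rsync reports a version at or below 2.5.6, and whether any module in rsyncd.conf ends up with chroot disabled, either directly or by inheriting a global "use chroot = no". The script assumes the rsyncd.conf conventions of `key = value` lines, `[module]` section headers, comment lines starting with `#` or `;`, global settings acting as defaults for every module, and boolean values written as yes/no, true/false or 1/0. Both sample configurations are constructed for the example.

```shell
#!/bin/sh
# Added example: audit helpers for the rsync 2.5.6 daemon-mode advisory.
# Not code from the advisory or from rsync itself.

# Print the name of every module whose effective "use chroot" setting is off.
# A module without its own setting inherits the global one (assumed default:
# yes). Reads a config file given as $1, or stdin when no argument is given.
# Exit status 0 = at least one module has chroot disabled, 1 = none.
rsyncd_chroot_disabled() {
    awk '
        BEGIN { global = "yes"; nmod = 0 }
        # drop comments and surrounding whitespace (assumed rsyncd.conf syntax)
        { sub(/[#;].*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        /^\[.*\]$/ { section = substr($0, 2, length($0) - 2); mods[++nmod] = section; next }
        {
            n = index($0, "=")
            if (n == 0) next
            key = tolower(substr($0, 1, n - 1)); gsub(/[ \t]+/, " ", key); gsub(/^ | $/, "", key)
            val = tolower(substr($0, n + 1));   gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key != "use chroot") next
            # assumption: no/false/0 disable chroot, any other value leaves it on
            val = (val == "no" || val == "false" || val == "0") ? "no" : "yes"
            if (section == "") global = val; else setting[section] = val
        }
        END {
            for (i = 1; i <= nmod; i++) {
                m = mods[i]
                eff = (m in setting) ? setting[m] : global
                if (eff == "no") { print m; found = 1 }
            }
            # a config with no modules serves nothing, but report the global value anyway
            if (nmod == 0 && global == "no") { print "(global)"; found = 1 }
            exit(found ? 0 : 1)
        }
    ' "$@"
}

# Exit 0 if the first "x.y[.z]" in an "rsync --version" banner is <= 2.5.6,
# 1 if it is newer, 2 if no version number was found.
rsync_version_affected() {
    printf '%s\n' "$1" | awk '
        match($0, /[0-9]+\.[0-9]+(\.[0-9]+)?/) && !done {
            split(substr($0, RSTART, RLENGTH), v, ".")
            num = v[1] * 1000000 + v[2] * 1000 + v[3]   # missing patch level counts as 0
            done = 1
        }
        END { if (!done) exit 2; exit(num <= 2005006 ? 0 : 1) }
    '
}

# Constructed sample configurations (not from the page). In the weak one the
# global default turns chroot off; [ftp] overrides it, [scratch] inherits it.
WEAK_CONF=$(cat <<'EOF'
# global section
use chroot = no

[ftp]
    path = /var/ftp
    use chroot = yes

[scratch]
    path = /home/scratch
EOF
)

# The corrected form keeps the global default at yes and drops the exception.
FIXED_CONF=$(cat <<'EOF'
use chroot = yes

[ftp]
    path = /var/ftp

[scratch]
    path = /home/scratch
EOF
)

echo "weak config, modules with chroot disabled:"
printf '%s\n' "$WEAK_CONF" | rsyncd_chroot_disabled || echo "  (none)"
echo "fixed config, modules with chroot disabled:"
printf '%s\n' "$FIXED_CONF" | rsyncd_chroot_disabled || echo "  (none)"

# On a real host: rsync_version_affected "$(rsync --version | head -n 1)"
for banner in "rsync  version 2.5.6  protocol version 26" \
              "rsync  version 2.5.7  protocol version 26"; do
    if rsync_version_affected "$banner"; then
        echo "affected:     $banner"
    else
        echo "not affected: $banner"
    fi
done
```

Run `rsyncd_chroot_disabled /etc/rsyncd.conf` against a real daemon configuration; any module it prints is one where the advisory's mitigating chroot is not in effect and the package update is urgent rather than merely recommended.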