FYI, Gentoo have released security advisories regarding an exploitable heap overflow in rsync 2.5.6 and the compromise of "one of Gentoo's rsync rotation servers" (in combination with the Linux brk vulnerability that was mentioned in a Debian-ish thread on this list).