A security problem exists in all versions of rsync prior to 2.6.1 that affects anyone running a read/write daemon without using a chrooted environment.
a3255b5967118be2f68ba9a3e9714d06eb078a92b26a2dc88d8b214621db6d18
<p>
<a name="security_apr04"></a>
</p><h4>April 2004 Security Advisory</h4>
<p>There is a security problem in all versions prior to 2.6.1 that affects only
people running a read/write daemon WITHOUT using chroot. If the user privs
that such an rsync daemon is using is anything above "nobody", you are at risk
of someone crafting an attack that could write a file outside of the module's
"path" setting (where all its files should be stored). Please either enable
chroot or upgrade to 2.6.1. People not running a daemon, running a read-only
daemon, or running a chrooted daemon are totally unaffected.