Last week I discovered a classical integer wrap around which leads to a heap
overflow in rsync 3.0. A source patch can be found here.
We backported the xattr feature to some of our 2.6.9 and 2.6.8 versions.
Even though the code base is different there, the vulnerability also exists.
Updated packages will soon be available.