https://www.openwall.com/lists/oss-security/2025/01/14/3
Two independent groups of researchers have identified a total of 6 vulnerabilities in rsync. In the most severe CVE, an attacker only requires anonymous read access to a rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on. Upstream has prepared patches for these CVEs. These fixes will be included in rsync 3.4.0 which is to be released shortly.
rsync 3.4.0 is released already; make sure to update if you are using it!