There is a path-sanitizing bug that affects daemon mode in all recent rsync versions (including 2.6.2) but only if chroot is disabled. It does NOT affect the normal send/receive filenames that specify what files should be transferred (this is because these names happen to get sanitized twice, and thus the second call removes any lingering leading slash(es) that the first call left behind). It does affect certain option paths that cause auxiliary files to be read or written. More information here: http://samba.org/rsync/#security_aug04
Updates for Fedora Core 1 and 2 have been pushed that address this vulnerability.
http://www.redhat.com/archives/fedora-announce-list/2004-August/msg00023.html
http://www.redhat.com/archives/fedora-announce-list/2004-August/msg00024.html
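
The report above notes that transfer filenames were only safe because they were sanitized twice. As an added example (not rsync's code and not part of the original report), here is a sanitizer for module-relative paths that strips slashes before every component, so a single pass already yields a non-absolute path, together with a check that a second pass changes nothing. The function names `sanitize_rel` and `one_pass_is_enough` are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper, not rsync's sanitize_path(): rewrite `in` relative to
 * the module root. Empty components (leading or repeated '/') and "." are
 * dropped; ".." pops the previous component or is dropped at the root.
 * `in` and `out` must not overlap. Returns 0, or -1 if `out` is too small. */
int sanitize_rel(const char *in, char *out, size_t outsz)
{
    size_t len = 0;                       /* bytes written so far */
    if (outsz == 0)
        return -1;
    while (*in) {
        while (*in == '/')                /* strip slashes before EVERY component */
            in++;
        size_t n = strcspn(in, "/");      /* length of next component */
        if (n == 2 && in[0] == '.' && in[1] == '.') {
            while (len > 0 && out[len - 1] != '/')
                len--;                    /* pop last component ... */
            if (len > 0)
                len--;                    /* ... and its separator */
        } else if (n > 0 && !(n == 1 && in[0] == '.')) {
            size_t sep = len ? 1 : 0;
            if (len + sep + n + 1 > outsz)
                return -1;
            if (sep)
                out[len++] = '/';
            memcpy(out + len, in, n);
            len += n;
        }
        in += n;
    }
    out[len] = '\0';
    return 0;
}

/* 1 if one pass over `in` already yields a confined path (not absolute,
 * no ".." component) and a second pass changes nothing. */
int one_pass_is_enough(const char *in)
{
    char a[256], b[256];
    if (sanitize_rel(in, a, sizeof a) || sanitize_rel(a, b, sizeof b) ||
        a[0] == '/' || strcmp(a, b) != 0)
        return 0;
    for (const char *p = a; *p; p += strcspn(p, "/"), p += (*p == '/'))
        if (strncmp(p, "..", 2) == 0 && (p[2] == '/' || p[2] == '\0'))
            return 0;
    return 1;
}
```

Running `one_pass_is_enough` over every code path that accepts a path argument, option paths included, is a cheap regression test for the "safe only because it is called twice" pattern.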