As a user, ln -s /root/.rhosts /tmp/SERVER and wait for the admin to run Xconfigurator --pick (which happens when the system is upgraded, right?). After it's been run, root ends up with a .rhosts containing "XFree86 480", which theoretically could be used for doing some nasty things (assuming the person also runs rlogin for some reason; I tried to misconfigure sshd to accept the .rhosts file but failed). The code does check for the existence of the file using access() and removes the file if it exists, but since it's a symlink to a non-existing file, the symlink doesn't get removed like it should. Replacing the access() with a stat() or something should do the trick. Ok, that's all pretty theoretical, so I didn't even classify this as a security problem, but things like this are worth checking for in other things that get run during upgrades :)
This code was old and unused. However, when it was active, it was only used at installation time, so the security risk was ~nil. Still, the code was cruft and I have removed it in 4.6.9 and later.
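
The check-then-create pattern discussed in this report, shown beside a hardened form, as an added example that is not part of the thread and not Xconfigurator's code. The function names and the scratch directory are constructed for the demonstration; everything runs inside a private mkdtemp() directory.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* mkdtemp, symlink, lstat, O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the report: access() follows the symlink, so a dangling
 * link looks "absent", is never unlinked, and open() creates its target. */
static int weak_create(const char *path) {
    if (access(path, F_OK) == 0)
        unlink(path);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Hardened form: unlink() acts on the link itself, and O_CREAT|O_EXCL
 * fails instead of creating through a symlink that reappears in between. */
static int safe_create(const char *path) {
    unlink(path);                       /* ENOENT is fine here */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Constructed scratch dir holding SERVER -> missing "victim" file; runs one
 * creator and returns 1 if the link target was created (lstat: no follow). */
int target_created(int hardened) {
    char dir[] = "/tmp/symdemoXXXXXX", link[64], target[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(link, sizeof link, "%s/SERVER", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, link) != 0) return -1;
    if (hardened) safe_create(link); else weak_create(link);
    int hit = (lstat(target, &st) == 0);
    unlink(target); unlink(link); rmdir(dir);
    return hit;
}

int main(void) {
    printf("access-then-create: target created = %d\n", target_created(0));
    printf("unlink + O_EXCL:    target created = %d\n", target_created(1));
}
```

For temporary files in general, mkstemp() avoids the fixed, predictable name altogether.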