Comment by kees99
> you are safe if your rsync is only via secure connections
Not quite. If the server has "command=rsync ..." in the ~/.ssh/authorized_keys file for some SSH key (to allow rsync access, but deny shell access), this vulnerability will allow an attacker in possession of that SSH key to go around that restriction and get a shell nonetheless.
He said where untrusted parties aren't able to run rsync.
If I was running an rsync daemon facing the public, it would be in a chroot with dropped privileges.
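
An inventory check for the setup kees99 describes, added here as an example and not part of the thread: it lists authorized_keys entries whose forced command is rsync, which are the keys the comment says could be used to get a shell. The function names and the sample file contents are constructed for illustration.

```python
import os

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")

def split_unquoted(text, seps, maxsplit=-1):
    """Split on separator chars outside double quotes; \\" stays inside a value."""
    parts, cur, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and quoted and i + 1 < len(text):
            cur.append(text[i:i + 2])  # keep the escaped character with its backslash
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch in seps and not quoted and maxsplit != 0:
            parts.append("".join(cur))
            cur, maxsplit = [], maxsplit - 1
        else:
            cur.append(ch)
        i += 1
    return parts + ["".join(cur)]

def forced_rsync_keys(text):
    """Return (line number, key comment, command) for keys forced to run rsync."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or line.startswith(KEY_PREFIXES):
            continue  # blank, comment, or key with no options field
        parts = split_unquoted(line, " \t", maxsplit=1)
        if len(parts) < 2:
            continue
        for opt in split_unquoted(parts[0], ","):
            name, _, value = opt.partition("=")
            if name.lower() == "command":
                cmd = value[1:-1].replace('\\"', '"') if value[:1] == '"' else value
                prog = cmd.split()[:1]
                if prog and os.path.basename(prog[0]) == "rsync":
                    findings.append((lineno, " ".join(parts[1].split()[2:]), cmd))
    return findings

# Constructed sample authorized_keys content; the key blobs are placeholders.
SAMPLE = '''\
command="rsync --server --sender -logDtpr . /srv/backup/",no-pty ssh-ed25519 AAAAC3ExampleKeyOne backup@host-a
ssh-ed25519 AAAAC3ExampleKeyTwo admin@laptop
command="/usr/local/bin/report.sh",no-pty ssh-rsa AAAAB3ExampleKeyThree cron@host-b
restrict,command="/usr/bin/rsync --server -vlogDtpre.iLsfxC . \\"/srv/my data/\\"" ssh-ed25519 AAAAC3ExampleKeyFour mirror@host-c
'''
```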