rsync - Sep 2007 - security bugs (?)

As a Cygwin rsync package maintainer, the following security fixes have
been brought to my attention:

http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-misc/rsync/files/rsync-2.6.9-stats-fix.patch
http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-misc/rsync/files/rsync-2.6.9-fname-obo.patch

And while they seem "trusted" enough to me (present in many packages
such as Gentoo, FreeBSD and other; in bug lists such as Secunia...), I
am no rsync deep code knower, and I still wonder why there's no mention
in this mailing list or the homepage? Do the actual authors of rsync
think that those bugs has never been exploitable? If that's so, please
confirm it, thanks =)

    Lapo

Lapo Luchini wrote:
> As a Cygwin rsync package maintainer, the following security fixes have
> been brought to my attention:
> 
>
http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-misc/rsync/files/rsync-2.6.9-stats-fix.patch
>
http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-misc/rsync/files/rsync-2.6.9-fname-obo.patch
On a closer inspection, the first one doesn't really seem to regard
security... what about the other, aka CVE-2007-4091[1] and SA26493[2]?

1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4091
2. http://secunia.com/advisories/26493/

    Lapo