The ACL handling in rsyslog 3.12.1 to 3.20.0, 4.1.0, and 4.1.1 does not follow $AllowedSender directive, which allows remote attackers to bypass intended access restrictions and spoof log messages or create a large number of spurious messages.

More... (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5617)