This just hit the GLSA feed. From the Full Disclosure Announcement:
| The format string bug allows a malicious remote server to execute
| arbitrary code on the machine running ez-ipupdate, if and only if daemon
| mode is on (very common) and certain service types are used. I have
| attached a trivial patch (against 3.0.11b8) that corrects this problem.
| It proved to be impossible to contact upstream, as all his e-mail
| addresses bounced. The Linux and *BSD vendors that distribute ez-ipupdate
| have been contacted, but so far only Mandrakelinux and SUSE Linux have
| published patched versions.