Debian Security Advisory DSA 525-1 (apache)

The remote host is missing an update to apache announced via advisory DSA 525-1.

Georgi Guninski discovered a buffer overflow bug in Apache's mod_proxy module, whereby a remote user could potentially cause arbitrary code to be executed with the privileges of an Apache httpd child process (by default, user www-data). Note that this bug is only exploitable if the mod_proxy module is in use. Note that this bug exists in a module in the apache-common package, shared by apache, apache-ssl and apache-perl, so this update is sufficient to correct the bug for all three builds of Apache httpd. However, on systems using apache-ssl or apache-perl, httpd will not automatically be restarted. For the current stable distribution (woody), this problem has been fixed in version 1.3.26-0woody5. For the unstable distribution (sid), this problem has been fixed in version 1.3.31-2. We recommend that you update your apache package.

https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20525-1