Georgi Guninski discovered a buffer overflow bug in Apache's mod_proxy module, whereby a remote user could potentially cause arbitrary code to be executed with the privileges of an Apache httpd child process (by default, user www-data). Note that this bug is only exploitable if the mod_proxy module is in use.
Note that this bug exists in a module in the apache-common package, shared by apache, apache-ssl and apache-perl, so this update is sufficient to correct the bug for all three builds of Apache httpd. However, on systems using apache-ssl or apache-perl, httpd will not automatically be restarted.
For the current stable distribution (woody), this problem has been fixed in version 1.3.26-0woody5.
For the unstable distribution (sid), this problem has been fixed in version 1.3.31-2.
We recommend that you update your apache package.