In some circumstances Drupal allows user-supplied data to become part of response headers. As this user-supplied data is not always properly escaped, this can be exploited by malicious users to execute HTTP response splitting attacks which may lead to a variety of issues, among them cache poisoning, cross-user defacement and injection of arbitrary code.
Install the latest version:
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.
The Drupal security team.