Summary
The remote host is missing an update to mc announced via advisory DSA 639-1.
Solution
https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20639-1
Insight
Andrew V. Samoilov has noticed that several bug fixes which upstream developers applied to the source of mc, the Midnight Commander, a file browser and manager, were not backported to the version of mc that Debian ships in its stable release. The Common Vulnerabilities and Exposures Project identifies the following vulnerabilities:
CVE-2004-1004: Multiple format string vulnerabilities
CVE-2004-1005: Multiple buffer overflows
CVE-2004-1009: One infinite loop vulnerability
CVE-2004-1090: Denial of service via corrupted section header
CVE-2004-1091: Denial of service via null dereference
CVE-2004-1092: Freeing unallocated memory
CVE-2004-1093: Denial of service via use of already freed memory
CVE-2004-1174: Denial of service via manipulating non-existing file handles
CVE-2004-1175: Unintended program execution via insecure filename quoting
CVE-2004-1176: Denial of service via a buffer underflow
For the stable distribution (woody) these problems have been fixed in version 4.5.55-1.2woody5.
For the unstable distribution (sid) these problems should already be fixed since they were backported from current versions.
We recommend that you upgrade your mc package.
Severity
Classification
CVE: CVE-2004-1004, CVE-2004-1005, CVE-2004-1009, CVE-2004-1090, CVE-2004-1091, CVE-2004-1092, CVE-2004-1093, CVE-2004-1174, CVE-2004-1175, CVE-2004-1176
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities