Multiple format string vulnerabilities in heartbeat 0.4.9 and earlier (claimed as buffer overflows in some sources) allow remote attackers to execute arbitrary code via certain packets to UDP port 694 (incorrectly claimed as TCP in some sources).
http://www.securityfocus.com/bid/5955
http://www.novell.com/linux/security/advisories/2002_037_heartbeat.html
http://www.iss.net/security_center/static/10357.php
http://www.debian.org/security/2002/dsa-174
http://linux-ha.org/security/sec01.txt
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000540