The remote host is missing an update to at announced via advisory DSA 102-2.
Basically, this is the same Security Advisory as DSA 102-1, except that the uploaded binary packages really fix the problem this time. Unfortunately the bugfix from DSA 102-1 wasn't propagated properly due to a packaging bug. While the file parsetime.y was fixed, and yy.tab.c should be generated from it, yy.tab.c from the original source was still used. This has been fixed now. The original advisory said: zen-parse found a bug in the current implementation of at which leads into a heap corruption vulnerability which in turn could potentially lead into an exploit of the daemon user. This has been fixed in at 3.1.8-10.2 for the stable Debian release and 3.1.8-11 for the unstable and testing release. Packages for unstable have just been uploaded into <http://incoming.debian.org/>. We recommend that you upgrade your at packages immediately since an exploit has already been published.