November 2, 2001

New ApacheWeek released

"Two denial of service attacks were found in the Apache 2.0 code this week - both concerned with memory usage when sending
large requests. The first was that the server did not respect the maximum header field length, and would consume memory
indefinitely while reading a header line. A fix for this was quickly checked in. The second problem remains unconfirmed; using an
httpd.conf from an old installation of 2.0 with the current code can cause a GET request with a large body to leak memory.
Neither of these problems is known to affect Apache 1.3."
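
The first problem above is an unbounded read of a header line. As an added illustration (not Apache's code and not the fix that was checked in), this C sketch reads a header line into a fixed buffer and reports an over-long line instead of buffering more; `byte_src`, `read_header_line`, `check_sample` and the 32-byte `MAX_FIELD_LEN` are hypothetical names and values chosen for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_FIELD_LEN 32  /* constructed cap for the demo, not an Apache default */

enum line_status { LINE_OK, LINE_TOO_LONG, LINE_EOF };

/* Stand-in for a client socket: hands out one byte at a time. */
struct byte_src { const char *p, *end; };

static int next_byte(struct byte_src *s)
{
    return s->p < s->end ? (unsigned char)*s->p++ : -1;
}

/* Read one header line into buf (capacity cap, NUL included).
 * Memory use is fixed: once the cap is reached nothing more is stored
 * and the caller is told to reject the request. */
static enum line_status read_header_line(struct byte_src *in, char *buf, size_t cap)
{
    size_t n = 0;
    int c;

    if (cap == 0)
        return LINE_TOO_LONG;
    while ((c = next_byte(in)) != -1) {
        if (c == '\n') {
            if (n > 0 && buf[n - 1] == '\r')
                n--;                    /* strip the CR of a CRLF ending */
            buf[n] = '\0';
            return LINE_OK;
        }
        if (n + 1 >= cap) {             /* no room for this byte plus the NUL */
            buf[0] = '\0';
            return LINE_TOO_LONG;       /* stop here; do not grow the buffer */
        }
        buf[n++] = (char)c;
    }
    buf[0] = '\0';
    return LINE_EOF;                    /* input ended before the line did */
}

/* Run the reader over a constructed request line held in memory. */
static enum line_status check_sample(const char *raw, char *out, size_t cap)
{
    struct byte_src in = { raw, raw + strlen(raw) };
    return read_header_line(&in, out, cap);
}
```

A server using this pattern would answer `LINE_TOO_LONG` with an error response and close the connection, so the size of the client's header line never determines how much memory the server holds.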


