fix for a race condition in mod_status known as CVE-2014-0226 can lead
to information disclosure; mod_status is not active by default, and is
normally only open for connects from localhost.
fix for bug known as CVE-2014-0098 that can crash the apache process if
a specially designed cookie is sent to the server (log_cookie.c)
fix for crash bug in mod_dav known as CVE-2013-6438
fix for a problem with non-responsive CGI scripts that would otherwise
cause the server to stall and deny service. CVE-2014-0231, new
configuration parameter CGIDScriptTimeout defaults to 60s.
apache2-mod_security2:
specially drafted chunked http requests allow an attacker to bypass
filters configured in mod_security2. This vulnerability is known as
CVE-2013-5705.