I noticed a report of a potential new DOS (apparently already being exploited) for all versions of Apache this morning.
http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3C20110...
I have installed the Option 2 workaround in /etc/apache2/apache2.conf.
I tried the Option 1 first but apache complains that RequestHeader unset require two arguments which contradicts the documentation. But then I found
http://people.apache.org/~dirkx/CVE-2011-3192.txt
another version of this same announcement. Newer? I don't know. But it says to use Option 1 only for Apache 2.2.
Ken
box-admins@lists.squeakfoundation.org