"It appears that the updated Apache Portable Runtime (APR) 1.4.4 – which
was bundled with the server to correct the denial of service
vulnerability – could cause httpd workers to enter a 100% CPU utilising
hung state when calling apr_fnmatch. An update to APR, version 1.4.5,
which resolves the issue has been released by the APR developers and is
bundled with Apache HTTP Server 2.2.19. Users can upgrade to httpd 2.2.19
or, if running httpd 2.2.17 or earlier, work around the denial of service
problem by using the IgnoreClient option of the IndexOptions."