Really bad week for internet security. This is one of the most obsure and hard to follow security bugs I've seen. The core httpd guys at the ASF are really great though, so having followed their explanations even I have an idea what it was about by now. :-)
Following the process there were a bunch of things that would have been nice if had been different; but it's tricky when you have time pressure, a fucked up company trying to get some PR and for starters just a really bad situation. Still upgrading servers here. In the new perl.org setup it took just about no time thanks to RedHat Network and a few scripts to build and sync our custom apache installations.
update at 5.30am: Blah, not that easy. One thing took another and now the night is gone.