Apache avoids most security woes
A study of Apache security advisories dating back to Apache 1.0 shows the server's last serious problem (one where remote attackers could run arbitrary code on the server) was announced in January 1997. This problem was a buffer overflow in Apache's cookie module that was fixed in Apache 1.1.3.
The link for this article located at ZDNet eWeek is no longer available.