As explained on http://www.apache.org/dist/CHANGES_1.3 there was a dangerous interacion between the pre-1.3.18 mod_negotiation and mod_dir/mod_autoindex that could make the Apache server to show the listing of a directory instead of the negociated index.html if a very long path was used (one could be created using slashes and dot artificially) taking that all three modules are enabled on default on RedHat all what is needed is that someone enables the MultiView option (as on /icons) to become vulnerable.
forgot to mention mod_negotiation on subject
The currently-released errata incorporates these fixes.