Looking at this further: I can't actually see any exploit path here at all in 2.0.x prefork:
PSNC folks; in your report, "PoC #3 SIGUSR1 killer #1 (Apache 2.x)" concerns the "graceful shutdown" code, which is only present in 2.2.x, not 2.0.x. The ap_reclaim_child_processes() path changed in SVN can't be an attack vector: all it does, by intent, is kill children of the parent. The implementation guarantees that it will not kill any other process: waitpid() fails with ESRCH if passed a non-child pid. reclaim_one_pid() will only kill the pid if waitpid returns zero. The only kill() call in 2.0 prefork.c itself is in reap_children(), which is dead code. joe
