documented for Apache (without additional plugins):
* 2001-07-10: Apache Possible Directory Index Disclosure Vulnerability * 2001-06-10: MacOS X Client Apache File Protection Bypass Vulnerability * 2001-04-12: Apache Web Server HTTP Request Denial of Service Vulnerability * 2001-03-13: Apache Artificially Long Slash Path Directory Listing Vulnerability * 2000-12-06: Apache Web Server with Php 3 File Disclosure Vulnerability * 2000-09-29: Apache Rewrite Module Arbitrary File Disclosure Vulnerability * 2000-09-07: SuSE Apache WebDAV Directory Listings Vulnerability * 2000-05-31: Apache HTTP Server (win32) Root Directory Access Vulnerability * 1999-09-25: NCSA/Apache httpd ScriptAlias Source Retrieval Vulnerability * 1998-09-03: Multiple Vendor MIME Header DoS Vulnerability * 1998-01-06: Apache Web Server DoS Vulnerability * 1997-01-12: Apache mod_cookies Buffer Overflow Vulnerability * 1996-12-10: Multiple Vendor nph-test-cgi Vulnerability * 1996-04-01: Multiple Vendor test-cgi Directory Listing Vulnerability * 1996-03-20: phf Remote Command Execution Vulnerability
However, due to Apache's extensible nature (like IIS), I expect the actual number is much higher. For example, AKAIK the Code Red Worm attacked a DLL running one of the additional IIS services, not the IIS core directly.
Ashley