I found the bug report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=730372
The report was filed after this mailing list discussion: https://lists.debian.org/debian-devel/2012/04/msg00301.html
Summary: Site admins usually place sites in /var/www/site.com and there may be sensitive data in /var/www that should not be made available via a web server. All web servers on Debian have been updated to use /var/www/html as default instead of /var/www.
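
The exposure described in the summary can be checked on a server. The following is an added example, not part of the original post or of Debian's packaging: it lists what sits beside the default site when a vhost's document root is the shared parent directory itself. `docroots`, `audit_docroots` and `demo` are hypothetical helper names, the parser assumes one directive per line and paths without spaces, and the sample tree is constructed in a temp directory.

```shell
#!/bin/sh
# Added example: report what else is exposed when a vhost serves the shared
# parent directory (e.g. /var/www) instead of a dedicated subdirectory.

# docroots FILE: print each Apache "DocumentRoot" / nginx "root" value in FILE.
# Simplification (assumption): one directive per line, no spaces in paths.
docroots() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "documentroot" || $1 == "root" {
            p = $2
            gsub(/[";]/, "", p)                     # quotes, nginx trailing ;
            if (length(p) > 1) sub(/\/+$/, "", p)   # trailing slash
            print p
        }' "$1"
}

# audit_docroots CONF_DIR PARENT: for every config in CONF_DIR whose document
# root is PARENT itself, print "<config> exposes <entry>" per entry in PARENT.
audit_docroots() {
    conf_dir=$1
    parent=${2%/}
    for conf in "$conf_dir"/*; do
        [ -f "$conf" ] || continue
        if docroots "$conf" | grep -Fxq -- "$parent"; then
            for entry in "$parent"/*; do
                if [ -e "$entry" ]; then
                    echo "${conf##*/} exposes ${entry##*/}"
                fi
            done
        fi
    done
    return 0
}

# demo: constructed layout in a temp dir standing in for /var/www and a vhost dir.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/www/html" "$t/www/site.com" "$t/conf"
    echo "DB_PASSWORD=constructed" > "$t/www/site.com/settings.ini"
    printf '<VirtualHost *:80>\n  DocumentRoot %s\n</VirtualHost>\n' "$t/www"      > "$t/conf/old-default.conf"
    printf '<VirtualHost *:80>\n  DocumentRoot %s\n</VirtualHost>\n' "$t/www/html" > "$t/conf/new-default.conf"
    audit_docroots "$t/conf" "$t/www"
    rm -rf "$t"
}

demo
```

On a real host the call would be along the lines of `audit_docroots /etc/apache2/sites-enabled /var/www`; an empty result means no enabled config serves the parent directory directly.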