- CVE-2022-23943: Fix out-of-bound write in mod_sed - CVE-2022-22721: Fix integer overflow which resulted in out-of-bounds write - CVE-2022-28615: Fix read beyond bounds in ap_strcmp_match() - CVE-2022-31813: Fix possible bypass of IP based authentication - CVE-2021-26690: Fix NULL pointer dereference in mod_session - CVE-2022-22719: Fix possible process crash due to unnoticed failures in mod_lua - CVE-2022-29404: Fix possible DoS due to no default limit on possible input size in mod_lua - CVE-2022-26377: Fix possible HTTP request smuggling in mod_proxy_ajp - CVE-2023-31122: mod_macro: Fix out-of-bounds read vulnerability by using own strncmp function - CVE-2024-38474: mod_rewrite: server weakness with encoded question marks in backreferences - CVE-2024-38475: mod_rewrite: server weakness in mod_rewrite when first segment of substitution matches filesystem path - CVE-2024-38477: mod_proxy: crash resulting in Denial of Service in mod_proxy via a malicious request - CVE-2024-38476: http: server use exploitable/malicious backend application output to run local handlers via internal redirect - CVE-2024-39573: mod_rewrite: proxy handler substitution - CVE-2024-39884: modules: source code disclosure with handlers configured via AddType. Resolving regression introduced by CVE-2024-38476 fix - CVE-2024-40725: modules: source code disclosure with handlers configured via AddType. Resolving regression introduced by CVE-2024-39884 fix