Hi,
are Sophos XGS firewalls affected by the following Apache httpd CVEs:
If yes, when will there be an update for the Apache service?
Thanks in advance,
Hello,
The Security Team mentioned the following:
Sophos is aware of these issues. We constantly monitor all of our 3rd party dependencies for newly discovered vulnerabilities, triage them in the context of our products and services, and schedule updates accordingly. Severity (and therefore urgency) is calculated based on CVSS, which assumes a vulnerable configuration.
In this case, two of the non-critical issues potentially affect Sophos, but the severities in the context of Sophos are at most medium. Therefore, the updates that fix all of the CVEs will be part of the next releases for each supported major version of the products and services that use Apache. There are no plans, where applicable, to publish hotfixes to address these issues.
Regards,