Anyone looking at the changelog should be terrified of adopting 2.2.15; I'm going to modify it thusly (please correct attributions if needed?);
*) SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection attack when compiled against OpenSSL version 0.9.8m or later. Introduces the 'SSLInsecureRenegotiation' directive, which allows unsafe legacy renegotiation with clients which do not yet support the secure renegotiation protocol. [Joe Orton] *) SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: A partial fix for the TLS renegotiation prefix injection attack for OpenSSL versions prior to 0.9.8l; reject any client-initiated renegotiations. Forcibly disable keepalive for the connection if there is any buffered data readable. Any configuration which requires renegotiation for per-directory/location access control is still vulnerable, unless using openssl 0.9.8l or later. [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>] WDYT?