Now that 2.4.3 is released and announced I'm in the process of updating
the security page (the xml file with the known vulnerabilities) to
include the two issues that are in CHANGES.
The XSS mod_negotiation issue I think is clearly of severity level 4
(low), but I'm a bit uncertain about the mod_proxy_ajp problem.
It can be triggered remotely and leads to response mixups, so a privacy
issue (all disclosed via Bugzilla before the release, so no need to
discuss privately).
I'd go for an "Important" but would like to get more opinions. The
definitions are at:
http://httpd.apache.org/security/impact_levels.html
Regards,
Rainer