apt update isn't grabbing new Apache versions, the version 2.4.25 (installed during setup) has a lot of reported vulnerabilities. Is anyone else updating this some other way?
you don't say what OS you're using. it's most likely just that 2.4.25 is the latest version in the repo. I'm running ubuntu 18.04, and using the ondrej apache2 repo (add-apt-repository ppandrej/apache2) which currently installs apache 2.4.38
The OS maintainers backport important security fixes, so the apache version may show some old, but to see if the security fixes are applied you have to check the change logs for your operating system. My quess is the vulnerabilities are fixed if you have installed the updated versions for your OS.
Thanks for the comments! I'm running Debian 9.8 Thanks @Taleman for the idea, I cross checked the last few OS update changelogs against the Apache vulnerabilities list and indeed I did see the OS updates included patches for many of the vulnerabilities without updating Apache to a newer version (you were right!). I only checked the last 3 OS updates but it did show several of the vulnerabilities as being patched (I'm sure Debian fixed them all, lol), so that pretty much answers my question perfectly, also makes me feel safer