Apache httpd -- Multiple vulnerabilities

The Apache httpd project reports:

DoS by Null pointer in websocket over HTTP/2 (CVE-2024-36387) (Low).
Serving WebSocket protocol upgrades over a HTTP/2 connection could
result in a Null Pointer dereference, leading to a crash of the server
process, degrading performance.
Proxy encoding problem (CVE-2024-38473) (Moderate).
Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier
allows request URLs with incorrect encoding to be sent to backend
services, potentially bypassing authentication via crafted requests.
Weakness with encoded question marks in backreferences
(CVE-2024-38474) (Important). Substitution encoding issue in
mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker
to execute scripts in directories permitted by the configuration but
not directly reachable by any URL or source disclosure of scripts
meant to only to be executed as CGI.
Weakness in mod_rewrite when first segment of substitution matches
filesystem path (CVE-2024-38475) (Important). Improper escaping of
output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows
an attacker to map URLs to filesystem locations that are permitted to
be served by the server but are not intentionally/directly reachable
by any URL, resulting in code execution or source code disclosure.
Substitutions in server context that use a backreferences or variables
as the first segment of the substitution are affected. Some unsafe
RewiteRules will be broken by this change and the rewrite flag
“UnsafePrefixStat” can be used to opt back in once ensuring the
substitution is appropriately constrained.
may use exploitable/malicious backend application output to run local
handlers via internal redirect (CVE-2024-38476) (Important).
Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are
vulnerable to information disclosure, SSRF or local script execution
via backend applications whose response headers are malicious or
exploitable.
Crash resulting in Denial of Service in mod_proxy via a malicious
request (CVE-2024-38477) (Important). Null pointer dereference in
mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker
to crash the server via a malicious request.
mod_rewrite proxy handler substitution (CVE-2024-39573) (Moderate).
Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier
allows an attacker to cause unsafe RewriteRules to unexpectedly setup
URL’s to be handled by mod_proxy.