Here's the partial answer to my question: How to patch Apache 2.4.18 on Ubuntu 16.04 LTS? and here: Will Ubuntu 16.04.6 updates ever include a version of Apache newer than 2.4.18?
My Apache version info:
apache2 -v
Server version: Apache/2.4.18 (Ubuntu)
Server built: 2023-03-20T21:41:20
Here is the latest update for Apache 2.4:
2.4.18-2ubuntu3.17+esm10
I checked the Ubuntu website at https://changelogs.ubuntu.com/changelogs/pool/main/a/apache2/apache2_2.4.18-2ubuntu3.17/changelog and compared it with https://httpd.apache.org/security/vulnerabilities_24.html
Fixed in Apache HTTP Server 2.4.42
low: mod_rewrite CWE-601 open redirect (CVE-2020-1927)
https://httpd.apache.org/security/vulnerabilities_24.html
and
apache2 (2.4.18-2ubuntu3.17) xenial-security; urgency=medium
  * SECURITY UPDATE: mod_rewrite redirect issue
    - debian/patches/CVE-2020-1927-1.patch: factor out default regex flags
      in include/ap_regex.h, server/core.c, server/util_pcre.c.
    - debian/patches/CVE-2020-1927-2.patch: add AP_REG_NO_DEFAULT to allow
      opt-out of pcre defaults in include/ap_regex.h,
      modules/filters/mod_substitute.c, server/util_pcre.c,
      server/util_regex.c.
    - CVE-2020-1927
  * SECURITY UPDATE: mod_proxy_ftp uninitialized memory issue
    - debian/patches/CVE-2020-1934.patch: trap bad FTP responses in
      modules/proxy/mod_proxy_ftp.c.
    - CVE-2020-1934
https://changelogs.ubuntu.com/changelogs/pool/main/a/apache2/apache2_2.4.18-2ubuntu3.17/changelog
It is not clear whether other security issues up to CVE-2023-25690 are fixed. Can I trust Ubuntu that all security issues for Apache version 2.4.56 are fixed in the latest 2.4.18-2ubuntu3.17+esm10? How do I check what is included in the esm10 updates?
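The manual comparison described in the question can be scripted: pull every CVE id out of a package changelog, grouped by package version, and report which ids from the upstream list the changelog never mentions. This is an added example, not part of the original post; the function names are hypothetical, the sample input is the 2.4.18-2ubuntu3.17 entry quoted above, and the changelog path in the comment is an assumption based on the standard Debian package layout.

```shell
#!/bin/sh
# Added example: which CVE ids does a Debian/Ubuntu package changelog mention?
# "Not mentioned" is not the same as "unfixed": the packaged version may
# simply not be affected by that CVE.

# Constructed sample: the changelog entry quoted in the post (abridged).
sample_changelog() {
cat <<'EOF'
apache2 (2.4.18-2ubuntu3.17) xenial-security; urgency=medium

  * SECURITY UPDATE: mod_rewrite redirect issue
    - debian/patches/CVE-2020-1927-1.patch: factor out default regex flags
    - debian/patches/CVE-2020-1927-2.patch: add AP_REG_NO_DEFAULT
    - CVE-2020-1927
  * SECURITY UPDATE: mod_proxy_ftp uninitialized memory issue
    - debian/patches/CVE-2020-1934.patch: trap bad FTP responses
    - CVE-2020-1934
EOF
}

# Read a changelog on stdin; print unique "version CVE-id" pairs.
changelog_cves() {
  awk '
    /^[a-z0-9][a-z0-9+.-]* \(/ {        # entry header: "pkg (version) suite; ..."
      ver = $2; gsub(/[()]/, "", ver); next
    }
    {
      line = $0                         # a line may carry several CVE ids
      while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
        print ver, substr(line, RSTART, RLENGTH)
        line = substr(line, RSTART + RLENGTH)
      }
    }' | sort -u
}

# Read a changelog on stdin; print each CVE id passed as an argument
# that the changelog never mentions.
unmentioned_cves() {
  found=$(changelog_cves | awk '{print $2}')
  for cve in "$@"; do
    printf '%s\n' "$found" | grep -qxF "$cve" || printf '%s\n' "$cve"
  done
}

# On a host with the package installed (path is an assumption):
#   zcat /usr/share/doc/apache2/changelog.Debian.gz | unmentioned_cves CVE-2023-25690
```

Run against only the quoted 3.17 entry, `unmentioned_cves CVE-2020-1934 CVE-2023-25690` prints `CVE-2023-25690`, which is the gap the question is about; the changelog of the installed esm10 package is the input that answers it.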