This vulnerability has been out for a while and VMware has produced many patches since this was first reported. Why have they not upgrade Apache yet?
