From a security perspective compiling from source is a disastrous idea.
Usually, the package from your OS vendor will be patched for any serious CVEs. You can see the patches by looking at the changelog for the package. For example, for the apache2 package in 24.04, see "Ubuntu – Details of package apache2 in noble-updates" (click Ubuntu Changelog in the right-hand menu).
Looking at those two CVEs, they specifically say they apply to 2.4.60, which is not the version you should have if you’re running the OS package. You should have 2.4.58, which, as far as I can tell, is not impacted by either of those CVEs.
So, I think they’re just flagging this incorrectly. You should be able to say your version is not impacted by those CVEs and refer them to the changelog for your version so they can check off any CVEs that apply to 2.4.58.
Ubuntu doesn’t always patch for CVEs, or if they do it might take a week or two, but I think most serious ones are resolved pretty quickly.
I would strongly recommend against compiling Apache from source. If you must upgrade, I recommend you learn how to build deb packages and maintain an apt repo for your custom packages (aptly is the best option for this; though it’s kinda hard to use, it’s less hard to use than any of the other ways I know of to build apt repos). You can sometimes get the most recent version of stuff by rebuilding from newer Ubuntu or Debian versions or the unstable/dev version. But, again, that’s a last resort. Check in to be sure they really insist you upgrade and won’t accept your vendor’s patched version. Compiling your own package is still a bad idea, because now you have to babysit the Apache package forever: you need to be on security mailing lists, and drop everything to push an update every time a bug arrives. It’s exhausting. I’ve done that, I used to do it for our custom build of Apache for RHEL-based systems, and it was miserable. Hated it.
For what it’s worth, in my experience, big corps are more comfortable with RHEL (primarily because Red Hat employs a lot more developers and tends to be more responsive to security issues). If you plan to have a lot of big corporate customers, or if this one client is big enough to justify it, you might want to start deploying those customers on a RHEL system instead of Ubuntu.
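One way to do the changelog check the post describes against a scanner's findings, as an added example that is not the poster's code: it parses a constructed Debian-style changelog (the CVE ids in it are placeholders, not real vulnerabilities) and reports which flagged CVEs the installed package version already carries a fix for. On a real host the changelog text would come from `apt-get changelog apache2` and the installed version from `dpkg-query -W -f='${Version}' apache2`.

```python
import re

# Constructed sample of a Debian-style changelog (not a real apache2 changelog);
# the CVE identifiers are placeholders, not real vulnerabilities.
SAMPLE_CHANGELOG = """\
apache2 (2.4.58-1ubuntu8.4) noble-security; urgency=medium

  * SECURITY UPDATE: example issue in mod_example
    - debian/patches/CVE-0000-0101.patch: fix the example issue
    - CVE-0000-0101

 -- Packager <packager@example.invalid>  Mon, 01 Jan 2024 00:00:00 +0000

apache2 (2.4.58-1ubuntu8.2) noble-updates; urgency=medium

  * SECURITY UPDATE: another example issue
    - CVE-0000-0077

 -- Packager <packager@example.invalid>  Mon, 01 Jan 2024 00:00:00 +0000
"""

# An entry header looks like: "<package> (<version>) <distribution>; urgency=..."
ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\) ", re.MULTILINE)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def cves_fixed_by_version(changelog):
    """Map each version in the changelog (newest first) to the CVEs its entry names."""
    result = {}
    entries = list(ENTRY_RE.finditer(changelog))
    for i, m in enumerate(entries):
        end = entries[i + 1].start() if i + 1 < len(entries) else len(changelog)
        result[m.group(2)] = sorted(set(CVE_RE.findall(changelog[m.end():end])))
    return result

def check_scanner_findings(changelog, installed_version, flagged):
    """Split scanner-flagged CVEs into those the installed version already
    carries a fix for (its own entry or any older one) and those it does not."""
    fixed, seen = set(), False
    for version, cves in cves_fixed_by_version(changelog).items():
        seen = seen or version == installed_version
        if seen:
            fixed.update(cves)
    if not seen:
        raise ValueError(f"{installed_version} not found in changelog")
    return {"fixed": sorted(set(flagged) & fixed), "unresolved": sorted(set(flagged) - fixed)}
```

The "unresolved" list is what still needs a real answer; a CVE naming an upstream version the vendor never shipped (the 2.4.60 case above) will land there too, so check the CVE text itself before raising it.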