The ASF HTTPD project did not mention security vulnerabilities fixed in
the initial changelog 2.4.39.

To be 100% accurate, the ASF HTTP Server project had not announced the
release of 2.4.39. It had concluded a vote, but only the RM's announcement
triggers the release. There is a delay for the RM to stage the artifacts so they
can be downloaded by anyone from our entire array of mirror sites. And in
that time, the RM could even pull the release owing to a serious packaging
glitch, if they should need to (this happened not so long ago at httpd).

You jumped the gun by pre-announcing your package as a "release", ahead
of the RM's announce and ahead of downloads from the ASF, which is poor
form to say the least.

Security issues are embargoed until that announcement is broadcast by
the RM to the entire public at once. The project will not mention security
vulnerabilities fixed until that moment.

This isn't to say you shouldn't assemble your release of version x.y.z based
on the vote candidate; in fact any change to that source package will always
trigger version x.y.z+1, so there is no risk that your build varies from the final
announced package. Be ahead of the game preparing your binary package,
but defer any publicity until after the actual announcement.