Package: libapache2-mod-security2
Version: 2.9.3-1+deb10u1
Severity: normal

Dear Maintainer,

We are using Apache2 mpm_event and under high load we see a lot of error messages from modsecurity that look like this:

ModSecurity: collections_remove_stale: Failed deleting collection (name "ip", key "1.2.3.4_3d0740369120b3ec6f500b2539b7d0aa268882b8"): Internal error (specific information not available)

and also hundreds of apache threads that are stuck in the "Logging" state.

This bug was fixed upstream:
https://github.com/SpiderLabs/ModSecurity/issues/576

In order to activate the fix one has to add --enable-collection-global-lock to the configure options. We already built our own package from the deb-src with this option added and can confirm that it works, without the need to change any other configuration.

It would be nice to have this option added in future releases of the package.

Best Regards
Robin Koch

-- System Information:
Debian Release: 10.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-17-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libapache2-mod-security2 depends on:
ii  apache2-bin [apache2-api-20120211]  2.4.38-3+deb10u6
ii  libapr1                             1.6.5-1+b1
ii  libaprutil1                         1.6.1-4
ii  libc6                               2.28-10
ii  libcurl3-gnutls                     7.64.0-4+deb10u2
ii  liblua5.1-0                         5.1.5-8.1+b2
ii  libpcre3                            2:8.39-12
ii  libxml2                             2.9.4+dfsg1-7+deb10u2
ii  libyajl2                            2.1.0-3

Versions of packages libapache2-mod-security2 recommends:
hi  modsecurity-crs  3.1.0-1+deb10u2

libapache2-mod-security2 suggests no packages.

-- Configuration Files:
/etc/apache2/mods-available/security2.conf changed [not included]
/etc/apache2/mods-available/security2.load changed [not included]

-- no debconf information

