Package: libapache2-mod-security2
Version: 2.9.3-1+deb10u1
Severity: normal

Dear Maintainer,

We are using Apache2 mpm_event and under high load we see a lot of error 
messages from modsecurity that look like this:
ModSecurity: collections_remove_stale: Failed deleting collection (name "ip", 
key "1.2.3.4_3d0740369120b3ec6f500b2539b7d0aa268882b8"): Internal error 
(specific information not available)
and also hundreds of apache threads that are stuck in the "Logging" state. This 
bug was fixed upstream: https://github.com/SpiderLabs/ModSecurity/issues/576
In order to activate the fix one has to add --enable-collection-global-lock to 
the configure options.
We already built our own package from the deb-src with this option 
added and can confirm that it works, without the need to change any other 
configuration.
It would be nice to have this option added in future releases of the package.

Best Regards
Robin Koch

-- System Information:
Debian Release: 10.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-17-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libapache2-mod-security2 depends on:
ii  apache2-bin [apache2-api-20120211]  2.4.38-3+deb10u6
ii  libapr1                             1.6.5-1+b1
ii  libaprutil1                         1.6.1-4
ii  libc6                               2.28-10
ii  libcurl3-gnutls                     7.64.0-4+deb10u2
ii  liblua5.1-0                         5.1.5-8.1+b2
ii  libpcre3                            2:8.39-12
ii  libxml2                             2.9.4+dfsg1-7+deb10u2
ii  libyajl2                            2.1.0-3

Versions of packages libapache2-mod-security2 recommends:
hi  modsecurity-crs  3.1.0-1+deb10u2

libapache2-mod-security2 suggests no packages.

-- Configuration Files:
/etc/apache2/mods-available/security2.conf changed [not included]
/etc/apache2/mods-available/security2.load changed [not included]

-- no debconf information
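
Added example, not part of the original report or of ModSecurity: a small triage script that counts the collections_remove_stale failures quoted above per collection and per minute, to confirm whether a host is affected before and after rebuilding with the configure option. It assumes the default Apache 2.4 error log timestamp and one message per log line; the sample lines are constructed, and only the "ip" key is taken from the report.

```python
import re
from collections import Counter

# The message quoted in the report. Whatever precedes it on the log line
# (timestamp, pid, client) is ignored; in a real log it is a single line.
STALE_RE = re.compile(
    r'ModSecurity: collections_remove_stale: Failed deleting collection '
    r'\(name "(?P<name>[^"]*)", key "(?P<key>[^"]*)"\)'
)
# Assumed: default Apache 2.4 timestamp, "[Tue Nov 02 10:15:01.123456 2021]".
TS_RE = re.compile(r'^\[\w{3} (\w{3} \d{2} \d{2}:\d{2}):\d{2}(?:\.\d+)? (\d{4})\]')

def summarize(lines):
    """Count stale-collection delete failures per collection and per minute."""
    per_collection, per_minute, keys = Counter(), Counter(), set()
    for line in lines:
        m = STALE_RE.search(line)
        if m is None:
            continue
        per_collection[m["name"]] += 1
        keys.add((m["name"], m["key"]))
        ts = TS_RE.match(line)
        per_minute[f"{ts.group(2)} {ts.group(1)}" if ts else "unknown"] += 1
    return {
        "per_collection": dict(per_collection),
        "per_minute": dict(per_minute),
        "distinct_keys": len(keys),
    }

def _sample(ts, name, key):
    # Constructed log line; pid/tid and client values are made up.
    return (f'[{ts} 2021] [:error] [pid 4242:tid 1] [client 192.0.2.10:51000] '
            f'ModSecurity: collections_remove_stale: Failed deleting collection '
            f'(name "{name}", key "{key}"): Internal error '
            f'(specific information not available)')

KEY_A = "1.2.3.4_3d0740369120b3ec6f500b2539b7d0aa268882b8"  # key from the report
SAMPLE = [
    _sample("Tue Nov 02 10:15:01.100000", "ip", KEY_A),
    _sample("Tue Nov 02 10:15:02.200000", "ip", KEY_A),
    _sample("Tue Nov 02 10:15:40.300000", "ip", "192.0.2.77_constructed"),
    _sample("Tue Nov 02 10:16:05.400000", "global", "global"),
    "[Tue Nov 02 10:16:06.500000 2021] [mpm_event:notice] unrelated line",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

To use it on a real log, pass an open file object for the Apache error log to summarize() instead of SAMPLE.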
