Topic: modsecurity VS16 handle leak :: fix |
|
Author |
|
jonezk
Joined: 20 Dec 2021 Posts: 2 Location: Finland
|
Posted: Tue 21 Dec '21 12:40 Post subject: modsecurity VS16 handle leak :: fix |
|
|
Handle fix in APR download, see below
I'm using Apache 2.4.51 with modsecurity 2.9.3 in a Windows environment. This combination is leaking at least one handle on every request and Apache will finally crash after leaking millions of handles.
After some googling I found this:
https://github.com/SpiderLabs/ModSecurity/issues/2181
and I believe this is (in some way) the root cause for the handle leak in my environment, which is a very basic one, using default settings in most places.
Apache's log shows this at startup, see APR version:
[Mon Dec 20 10:38:23.240075 2021] [:notice] [pid 4528:tid 656] ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/) configured.
[Mon Dec 20 10:38:23.241121 2021] [:notice] [pid 4528:tid 656] ModSecurity: APR compiled version="1.7.0"; loaded version="1.7.0"
From the issue 2181 above I found this (see the commit date):
https://github.com/apache/apr/commit/71d0990074e0ef4de584ae95fad7f84aceb4ca64
I also found this:
http://svn.apache.org/viewvc/apr/apr/branches/1.7.x/CHANGES?view=markup
See the changes for APR 1.7.1:
*) Fix handle leak in the Win32 apr_uid_current implementation.
PR 61165. [Ivan Zhakov]
I'm not 100% sure about this whole picture, but to me this looks like the actual issue has been fixed already 2,5 years ago and would be available in APR 1.7.1, but Apache is still using 1.7.0.
It is also possible that this requires a new modsecurity v2.9.5 build. |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3094 Location: Hilversum, NL, EU
|
Posted: Wed 22 Dec '21 10:44 Post subject: |
|
|
Yep, CPU deadlock under load.
It is not fixed in 2.9.4/5. The fix, mentioned in issue 2181, was not backported to 1.7.0. I made sure that the fix r1860057 is now backported (thanks to Ruediger) for the next release, no date known yet.
Already for now applied the APR fix to 1.7.0:
Fix APR now included in the download since 2.4.54 02-November-2022
Please copy and replace to your bin folder.
Last edited by Steffen on Sat 01 Jan '22 13:20; edited 4 times in total |
|
Back to top |
|
jonezk
Joined: 20 Dec 2021 Posts: 2 Location: Finland
|
Posted: Wed 22 Dec '21 13:12 Post subject: |
|
|
I tried this new libapr-1.dll and it has resolved my problem. No more leaking handles and everything else works fine, too. Thanks a lot. |
|
Back to top |
|
radboud.asselman
Joined: 28 Apr 2021 Posts: 3 Location: Netherlands
|
Posted: Tue 18 Jan '22 15:07 Post subject: |
|
|
I also tried this new libapr-1.dll and it has resolved my problem too! The leaking handles disappeared.
Thank you for offering this hotfix. It is very much appreciated! |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3094 Location: Hilversum, NL, EU
|
Posted: Sat 05 Nov '22 14:10 Post subject: |
|
|
Fix APR now included in the download since 2.4.54 02-November-2022 |
|
Back to top |
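An added example, not part of any post in this thread and not Apache Lounge or APR code: a Python check that reads the ModSecurity startup notice quoted in the first post to see whether the loaded APR predates 1.7.1, then measures handle growth per request from samples you collect. The sample counts are constructed, the function names are hypothetical, and a 1.7.0 DLL carrying the backported fix may still report 1.7.0, so the measured slope, not the version string, is the confirmation.

```python
import re

# Format of the ModSecurity 2.x startup notice quoted in the first post.
APR_RE = re.compile(
    r'ModSecurity: APR compiled version="([\d.]+)"; loaded version="([\d.]+)"')
FIXED_IN = (1, 7, 1)  # APR CHANGES lists the apr_uid_current leak fix under 1.7.1


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def apr_status(log_lines):
    """Return (compiled, loaded, predates_fix) from the latest notice, or None."""
    found = None
    for line in log_lines:
        match = APR_RE.search(line)
        if match:
            found = match.groups()  # a later startup overrides earlier ones
    if found is None:
        return None
    compiled, loaded = found
    return compiled, loaded, parse_version(loaded) < FIXED_IN


def handles_per_request(samples):
    """Least-squares slope of handle count against requests served.

    samples: (total_requests, handle_count) pairs taken at intervals.
    """
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    mean_x = sum(x for x, _ in samples) / n
    mean_y = sum(y for _, y in samples) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in samples)
    if sxx == 0:
        raise ValueError("request counter did not advance")
    return sum((x - mean_x) * (y - mean_y) for x, y in samples) / sxx


# Startup notice as quoted in the thread; the handle samples are constructed.
LOG = ['[Mon Dec 20 10:38:23.241121 2021] [:notice] [pid 4528:tid 656] '
       'ModSecurity: APR compiled version="1.7.0"; loaded version="1.7.0"']
LEAKING = [(0, 410), (1000, 1415), (2000, 2409), (3000, 3412)]
PATCHED = [(0, 410), (1000, 418), (2000, 407), (3000, 412)]

if __name__ == "__main__":
    print(apr_status(LOG))
    print(handles_per_request(LEAKING), handles_per_request(PATCHED))
```

A slope near 1.0 matches the "at least one handle on every request" symptom from the first post; a slope near zero after replacing libapr-1.dll matches the results reported in the replies.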