group.of.nepali.translators team mailing list archive

[Bug 1565744] Re: "Mutex file:${APACHE_LOCK_DIR} default" should be disabled by default on Linux because it leads to errors

 

This bug was fixed in the package apache2 - 2.4.18-2ubuntu3.17

---------------
apache2 (2.4.18-2ubuntu3.17) xenial-security; urgency=medium

  * SECURITY UPDATE: mod_rewrite redirect issue
    - debian/patches/CVE-2020-1927-1.patch: factor out default regex flags
      in include/ap_regex.h, server/core.c, server/util_pcre.c.
    - debian/patches/CVE-2020-1927-2.patch: add AP_REG_NO_DEFAULT to allow
      opt-out of pcre defaults in include/ap_regex.h,
      modules/filters/mod_substitute.c, server/util_pcre.c,
      server/util_regex.c.
    - CVE-2020-1927
  * SECURITY UPDATE: mod_proxy_ftp uninitialized memory issue
    - debian/patches/CVE-2020-1934.patch: trap bad FTP responses in
      modules/proxy/mod_proxy_ftp.c.
    - CVE-2020-1934

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Wed, 12 Aug 2020 17:35:50 -0400

** Changed in: apache2 (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1927

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1934

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1565744

Title:
  "Mutex file:${APACHE_LOCK_DIR} default" should be disabled by default
  on Linux because it leads to errors

Status in apache2 package in Ubuntu:
  Fix Released
Status in apache2 source package in Xenial:
  Fix Released

Bug description:
  [Impact]
  The default apache2.conf causes apache to issue streams of error
  messages about deadlocks acquiring the SSL session cache lock.

  Users are still reporting seeing this flaw in production (Xenial-based)
  hosts.

  [Test Case]
  Reproduction steps TBD.  Problem exhibits on high load systems.  Verification will need to be done by those seeing the issue in production.

  [Regression Potential]
  Since this only changes the config installed by default, it won't impact existing installations; however, behaviors to watch for would be SSL-related or configuration-related oddnesses.

  [Fix]
  Backport a fix applied in bionic and newer, that makes
  Apache use pthread mutexes by default on Linux, or fcntl on other
  architectures that lack robust pthread mutexes.

  [Other Info]
  Users should be aware that if they haven't changed /etc/apache2/apache2.conf this will automatically apply the fix, but users that have customized apache2.conf may still need to add it manually.

  [Original Report]
  OS:
  Ubuntu 14.04 LTS

  Kernel:
  3.13.0-79-generic x86_64

  Apache:
  2.4.7-1ubuntu4.5

  In the default Apache 2.4 config on Ubuntu 14.04 LTS, the following is
  set in /etc/apache2/apache2.conf:

  Mutex file:${APACHE_LOCK_DIR} default

  (/debian/config-dir/apache2.conf in
  http://archive.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.4.7-1ubuntu4.5.debian.tar.gz)

  which leads to the following output of "apache2ctl -t -D
  DUMP_RUN_CFG":

  Mutex default: dir="/var/lock/apache2" mechanism=fcntl

  This leads constantly to a lot of these warning/emergency messages on
  a server with 200 busy worker threads, 100 Requests/s, 300 KB/s:

  [Tue Mar 08 16:08:18.596653 2016] [ssl:warn] [pid 8339:tid
  140182179256064] (35)Resource deadlock avoided: AH02026: Failed to
  acquire SSL session cache lock

  [Wed Mar 09 07:09:31.099331 2016] [mpm_worker:emerg] [pid 26526:tid
  139668485949184] (35)Resource deadlock avoided: AH00273:
  apr_proc_mutex_lock failed. Attempting to shutdown process gracefully.

  Solution (as suggested by Yann Ylavic from Apache):
  Commenting (removing) the Mutex directive, which leads to the following output of "apache2ctl -t -D DUMP_RUN_CFG":

  Mutex default: dir="/var/run/apache2/" mechanism=default

  Then, there are no error messages anymore.

  For the discussion, see the corresponding Apache httpd-users mailing
  list thread:

  http://httpd.markmail.org/message/c7w5aujfmy2kfazi

  (thread subject 'Lots of messages "[ssl:warn] Resource deadlock
  avoided: AH02026: Failed to acquire SSL session cache lock"' from
  2016-03-08)

  Here is some more information:

  # apache2ctl -V
  Server version: Apache/2.4.7 (Ubuntu)
  Server built:   Jul 24 2015 17:25:11
  Server's Module Magic Number: 20120211:27
  Server loaded:  APR 1.5.1-dev, APR-UTIL 1.5.3
  Compiled using: APR 1.5.1-dev, APR-UTIL 1.5.3
  Architecture:   64-bit
  Server MPM:     worker
    threaded:     yes (fixed thread count)
      forked:     yes (variable process count)
  Server compiled with....
   -D APR_HAS_SENDFILE
   -D APR_HAS_MMAP
   -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
   -D APR_USE_SYSVSEM_SERIALIZE
   -D APR_USE_PTHREAD_SERIALIZE
   -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
   -D APR_HAS_OTHER_CHILD
   -D AP_HAVE_RELIABLE_PIPED_LOGS
   -D DYNAMIC_MODULE_LIMIT=256
   -D HTTPD_ROOT="/etc/apache2"
   -D SUEXEC_BIN="/usr/lib/apache2/suexec"
   -D DEFAULT_PIDLOG="/var/run/apache2.pid"
   -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
   -D DEFAULT_ERRORLOG="logs/error_log"
   -D AP_TYPES_CONFIG_FILE="mime.types"
   -D SERVER_CONFIG_FILE="apache2.conf"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1565744/+subscriptions
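
The check this report implies for hosts with a customized apache2.conf, as an added example that is not part of the original bug notification or the Ubuntu package: it looks for an active "Mutex file:" directive, reads the default mutex mechanism from saved "apache2ctl -t -D DUMP_RUN_CFG" output, and counts the two error IDs quoted above. The function names and the scratch file layout are assumptions; the sample values are copied from the report, except for one constructed log line.

```shell
#!/bin/sh
# Added example: audit for the Mutex condition described in this bug.

# List active (uncommented) "Mutex file:" directives, with line numbers.
active_file_mutex() {
    grep -nE '^[[:space:]]*Mutex[[:space:]]+file:' "$1"
}

# Read "apache2ctl -t -D DUMP_RUN_CFG" output on stdin and print the
# mechanism of the default mutex (e.g. "fcntl" or "default").
mutex_mechanism() {
    sed -n 's/^Mutex default:.*mechanism=\([A-Za-z0-9_-]*\).*/\1/p'
}

# Count error-log lines carrying either message ID quoted in the report.
count_lock_errors() {
    grep -cE 'AH02026|AH00273' "$1" || true
}

# Succeeds when the config forces file-based locking and the dumped
# run configuration resolves the default mutex to fcntl.
is_affected() {  # $1 = apache2.conf, $2 = saved DUMP_RUN_CFG output
    active_file_mutex "$1" >/dev/null &&
        [ "$(mutex_mechanism < "$2")" = "fcntl" ]
}

# Sample inputs (values copied from the report, file layout constructed)
# so the script runs offline.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'Mutex file:${APACHE_LOCK_DIR} default' > "$demo/before.conf"
printf '%s\n' '#Mutex file:${APACHE_LOCK_DIR} default' > "$demo/after.conf"
echo 'Mutex default: dir="/var/lock/apache2" mechanism=fcntl' > "$demo/before.dump"
echo 'Mutex default: dir="/var/run/apache2/" mechanism=default' > "$demo/after.dump"
cat > "$demo/error.log" <<'EOF'
[Tue Mar 08 16:08:18.596653 2016] [ssl:warn] [pid 8339:tid 140182179256064] (35)Resource deadlock avoided: AH02026: Failed to acquire SSL session cache lock
[Wed Mar 09 07:09:31.099331 2016] [mpm_worker:emerg] [pid 26526:tid 139668485949184] (35)Resource deadlock avoided: AH00273: apr_proc_mutex_lock failed. Attempting to shutdown process gracefully.
[Wed Mar 09 07:10:00.000000 2016] [core:notice] [pid 1:tid 1] constructed unrelated line
EOF

for state in before after; do
    if is_affected "$demo/$state.conf" "$demo/$state.dump"; then
        echo "$state: affected (file-based default mutex)"
    else
        echo "$state: not affected"
    fi
done
echo "lock errors in log: $(count_lock_errors "$demo/error.log")"
```

On a real host, pass /etc/apache2/apache2.conf to active_file_mutex and pipe live "apache2ctl -t -D DUMP_RUN_CFG" output into mutex_mechanism instead of the scratch files.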