The patch is wrong. It only adds thread local data and does absolutely nothing 
to prevent id collisions.

It should not be merged here and also should not be merged upstream, but it’s 
beyond my capacity to send the feedback there.

You need something like:

- generate random nonce for each thread, then use https://prng.di.unimi.it/

Ondrej
--
Ondřej Surý <ond...@sury.org> (He/Him)

> On 3. 5. 2021, at 23:33, Atle Solbakken <a...@goliathdns.no> wrote:
> Package: apache2
> Version: 2.4.38-3+deb10u4
> Severity: normal
> Tags: patch
> 
> Hi
> 
> The current version has a race condition in mod_unique_id causing non-unique
> IDs to be generated (multiple threads are using a counter without any mutex).
> 
> I've encountered the issue in a production situation myself.
> 
> The issue has been fixed upstream.
> 
> https://svn.apache.org/viewvc?view=revision&revision=1887244
> https://svn.apache.org/viewvc?view=revision&revision=1887245
> 
> I've tried to compile the patch on top of the current stable version 2.0.38,
> which seems to work. Upstream, the patch is only available from 2.0.47 and it's
> currently in experimental.
> 
> Maybe it can be applied to 2.0.38 as well.
> 
> Best regards
> Atle Solbakken
> 
> -- Package-specific info:
> 
> -- System Information:
> Debian Release: 10.9
>  APT prefers stable-updates
>  APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 4.19.0-13-amd64 (SMP w/1 CPU core)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: 
> LC_ALL set to en_US.UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) (ignored: 
> LC_ALL set to en_US.UTF-8)
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
> 
> Versions of packages apache2 depends on:
> ii  apache2-bin    2.4.38-3+deb10u4
> ii  apache2-data   2.4.38-3+deb10u4
> ii  apache2-utils  2.4.38-3+deb10u4
> ii  dpkg           1.19.7
> ii  lsb-base       10.2019051400
> ii  mime-support   3.62
> ii  perl           5.28.1-6+deb10u1
> ii  procps         2:3.3.15-2
> 
> Versions of packages apache2 recommends:
> ii  ssl-cert  1.0.39
> 
> Versions of packages apache2 suggests:
> pn  apache2-doc                                      <none>
> pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
> pn  www-browser                                      <none>
> 
> Versions of packages apache2-bin depends on:
> ii  libapr1                  1.6.5-1+b1
> ii  libaprutil1              1.6.1-4
> ii  libaprutil1-dbd-sqlite3  1.6.1-4
> ii  libaprutil1-ldap         1.6.1-4
> ii  libbrotli1               1.0.7-2+deb10u1
> ii  libc6                    2.28-10
> ii  libcurl4                 7.64.0-4+deb10u2
> ii  libjansson4              2.12-1
> ii  libldap-2.4-2            2.4.47+dfsg-3+deb10u6
> ii  liblua5.2-0              5.2.4-1.1+b2
> ii  libnghttp2-14            1.36.0-2+deb10u1
> ii  libpcre3                 2:8.39-12
> ii  libssl1.1                1.1.1d-0+deb10u6
> ii  libxml2                  2.9.4+dfsg1-7+deb10u1
> ii  perl                     5.28.1-6+deb10u1
> ii  zlib1g                   1:1.2.11.dfsg-1
> 
> Versions of packages apache2-bin suggests:
> pn  apache2-doc                                      <none>
> pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
> pn  www-browser                                      <none>
> 
> Versions of packages apache2 is related to:
> ii  apache2      2.4.38-3+deb10u4
> ii  apache2-bin  2.4.38-3+deb10u4
> 
> -- no debconf information
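The per-thread design Ondrej sketches above (a random nonce per thread, expanded into a xoshiro256** state that only that thread advances) as an added example; this is not code from the thread, from the upstream patch or from mod_unique_id, and the `uid_state`, `uid_init`, `uid_next` and `uid_count_duplicates` names are assumptions. Because every thread owns its own state, no counter is shared and the unlocked read-modify-write that produced the duplicate IDs in the report cannot occur.

```c
#include <stdint.h>
#include <stdlib.h>

/* Per-thread generator: each thread owns one of these (e.g. in _Thread_local
 * storage), so no counter is shared between threads and no mutex is needed. */
struct uid_state {
    uint64_t s[4]; /* xoshiro256** state, seeded from the thread's nonce */
};

/* splitmix64: the seeding routine recommended at prng.di.unimi.it, turning a
 * single 64-bit nonce into a full 256-bit, never-all-zero xoshiro state. */
static uint64_t splitmix64(uint64_t *x) {
    uint64_t z = (*x += 0x9e3779b97f4a7c15ULL);
    z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9ULL;
    z = (z ^ (z >> 27)) * 0x94d049bb133111ebULL;
    return z ^ (z >> 31);
}

static inline uint64_t rotl(uint64_t x, int k) { return (x << k) | (x >> (64 - k)); }

/* xoshiro256**: next 64-bit output, advancing only this thread's state. */
static uint64_t xoshiro256ss(uint64_t s[4]) {
    const uint64_t result = rotl(s[1] * 5, 7) * 9;
    const uint64_t t = s[1] << 17;
    s[2] ^= s[0]; s[3] ^= s[1]; s[1] ^= s[2]; s[0] ^= s[3];
    s[2] ^= t;
    s[3] = rotl(s[3], 45);
    return result;
}

/* Initialise a thread's state from its random nonce. In a real server the
 * nonce comes from the OS CSPRNG (e.g. getrandom(2)) when the thread starts. */
void uid_init(struct uid_state *st, uint64_t nonce) {
    for (int i = 0; i < 4; i++) st->s[i] = splitmix64(&nonce);
}

/* Next request ID for the calling thread: touches no shared state. */
uint64_t uid_next(struct uid_state *st) { return xoshiro256ss(st->s); }

/* Demo helper: draw n IDs from two independently seeded "threads" and count
 * duplicates across the combined set (expected: 0). O(n^2) is fine here. */
size_t uid_count_duplicates(uint64_t nonce_a, uint64_t nonce_b, size_t n) {
    struct uid_state a, b;
    uid_init(&a, nonce_a);
    uid_init(&b, nonce_b);
    uint64_t *ids = malloc(2 * n * sizeof *ids);
    if (!ids) return (size_t)-1;
    for (size_t i = 0; i < n; i++) { ids[i] = uid_next(&a); ids[n + i] = uid_next(&b); }
    size_t dups = 0;
    for (size_t i = 0; i < 2 * n; i++)
        for (size_t j = i + 1; j < 2 * n; j++)
            if (ids[i] == ids[j]) dups++;
    free(ids);
    return dups;
}
```

With 64-bit outputs the chance of two threads ever colliding over a server's lifetime is on the order of n^2 / 2^65, so the per-thread nonce replaces the global counter without needing a lock.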
