Best, I can tell this did start with 1.140. Downgrading to 1.139 seems to resolve this issue (at least in the limited time I have been watching this).
Checking this further, I believe the issue is in the 12_HTTP_HTTPDoS.conf file
Specifically the added lines:
SecRule REQUEST_FILENAME "@ge 0" \
"id:217310,chain,msg:'COMODO WAF: Emergency DDoS bot protection test.||%{tx.domain}|%{tx.mode}|2',phase:4,pass,log,t:none,t:length,rev:3,severity:2,tag:'CWAF',tag:'HTTPDoS'"
SecRule &IP:COOKIE_SENT "@eq 0" \
"chain,setvar:'ip.unique+%{UNIQUE_ID}'"
SecRule STREAM_OUTPUT_BODY "@rsub s/<head>/<head><script>document.cookie=\"jsddosbd=%{ip.unique};max-age=300;path=\/;\";<\/script>" \
"setvar:'ip.cookie_sent=1',expirevar:'ip.cookie_sent=300',t:none"
SecRule IP:COOKIE_SENT "@eq 1" \
"id:217311,chain,msg:'Client failed emergency DDoS bot protection test||%{tx.domain}|%{tx.mode}|2',phase:1,deny,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'HTTPDoS'"
SecRule &REQUEST_COOKIES:jsddosbd "!@eq 1"
SecRule IP:COOKIE_SENT "@eq 1" \
"id:217312,chain,msg:'Client failed emergency DDoS bot protection test||%{tx.domain}|%{tx.mode}|2',phase:1,deny,deny,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'HTTPDoS'"
SecRule REQUEST_COOKIES:jsddosbd "!@streq %{ip.unique}" \
"t:none"
(Pretty much the last 14 lines of that file)
If you comment out those lines, this seem to stop this error from flooding the error_log.
I do not know what specifically in these rules is causing this issue.