As reported by me on oss-security at $URL, varnish, at least on gentoo, has a world-redable log/logdir: # ls -la /var/log/varnish/ total 8 drwxr-xr-x 2 root root 4096 Feb 22 13:48 . drwxr-xr-x 8 root root 4096 Feb 22 13:50 .. -rw-r--r-- 1 root root 0 Feb 22 13:48 access.log
This should be fixed in varnish-4.0.0-r1.
Is the vulnerability present in 3.0.X? Or is it only 4.0.X? If it is 3.0.X we will need to stabilize.
CVE-2013-0345 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0345): varnish 3.0.3 uses world-readable permissions for the /var/log/varnish/ directory and the log files in the directory, which allows local users to obtain sensitive information by reading the files. NOTE: some of these details are obtained from third party information.
It is already fixed, it seems (in our tree too). Added to existing glsa draft.
Please re-verify that this is indeed fixed, I'm seeing -rw-r--r-- 1 root root 5 Jun 29 13:17 access.log still doing a fresh install of www-servers/varnish-3.0.5-r3 in a VM.
(In reply to Christian Ruppert (idl0r) from comment #1) > This should be fixed in varnish-4.0.0-r1.
This issue was resolved and addressed in GLSA 201412-30 at http://security.gentoo.org/glsa/glsa-201412-30.xml by GLSA coordinator Mikle Kolyada (Zlogene).