As reported by me on oss-security at $URL, varnish, at least on gentoo, has a world-redable
# ls -la /var/log/varnish/
drwxr-xr-x 2 root root 4096 Feb 22 13:48 .
drwxr-xr-x 8 root root 4096 Feb 22 13:50 ..
-rw-r--r-- 1 root root 0 Feb 22 13:48 access.log
This should be fixed in varnish-4.0.0-r1.
Is the vulnerability present in 3.0.X? Or is it only 4.0.X?
If it is 3.0.X we will need to stabilize.
varnish 3.0.3 uses world-readable permissions for the /var/log/varnish/
directory and the log files in the directory, which allows local users to
obtain sensitive information by reading the files. NOTE: some of these
details are obtained from third party information.
It is already fixed, it seems (in our tree too). Added to existing glsa draft.
Please re-verify that this is indeed fixed, I'm seeing -rw-r--r-- 1 root root 5 Jun 29 13:17 access.log still doing a fresh install of www-servers/varnish-3.0.5-r3 in a VM.
(In reply to Christian Ruppert (idl0r) from comment #1)
> This should be fixed in varnish-4.0.0-r1.
This issue was resolved and addressed in
GLSA 201412-30 at http://security.gentoo.org/glsa/glsa-201412-30.xml
by GLSA coordinator Mikle Kolyada (Zlogene).