varnishlog should not run as root

Bug #461593 reported by Tv
Affects: varnish (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Binary package hint: varnish

varnish 2.0.3-2 in Ubuntu 9.04 runs varnishlog as root. This is unnecessary and just makes the whole system vulnerable to bugs in varnishlog's parsing of e.g. HTTP header fields. varnish.deb should create a system user and run varnishlog under this user account.

Stig Sandbeck Mathisen (ssm) wrote :

Thanks,

I agree it should not run as root. I'll add an unprivileged user for varnishlog.

Stig Sandbeck Mathisen (ssm) wrote :

Varnish 2.1.3-2 has been uploaded to Debian, and contains a fix for this issue.
http://packages.qa.debian.org/v/varnish/news/20100729T222002Z.html

Chances are, it'll be available for Ubuntu quite soon.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package varnish - 2.1.3-2

---------------
varnish (2.1.3-2) unstable; urgency=low

  * Install all the needed library symlinks (Closes: #585128) (LP:
    #488258)
  * Use a different user for the varnish log daemons (LP: #461593)
  * Do not start automatically when installed (LP: #569060)
  * Clean up rules file, use debhelper v7

varnish (2.1.3-1) unstable; urgency=low

  * New upstream version
 -- Clint Byrum <email address hidden> Thu, 29 Jul 2010 23:36:35 +0200

Changed in varnish (Ubuntu):
status: New → Fix Released
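
A check for the condition this report describes, as an added example that is not part of the bug thread or the varnish package: it reads "USER COMMAND" pairs and flags the named log daemons when they run as root. The function name, the sample process tables and the account name `vlog-user` are constructed for illustration; the page does not name the account the fix creates.

```shell
#!/bin/sh
# Added example: flag log daemons that still run with root privileges.
# Input on stdin: one "USER COMMAND" pair per line, as produced by
#   ps -e -o user= -o comm=
# $1: space-separated daemon names to audit (default: varnishlog).
# Prints one line per offending process; returns 1 if any was found.
root_owned_daemons() {
    names="${1:-varnishlog}"
    awk -v names="$names" '
        BEGIN {
            n = split(names, list, " ")
            for (i = 1; i <= n; i++) want[list[i]] = 1
        }
        # ps prints the effective user; accept the name or the numeric uid.
        ($1 == "root" || $1 == "0") && ($2 in want) {
            print $2 " runs as " $1
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed process table matching the report (varnishlog owned by root).
sample_before() {
    printf '%s\n' 'root varnishd' 'nobody varnishd' 'root varnishlog'
}

# Constructed process table after a fix; "vlog-user" is a placeholder name.
sample_after() {
    printf '%s\n' 'root varnishd' 'nobody varnishd' 'vlog-user varnishlog'
}

# Demo on the constructed samples. varnishd is not in the audited list,
# so only the log daemon is evaluated.
sample_before | root_owned_daemons varnishlog || echo "before: check failed"
sample_after | root_owned_daemons varnishlog && echo "after: check passed"

# Live use on a host:
#   ps -e -o user= -o comm= | root_owned_daemons "varnishlog"
```
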