[bug] avoid installing in custom paths

A vulnerability in QtIFW produces improper ACLs to be set when installing in custom locations. This can lead to privilege escalation if a non-privileged user overwrites the openvpn binary. Thanks to researchers at Tenable for finding and reporting this! Impact is considered low-medium, since an installation outside of the suggested path is needed to trigger the issue. Privileged execution of openvpn should be abandoned in next release, in favor of the interactive service. A bug upstream should be filed since other projects could be affected by this vulnerability too. -Resolves: #569
author: kali <kali@win> 2021-12-15 19:45:11 +0100
committer: kali kaneko (leap communications) <kali@leap.se> 2021-12-15 20:02:12 +0100
commit: e694a038c7edc146b63557425b307833b11aea57 (patch)
tree: 4cef985ee8e19c040c5eedc0daf4a302a2e49bfa /CHANGELOG
parent: 7ab7b8cd822dc0e4548f9cf6795567f2eeef44e1 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG
index b50ddb2..982151f 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -13,6 +13,7 @@ development
 - Disable autostart on first run
 - Provider "message of the day"
 - primitive version check for windows, osx.
+- #569 avoid installing in custom paths to mitigate security issue in windows
 
 
 0.21.6
author	kali <kali@win>	2021-12-15 19:45:11 +0100
committer	kali kaneko (leap communications) <kali@leap.se>	2021-12-15 20:02:12 +0100
commit	e694a038c7edc146b63557425b307833b11aea57 (patch)
tree	4cef985ee8e19c040c5eedc0daf4a302a2e49bfa /CHANGELOG
parent	7ab7b8cd822dc0e4548f9cf6795567f2eeef44e1 (diff)