From e694a038c7edc146b63557425b307833b11aea57 Mon Sep 17 00:00:00 2001 From: kali Date: Wed, 15 Dec 2021 19:45:11 +0100 Subject: [bug] avoid installing in custom paths A vulnerability in QtIFW produces improper ACLs to be set when installing in custom locations. This can lead to privilege escalation if a non-privileged user overwrites the openvpn binary. Thanks to researchers at Tenable for finding and reporting this! Impact is considered low-medium, since an installation outside of the suggested path is needed to trigger the issue. Privileged execution of openvpn should be abandoned in next release, in favor of the interactive service. A bug upstream should be filed since other projects could be affected by this vulnerability too. -Resolves: #569 --- CHANGELOG | 1 + 1 file changed, 1 insertion(+) (limited to 'CHANGELOG') diff --git a/CHANGELOG b/CHANGELOG index b50ddb2..982151f 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -13,6 +13,7 @@ development - Disable autostart on first run - Provider "message of the day" - primitive version check for windows, osx. +- #569 avoid installing in custom paths to mitigate security issue in windows 0.21.6 -- cgit v1.2.3
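Review bot: The added CHANGELOG line ("- #569 avoid installing in custom paths to mitigate security issue in windows") does not say what the issue is or who is affected. The commit message describes improper ACLs on custom install locations that let a non-privileged user overwrite the openvpn binary, so the entry could state that, for example "- #569 Windows: avoid installing in custom paths (improper ACLs there allow local privilege escalation)". Marking it as a security fix would also help users who already installed outside the suggested path see that the entry concerns them. This view is limited to CHANGELOG, so the installer change itself cannot be checked from these lines.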