From c78d7dd03a95698f318f05e0852cf65d85e53b2d Mon Sep 17 00:00:00 2001
From: Julian Brost
Date: Fri, 9 Jan 2026 13:49:05 +0100
Subject: [PATCH 1/3] Windows: set ACLs for %ProgramData%\icinga2\var as well
---
 icinga-installer/icinga-installer.cpp | 1 +
 1 file changed, 1 insertion(+)
diff --git a/icinga-installer/icinga-installer.cpp b/icinga-installer/icinga-installer.cpp
index 4dc050de6..8a87c7a3f 100644
--- a/icinga-installer/icinga-installer.cpp
+++ b/icinga-installer/icinga-installer.cpp
@@ -272,6 +272,7 @@ static int InstallIcinga(void)
 ExecuteCommand("icacls", "\"" + dataDir + "\" /grant *S-1-5-20:(oi)(ci)m");
 ExecuteCommand("icacls", "\"" + dataDir + "\\etc\" /inheritance:r /grant:r *S-1-5-20:(oi)(ci)m *S-1-5-32-544:(oi)(ci)f");
+ ExecuteCommand("icacls", "\"" + dataDir + "\\var\" /inheritance:r /grant:r *S-1-5-20:(oi)(ci)m *S-1-5-32-544:(oi)(ci)f");
 ExecuteIcingaCommand("--scm-install daemon");
From 14292398c0aebed95c067c62011786eb1044bd3a Mon Sep 17 00:00:00 2001
From: Julian Brost
Date: Wed, 14 Jan 2026 14:10:11 +0100
Subject: [PATCH 2/3] Add error handling for icacls calls
---
 icinga-installer/icinga-installer.cpp | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/icinga-installer/icinga-installer.cpp b/icinga-installer/icinga-installer.cpp
index 8a87c7a3f..2095627ed 100644
--- a/icinga-installer/icinga-installer.cpp
+++ b/icinga-installer/icinga-installer.cpp
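Review bot: In `[PATCH 1/3]`, the added `\\var` call rewrites the ACL of the directory itself, but nothing in the hunk deals with files and subdirectories that already exist below it when an older installation is upgraded. Inherited entries on those children should be recomputed, while explicit ACEs and object ownership set up under the previous permissions stay as they were. If that is not handled elsewhere in InstallIcinga (the function begins and ends outside the hunk), consider following the call with `ExecuteCommand("icacls", "\"" + dataDir + "\\var\\*\" /reset /t /c");` (plus `/setowner` if ownership matters), or add a comment stating that pre-existing content is deliberately left alone. The `\\etc` line above it has the same gap.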
@@ -270,9 +270,15 @@ static int InstallIcinga(void)
 // TODO: In Icinga 2.14, rename features-available/mainlog.conf to mainlog.conf.deprecated
 // so that it's no longer listed as an available feature.
- ExecuteCommand("icacls", "\"" + dataDir + "\" /grant *S-1-5-20:(oi)(ci)m");
- ExecuteCommand("icacls", "\"" + dataDir + "\\etc\" /inheritance:r /grant:r *S-1-5-20:(oi)(ci)m *S-1-5-32-544:(oi)(ci)f");
- ExecuteCommand("icacls", "\"" + dataDir + "\\var\" /inheritance:r /grant:r *S-1-5-20:(oi)(ci)m *S-1-5-32-544:(oi)(ci)f");
+ if (!ExecuteCommand("icacls", "\"" + dataDir + "\" /grant *S-1-5-20:(oi)(ci)m")){
+ throw std::runtime_error("failed to set ACLs for " + dataDir);
+ }
+ if (!ExecuteCommand("icacls", "\"" + dataDir + "\\etc\" /inheritance:r /grant:r *S-1-5-20:(oi)(ci)m *S-1-5-32-544:(oi)(ci)f")) {
+ throw std::runtime_error("failed to set ACLs for " + dataDir + "\\etc");
+ }
+ if (!ExecuteCommand("icacls", "\"" + dataDir + "\\var\" /inheritance:r /grant:r *S-1-5-20:(oi)(ci)m *S-1-5-32-544:(oi)(ci)f")) {
+ throw std::runtime_error("failed to set ACLs for " + dataDir + "\\var");
+ }
 ExecuteIcingaCommand("--scm-install daemon");
From 77ad67a0eae9cd8dd95d6e80da9d22ea848bc5d8 Mon Sep 17 00:00:00 2001
From: Johannes Schmidt
Date: Thu, 29 Jan 2026 11:44:39 +0100
Subject: [PATCH 3/3] Add security update to v2.14.8 changelog
---
 CHANGELOG.md | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index fe0b0c7ed..6dd685b79 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
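Review bot: In `[PATCH 2/3]`, the three new `if (!ExecuteCommand("icacls", …))` blocks repeat the quoting, the restricted ACL specification and the path used in the error message by hand, so the `\\etc` and `\\var` rules can drift apart unnoticed; a small local helper that takes the path and the icacls arguments keeps them in one place, as sketched below. The first block is also written `){` where the other two use `) {`. Separately, `icacls` is still passed by bare name: if ExecuteCommand does not resolve it against the system directory (not visible here), an absolute path would be the safer choice for an installer that runs elevated. InstallIcinga begins and ends outside the hunk, so whether the `std::runtime_error` is caught and reported to the user is not visible either.

```cpp
// … unchanged: TODO comment about mainlog.conf …
const std::string restrictedAcl = " /inheritance:r /grant:r *S-1-5-20:(oi)(ci)m *S-1-5-32-544:(oi)(ci)f";
auto setAcl = [](const std::string& path, const std::string& icaclsArgs) {
	if (!ExecuteCommand("icacls", "\"" + path + "\"" + icaclsArgs)) {
		throw std::runtime_error("failed to set ACLs for " + path);
	}
};

setAcl(dataDir, " /grant *S-1-5-20:(oi)(ci)m");
setAcl(dataDir + "\\etc", restrictedAcl);
setAcl(dataDir + "\\var", restrictedAcl);
// … unchanged: ExecuteIcingaCommand("--scm-install daemon"); …
```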
@@ -9,9 +9,12 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic
 ## 2.14.8 (2026-01-29)
-This release updates the bundled OpenSSL library and includes changes to allow
-building with newer toolchains.
+This security release fixes a problem in the Icinga 2 Windows MSI that did not
+set proper permissions for `%ProgramData%\icinga2\var`. Additionally, it
+updates the bundled OpenSSL library and includes changes to allow building with
+newer toolchains.
+* CVE-2026-24413: Fix permissions of `%ProgramData%\icinga2\var` on Windows.
 * Windows: Update to OpenSSL 3.0.19. #10705
 * Bump Boost shipped for Windows to v1.87. #10651
 * Allow building with CMake 4. #10624