From 2b9ed3bdfd10cc47088d26aaeaa1f34262611a04 Mon Sep 17 00:00:00 2001
From: Julian Brost
Date: Fri, 9 Jan 2026 13:49:05 +0100
Subject: [PATCH 1/3] Windows: set ACLs for %ProgramData%\icinga2\var as well
---
 icinga-installer/icinga-installer.cpp | 1 +
 1 file changed, 1 insertion(+)
diff --git a/icinga-installer/icinga-installer.cpp b/icinga-installer/icinga-installer.cpp
index 4dc050de6..8a87c7a3f 100644
--- a/icinga-installer/icinga-installer.cpp
+++ b/icinga-installer/icinga-installer.cpp
@@ -272,6 +272,7 @@ static int InstallIcinga(void)
 ExecuteCommand("icacls", "\"" + dataDir + "\" /grant *S-1-5-20:(oi)(ci)m");
 ExecuteCommand("icacls", "\"" + dataDir + "\\etc\" /inheritance:r /grant:r *S-1-5-20:(oi)(ci)m *S-1-5-32-544:(oi)(ci)f");
+ ExecuteCommand("icacls", "\"" + dataDir + "\\var\" /inheritance:r /grant:r *S-1-5-20:(oi)(ci)m *S-1-5-32-544:(oi)(ci)f");
 ExecuteIcingaCommand("--scm-install daemon");
From 7048580aa7e61c529612c64432511a624813b633 Mon Sep 17 00:00:00 2001
From: Julian Brost
Date: Wed, 14 Jan 2026 14:10:11 +0100
Subject: [PATCH 2/3] Add error handling for icacls calls
---
 icinga-installer/icinga-installer.cpp | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/icinga-installer/icinga-installer.cpp b/icinga-installer/icinga-installer.cpp
index 8a87c7a3f..2095627ed 100644
--- a/icinga-installer/icinga-installer.cpp
+++ b/icinga-installer/icinga-installer.cpp
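Review bot: In [PATCH 1/3], the added `icacls` call for `\\var` replaces the DACL on the directory itself, but without `/t` it does not touch existing children that carry explicit or protected ACLs, and it never changes the owner, who keeps the implicit right to rewrite the DACL. On an upgrade from an affected install that may leave part of `var` with its old permissions, so it is worth confirming (not visible here) who owns the directory and whether its existing contents need a one-time reset. If ownership can be non-administrative, a separate call along the lines of `ExecuteCommand("icacls", "\"" + dataDir + "\\var\" /setowner *S-1-5-32-544");` would cover that; the same question applies to the existing `\\etc` line. InstallIcinga starts and ends outside the hunk.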
@@ -270,9 +270,15 @@ static int InstallIcinga(void)
 // TODO: In Icinga 2.14, rename features-available/mainlog.conf to mainlog.conf.deprecated
 // so that it's no longer listed as an available feature.
- ExecuteCommand("icacls", "\"" + dataDir + "\" /grant *S-1-5-20:(oi)(ci)m");
- ExecuteCommand("icacls", "\"" + dataDir + "\\etc\" /inheritance:r /grant:r *S-1-5-20:(oi)(ci)m *S-1-5-32-544:(oi)(ci)f");
- ExecuteCommand("icacls", "\"" + dataDir + "\\var\" /inheritance:r /grant:r *S-1-5-20:(oi)(ci)m *S-1-5-32-544:(oi)(ci)f");
+ if (!ExecuteCommand("icacls", "\"" + dataDir + "\" /grant *S-1-5-20:(oi)(ci)m")){
+ throw std::runtime_error("failed to set ACLs for " + dataDir);
+ }
+ if (!ExecuteCommand("icacls", "\"" + dataDir + "\\etc\" /inheritance:r /grant:r *S-1-5-20:(oi)(ci)m *S-1-5-32-544:(oi)(ci)f")) {
+ throw std::runtime_error("failed to set ACLs for " + dataDir + "\\etc");
+ }
+ if (!ExecuteCommand("icacls", "\"" + dataDir + "\\var\" /inheritance:r /grant:r *S-1-5-20:(oi)(ci)m *S-1-5-32-544:(oi)(ci)f")) {
+ throw std::runtime_error("failed to set ACLs for " + dataDir + "\\var");
+ }
 ExecuteIcingaCommand("--scm-install daemon");
From 376da7f202978af947a4c26feb69837bcccf418a Mon Sep 17 00:00:00 2001
From: Julian Brost
Date: Tue, 27 Jan 2026 15:08:53 +0100
Subject: [PATCH 3/3] Add security update to v2.13.14 changelog
---
 CHANGELOG.md | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 05f2df25f..89298d6f9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
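Review bot: The three new `throw std::runtime_error(...)` statements in [PATCH 2/3] depend on a handler that this hunk does not show; InstallIcinga returns int and its body continues outside the hunk, so if no caller catches the exception the installer would end in std::terminate rather than report a failure code. Please confirm that the entry point catches it and returns non-zero, so that a failed ACL change aborts the install instead of leaving `etc` or `var` with inherited permissions. A short comment above the first check would record that intent, e.g. `// Fail closed: abort the install if the ACLs cannot be applied.` As a style point, the first check is written `)){` where the other two use `)) {`.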
@@ -9,9 +9,12 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic
 ## 2.13.14 (2026-01-29)
-This release updates the bundled OpenSSL library and includes changes to allow
-building with newer toolchains.
+This security release fixes a problem in the Icinga 2 Windows MSI that did not
+set proper permissions for `%ProgramData%\icinga2\var`. Additionally, it
+updates the bundled OpenSSL library and includes changes to allow building with
+newer toolchains.
+* CVE-2026-24413: Fix permissions of `%ProgramData%\icinga2\var` on Windows.
 * Windows: Update to OpenSSL 3.0.19. #10704
 * Allow building with CMake 4. #10625