kali authored 3 years ago and Kali Kaneko committed 3 years ago

A vulnerability in QtIFW produces improper ACLs to be set when
installing in custom locations. This can lead to privilege escalation if
a non-privileged user overwrites the openvpn binary. Thanks to
researchers at Tenable for finding and reporting this!

Impact is considered low-medium, since an installation outside of the
suggested path is needed to trigger the issue.

Privileged execution of openvpn should be abandoned in next release, in
favor of the interactive service.

A bug upstream should be filed since other projects could be affected by
this vulnerability too.

-Resolves: #569

we've agreed that the autostart behaviour can be unexpected;
we'll expose the ability under preferences (it can be controlled via cli
right now).

- Cloases: #470