From c3cb6bffb4bb53e21067687f3c9e8f7fdee95bca Mon Sep 17 00:00:00 2001
From: Julian Brost
Date: Fri, 9 Jan 2026 13:49:05 +0100
Subject: [PATCH 1/3] Windows: set ACLs for %ProgramData%\icinga2\var as well
---
 icinga-installer/icinga-installer.cpp | 1 +
 1 file changed, 1 insertion(+)
diff --git a/icinga-installer/icinga-installer.cpp b/icinga-installer/icinga-installer.cpp
index 4dc050de6d2..8a87c7a3f0c 100644
--- a/icinga-installer/icinga-installer.cpp
+++ b/icinga-installer/icinga-installer.cpp
@@ -272,6 +272,7 @@ static int InstallIcinga(void)
 
 ExecuteCommand("icacls", "\"" + dataDir + "\" /grant *S-1-5-20:(oi)(ci)m");
 ExecuteCommand("icacls", "\"" + dataDir + "\\etc\" /inheritance:r /grant:r *S-1-5-20:(oi)(ci)m *S-1-5-32-544:(oi)(ci)f");
+ ExecuteCommand("icacls", "\"" + dataDir + "\\var\" /inheritance:r /grant:r *S-1-5-20:(oi)(ci)m *S-1-5-32-544:(oi)(ci)f");
 
 ExecuteIcingaCommand("--scm-install daemon");
 
From f30e82c53e1a1d0c6714053987e2dee3020e38e7 Mon Sep 17 00:00:00 2001
From: Julian Brost
Date: Wed, 14 Jan 2026 14:10:11 +0100
Subject: [PATCH 2/3] Add error handling for icacls calls
---
 icinga-installer/icinga-installer.cpp | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/icinga-installer/icinga-installer.cpp b/icinga-installer/icinga-installer.cpp
index 8a87c7a3f0c..2095627ed9f 100644
--- a/icinga-installer/icinga-installer.cpp
+++ b/icinga-installer/icinga-installer.cpp
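Review bot: In the `@@ -272,6 +272,7 @@` hunk of PATCH 1/3, `dataDir` itself still only receives an additional `/grant` and keeps whatever ACL it inherits from its parent; only `etc` and now `var` get `/inheritance:r`, so any further directory placed under `dataDir` would need its own line to be protected. `/inheritance:r` together with `/grant:r` also leaves the directory owner and explicit entries for other principals as they were, which matters when `var` already exists at install time (for example on an upgrade); whether that case needs an ownership or ACL reset should be confirmed. The raw SIDs deserve a comment above the three calls, e.g. `// S-1-5-20 = NETWORK SERVICE (modify), S-1-5-32-544 = BUILTIN\Administrators (full control); inherited ACEs are removed`. InstallIcinga's body starts and ends outside the hunk.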
@@ -270,9 +270,15 @@ static int InstallIcinga(void)
 // TODO: In Icinga 2.14, rename features-available/mainlog.conf to mainlog.conf.deprecated
 // so that it's no longer listed as an available feature.
 
- ExecuteCommand("icacls", "\"" + dataDir + "\" /grant *S-1-5-20:(oi)(ci)m");
- ExecuteCommand("icacls", "\"" + dataDir + "\\etc\" /inheritance:r /grant:r *S-1-5-20:(oi)(ci)m *S-1-5-32-544:(oi)(ci)f");
- ExecuteCommand("icacls", "\"" + dataDir + "\\var\" /inheritance:r /grant:r *S-1-5-20:(oi)(ci)m *S-1-5-32-544:(oi)(ci)f");
+ if (!ExecuteCommand("icacls", "\"" + dataDir + "\" /grant *S-1-5-20:(oi)(ci)m")){
+ throw std::runtime_error("failed to set ACLs for " + dataDir);
+ }
+ if (!ExecuteCommand("icacls", "\"" + dataDir + "\\etc\" /inheritance:r /grant:r *S-1-5-20:(oi)(ci)m *S-1-5-32-544:(oi)(ci)f")) {
+ throw std::runtime_error("failed to set ACLs for " + dataDir + "\\etc");
+ }
+ if (!ExecuteCommand("icacls", "\"" + dataDir + "\\var\" /inheritance:r /grant:r *S-1-5-20:(oi)(ci)m *S-1-5-32-544:(oi)(ci)f")) {
+ throw std::runtime_error("failed to set ACLs for " + dataDir + "\\var");
+ }
 
 ExecuteIcingaCommand("--scm-install daemon");
 
From ef406f48cea4a1bf206f1ad4bdae8f06bc74629d Mon Sep 17 00:00:00 2001
From: Yonas Habteab
Date: Thu, 29 Jan 2026 11:50:33 +0100
Subject: [PATCH 3/3] Add security update to changelog for `v2.15.2`
---
 CHANGELOG.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 00187f950fd..15f1c849834 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
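Review bot: The three `throw std::runtime_error(...)` statements added in the `@@ -270,9 +270,15 @@` hunk of PATCH 2/3 sit inside `static int InstallIcinga(void)`, and no handler is visible in the hunk; if nothing up the call chain catches, the installer ends through `std::terminate` and the message naming the directory is never reported. Please confirm that the entry point catches this and turns it into a non-zero exit status, so that a failed ACL change reliably aborts the installation instead of leaving `etc` or `var` with inherited permissions. On style, the first condition ends in `)){` while the other two use `)) {`, and the three blocks differ only in the sub-path and the icacls arguments, so a small helper taking those two values would remove the repetition. The function body starts and ends outside the hunk.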
@@ -9,8 +9,12 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic
 
 ## 2.15.2 (2026-01-29)
 
-Additionally, it includes two minor bug fixes regarding SELinux policies and the OpenSSL version shipped on Windows.
+This security release fixes a problem in the Icinga 2 Windows MSI that did not
+set proper permissions for `%ProgramData%\icinga2\var`. Additionally, it includes
+two minor bug fixes regarding our SELinux policy and updates the OpenSSL version
+shipped on Windows.
 
+* CVE-2026-24413: Fix permissions of `%ProgramData%\icinga2\var` on Windows.
 * Windows: Update to OpenSSL 3.0.19. #10706
 * SELinux: Fix policy to allow `logrotate` to execute the `icinga2` binary in order to send `SIGUSR1` for log rotation. #10643
 * SELinux: Fix policy to allow `icinga2` to send `SIGTERM` to nagios plugins processes on timeout. #10694