author: Linus Färnstrand <linus@mullvad.net> 2020-06-09 15:10:20 +0200
committer: Linus Färnstrand <linus@mullvad.net> 2020-06-16 16:46:04 +0200
commit: ab683c70e7bdd41f1099cd91532d98dfbc591b5e
tree: b406ec052e8058d77512836a28d41a79db685198
parent: 0d1e149e4e065ab7f2de0cada3f4aa1392a350f6
Add/change security related changelog entries related to audit findings
-rw-r--r-- CHANGELOG.md 31
1 files changed, 24 insertions, 7 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e722b69f5f..7ee5ff84af 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -33,16 +33,13 @@ Line wrap the file at 100 chars. Th
timeouts.
#### macOS
-- Use `SCNetworkReachability` to help determine connectivity of host.
+- Use `SCNetworkReachability` to help determine connectivity of host. Helps bring the app online
+ faster when the computer wakes up from sleep.
#### Android
- Show the remaining account time in the Settings screen in days if it's less than 3 months.
- Prevent commands to connect or disconnect to be sent when the device is locked.
- Make all screens scrollable to better handle small screens and split-screen mode.
-- Ignore touch events when another view is shown on top of the app in order to prevent tapjacking
- attacks.
-- Prevent screens showing potentially sensitive data from being recorded.
-
### Fixed
- Show both WireGuard and OpenVPN servers in location list when protocol is set to automatic on
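Review bot: The macOS `SCNetworkReachability` line changed at the top of this hunk is not an audit finding, while the commit subject says the change is about security changelog entries related to audit findings. Consider moving it to a separate commit, so that this one only relocates the two Android entries (tapjacking and screen recording) out of this section. The added text is also a sentence fragment; "This helps bring the app online faster when the computer wakes up from sleep." would read better.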
@@ -68,11 +65,31 @@ Line wrap the file at 100 chars. Th
#### Windows
- Fix race in network adapter monitor that could result in data corruption and crashes.
-- Upgrade `miow` dependency to stop daemon from crashing when the named pipes
- were accessed with `accesschk.exe`.
+- Upgrade `miow` dependency to stop daemon from crashing when the management interface named pipes
+ were accessed with `accesschk.exe` and some web browsers.
- Fix race that may rarely occur during install when obtaining the GUID of a newly created TAP
adapter.
+### Security
+- Tighten the firewall rules that were allowing traffic to the relay server over the physical
+ network interface. On Linux and macOS now only processes running under root are allowed to send
+ traffic to this port and IP. On Windows only the Mullvad VPN binaries are allowed to send.
+ This fixes audit ticket `MUL-02-002`.
+
+#### Windows
+- Tighten the firewall rule allowing traffic on port 53 to the relay server IP on the physical
+ interfaces if the VPN tunnel is established on port 53 to only allow UDP. This fixes
+ audit ticket `MUL-02-004`.
+- Deny access to the management interface named pipe for the `NT AUTHORITY\NETWORK` group.
+ This makes the named pipe no longer accessible under the `IPC$` network share.
+ This fixes audit ticket `MUL-02-007`.
+
+#### Android
+- Ignore touch events when another view is shown on top of the app in order to prevent tapjacking
+ attacks. Fixes audit ticket `MUL-02-003`.
+- Prevent screens showing potentially sensitive data from being recorded. Fixes audit
+ ticket `MUL-02-003`.
+
## [2020.5-beta1] - 2020-05-18
### Added
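Review bot: Both new Android entries under `### Security` cite `MUL-02-003`, although ignoring touch events while another view is on top and preventing screen recording are two different mitigations. Please confirm the second entry is not meant to reference another ticket; if both do belong to `MUL-02-003`, merging them into one entry would make that explicit. In the first `### Security` entry, "this port and IP" has no antecedent, because the preceding sentence only mentions "traffic to the relay server"; name the port or write "the relay server's IP and port".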