github Windscribe/Desktop-App v2.23.11

5 hours ago

Added

  • Package signing and update authenticity hardening for supported Linux packages.

Improved

  • App hardening from the Fable 5 audit, including WireGuard key validation, Control D API key log redaction, IPC exposure hardening, safer logging, installer argument redaction, and package/dependency handling fixes.
  • Windows helper IPC parameter validation to reduce local IPC attack surface.
  • Linux helper IPC/API hardening after EGL gid-check bypass review.
  • Windows IKEv2 connector stability to mitigate possible crashes.
  • macOS builds against Xcode 26.5 and enabled ARC for client-common Objective-C++ code.
  • Proxy Gateway privacy by no longer logging blocked destinations for HTTP and SOCKS gateway requests.
  • IP Stack preference wording to clarify it applies to WireGuard only.
  • Preferences title casing consistency.
  • Sign Up screen helper text styling under the Password and Email fields.
  • JSON/INI import consistency for proxy sharing and MAC spoofing settings.
  • Debug logs by removing false positives that could mislead automated log analysis on Windows.
  • Russian and Ukrainian translations in the desktop app, installer, and CLI from GitHub user WkdXeqtr.
  • Belarusian translations in the desktop app, installer, and CLI from GitHub user dubovy-achvelak.

Fixed

  • DLL planting vulnerability in the Windows bootstrapper and uninstaller.
  • Windows installer/updater staging TOCTOU allowing the privileged helper to copy from a different source path than the one it validated.
  • Local privilege escalation security vulnerability from app retaining SETGID capability after group switch on Linux.
  • Possible local privilege escalation chain involving external-link opening and OpenVPN directive validation bypass.
  • OpenVPN custom config filtering to handle embedded NULL/control characters consistently and reject unsafe directives.
  • OpenVPN custom config parsing to prevent commented-out route-nopull / route-noexec text from disabling automatic firewall handling.
  • Malformed OpenVPN inline tags bypassing custom config directive filtering.
  • AmneziaWG custom WireGuard I-values allowing newline/config injection in imported custom configs.
  • Custom OpenVPN device names that could bypass Linux DNS leak protection by using wildcard-style interface names.
  • Split tunneling service startup failures not showing the expected user-facing warning prompt on Windows.
  • A crash when clicking the menu bar icon on affected macOS 27 beta builds.
  • DNS leak protection allowing pre-VPN OS DNS resolvers when DNS traffic egressed over the VPN interface on Linux.
  • Always On+ firewall feature eventually showing the Ignore SSL errors prompt during blocked or delayed connectivity.
  • Launch on startup mechanism may fail to apply during a reboot.
  • Control D via API Key connections failing when an IPv6 bootstrap IP from Custom DNS was retained without native IPv6.
  • Ignore SSL Errors runtime bypass handling to reset wsnet failovers before retrying failed requests.
  • IP pinning fallback when an Advanced Parameters remote IP does not match the selected location.
  • Memory leak when handling CLI IPC commands.
  • Windows installer progress handling near completion when uninstalling previous components and launching the app.
  • Periodic reconnects on Windows IKEv2 connections caused by transient OS status checks.
  • Logout/session deletion leaving the Windscribe IKEv2 VPN profile in macOS System Settings.
  • Linux address selection so IPv6-capable VPN connections do not incorrectly prefer IPv4 via Windscribe gai.conf handling.
  • deb/rpm packages installing scripts or helper files with world-writable permissions.
  • Data-remaining counter showing 0 bytes after an expired/blocked account state and newly logged into account has remaining data.
  • Networks marked Unsecured being treated as Secured on launch, which could incorrectly trigger auto-connect.
  • Imported dashed MAC spoof values showing incorrectly and reporting MAC spoofing failure even though the spoof was applied.
  • IKEv2 inclusive split tunneling leaving a low-metric default tunnel route active, causing non-included traffic to route through the VPN on Windows.
  • Linux IPv6 split-tunnel routes being added without the required interface name.
  • Linux IPv6 DNS leak protection missing ip6tables rules for IPv6 DNS resolvers.
  • Linux split-tunneling process monitor skipping proc events after the first netlink read.
  • Linux split-tunneling setup failures being reported as successful.
  • Persistent Ignore SSL Errors preference behavior so TLS validation bypass is runtime-only and does not survive app restart.
  • Connected DNS Custom 0.0.0.0 breaking local ctrld resolver behavior while connected.
  • Split tunneling disabled message handling on macOS.

Updated

  • Updated wsnet to 1.5.20.

Removed

  • The Contact Humans preference from the help UI.

GUI Installer Hashes

Installer SHA-256 hash
Windows amd64 3430c28f606591b8f13c9d4d1a960b844ae217b0b6c5ebeb50bd764a3e88a33b
Windows arm64 065544d2f821aa5730db43fbdc3a71b01b18a41872bf038af6977a82ea5c7c5c
macOS universal 393a9c0650a66b4fea87716f9a47369a20cb70681cb2cc6ee0cef157f693d116
Ubuntu amd64 9b22ad0369e7539d309c21a2535f46aa7d805d9e2ad6250dbbc376de87c333ee
Ubuntu arm64 9f6bf75d4579c2e9193235b18bc2d603426b08558df31d2a4eb47fc92335d42c
Fedora amd64 f2e5299902a991067dc168120e5596739ef32e7b9c5c88c7c6251654bde2a864
Fedora arm64 cc621bd7fcf286b3fc8da34395c8bbfacb3cca7df145d2dc10d543d868d14fef
OpenSUSE amd64 4b31e4b52009a9eb6d15fc37bfb69606f815835b46aff0d94c317108f0dc5967
Arch Linux amd64 c7a1c9a140807298444bb352ac635f349f535de9b13ae0cef33954c0cb29c30f

CLI Installer Hashes

Installer SHA-256 hash
Ubuntu CLI amd64 cac917bf60b6f7fe9f9e6ac09e970ba0ffbbb52ac0d4d4afe259ae78727b0e11
Ubuntu CLI arm64 5775fd86f67d08e926a31853fb74fd1401932a8a6af88f006bbac0c3efbde7f9
Fedora CLI amd64 9ae35e6c7877f0fd4203c3c5826536f403a729bcb90a496e8a252753de929023
Fedora CLI arm64 f0522b756efd188a29b7627fb8b7594e1bfc5b13d95df54f84bcb287453525e3
OpenSUSE CLI amd64 44a2462b7c117bb2c221e1119ca41a375fde0f5ec574b67ac13f82d1b2cd0edf
Arch Linux CLI amd64 b4a338c525032dab9fa62f9fb2f282e967533c182b91467d3f13d40d7be0d658

Don't miss a new Desktop-App release

NewReleases is sending notifications on new releases.