
Upgrade to 7-Zip 16.02 to overcome security vulnerabilities #812

Closed
ferventcoder opened this Issue Jun 18, 2016 · 3 comments


@ferventcoder ferventcoder added this to the 0.9.10.1 milestone Jun 18, 2016

@ferventcoder ferventcoder self-assigned this Jun 18, 2016

@ferventcoder ferventcoder changed the title from Upgrade 7-Zip to most up to date version to Upgrade to 7-Zip 16.02 to overcome CVE-2016-2334/CVE-2016-2335 Jun 18, 2016

@ferventcoder ferventcoder changed the title from Upgrade to 7-Zip 16.02 to overcome CVE-2016-2334/CVE-2016-2335 to Upgrade to 7-Zip 16.02 to overcome security vulnerabilities Jun 18, 2016

ferventcoder added a commit that referenced this issue Jun 19, 2016

Merge branch 'stable'
* stable:
  (version) 0.9.10.2
  (doc) update CHANGELOG/nuspec
  (GH-758) Ensure log path exists
  (GH-813) Fix double chocolatey logging folder
  (GH-813) Shorten Template default log path
  (doc) update default options help messages
  (maint) Don't log creation of folder
  (maint) formatting / add message consistency
  (GH-814) Ensure any version of choco
  (GH-811) Skip resource / licensed assemblies
  (version) 0.9.10.1
  (doc) update CHANGELOG/nuspec
  (GH-810) Install of choco sets exit code
  (GH-812) Upgrade 7zip to 16.02 to address CVEs
  (doc) Note functions Calling Set-PowerShellExitCode
  (GH-810) Fix - Cannot bind parameter exitCode
Member

ferventcoder commented Jun 20, 2016

If you cannot upgrade to at least 0.9.10.1, you can manually patch your Chocolatey installation. Look in $env:ChocolateyInstall\tools and replace 7za.exe with 16.02. This can be found at https://www.7-zip.org/a/7z1602-extra.7z

In really old installs of Chocolatey (0.9.8.x and below), that path is $env:ChocolateyInstall\chocolateyInstall\tools.
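The manual patch described in the comment above, scripted as an added example (PowerShell; this is not Chocolatey's own code nor code posted by ferventcoder). It locates 7za.exe in either of the two tools directories named above, reads its file version, and only if it is older than 16.02 swaps in the binary from 7z1602-extra.7z. Assumptions not stated on the page: the archive has already been downloaded from https://www.7-zip.org/a/7z1602-extra.7z to the path given by -Archive; the operator supplies its SHA-256 (-ExpectedSha256) from a source they trust, since no hash is given on this page; and 7-Zip 16.02 stamps its binaries with file version 16.2 (major 16, minor 2). The old binary is kept as a .bak so the change can be reverted if a package breaks.

```powershell
# Added example, not Chocolatey's own code: checks the 7za.exe bundled with
# Chocolatey and, if it is older than 16.02, swaps in the binary from
# 7z1602-extra.7z. Assumptions: the archive was already downloaded from
# https://www.7-zip.org/a/7z1602-extra.7z to -Archive, and -ExpectedSha256
# is its SHA-256 taken from a source you trust (not supplied here).
param(
    [string]$Archive = (Join-Path $env:TEMP '7z1602-extra.7z'),
    [Parameter(Mandatory = $true)][string]$ExpectedSha256
)
$ErrorActionPreference = 'Stop'

# Assumption: 7-Zip 16.02 carries file version 16.2 (major 16, minor 2).
$required = New-Object System.Version -ArgumentList 16, 2

function Get-7zaVersion([string]$Path) {
    # Use the numeric version fields rather than parsing the "16.02" string.
    $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    New-Object System.Version -ArgumentList $info.FileMajorPart, $info.FileMinorPart
}

# Current installs keep 7za.exe in tools; 0.9.8.x and older in chocolateyInstall\tools.
$candidates = @(
    (Join-Path $env:ChocolateyInstall 'tools'),
    (Join-Path $env:ChocolateyInstall 'chocolateyInstall\tools')
)
$sevenZa = $candidates |
    ForEach-Object { Join-Path $_ '7za.exe' } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1
if (-not $sevenZa) { throw "7za.exe not found under $env:ChocolateyInstall" }

$current = Get-7zaVersion $sevenZa
Write-Host "Found $sevenZa (version $current)"
if ($current -ge $required) {
    Write-Host "Already at $required or newer; nothing to do."
    return
}

# Refuse to touch the install unless the archive matches the expected hash.
# Get-FileHash returns uppercase hex, so normalise the operator's value.
$actual = (Get-FileHash -Path $Archive -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    throw "SHA256 mismatch for ${Archive}: expected $ExpectedSha256, got $actual"
}

# Extract only 7za.exe into a fresh staging folder. The old binary is used for
# this one hash-verified archive; the new binary is checked before it replaces anything.
$stage = Join-Path $env:TEMP ('7za-stage-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $stage | Out-Null
& $sevenZa x $Archive '7za.exe' "-o$stage" -y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "extraction failed with exit code $LASTEXITCODE" }

$new = Join-Path $stage '7za.exe'
$newVersion = Get-7zaVersion $new
if ($newVersion -lt $required) {
    throw "extracted 7za.exe is $newVersion, expected at least $required"
}

# Keep a backup of the old binary so the change can be reverted if a package breaks.
Copy-Item -Path $sevenZa -Destination "$sevenZa.bak" -Force
Copy-Item -Path $new -Destination $sevenZa -Force
Write-Host "Replaced 7za.exe: $current -> $newVersion (backup at $sevenZa.bak)"
```

Run it from an elevated PowerShell session as, for example, `.\Patch-7za.ps1 -Archive C:\temp\7z1602-extra.7z -ExpectedSha256 <hash>`. Re-running it after a successful patch exits early on the version check, so it is safe to put in a configuration-management run; to roll back, copy the .bak file over 7za.exe.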

Member

ferventcoder commented Jun 21, 2016

There are some reports that the newer version of 7za.exe breaks some existing packages. Something to keep in mind. We determined it would be better to be secure and have some breakages versus the alternative.

Member

ferventcoder commented Jun 21, 2016

We are looking to switch over to 7z.exe (full) in 0.9.10.3, which could resolve this entirely.
