Upgrade to 7-Zip 16.02 to overcome security vulnerabilities #812

Closed
ferventcoder opened this issue Jun 18, 2016 · 3 comments

Comments

@ferventcoder
Member

ferventcoder commented Jun 18, 2016

@ferventcoder ferventcoder added this to the 0.9.10.1 milestone Jun 18, 2016
@ferventcoder ferventcoder self-assigned this Jun 18, 2016
@ferventcoder ferventcoder changed the title Upgrade 7-Zip to most up to date version Upgrade to 7-Zip 16.02 to overcome CVE-2016-2334/CVE-2016-2335 Jun 18, 2016
@ferventcoder ferventcoder changed the title Upgrade to 7-Zip 16.02 to overcome CVE-2016-2334/CVE-2016-2335 Upgrade to 7-Zip 16.02 to overcome security vulnerabilities Jun 18, 2016
ferventcoder added a commit that referenced this issue Jun 19, 2016
* stable:
  (version) 0.9.10.2
  (doc) update CHANGELOG/nuspec
  (GH-758) Ensure log path exists
  (GH-813) Fix double chocolatey logging folder
  (GH-813) Shorten Template default log path
  (doc) update default options help messages
  (maint) Don't log creation of folder
  (maint) formatting / add message consistency
  (GH-814) Ensure any version of choco
  (GH-811) Skip resource / licensed assemblies
  (version) 0.9.10.1
  (doc) update CHANGELOG/nuspec
  (GH-810) Install of choco sets exit code
  (GH-812) Upgrade 7zip to 16.02 to address CVEs
  (doc) Note functions Calling Set-PowerShellExitCode
  (GH-810) Fix - Cannot bind parameter exitCode
@ferventcoder
Member Author

ferventcoder commented Jun 20, 2016

If you cannot upgrade to at least 0.9.10.1, you can manually patch your Chocolatey installation. Look in `$env:ChocolateyInstall\tools` and replace `7za.exe` with 16.02. This can be found at https://www.7-zip.org/a/7z1602-extra.7z

In really old installs of Chocolatey (0.9.8.x and below), that path is `$env:ChocolateyInstall\chocolateyInstall\tools`.
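
A way to check which `7za.exe` an installation is carrying, before or after the manual replacement described in the comment above. This is an added example, not code from the issue or from Chocolatey: the function name `Test-Choco7zaVersion` and its output fields are hypothetical, and it assumes PowerShell 3 or later and that the binary carries a version resource (if not, it reports `Unknown`).

```powershell
# Added example: report the version of the 7za.exe bundled with Chocolatey.
# Test-Choco7zaVersion is an illustrative name, not a Chocolatey function.
function Test-Choco7zaVersion {
    param(
        [string]$InstallRoot = $env:ChocolateyInstall,
        [version]$MinimumVersion = '16.02'
    )

    if ([string]::IsNullOrEmpty($InstallRoot)) {
        throw 'ChocolateyInstall is not set; pass -InstallRoot explicitly.'
    }

    # Current layout first, then the layout used by 0.9.8.x and below.
    $candidates = @(
        (Join-Path $InstallRoot 'tools\7za.exe'),
        (Join-Path $InstallRoot 'chocolateyInstall\tools\7za.exe')
    )

    foreach ($path in $candidates) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

        $fileVersion = (Get-Item -LiteralPath $path).VersionInfo.FileVersion

        # Keep only the leading digits-and-dots part; the field can be
        # empty or carry a suffix, in which case parsing may fail.
        $numeric = $fileVersion -replace '[^\d\.].*$', ''
        $parsed  = $null

        if (-not [version]::TryParse($numeric, [ref]$parsed)) {
            $status = 'Unknown'
        }
        elseif ($parsed -lt $MinimumVersion) {
            $status = 'NeedsReplacement'
        }
        else {
            $status = 'OK'
        }

        [pscustomobject]@{
            Path        = $path
            FileVersion = $fileVersion
            Status      = $status
        }
    }
}

Test-Choco7zaVersion | Format-List
```

No output means neither path contains a `7za.exe`; pass `-InstallRoot` to point the check at a different installation directory.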

@ferventcoder
Member Author

There are some reports that the newer version of 7za.exe breaks some existing packages. Something to keep in mind. We determined it would be better to be secure and have some breakages versus the alternative.

@ferventcoder
Member Author

We are looking to switch over to 7z.exe (full) in 0.9.10.3, which could resolve this entirely.
