You may have noticed that over the last few weeks we have been pushing out new package versions for a large number of the Chocolatey products. This included updates to:
- Chocolatey CLI
- Chocolatey Licensed Extension
- Chocolatey GUI
- Chocolatey GUI Licensed Extension
- Chocolatey Agent
The main driving force behind all of these releases was a security vulnerability that was identified in one of the core external libraries that is used by Chocolatey, log4net. To exploit this vulnerability an attacker would need Administrator access, given how the Chocolatey install folder is secured by default. And if an attacker already had Administrator access, they would not need to exploit the vulnerability!
Here at Chocolatey, we take security very seriously, so once identified, we set about updating all the Chocolatey products that use this log4net library, making sure that they all continue to work together correctly. Along the way, we were also able to squash a number of bugs, and add a number of new features.
It has been a long road, but all in all, we are really happy with what we have been able to achieve, and we are looking forward to bringing more releases of these products in future.
Package Prerequisites
Due to the nature of the changes, there have been some changes to the package dependencies. The new package dependencies are as follows:
Package Name | chocolatey | chocolatey.extension | chocolateygui |
---|---|---|---|
chocolatey v0.11.1 | | | |
chocolatey.extension v2.2.0 | v0.11.0 * | | |
chocolateygui v0.19.0 | v0.11.1 | | |
chocolateygui.extension v0.3.0 | v0.11.1 | | v0.19.0 |
chocolatey-agent v0.12.0 | | v2.2.0 | |
NOTE
The chocolatey.extension package was published before v0.11.1 of Chocolatey was released, which is why it doesn't take a dependency on the v0.11.1 package of Chocolatey. We recommend an immediate upgrade to v0.11.1 of Chocolatey if you have v0.11.0 installed.
WARNING
Due to the nature of how Chocolatey package dependencies work, we can ensure that all the required package versions are installed. For example, if you were to install chocolateygui.extension then it would make sure that the following tree of packages is installed:
Package Name | Version |
---|---|
chocolateygui.extension | v0.3.0 |
chocolateygui | v0.19.0 |
chocolatey | v0.11.1 |

However, there is nothing that can be done to ensure that indirect dependencies are satisfied. For example, if you currently have chocolateygui v0.18.1 installed along with chocolateygui.extension v0.2.1 and you first upgrade to chocolateygui v0.19.0, then you will see errors if you attempt to run Chocolatey GUI, since the chocolateygui.extension package also needs to be updated.
Based on the package releases, the recommended installation/upgrade order is the following:
- chocolatey-agent
- chocolateygui.extension
- chocolateygui
- chocolatey.extension
- chocolatey
This will ensure that all dependencies, both direct and indirect, are installed.
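To check a machine for the half-upgraded state described above, the following added example (not Chocolatey's own code) compares installed versions against the releases listed in this post and emits upgrade commands in the recommended order. The function name `Get-OutdatedChocolateyProduct` is hypothetical and the sample input is constructed.

```powershell
# Releases named in this post, keyed in the recommended upgrade order.
$Required = [ordered]@{
    'chocolatey-agent'        = [version]'0.12.0'
    'chocolateygui.extension' = [version]'0.3.0'
    'chocolateygui'           = [version]'0.19.0'
    'chocolatey.extension'    = [version]'2.2.0'
    'chocolatey'              = [version]'0.11.1'
}

# Hypothetical helper: takes name|version lines and returns the products that
# are installed but older than the release listed above, in upgrade order.
function Get-OutdatedChocolateyProduct {
    param([string[]]$ListOutput)

    $installed = @{}
    foreach ($line in $ListOutput) {
        $name, $ver = $line.Trim() -split '\|', 2
        if (-not $ver) { continue }              # not a name|version line
        $base   = ($ver -split '-')[0]           # drop any prerelease suffix
        $parsed = $null
        if ([version]::TryParse($base, [ref]$parsed)) {
            $installed[$name.ToLowerInvariant()] = $parsed
        }
    }

    foreach ($pkg in $Required.Keys) {
        if ($installed.ContainsKey($pkg) -and $installed[$pkg] -lt $Required[$pkg]) {
            [pscustomobject]@{
                Package   = $pkg
                Installed = $installed[$pkg]
                Required  = $Required[$pkg]
            }
        }
    }
}

# Constructed sample in the name|version form printed by
# `choco list --local-only --limit-output`; pass the real output on a live machine.
$sample = @(
    'chocolatey|0.11.0'
    'chocolatey.extension|2.2.0'
    'chocolateygui|0.19.0'
    'chocolateygui.extension|0.2.1'
)

$outdated = Get-OutdatedChocolateyProduct -ListOutput $sample
$outdated | Format-Table -AutoSize
$outdated | ForEach-Object { "choco upgrade $($_.Package) -y" }
```

Products that are not installed are skipped, so the script only reports packages that are present and still on a release older than the ones listed here.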
Release Notes
For more information on the features, improvements and bug fixes that have gone into these releases, please see the release notes:
- Chocolatey CLI
- Chocolatey Licensed Extension
- Chocolatey GUI
- Chocolatey GUI Licensed Extension
- Chocolatey Agent
Learn More
- Check out the documentation.
- Learn about other features available in Chocolatey for Business.
- Contact us to find out more and set up your evaluation of Chocolatey for Business today.