You may have noticed that over the last few weeks we have been pushing out new package versions for a large number of the Chocolatey products. This included updates to:

The main driving force behind all of these releases was a security vulnerability that was identified in one of the core external libraries used by Chocolatey, log4net. To exploit this vulnerability an attacker would need Administrator access, given how the Chocolatey install folder is secured by default. And an attacker who already had Administrator access would have no need to exploit the vulnerability!

Here at Chocolatey, we take security very seriously, so once identified, we set about updating all the Chocolatey products that use this log4net library, making sure that they all continue to work together correctly. Along the way, we were also able to squash a number of bugs, and add a number of new features.

It has been a long road, but all in all, we are really happy with what we have been able to achieve, and we are looking forward to bringing more releases of these products in future.

Package Prerequisites

Due to the nature of the changes, there have been some changes to the package dependencies. The new package dependencies are as follows:

Package Name                      chocolatey   chocolatey.extension   chocolateygui
chocolatey v0.11.1
chocolatey.extension v2.2.0       v0.11.0 *
chocolateygui v0.19.0             v0.11.1
chocolateygui.extension v0.3.0    v0.11.1                             v0.19.0
chocolatey-agent v0.12.0                       v2.2.0

NOTE

* The chocolatey.extension package was published before v0.11.1 of Chocolatey was released, which is why it does not take a dependency on the v0.11.1 package of Chocolatey. We recommend an immediate upgrade to v0.11.1 of Chocolatey if you have v0.11.0 installed.

WARNING

Due to the nature of how Chocolatey package dependencies work, we can ensure that all the required package versions are installed. For example, if you were to install chocolateygui.extension then it would make sure that the following tree of packages is installed:

Package Name               Version
chocolateygui.extension    v0.3.0
chocolateygui              v0.19.0
chocolatey                 v0.11.1

However, there is nothing that can be done to ensure that indirect dependencies are satisfied. For example, if you currently have chocolateygui v0.18.1 installed along with chocolateygui.extension v0.2.1 and you first upgrade to chocolateygui v0.19.0, then you will see errors if you attempt to run Chocolatey GUI, because the chocolateygui.extension package also needs to be updated.

Based on the package releases, the recommended installation/upgrade order is the following:

  • chocolatey-agent
  • chocolateygui.extension
  • chocolateygui
  • chocolatey.extension
  • chocolatey

This will ensure that all dependencies, both direct and indirect, are installed.
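The following script is an added example, not part of the original post or of Chocolatey itself. It encodes the dependency table and upgrade order from this post and checks a machine's installed package list against them, reporting which packages still need upgrading and which are in the "GUI upgraded before its extension" state described above. It assumes the plain "<name> <version>" line format of `choco list -lo` output, and the sample input is constructed.

```python
# Required versions and declared dependency edges, both from the post's table.
REQUIRED = {"chocolatey": "0.11.1", "chocolatey.extension": "2.2.0",
            "chocolateygui": "0.19.0", "chocolateygui.extension": "0.3.0",
            "chocolatey-agent": "0.12.0"}
DEPENDS_ON = {"chocolatey.extension": ["chocolatey"],
              "chocolateygui": ["chocolatey"],
              "chocolateygui.extension": ["chocolatey", "chocolateygui"],
              "chocolatey-agent": ["chocolatey.extension"]}
# Recommended upgrade order from the post.
UPGRADE_ORDER = ["chocolatey-agent", "chocolateygui.extension", "chocolateygui",
                 "chocolatey.extension", "chocolatey"]

# Constructed sample in the "<name> <version>" line format of `choco list -lo`
# (that format is an assumption): Chocolatey GUI was upgraded before its extension.
SAMPLE_CHOCO_LIST = """\
chocolatey 0.11.1
chocolatey.extension 2.2.0
chocolateygui 0.19.0
chocolateygui.extension 0.2.1
4 packages installed.
"""

def parse_choco_list(text):
    """Return {name: version}; header and summary lines do not fit the shape."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1][:1].isdigit():
            installed[parts[0]] = parts[1]
    return installed

def version_key(v):
    """Numeric dotted part of a version as a tuple; a -prerelease suffix is dropped."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def check_install(installed):
    """Return (to_upgrade, lagging): installed packages below their required version,
    in the recommended upgrade order, and (dependent, dependency) pairs where the
    dependency already moved to its new version but the dependent did not."""
    def outdated(name):
        return name in installed and version_key(installed[name]) < version_key(REQUIRED[name])

    to_upgrade = [n for n in UPGRADE_ORDER if outdated(n)]
    lagging = [(pkg, dep) for pkg, deps in DEPENDS_ON.items() if outdated(pkg)
               for dep in deps if dep in installed and not outdated(dep)]
    return to_upgrade, lagging

if __name__ == "__main__":
    print(check_install(parse_choco_list(SAMPLE_CHOCO_LIST)))
```

Paste real `choco list -lo` output in place of the constructed sample to check a machine; a non-empty `lagging` list means a dependent package must be upgraded before that component will work again.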

Release Notes

For more information on the features, improvements and bug fixes that have gone into these releases, please see the release notes:

Learn More
