Choco: Chocolatey is shipped with a vulnerable 7zip

Created on 2 May 2018  ·  11Comments  ·  Source: chocolatey/choco

Chocolatey is shipped with 7zip version 18.1.0.0 which allows remote code execution. While I doubt it is easily abused in the context of chocolatey or the choco packages, users that do not have full blown execution rights on a machine could abuse this vulnerable 7zip executable. Can a new choco version be published with an updated 7zip version?

https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/
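For anyone who wants to confirm which 7-Zip build their own Chocolatey install carries, here is an added check (example code written for this thread, not part of the issue, the linked write-up, or the Chocolatey project). It assumes the bundled helper lives at `<ChocolateyInstall>\tools\7z.exe`, with `$env:ChocolateyInstall` falling back to the default `C:\ProgramData\chocolatey`, and that the binary's FileVersion string parses as a .NET `[version]` (18.01 becoming 18.1.0.0, as in the report above). The cut-off of 18.05 comes from the disclosure timeline quoted later in this thread.

```powershell
# Added example, not from the issue or from Chocolatey: report whether the
# 7-Zip bundled with a Chocolatey install predates 18.05, the release that
# fixed CVE-2018-10115 according to the disclosure timeline quoted in this thread.
# Assumption: choco keeps its helper 7-Zip under <ChocolateyInstall>\tools\7z.exe.
$chocoRoot = if ($env:ChocolateyInstall) { $env:ChocolateyInstall } else { 'C:\ProgramData\chocolatey' }
$fixedIn   = [version]'18.05'   # parses as 18.5.0.0, matching how 18.01 shows up as 18.1.0.0

function Test-Choco7Zip {
    param([string]$Path = (Join-Path $chocoRoot 'tools\7z.exe'))

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "$Path not found; the install may use a different layout"
        return
    }

    # FileVersion is the string 7-Zip stamps on the executable, e.g. '18.01'
    $raw = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    $ver = $null
    if (-not [version]::TryParse($raw, [ref]$ver)) {
        Write-Warning "$Path : could not parse version '$raw'; inspect it manually"
        return
    }

    if ($ver -lt $fixedIn) {
        Write-Warning "$Path is 7-Zip $raw (older than 18.05): affected by CVE-2018-10115, upgrade choco"
    } else {
        Write-Output "$Path is 7-Zip $raw: includes the CVE-2018-10115 fix"
    }
}

Test-Choco7Zip
```

Run it in an elevated PowerShell so the tools folder is readable; a warning line means the bundled 7-Zip is still the affected build and the choco package itself needs updating, since the helper is shipped with choco rather than installed from the separate 7zip package.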


Duplicate Issue

All 11 comments

@Skons you understand responsible security reporting right?

Just because Chocolatey is open source, you should probably let us know privately so we can fix the issue - especially since it was just announced like yesterday.

https://chocolatey.org/security for next time. Please follow proper procedures for something like this.

I'm totally sorry for this, I thought I was doing this the right way.

No worries - security issues are sensitive. That's why that article had dates listed for when they found the vulnerability, let the vendor know and all of that before it became public.

https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/#timeline-of-disclosure :

Timeline of Disclosure
2018-03-06 - Discovery
2018-03-06 - Report
2018-04-14 - MITRE assigned CVE-2018-10115
2018-04-30 - 7-Zip 18.05 released, fixing CVE-2018-10115 and enabling ASLR on the executables.

@Skons it's no worries, and it did point out a gap in issue reporting process. Now we have it in the issue template to help folks down the right path.

We'll get this fixed and pushed out soon.

"This" being fixing the vulnerability.

Duplicate of #1557

I know this sounds weird to have a duplicate in a newer issue, but @gep13 must have thought this was on the chocolatey.org repo and created the new issue to point to as part of his pull request. 😄

@ferventcoder yeah, I had a bit of a noob moment, where I forgot about this issue when I was working through the process of doing the actual update. I had already created the commit, and referenced the new issue, so I thought I would leave it and hope nobody noticed 🎉

When doing the paperwork, it always comes up ;)
