Full backups every Friday (over the weekend). We will move choco clients to a default of not installing any package that doesn't include a checksum if it comes from a remote source, but provide configurable overrides (for those that need the functionality).Ĭopyright © 2016 RealDimensions Software, LLC, All rights reserved.We backup all our servers to tape. This event may move up the timeline on that requirement. We have been moving towards requiring checksums on all packages that download binaries, especially packages that use http instead of https for downloads. If you are running ` choco upgrade all`, please ensure you pin any packages in the list above so they are not upgraded to possibly malicious binaries.Ĭhecksum Requirement on Roadmap for Community Packages
Possible Action Necessary, Especially for Pro Users Please do not ignore checksums for the following packages as it could cause disastrous results. Packages with checksums will verify the binary and not allow the install during detection. This represents an entire list of all packages, including those with checksums. (all older versions starting from 26.2.2 back)Ĭomplete List - packages downloading from FOSSHub.Do not install or upgrade any of the following: These are packages that should be avoided at all costs. choco config set virusCheckMinimumPositives 1Īvoid - Packages downloading from FOSSHub without checksums.choco config set virusScannerType VirusTotal.For that reason you may wish to turn down the number of positives to 1 until this is resolved. See for details. Even with VirusTotal checks turned on, it appears that most scanners will not detect it. If you are using the community repository for packages (), please ensure that you have VirusTotal turned on as an added measure of protection. Since we do not know the extent of the compromise yet, we are sharing all packages that could potentially be affected (even though the hacker has only claimed a few). This issue appears to be one that is recoverable.
This will create issues for computers when they reboot. We just learned of a major compromise of FOSSHub, where a hacker was able to replace downloads with malicious binaries that overwrite your MBR (Master Boot Record). Chocolatey Advisory - FOSSHub Downloads Compromised - Possible Action for Community Repository Users Customer Advisory - FOSSHub Downloads Compromised
0 kommentar(er)
