Forum Thread: Secunia PSI does not know about new version of 7-zip

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
AnnOn Secunia PSI does not know about new version of 7-zip
Member 14th May, 2016 18:15
Ranking: 0
Posts: 2
User Since: 14th May, 2016
System Score: N/A
Location: CA
Hi,
I use the free Secunia PSI but when doing a scan 2016/05/14 the program listed the 7-zip program as up to date because 7-zip was version 9. However there has been a recent hacker exploit that has been fixed so the most recent version of 7-zip is 16.0.
I went to www.7-zip.org and got the most recent Windows msi installer and installed it. I am concerned that if I am relying on Secunia to watch the versions, how often do you check for versions and how did this change slip by? 7-zip is very very common and this issue was mentioned in many tech sites and security sites.

Maurice Joyce RE: Secunia PSI does not know about new version of 7-zip
Handling Contributor 14th May, 2016 18:40
Score: 12325
Posts: 9,575
User Since: 4th Jan 2009
System Score: N/A
Location: UK
There is no evidence on the 7 zip change log to suggest that the latest version has been released to fix a vulnerability - http://www.7-zip.org/history.txt

PSI only tracks the latest secure version which according to the 7 zip log is version 9.20. Any version released after that appears to be in ALPHA or BETA or has been released to fix a bug or for cosmetic reasons which PSI does not track.

Where did you find details of the vulnerability in a stable version after 9.20?

If no vulnerability exists and you want PSI to show the latest version you must suggest it to Flexera Secunia using the tool provided in PSI.

--
Maurice

Microsoft Surface 4 Intel i7 64Bit
Windows 10 Pro version 1809 Build 17763.404
16 GB RAM
IE & Edge Only
AnnOn RE: Secunia PSI does not know about new version of 7-zip
Member 14th May, 2016 19:01
Score: 0
Posts: 2
User Since: 14th May 2016
System Score: N/A
Location: CA
The SANS Institute <NewsBites@sans.org> sends out regular newsletters about security issues. Yesterday's newsletter included items that happened over the past few days and included this:
--7-Zip Vulnerabilities
May 11, 2016
A number of security media sites are posting articles based on security
vulnerabilities in 7-Zip discovered and reported by Marcin Noga of Cisco
Talos. 7-Zip is a popular compression tool that also supports AES-256
encryption. It has been incorporated into other programs, websites and
appliances so some users may not realize they are using it.
http://www.theregister.co.uk/2016/05/12/popular_zi...
http://www.networkworld.com/article/3069937/securi...
[Editor's Note (Northcutt): This is more serious than the DLL Hijack
problem of last year, the Cisco Talos blog post is here:
http://blog.talosintel.com/2016/05/multiple-7-zip-...
http://www.cvedetails.com/vendor/9220/7-zip.html
https://packetstormsecurity.com/files/134742/7-Zip...
(Murray): Almost everyone uses it at some time or another. The
mitigation continues to be not to open compressed files from untrusted
sources.]

Please be much more specific as to how suggestions for updates are to be sent?
Maurice Joyce RE: Secunia PSI does not know about new version of 7-zip
Handling Contributor 15th May, 2016 00:28
Score: 12325
Posts: 9,575
User Since: 4th Jan 2009
System Score: N/A
Location: UK
You have not stated which version of PSI you are using so I will assume version 3.

Open the programme>click on show programs>top right under Secunia you will see Add program>click on that and fill out the details required>click Send data

If you fill out the optional detail Flexera will respond by email.



--
Maurice

Microsoft Surface 4 Intel i7 64Bit
Windows 10 Pro version 1809 Build 17763.404
16 GB RAM
IE & Edge Only
Anthony Wells RE: Secunia PSI does not know about new version of 7-zip
Expert Contributor 15th May, 2016 19:18
Score: 2542
Posts: 3,402
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Hi,

As I read it, 7-Zip only seem to mention bug fixes in version 16.0 whilst other reporting seems to assume/imply that the security flaws as reported by Cisco are fixed.

My PSI (2.0.0.3003) reports version 9.20 as secure as stand alone and in various software, e.g. CyberLink software.

I have downloaded 7-Zip version 16.0 and it is also displayed "correctly??" as secure by the PSI.

Whichever way, there certainly seems to be a serious security flaw on the loose.

Hopefully some clarity concerning the affected .dlls will be forthcoming ASAP.

Take care

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
Maurice Joyce RE: Secunia PSI does not know about new version of 7-zip
Handling Contributor 20th May, 2016 18:17
Score: 12325
Posts: 9,575
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 22nd May, 2016 09:24
The latest version is now 16.01 released yesterday - read about it here: https://sourceforge.net/p/sevenzip/discussion/4579...

The download link is here:
http://www.7-zip.org/

Version 16 did clear the vulnerability - read about it here (about half way down as an answer to a query):

https://sourceforge.net/p/sevenzip/discussion/4579...

EDIT: Latest version 16.02 - a bug fix release - details here https://sourceforge.net/p/sevenzip/discussion/4579...

--
Maurice

Microsoft Surface 4 Intel i7 64Bit
Windows 10 Pro version 1809 Build 17763.404
16 GB RAM
IE & Edge Only
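
Added example, not part of the thread and not Secunia's or Flexera's code: a small model of the "latest secure version" comparison described in the replies above, showing how the same inventory reads under the 9.20 baseline and under 16.0, the version the last reply says cleared the vulnerability. Host names are constructed; the function names are hypothetical.

```python
import re

# Constructed inventory: version strings as they appear in the thread,
# host names invented for the example.
INVENTORY = [
    ("host-a", "9.20"),
    ("host-b", "15.14 beta"),
    ("host-c", "16.0"),
    ("host-d", "16.02"),
]

def parse_version(text):
    """Parse '9.20', '16.0' or '15.14 beta' into a comparable (major, minor) tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\s+(?:alpha|beta))?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2))

def classify(installed, secure_baseline):
    """A scanner that tracks only a secure baseline flags versions below it."""
    if parse_version(installed) >= parse_version(secure_baseline):
        return "secure"
    return "insecure"

def scan(inventory, secure_baseline):
    """Return {host: verdict} for every (host, version) pair."""
    return {host: classify(version, secure_baseline) for host, version in inventory}

def hidden_by_stale_baseline(inventory, old_baseline, new_baseline):
    """Hosts reported secure under the old baseline but insecure under the new one."""
    before = scan(inventory, old_baseline)
    after = scan(inventory, new_baseline)
    return sorted(h for h in before
                  if before[h] == "secure" and after[h] == "insecure")

if __name__ == "__main__":
    print("baseline 9.20:", scan(INVENTORY, "9.20"))
    print("baseline 16.0:", scan(INVENTORY, "16.0"))
    print("hidden while baseline was stale:",
          hidden_by_stale_baseline(INVENTORY, "9.20", "16.0"))
```

Until the scanner's baseline moves, every host in the sample reads as secure, which is why an independent check against the vendor's fixed version is worth keeping alongside the scanner.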
