We delayed the meeting we were supposed to have on 30-Jan that was also supposed to be when we shipped WiX v5.0.0-rc.1. We did not delay the meeting because we're behind schedule on WiX v5.0.0-rc.1. Well, to clarify, we didn't delay the meeting only because we're behind schedule on WiX v5.0.0-rc.1. We also had a security issue reported against WiX and those delightful and dedicated folks at FireGiant were kind enough to sponsor Rob and me to mitigate the issue and prepare new releases. Read on for details.
WiX v4.0.4 and v3.14 security releases
An attacker could use Windows DLL redirection behavior to escalate privileges using a Burn bundle. All versions of WiX are affected and we recommending upgrading to WiX v4.0.4 or v3.14 as soon as possible. For details, see the security release blog post.
WiX v5 release plan
Because Rob and I were tied up most of last week on this issue, progress on WiX v5 naturally trended downward toward zero. Therefore, we're readjusting the WiX v5 schedule (again). Given the nature of the changes, we decided we're comfortable skipping the last scheduled release candidate and moving everything else out. That means the WiX v5 release dates are now:
- v5.0.0-rc.1 on 27-Feb-2024
- v5.0.0-rc.2 on 26-Mar-2024
- v5.0.0 on 5-Apr-2024
Issue triage
Prepare WiX v5.0.0-rc.1 documentation, from @barnson, is mostly a reminder to myself that we need to add some pages to the WiX documentation site so everyone interested can find out about all the cool new features in WiX v5.
IOException when building from file share, from @murphyjawow, reports an i/o error when building a managed-code custom action with payloads on a file share. WiX v4 added i/o retries in the core toolset to correct transient errors. Similar logic could be applied to the MakeSfxCA tool. This issue is
up for grabs.Bundle splash screen showing on removal of previous base version during upgrade, from @yuvnith, says that splash screens are showing up during bundle uninstall. They shouldn't but maybe the code that's supposed to prevent it thinks splash screens are pretty and wants to show them anyway. This issue is
up for grabs.Figure out
Overridable, from @barnson, came to mind when I was improving the error message when mixing virtual symbols. We decided that for WiX v5, we should use thevirtualaccess modifier instead of theOverridableattribute for extension authoring. That will help when people copy and pasteCustomelement authoring to reschedule custom actions from extensions. We can talk later about how best to deal with potential language changes.WixToolset.Dtf.CustomAction calling session.GetProductProperty throws an exception, from @AdvancedNotifier, reports a crash using a
Sessionmethod that maybe shouldn't be aSessionmethod in the first place. This issue isup for grabs.