Setup Matters

Usually, announcing a new release of WiX is a happy occasion, with celebrations involving cake and adult beverages. Today, not so much. We are...well, not happy, exactly, perhaps merely resigned...to announce security releases of WiX to address two security vulnerabilities, one in a WiX custom action and one in the Burn bootstrapper engine. FireGiant has fixed the vulnerabilities in new releases of WiX v3, v4, and v5. Read on for details about the vulnerabilities and how to get the latest fixes.

The second release candidate of WiX v5 is now available. It contains a small number of (also small) bug fixes -- and includes fixes for the security vulnerabilities we announced today.

Late last week we were very happy to announce that WiX v5.0.0-rc.1 had been released -- and today, we triaged a handful of issues from users who jumped on it and are helping us prove that WiX v5 is, after some fixes, at least, is going to be a great release. To look at our release plan and peek at the issues so far uncovered, read on.

WiX v5.0.0-rc.1, the first release candidate of our first annual release cadence, is now available for your packaging pleasure. Download it, use it -- it's an easy job to switch from WiX v4 -- and report any bugs you discover.

Today is the day we'd scheduled to ship WiX v5.0.0-rc.1. That's not going to happen, unfortunately, but in what is probably a coincidence (but maybe isn't?!), 2024 gives us until the 29th to still ship in February.

There is a Windows DLL redirection behavior that an attacker could use to escalate privileges using a Burn bundle. All versions of WiX are affected by this vulnerability. FireGiant has prepared mitigations for this behavior that we're releasing today in WiX v4.0.4 and WiX v3.14. We recommending upgrading to these versions as soon as possible.