2.6.1 - Important security fix

@Sparkle-Bot Sparkle-Bot released this 02 May 20:29

This update fixes a vulnerability that allows an attacker to replace an existing signed update with another payload, which bypasses Sparkle’s (Ed)DSA signing checks (#2550). Apps that serve updates over HTTPS (most if not all apps) are not immediately impacted because the server hosting the update (or a CA) needs to first be compromised for an attacker to exploit this issue. Updating Sparkle with this fix ASAP is still strongly recommended, however, because an important security layer can be bypassed.

All older versions of Sparkle are affected by this bug. Patches are also available for 1.27.1 (bbe887e) and 2.2.2 (bb1e4d0). I will soon evaluate if it’s feasible to publish older versions (1.27.2 and 2.2.3) with this fix for supporting older operating system versions.

Please check the Discussions topic for this release for more details or follow up.

Overall changes in 2.6.1:

  • Extract archives in a separate directory from the input archive and fix a security vulnerability (#2550) (Zorg)
  • Fix the release notes WebKit view not updating background when transitioning from light to dark mode (#2542) (Zorg)
  • Add NN (Norwegian Nynorsk) locale (#2532) (Sjur N Moshagen, Zorg)
  • Create tar.xz files with built-in tar and remove bzip2 fallback for creating a release distribution (#2535) (Zorg)
  • Add fallback in case SULocalizedStringFromTableInBundle() fails (#2533) (Zorg)
  • Remove assert on download response being available fixing rare crash (#2547) (Zorg)
  • Clarify when authorization prompt may show in SPUUserDriver documentation (#2531, #2534) (Zorg)
  • Fix typos in codebase (#2537) (Viktor Szépe)