Update to Sparkle 1.13.1 or newer #45

Closed
t3rminus opened this issue Feb 9, 2016 · 4 comments

t3rminus commented Feb 9, 2016

A critical MITM vulnerability has been disclosed in the Sparkle framework:
http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/

A fix has been released as of version 1.13.1. KeepingYouAwake was one of the few apps on my system flagged for using an older version.
https://github.com/sparkle-project/Sparkle/releases/tag/1.13.1

I would be extremely happy to see this resolved quickly.

@newmarcel
Owner

I already committed the new Sparkle version in master and 1.4beta1 shipped with Sparkle 1.13.1 as will 1.4.

aa0265e

Thanks for reporting, it's a serious issue 👍

I'll close this issue when I've shipped a stable release with the updated Sparkle.

@alvarnell

Although the Sparkle.framework version is older, KeepingYouAwake uses https for its update, so it should not be vulnerable to this issue.

-Al-

@alvarnell

Sorry, I was looking at v1.22b1 which used https, but for whatever reason I see that v1.3.1 did not. So looks like I need to update to v1.4b1 immediately.

-Al-

@alexandreleroux
Contributor

I suggest closing this ticket since KYA version 1.4.0 includes Sparkle 1.14.0
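
Added example (not part of this thread, and not KeepingYouAwake or Sparkle project code): a small audit that checks the two things discussed above for an app bundle, the bundled Sparkle version against 1.13.1 and whether the `SUFeedURL` in the app's `Info.plist` uses https. The framework path `Sparkle.framework/Versions/A/Resources/Info.plist` is an assumed bundle layout, the helper names are hypothetical, and the sample bundles are constructed fixtures.

```python
import plistlib, re, sys, tempfile
from pathlib import Path

FIXED = (1, 13, 1)  # first fixed Sparkle release named in this issue

def version_tuple(text):
    """'1.13.1' -> (1, 13, 1); '1.5 git-abc' -> (1, 5, 0); unparsable -> (0, 0, 0)."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else (0, 0, 0)

def read_plist(path):
    """Parse an XML or binary plist; unreadable or malformed files yield {}."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception:
        return {}
    return data if isinstance(data, dict) else {}

def audit_app(app):
    """Return None if the bundle has no Sparkle.framework, else a finding dict."""
    app = Path(app)
    fw = app / "Contents/Frameworks/Sparkle.framework"
    if not fw.is_dir():
        return None
    # Assumed layout: the framework's own Info.plist carries its version.
    ver = str(read_plist(fw / "Versions/A/Resources/Info.plist").get("CFBundleShortVersionString", ""))
    feed = str(read_plist(app / "Contents/Info.plist").get("SUFeedURL", ""))
    outdated = version_tuple(ver) < FIXED          # unknown version counts as outdated
    https_feed = feed.lower().startswith("https://")  # missing feed counts as not https
    return {"app": app.name, "sparkle": ver, "feed": feed, "outdated": outdated,
            "https_feed": https_feed, "exposed": outdated and not https_feed}

def build_sample_app(root, name, sparkle_version, feed_url):
    """Constructed fixture: a minimal fake .app bundle, not a real application."""
    app = Path(root) / f"{name}.app"
    res = app / "Contents/Frameworks/Sparkle.framework/Versions/A/Resources"
    res.mkdir(parents=True)
    (res / "Info.plist").write_bytes(plistlib.dumps({"CFBundleShortVersionString": sparkle_version}))
    (app / "Contents/Info.plist").write_bytes(plistlib.dumps({"SUFeedURL": feed_url}))
    return app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed samples; pass a directory to scan real apps
        build_sample_app(tmp, "OldHttp", "1.5", "http://updates.example.invalid/appcast.xml")
        build_sample_app(tmp, "Patched", "1.13.1", "https://updates.example.invalid/appcast.xml")
        for app in sorted(Path(sys.argv[1] if len(sys.argv) > 1 else tmp).glob("*.app")):
            print(audit_app(app))
```

An empty `SUFeedURL` is reported as not https because the audit cannot confirm the transport from the plist alone; such apps need a manual look.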
