Update to Sparkle 1.13.1 or newer #45
Comments
I already committed the new Sparkle version in master and 1.4beta1 shipped with Sparkle 1.13.1 as will 1.4. Thanks for reporting, it's a serious issue 👍 I'll close this issue when I've shipped a stable release with the updated Sparkle.
Although the Sparkle.framework version is older, KeepingYouAwake uses https for its update, so it should not be vulnerable to this issue. -Al- On Tue, Feb 09, 2016 at 03:18 PM, Kevin S wrote:
Sorry, I was looking at v1.22b1 which used https, but for whatever reason I see that v1.3.1 did not. So looks like I need to update to v1.4b1 immediately. -Al- On Wed, Feb 10, 2016 at 12:00 AM, Al Varnell wrote:
I suggest closing this ticket since KYA version 1.4.0 includes Sparkle 1.14.0
A critical MITM vulnerability has been disclosed in the Sparkle framework:
http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/
A fix has been released as of version 1.13.1. KeepingYouAwake was one of the few apps on my system flagged for using an older version.
https://github.com/sparkle-project/Sparkle/releases/tag/1.13.1
I would be extremely happy to see this resolved quickly.
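As an added example (not part of the original issue, and not code from the KeepingYouAwake or Sparkle projects), the two conditions discussed in this thread, a bundled Sparkle older than 1.13.1 and an update feed fetched over plain HTTP, can be checked statically for an app bundle. It assumes Sparkle's usual bundle layout and its `SUFeedURL` Info.plist key; the status names, the sample bundles and the `example.invalid` URLs are constructed for illustration.

```python
import plistlib, tempfile
from pathlib import Path
from urllib.parse import urlparse

FIXED = (1, 13, 1)  # first Sparkle release carrying the fix, per the issue text

def parse_version(s):
    """'1.13.1' -> (1, 13, 1); stops at the first non-numeric part ('1.5 Beta 6' -> (1, 5))."""
    parts = []
    for p in (s.split() or [""])[0].split("."):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)

def audit_app(app):
    """Classify a bundle: no-sparkle, fixed, outdated-http, outdated-https, outdated-feed-unknown."""
    app = Path(app)
    fw = sorted(app.glob("Contents/Frameworks/Sparkle.framework/Versions/*/Resources/Info.plist"))
    if not fw:
        return "no-sparkle"
    info = plistlib.loads(fw[0].read_bytes())
    if parse_version(str(info.get("CFBundleShortVersionString", ""))) >= FIXED:
        return "fixed"
    # SUFeedURL names the appcast; an app may also set its feed in code or in
    # user defaults, which this static check cannot see.
    feed = plistlib.loads((app / "Contents/Info.plist").read_bytes()).get("SUFeedURL")
    if not feed:
        return "outdated-feed-unknown"
    return "outdated-http" if urlparse(feed).scheme.lower() == "http" else "outdated-https"

def make_bundle(root, name, sparkle, feed):
    """Build a constructed sample bundle (not a real app) for the demo below."""
    app = Path(root) / f"{name}.app"
    res = app / "Contents/Frameworks/Sparkle.framework/Versions/A/Resources"
    res.mkdir(parents=True)
    (res / "Info.plist").write_bytes(plistlib.dumps({"CFBundleShortVersionString": sparkle}))
    (app / "Contents/Info.plist").write_bytes(plistlib.dumps({"SUFeedURL": feed} if feed else {}))
    return app

if __name__ == "__main__":
    samples = [("OldHttp", "1.5 Beta 6", "http://example.invalid/appcast.xml"),
               ("OldHttps", "1.11.0", "https://example.invalid/appcast.xml"),
               ("Fixed", "1.13.1", "http://example.invalid/appcast.xml")]
    with tempfile.TemporaryDirectory() as tmp:
        for name, ver, feed in samples:
            print(name, audit_app(make_bundle(tmp, name, ver, feed)))
```

On a real system, `audit_app` would be called on each bundle under `/Applications`; an `outdated-https` result is still worth updating, since the verdict depends only on what the app's Info.plist declares.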