2.6.3 - Important security fix #2551
zorgiepoo
announced in Announcements
Alright, I got around to properly putting out a 1.27.3 backport release for Sparkle 1 (including publishing to CocoaPods, which was a pain). For older versions of Sparkle 2, a 2.2.x branch based on 2.2.2 is available. I also updated the security and reliability changes page.
2.6.2 fixes a vulnerability that allows an attacker to replace an existing signed update with another payload, which bypasses Sparkle’s (Ed)DSA signing checks (#2550). Apps that serve updates over HTTPS (most if not all apps) are not immediately impacted because the server hosting the update (or a CA) needs to first be compromised for an attacker to exploit this issue. Updating Sparkle with this fix ASAP is still strongly recommended, however, because an important security layer can be bypassed.
All older versions of Sparkle are affected by this bug. This fix is backported to 1.27.3 for Sparkle 1. For older versions of Sparkle 2, a 2.2.x branch is available with the fix, which is based on 2.2.2 (Note: I do not think I will publish an official 2.2.3 release).
I discovered this issue while working on #2550 and revisiting the unarchiver logic, which has been functioning this way for a very long time.
Other changes/fixes contained in this release are noted in the releases page, including a WebKit light/dark mode fix.
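As an added illustration, not Sparkle's own code: a minimal Go model of the property this announcement is about, where the Ed25519 (EdDSA) signature published in the appcast is verified over the exact archive bytes that are then handed to the unarchiver, so a substituted payload cannot reuse an existing signature. The key pair, archive contents and the `unarchive` callback are constructed for the demo; Sparkle's real appcast attribute and unarchiver are referenced only by analogy.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// ErrBadSignature: the archive bytes do not match the appcast signature.
var ErrBadSignature = errors.New("update archive failed EdDSA verification")

// NewSigningKeys generates a publisher key pair (constructed for this demo;
// a shipping app embeds only the public key and keeps the private key offline).
func NewSigningKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignArchive produces the base64 signature a publisher would place in the
// appcast entry, computed over the whole archive file.
func SignArchive(priv ed25519.PrivateKey, archive []byte) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, archive))
}

// VerifyUpdateArchive checks the signature over the exact bytes that will be
// handed to the unarchiver, so a swapped payload cannot inherit a valid signature.
func VerifyUpdateArchive(pub ed25519.PublicKey, archive []byte, sigB64 string) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("public key has wrong length")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("malformed signature: %w", err)
	}
	if !ed25519.Verify(pub, archive, sig) { // also false for a wrong-length sig
		return ErrBadSignature
	}
	return nil
}

// InstallUpdate enforces the ordering: verify first, then unarchive the same
// byte slice. The unarchiver never sees bytes that failed verification.
func InstallUpdate(pub ed25519.PublicKey, archive []byte, sigB64 string, unarchive func([]byte) error) error {
	if err := VerifyUpdateArchive(pub, archive, sigB64); err != nil {
		return err
	}
	return unarchive(archive)
}
```

The important detail is that `InstallUpdate` extracts from the verified slice itself rather than re-reading the file after the check, which removes the window in which the payload could change.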