All Sparkle versions older than 1.13.1 which fetch appcast or release notes over insecure HTTP connection are vulnerable to a man-in-the-middle attack that can lead to disclosure of local files or remote code execution.
Thanks to Radoslaw Karpowicz for reporting the vulnerability.
OS X 10.7 or later required
Make sure you add a <sparkle:minimumSystemVersion>10.7</sparkle:minimumSystemVersion> tag to the <item>s in your appcast. Sparkle will crash on Snow Leopard.
If you require 10.6 support, then switching to HTTPS is the only option.
HTTPS or ATS exception required
OS X 10.11 deprecated HTTP and blocks updates unless you use HTTPS or disable App Transport Security.
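As an added example (not Sparkle's own code), a small Python check that audits an appcast against both requirements above: every enclosure and release-notes URL must be HTTPS, and every <item> must carry a sparkle:minimumSystemVersion of at least 10.7. The sample appcast and the example.invalid URLs are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"
MIN_OS = (10, 7)  # Sparkle 1.13.1 crashes on anything older

# Constructed sample appcast: "Version 2.1" is compliant, "Version 2.0" is not.
SAMPLE_APPCAST = f"""<rss version="2.0" xmlns:sparkle="{SPARKLE_NS}">
<channel>
<item>
  <title>Version 2.1</title>
  <sparkle:minimumSystemVersion>10.7</sparkle:minimumSystemVersion>
  <sparkle:releaseNotesLink>https://example.invalid/notes/2.1.html</sparkle:releaseNotesLink>
  <enclosure url="https://example.invalid/App-2.1.zip" sparkle:version="2.1"/>
</item>
<item>
  <title>Version 2.0</title>
  <sparkle:releaseNotesLink>http://example.invalid/notes/2.0.html</sparkle:releaseNotesLink>
  <enclosure url="http://example.invalid/App-2.0.zip" sparkle:version="2.0"/>
</item>
</channel>
</rss>"""


def _version_tuple(text):
    return tuple(int(part) for part in text.strip().split("."))


def audit_appcast(xml_text):
    """Return (item title, problem) findings; an empty list means compliant."""
    findings = []
    for item in ET.fromstring(xml_text).iter("item"):
        title = item.findtext("title", default="<untitled>")
        # Every URL Sparkle fetches for this item (download and release notes)
        # must be HTTPS, otherwise a network attacker can tamper with it.
        urls = [e.get("url", "") for e in item.findall("enclosure")]
        urls += [e.text or "" for e in item.findall(f"{{{SPARKLE_NS}}}releaseNotesLink")]
        for url in urls:
            if urlparse(url).scheme != "https":
                findings.append((title, f"insecure URL: {url}"))
        # The item must exclude systems older than 10.7 (Snow Leopard crashes).
        min_sys = item.findtext(f"{{{SPARKLE_NS}}}minimumSystemVersion")
        if min_sys is None:
            findings.append((title, "missing sparkle:minimumSystemVersion"))
        elif _version_tuple(min_sys) < MIN_OS:
            findings.append((title, f"minimumSystemVersion {min_sys.strip()} is below 10.7"))
    return findings
```

Run it against your real appcast before publishing; any finding means the feed still exposes users to the issue described above or to the Snow Leopard crash.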
The binary was built before the vulnerability was public, and the commit hash embedded in the binary is unintentionally different from the tag created later on GitHub. However, we've verified that the binary contains the fixes. Sorry for the confusion.