
Important security fix

@kornelski kornelski released this 29 Jan 15:21

HTTP MITM vulnerability

All Sparkle versions older than 1.13.1 that fetch the appcast or release notes over an insecure HTTP connection are vulnerable to a man-in-the-middle attack that can lead to disclosure of local files or remote code execution.

Applications using Sparkle with an HTTPS appcast feed URL and HTTPS release notes links (if any) are safe. We strongly recommend that everyone switch to HTTPS (it's fast and certificates are free).

The vulnerability is fixed in version 1.13.1. Patches for older versions are available: a6e9c8a 70f6929

Thanks to Radoslaw Karpowicz for reporting the vulnerability.

OS X 10.7 or later required

Make sure you add the <sparkle:minimumSystemVersion>10.7</sparkle:minimumSystemVersion> tag to the <item>s in your appcast. Sparkle will crash on Snow Leopard.

If you require 10.6 support, then switching to HTTPS is the only option.

HTTPS or ATS exception required

OS X 10.11 deprecated HTTP and blocks updates unless you use HTTPS or disable App Transport Security.
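The two requirements above (HTTPS for release notes and enclosure URLs, and a minimumSystemVersion of 10.7 on every item) can be checked mechanically before an appcast is published. The checker below is an added example, not part of Sparkle or this release; it parses a constructed sample feed using Sparkle's appcast XML namespace and reports each item that still uses plain HTTP or lacks the tag. The feed URL itself lives in the app's Info.plist, so it is not covered here.

```python
import xml.etree.ElementTree as ET

# Namespace used by Sparkle appcast elements (sparkle:releaseNotesLink etc.)
SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"

# Constructed sample appcast (not a real feed): the first item violates the
# advisory's guidance, the second follows it.
SAMPLE_APPCAST = """<rss version="2.0"
     xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
  <channel>
    <item>
      <title>Version 2.0</title>
      <sparkle:releaseNotesLink>http://example.invalid/notes/2.0.html</sparkle:releaseNotesLink>
      <enclosure url="http://example.invalid/App-2.0.zip" sparkle:version="200" />
    </item>
    <item>
      <title>Version 2.1</title>
      <sparkle:releaseNotesLink>https://example.invalid/notes/2.1.html</sparkle:releaseNotesLink>
      <sparkle:minimumSystemVersion>10.7</sparkle:minimumSystemVersion>
      <enclosure url="https://example.invalid/App-2.1.zip" sparkle:version="210" />
    </item>
  </channel>
</rss>
"""


def check_appcast(xml_text):
    """Return (item title, problem) tuples for every item that fetches
    something over plain HTTP or lacks the minimumSystemVersion tag."""
    ns = {"sparkle": SPARKLE_NS}
    findings = []
    root = ET.fromstring(xml_text)
    for item in root.iter("item"):
        title = item.findtext("title", default="<untitled>")
        notes = item.find("sparkle:releaseNotesLink", ns)
        if notes is not None and not (notes.text or "").strip().startswith("https://"):
            findings.append((title, "release notes link is not HTTPS"))
        enclosure = item.find("enclosure")
        url = enclosure.get("url", "") if enclosure is not None else ""
        if not url.startswith("https://"):
            findings.append((title, "enclosure URL is not HTTPS"))
        if item.find("sparkle:minimumSystemVersion", ns) is None:
            findings.append((title, "missing sparkle:minimumSystemVersion (1.13.1 needs 10.7)"))
    return findings


if __name__ == "__main__":
    for title, problem in check_appcast(SAMPLE_APPCAST):
        print(f"{title}: {problem}")
```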


The binary was built before the vulnerability was public, and the commit hash in the binary is unintentionally different from the tag created later on GitHub. However, we've verified that the binary contains the fixes. Sorry for the confusion.