Important security fix
HTTP MITM vulnerability
All Sparkle versions older than 1.13.1 that fetch the appcast or release notes over an insecure HTTP connection are vulnerable to a man-in-the-middle attack that can lead to disclosure of local files or remote code execution.
Applications using Sparkle with HTTPS appcast feed URLs and HTTPS release notes links (if any) are safe. We strongly recommend that everyone switch to HTTPS (it's fast and certificates are free).
The vulnerability is fixed in version 1.13.1. Patches for older versions are available: a6e9c8a and 70f6929.
Thanks to Radoslaw Karpowicz for reporting the vulnerability.
OS X 10.7 or later required
Make sure you add a <sparkle:minimumSystemVersion>10.7</sparkle:minimumSystemVersion> tag to the <item>s in your appcast. Sparkle 1.13.1 will crash on Snow Leopard (10.6), so the tag prevents 10.6 users from being offered an update they cannot run.
If you still need to support 10.6, you cannot upgrade to 1.13.1; switching your appcast and release notes to HTTPS is the only way to protect those users from the attack.
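The two appcast requirements above (HTTPS for every URL Sparkle fetches, and a minimumSystemVersion of at least 10.7 on each item) are easy to check mechanically. The following audit script is an added example, not part of Sparkle or this release; it uses the standard Sparkle XML namespace and a constructed sample appcast with one clean item and one item that violates both requirements. The example.invalid hostnames are placeholders.

```python
"""Audit a Sparkle appcast for plaintext HTTP URLs and for <item>s that lack a
sparkle:minimumSystemVersion of at least 10.7.

Added example, not Sparkle project code. Sample appcast below is constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Sparkle's appcast namespace (the real one used by Sparkle feeds).
SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"
NS = {"sparkle": SPARKLE_NS}

# Constructed sample: "Version 2.1" is compliant, "Version 2.0" is not.
SAMPLE_APPCAST = f"""<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:sparkle="{SPARKLE_NS}">
  <channel>
    <title>Example App Changelog</title>
    <item>
      <title>Version 2.1</title>
      <sparkle:releaseNotesLink>https://example.invalid/notes/2.1.html</sparkle:releaseNotesLink>
      <sparkle:minimumSystemVersion>10.7</sparkle:minimumSystemVersion>
      <enclosure url="https://example.invalid/downloads/ExampleApp-2.1.zip"
                 sparkle:version="210" sparkle:shortVersionString="2.1"
                 length="1234567" type="application/octet-stream" />
    </item>
    <item>
      <title>Version 2.0</title>
      <sparkle:releaseNotesLink>http://example.invalid/notes/2.0.html</sparkle:releaseNotesLink>
      <enclosure url="http://example.invalid/downloads/ExampleApp-2.0.zip"
                 sparkle:version="200" sparkle:shortVersionString="2.0"
                 length="1234567" type="application/octet-stream" />
    </item>
  </channel>
</rss>
"""


def version_tuple(s):
    """Turn '10.6.8' into (10, 6, 8) so versions compare numerically."""
    return tuple(int(p) for p in s.strip().split("."))


def audit_appcast(xml_text, min_os=(10, 7)):
    """Return a list of (item_title, problem) tuples; empty means compliant."""
    findings = []
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    for item in root.iter("item"):
        title_el = item.find("title")
        title = (title_el.text or "").strip() if title_el is not None else "<untitled>"

        # Every URL Sparkle may fetch for this item: the update archive,
        # the release notes page, and the plain RSS <link>, if present.
        urls = []
        enc = item.find("enclosure")
        if enc is not None and enc.get("url"):
            urls.append(("enclosure", enc.get("url")))
        for tag in ("sparkle:releaseNotesLink", "link"):
            el = item.find(tag, NS)
            if el is not None and el.text:
                urls.append((tag, el.text.strip()))
        for what, url in urls:
            if urlparse(url).scheme.lower() != "https":
                findings.append((title, f"{what} is not HTTPS: {url}"))

        # Items without a minimumSystemVersion >= 10.7 would be offered to
        # 10.6 users, where Sparkle 1.13.1 crashes.
        msv = item.find("sparkle:minimumSystemVersion", NS)
        if msv is None or not msv.text:
            findings.append((title, "missing sparkle:minimumSystemVersion"))
        elif version_tuple(msv.text) < min_os:
            findings.append((title, f"minimumSystemVersion {msv.text.strip()} is below "
                                    + ".".join(map(str, min_os))))
    return findings


if __name__ == "__main__":
    for item_title, problem in audit_appcast(SAMPLE_APPCAST):
        print(f"[{item_title}] {problem}")
```

Run it against your real feed by reading the file into audit_appcast; any finding for a shipped item means either a MITM exposure (non-HTTPS URL) or a potential crash for Snow Leopard users (missing or too-low minimumSystemVersion).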
HTTPS or ATS exception required
OS X 10.11 deprecated plaintext HTTP: App Transport Security blocks updates unless you serve the appcast and downloads over HTTPS or add an ATS exception for your update host in the app's Info.plist.
The binary was built before the vulnerability was public, so the commit hash embedded in the binary is unintentionally different from the tag created later on GitHub. However, we've verified that the binary contains the fixes. Sorry for the confusion.