#682 ✓verified
MathieuK

Update to SparkleUpdate 1.13.1 due to vulnerabilities in SparkleUpdate.

Reported by MathieuK | February 2nd, 2016 @ 04:40 PM | in 2.0.30_2016.07 (closed)

MacGPG (and its friends) uses a SparkleUpdate version ( https://github.com/GPGTools/MacGPG2/commit/50109797ce0213c066db7a1b... => https://github.com/sparkle-project/Sparkle/commits/a98a3fa ) which has some vulnerabilities: https://vulnsec.com/2016/osx-apps-vulnerabilities/ . Even though MacGPG does use an HTTPS URL as SUFeedURL, it's still possible for someone who is able to manipulate the Appcast XML file to attack a client that has that unsafe version of SparkleUpdate.

SparkleUpdate has provided an update in the form of 1.13.1:
https://github.com/sparkle-project/Sparkle/commit/0fe520f95b56a44a6...

Please update MacGPG with the most recent version of SparkleUpdate.
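An added example, not part of the ticket or of MacGPG's own code: a Python audit script that walks a directory of .app bundles, reads the embedded Sparkle.framework's Info.plist, flags any release older than 1.13.1, and also records whether the app's SUFeedURL is HTTPS (the ticket's point being that an HTTPS feed alone does not cover the appcast-parsing flaws). It assumes the framework's Info.plist sits at Sparkle.framework/Resources/Info.plist (or Versions/A/Resources/Info.plist) with the release number in CFBundleShortVersionString; make_sample_bundle is a constructed fixture for running it offline.

```python
import os
import plistlib
import re
import tempfile

FIXED_VERSION = "1.13.1"  # the Sparkle release the ticket names as carrying the fix
# Assumed locations of the framework's Info.plist inside an .app bundle.
SPARKLE_PLISTS = ("Contents/Frameworks/Sparkle.framework/Resources/Info.plist",
                  "Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Info.plist")

def parse_version(text):
    """'1.13.1' -> (1, 13, 1); every numeric run counts, so '1.13.1 (1234)' -> (1, 13, 1, 1234)."""
    return tuple(int(n) for n in re.findall(r"\d+", str(text)))

def is_vulnerable_sparkle(version):
    """True when the bundled Sparkle predates 1.13.1; an unparseable version is treated as old."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def audit_app(app_path):
    """Sparkle version, vulnerable flag, and whether SUFeedURL is HTTPS (None if no feed key)."""
    report = {"app": app_path, "sparkle_version": None, "vulnerable": False, "feed_https": None}
    for rel in SPARKLE_PLISTS:
        plist = os.path.join(app_path, rel)
        if os.path.isfile(plist):
            with open(plist, "rb") as fh:
                version = str(plistlib.load(fh).get("CFBundleShortVersionString", ""))
            report.update(sparkle_version=version, vulnerable=is_vulnerable_sparkle(version))
            break
    app_plist = os.path.join(app_path, "Contents", "Info.plist")
    if os.path.isfile(app_plist):
        with open(app_plist, "rb") as fh:
            feed = plistlib.load(fh).get("SUFeedURL")
        report["feed_https"] = feed.lower().startswith("https://") if feed else None
    return report

def audit_directory(root="/Applications"):
    """Reports for every .app directly under root that embeds Sparkle (any version)."""
    apps = [os.path.join(root, n) for n in sorted(os.listdir(root)) if n.endswith(".app")]
    return [r for r in map(audit_app, apps) if r["sparkle_version"] is not None]

def make_sample_bundle(name, sparkle_version, feed_url):
    """Constructed fixture (not a real app): minimal .app plus Sparkle.framework in a temp dir."""
    app = os.path.join(tempfile.mkdtemp(), name)
    files = {SPARKLE_PLISTS[0]: {"CFBundleShortVersionString": sparkle_version},
             "Contents/Info.plist": {"SUFeedURL": feed_url}}
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(app, rel)), exist_ok=True)
        with open(os.path.join(app, rel), "wb") as fh:
            plistlib.dump(data, fh)
    return os.path.dirname(app)  # the directory to hand to audit_directory()
```

Run `audit_directory()` on a real machine to list every Sparkle-embedding app under /Applications with its version and feed scheme; an app flagged vulnerable needs the vendor's update, since the HTTPS feed does not protect the old parser.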

Comments and changes to this ticket

  • steve

    steve June 2nd, 2016 @ 05:43 PM

    • State changed from “new” to “verified”
    • Assigned user set to “Mento”
    • Importance changed from “” to “Low”
