
Update to SparkleUpdate 1.13.1 due to vulnerabilities in SparkleUpdate.
Reported by MathieuK | February 2nd, 2016 @ 04:40 PM | in 2.0.30_2016.07 (closed)
MacGPG (and its friends) uses a SparkleUpdate version ( https://github.com/GPGTools/MacGPG2/commit/50109797ce0213c066db7a1b... => https://github.com/sparkle-project/Sparkle/commits/a98a3fa ) which has some vulnerabilities: https://vulnsec.com/2016/osx-apps-vulnerabilities/ . Even though MacGPG does use an HTTPS URL as SUFeedURL, it's still possible for someone who is able to manipulate the Appcast XML file to attack a client that has that unsafe version of SparkleUpdate.
SparkleUpdate has provided an update in the form of 1.13.1:
https://github.com/sparkle-project/Sparkle/commit/0fe520f95b56a44a6...
Please update MacGPG with the most recent version of SparkleUpdate.
Comments and changes to this ticket
steve June 2nd, 2016 @ 05:43 PM
- State changed from new to verified
- Assigned user set to Mento
- Importance changed from to Low