Sparkle Security Fix?

Got a problem with Viscosity or need help? Ask here!

sporkman

Posts: 5
Joined: Thu Aug 07, 2014 7:20 am

Post by sporkman » Wed Feb 10, 2016 10:42 am
It appears Viscosity uses Sparkle, and a version that's vulnerable to MITM attacks:
Code: Select all
frankentosh:~ spork$ find /Applications -path '*Autoupdate.app/Contents/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString
[...]
/Applications/Viscosity.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Info.plist
	<string>1.11.0</string>
[...]	
	
You're not alone by a long shot, but considering this is security-related software, an update would be great.

https://vulnsec.com/2016/osx-apps-vulnerabilities/
https://github.com/sparkle-project/Sparkle/issues/717

James

User avatar
Posts: 2102
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Wed Feb 10, 2016 12:57 pm
Hi sporkman,

I need to stress that Viscosity is NOT vulnerable. For information please see:
https://www.sparklabs.com/forum/viewtop ... 2001#p5759

Cheers,
James
James Bekkema
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs

sporkman

Posts: 5
Joined: Thu Aug 07, 2014 7:20 am

Post by sporkman » Wed Feb 10, 2016 1:20 pm
Thanks, not sure how I missed that thread. When will the beta version with a fully-fixed Sparkle version be released (roughly)?
3 posts Page 1 of 1