Skip to content

2.6.1 - Important security fix

Compare
Choose a tag to compare
@Sparkle-Bot Sparkle-Bot released this 02 May 20:29
· 57 commits to 2.x since this release

This update fixes a vulnerability that allows an attacker to replace an existing signed update with another payload, which bypasses Sparkle’s (Ed)DSA signing checks (#2550). Apps that serve updates over HTTPS (most if not all apps) are not immediately impacted because the server hosting the update (or a CA) needs to first be compromised for an attacker to exploit this issue. Updating Sparkle with this fix ASAP is still strongly recommended however because an important security layer can be bypassed.

All older versions of Sparkle are affected by this bug. This fix is back ported to 1.27.3 for Sparkle 1. For older versions of Sparkle 2, a 2.2.x branch is available which is based on 2.2.2.

Please check the Discussions topic for this release for more details or follow up.

Update: generate_appcast may not work for certain archive types (#2554) in 2.6.1. This is fixed in 2.6.2.

Overall changes in 2.6.1:

  • Extract archives in a separate directory from the input archive and fixes a security vulnerability (#2550) (Zorg)
  • Fix the release notes WebKit view not updating background when transitioning from light to dark mode (#2542) (Zorg)
  • Add NN (Norwegian Nynorsk) locale (#2532) (Sjur N Moshagen, Zorg)
  • Create tar.xz files with built-in tar and remove bzip2 fallback for creating a release distribution (#2535) (Zorg)
  • Add fallback in case SULocalizedStringFromTableInBundle() fails (#2533) (Zorg)
  • Remove assert on download response being available fixing rare crash (#2547) (Zorg)
  • Clarify when authoriation prompt may show in SPUUserDriver documentation (#2531, #2534) (Zorg)
  • Fix typos in codebase (#2537) (Viktor Szépe)