Sparkle updater vulnerability...



  • Quoting from various sources, '…third-party update service Sparkle, combined with insecure network protocols and parsing, leaves some OS X apps open to person-in-the-middle exploits….'

    There's a list on github (github.com/sparkle-project/Sparkle/issues/717) of vulnerable OSX applications, and f.lux is on it.

    What's f.lux's response to this situation, and how does it plan to respond?


  • f.lux team

    Since 2009, we have delivered updates via SSL, and so we are not vulnerable.



  • @UNOwen The list you linked to is not of vulnerable applications; it specifically says:

    this [list] has nothing to do with security. Applications are listed here just because they use Sparkle and we think they're cool.

    There's a script you can run to check all your applications for vulnerability. Here's what it says about f.lux:

    ok: Flux 36.6 uses HTTPS for updates - safe

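The check the script quoted above performs boils down to reading each app bundle's Sparkle feed URL and confirming it uses HTTPS. Here is an added example of that audit (not the script from the thread, and not f.lux's code), which reads the `SUFeedURL` key Sparkle stores in `Info.plist`; the sample bundles, names and URLs below are constructed for illustration.

```python
import plistlib
from pathlib import Path
from urllib.parse import urlparse

# Sparkle reads the appcast location from the bundle's Info.plist key
# SUFeedURL.  A feed fetched over plain HTTP is what exposed apps to the
# person-in-the-middle issue discussed in the thread, so the audit is:
# for every app, does SUFeedURL use https?

def feed_status(plist_bytes):
    """Classify one Info.plist; returns (verdict, message) in the same
    shape as the checker output quoted in the thread."""
    info = plistlib.loads(plist_bytes)
    name = info.get("CFBundleName", "<unknown>")
    version = info.get("CFBundleShortVersionString", "?")
    feed = info.get("SUFeedURL")
    if not feed:
        return ("skip", f"{name} {version} does not use Sparkle")
    scheme = urlparse(feed).scheme.lower()
    if scheme == "https":
        return ("ok", f"{name} {version} uses HTTPS for updates - safe")
    return ("vulnerable",
            f"{name} {version} fetches its appcast over {scheme or 'no scheme'} "
            f"({feed}) - update the app or disable its auto-updater")

def audit_bundles(root="/Applications"):
    """Walk real app bundles (macOS layout) and classify each one."""
    results = []
    for plist in Path(root).glob("*.app/Contents/Info.plist"):
        try:
            results.append((plist.parts[-3],) + feed_status(plist.read_bytes()))
        except (plistlib.InvalidFileException, OSError) as exc:
            results.append((plist.parts[-3], "error", str(exc)))
    return results

# Constructed sample bundles (not real app metadata or real feed URLs).
SAMPLES = {
    "Flux": plistlib.dumps({"CFBundleName": "Flux",
                            "CFBundleShortVersionString": "36.6",
                            "SUFeedURL": "https://example.invalid/flux/appcast.xml"}),
    "OldApp": plistlib.dumps({"CFBundleName": "OldApp",
                              "CFBundleShortVersionString": "1.0",
                              "SUFeedURL": "http://example.invalid/old/appcast.xml"}),
    "Plain": plistlib.dumps({"CFBundleName": "Plain",
                             "CFBundleShortVersionString": "2.1"}),
}

if __name__ == "__main__":
    for data in SAMPLES.values():
        verdict, msg = feed_status(data)
        print(f"{verdict}: {msg}")
```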
