f.lux f.lux forum
    • Recent
    • Popular
    • Register
    • Login

    Sparkle updater vulnerability...

    macOS
    3
    3
    3.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • U
      UNOwen
      last edited by

      Quoting from various sources, '…third-party update service Sparkle, combined with insecure network protocols and parsing, leaves some OS X apps open to person-in-the-middle exploits….'

      There's a list on github (github.com/sparkle-project/Sparkle/issues/717) of vulnerable OSX applications, and f.lux is on it.

      What's f.lux respond to this situation, and how does it plan to respond?

      'The past is prologue...'

      E 1 Reply Last reply Reply Quote 0
      • herfH
        herf
        last edited by

        Since 2009, we have delivered updates via SSL, and so we are not vulnerable.

        1 Reply Last reply Reply Quote 1
        • E
          Elhem Enohpi @UNOwen
          last edited by

          @UNOwen The list you linked to is not of vulnerable applications, it specifically says:

          this [list] has nothing to do with security. Applications are listed here just because they use Sparkle and we think they're cool.

          There's a script you can run to check all your applications for vulnerability. Here's what it says about f.lux:

          ok: Flux 36.6 uses HTTPS for updates - safe

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright © 2014 NodeBB Forums | Contributors