Skip to content

Support https:// for update.videolan.org

update.videolan.org is used by various VLC packages as a place where current version / update information is stored. Since this information is used for updates for code installed on people's machines, it should support https://, and the various installers/updaters should be updated to use https:// (instead of http://).

Specifically, the OS X build for VLC uses the Sparkle framework, and since VLC's SUFeedURL is http://update.videolan.org/vlc/sparkle/..., the update call can be MITM'd, resulting in possible remote code execution. See https://vulnsec.com/2016/osx-apps-vulnerabilities/ for more details.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

VideoLAN code repository instance