Changelog
icecast2 (2.3.3-2ubuntu1.14.04.1) trusty-security; urgency=high
* SECURITY UPDATE: Denial of service vulnerability.
- d/p/0002-crash-in-url-auth:
This fixes a crash (NULL reference) in case URL Auth is used
and stream_auth is trigged with no credentials passed by the client.
Username and password is now set to empty strings and transmited to
the backend server this way.
- CVE-2015-3026
* SECURITY UPDATE: Potentially leaks sensitive information.
- d/p/0001-disconnects_stdio_of_on_dis_connect_scripts:
Include patchset 19313 (close file handles for external scripts).
- CVE-2014-9018
* SECURITY UPDATE: Potentially allows local users to gain
privileges via unspecified vectors.
- d/p/0003-override-supplementary-groups:
In case of <changeowner> only UID and GID were changed,
supplementary groups were left in place.
This is a potential security issue only if <changeowner> is used.
New behaviour is to set UID, GID and set supplementary groups
based on the UID.
Even in case of icecast remaining in supplementary group 0
this "only" gives it things like access to files that are owned
by group 0 and according to their umask. This is obviously bad,
but not as bad as UID 0 with all its other special rights.
- CVE-2014-9091
-- Unit 193 <email address hidden> Tue, 28 Apr 2015 17:28:20 -0400
