Branches for Utopic

Name Status Last Modified Last Commit
lp://qastaging/ubuntu/utopic/icecast2 2 Mature 2014-04-26 14:57:41 UTC
15. * Merge from Debian unstable. Remaini...

Author: Logan Rosen
Revision Date: 2014-04-10 14:01:47 UTC

* Merge from Debian unstable. Remaining changes:
  - 1004_fix_xmlCleanupParser_splatter.patch: Make sure that
    xmlCleanupParser() is only called once: on exit. Doing otherwise
    potentially results in Bad Things (e.g., crashes that point
    incorrectly to PulseAudio).
* Refresh patch.

lp://qastaging/ubuntu/utopic-security/icecast2 2 Mature 2015-05-24 14:27:47 UTC
16. * SECURITY UPDATE: Denial of service ...

Author: Unit 193
Revision Date: 2015-04-28 17:28:20 UTC

* SECURITY UPDATE: Denial of service vulnerability.
  - d/p/0002-crash-in-url-auth:
    This fixes a crash (NULL reference) in case URL Auth is used
    and stream_auth is triggered with no credentials passed by the client.
    Username and password are now set to empty strings and transmitted to
    the backend server this way.
  - CVE-2015-3026
* SECURITY UPDATE: Potentially leaks sensitive information.
  - d/p/0001-disconnects_stdio_of_on_dis_connect_scripts:
    Include patchset 19313 (close file handles for external scripts).
  - CVE-2014-9018
* SECURITY UPDATE: Potentially allows local users to gain
  privileges via unspecified vectors.
  - d/p/0003-override-supplementary-groups:
    In case of <changeowner> only UID and GID were changed,
    supplementary groups were left in place.
    This is a potential security issue only if <changeowner> is used.
    New behaviour is to set UID, GID and set supplementary groups
    based on the UID.
    Even in case of icecast remaining in supplementary group 0
    this "only" gives it things like access to files that are owned
    by group 0 and according to their umask. This is obviously bad,
    but not as bad as UID 0 with all its other special rights.
  - CVE-2014-9091

lp://qastaging/ubuntu/utopic-updates/icecast2 2 Mature 2015-05-24 14:27:51 UTC
16. * SECURITY UPDATE: Denial of service ...

Author: Unit 193
Revision Date: 2015-04-28 17:28:20 UTC

* SECURITY UPDATE: Denial of service vulnerability.
  - d/p/0002-crash-in-url-auth:
    This fixes a crash (NULL reference) in case URL Auth is used
    and stream_auth is triggered with no credentials passed by the client.
    Username and password are now set to empty strings and transmitted to
    the backend server this way.
  - CVE-2015-3026
* SECURITY UPDATE: Potentially leaks sensitive information.
  - d/p/0001-disconnects_stdio_of_on_dis_connect_scripts:
    Include patchset 19313 (close file handles for external scripts).
  - CVE-2014-9018
* SECURITY UPDATE: Potentially allows local users to gain
  privileges via unspecified vectors.
  - d/p/0003-override-supplementary-groups:
    In case of <changeowner> only UID and GID were changed,
    supplementary groups were left in place.
    This is a potential security issue only if <changeowner> is used.
    New behaviour is to set UID, GID and set supplementary groups
    based on the UID.
    Even in case of icecast remaining in supplementary group 0
    this "only" gives it things like access to files that are owned
    by group 0 and according to their umask. This is obviously bad,
    but not as bad as UID 0 with all its other special rights.
  - CVE-2014-9091
