Icecast 2.4.4
-----------------------------------------------------------------------------
We are releasing Icecast 2.4.4, an important bugfix-only release.
We recommend upgrading for increased stability and compatibility!
## Fixes
- Fix: Fixed segfault in htpasswd auth if no filename is set
- Fix: Do not report hashed user passworts in user list.
- Fix two mistakes in the default config's comments
- Add log message for succesful streamlist requests
- Fix: update_from_master() for receiving HTTP/1.1
- Fix: Spelling, thanks to Ukikie
- Fix: Fixed a segfault when xsltApplyStylesheet() returns error
- Fix: Do not segfaul on bad Opus streams
- Fix: Corrected response and fixed TLS for 416 Request Range Not Satisfiable
responses
- Fix: TLS for ICECAST_PROTOCOL_SHOUTCAST source clients
and investigating the bug.
- Fix: global listener count could be negative under certain circumstances
Thanks a lot to Simeon Völkel (0xBD4E031CDB4043C9) for reporting
and investigating the bug.
- Fix: Send "Content-Length: 0" on 100-continue
- Fix: Do not send 100-continue in plain text over TLS sockets
- Fix: Added needed code to announce Opus streams as such to yp.
- Fix: Avoid invalid locking in signal handlers.
- Workaround: avoid libspeex printing warnings on Opus streams.
- Fix: Fixed regression introduced by r19250.
The fix checks if the source client is actually
known before printing it's IP-Address.
- Fix: do not allow unescaped strings in XML output.
## Known issues
- HTTP PUT implementation currently doesn't support chunked encoding yet.
- HTTP PUT with "Expect: 100-Continue" receives first a "100" and soon
after a "200", instead of the "200" at the end of transmission.
- Caution should be exercised when using `<on-connect>` or
`<on-disconnect>`, as there is a small chance of stream file descriptors
being mixed up with script file descriptors, if the FD numbers go above
1024. This will be further addressed in the next Icecast release.
- Don't use comments inside `<http-headers>` as it will
prevent processing of further `<header>` tags.
- Webinterface shows Login when using just `stream_auth`.
Fixes CVE-2005-0837.
The vulnerability, identified as CVE-2005-0837, allows an attacker to acces the raw XSLT template file by appending a dot “.” to the URL. Due to the way how Windows handles file names ending with a dot, it only affects Icecast versions < 2.4.3 running on Windows. Icecast on other operating systems, like Linux, wasn’t affected at any time by this issue. If you haven’t modified the default XSLT files of a Windows installation, then no information disclosure of real value could have happened. We expect that most, of the comparatively few, Windows installations have unmodified template files and thus, while technically vulnerable, only expose those unmodified templates. To be clear, no runtime information can be accessed this way.
Problems found with existing distfiles:
/pub/pkgsrc/distfiles/amp-0.7.6.tgz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-music-32000-1.0.8.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-music-48000-1.0.8.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-en-us-callie-32000-1.0.22.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-en-us-callie-48000-1.0.22.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-fr-ca-june-32000-1.0.18.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-fr-ca-june-48000-1.0.18.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-ru-RU-elena-16000-1.0.12.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-ru-RU-elena-32000-1.0.12.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-ru-RU-elena-48000-1.0.12.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-ru-RU-elena-8000-1.0.12.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-fr-ca-june-32000-1.0.18.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-fr-ca-june-48000-1.0.18.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-ru-RU-elena-32000-1.0.13.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-ru-RU-elena-48000-1.0.13.tar.gz
/pub/pkgsrc/distfiles/kid3-3.3.0.tar.gz
/pub/pkgsrc/distfiles/libdca-0.0.5.tar.bz2
/pub/pkgsrc/distfiles/mp3to.gz
/pub/pkgsrc/distfiles/squeezeboxserver-7.5.1-noCPAN.tgz
No changes made to these file.
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
changes:
-fixed 3 security issues:
-Improved HTTPS cipher handling and added support for chained certificates
-Allow the source password to be undefined
-Prevent error log injection of control characters by substituting
non-alphanumeric characters with a '.' (CVE-2011-4612)
-Bugfixes
-Sources can now be authenticated via URL, like listeners
-XSL update
pkgsrc change:
don't set the "chroot" flag in the installed sample config file -- this
configuration doesn't work without further work because the web server
misses its data files in the sandbox
approved by The Maintainer
the owner of all installed files is a non-root user. This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.
(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
unprivileged.mk. These two variables are lists of other bmake
variables that define package-specific users and groups. Packages
that have user-settable variables for users and groups, e.g. apache
and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
and ${UNPRIVILEGED_GROUP}.
(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
**** New features for 2.3.0 ****
- Streaming support for ogg speex, ogg flac, ogg midi
- intro file support - per mount settable
Intro files will play when a listener first connects to a stream. This
is designed for station jingles and the like. If you don't broadcast
in ogg vorbis, you must make sure the bitrate/samplerate/number of
channels match up to your stream.
- on-demand relays, global and per-relay settable
On demand relays only connect to the relayed content when there are
listeners attached to the relay. This can save bandwidth in certain cases.
- fallback to file, extends on the intro file handling.
With this feature, you can specify a "fallback file" which will be played
in a loop and sent your currently connected listeners in the event of a
source client disconnect. This means your listeners stay connected while
you fix your disconnect problem. Same rules regarding bitrate/samplerate/
number of channels apply as with intro files.
- new mount-level settings
1. public, type/subtype, genre settings, stream description,
stream url, stream name, bitrate (override what is sent from the source
client)
2. mp3 metadata interval
3. on-[dis]connect scripts can be stated per-mount, invoked at source
start/stop and take 1 arg which is the mountpoint.
- New URL listener authenticator.
This delegates your listener authorization to an external application.
URL calls are made on listener connect/disconnect as well as source
connect/disconnect. It is meant for large broadcasters who have existing
authentication systems that need to be integrated into. Included is
an example php-based application that can be used in conjunction with
the url authenticator to manage a simple subscription-based broadcast.
- HTPasswd authenticator uses in-memory structures now.
- On demand files now can be fed through an authenticator
- Update to admin/web xslt interface
- Icecast can now be installed as a win32 service
**** Fixes for 2.3.0 ****
- real/helix works
- win32 access log correct
- stats client is stable now (curl -X STATS http://admin@host:port/)
- show mountpoints on stats that are inactive but have an active fallback
- more updates over HUP possible
- improved stability under heavy load
- moving clients will no longer sometimes deadlock the server
- avoid small writes to reduce TCP overhead.
pkg changes:
Enable theora, speex. make libxml2 dependency explicit.
backslashes anymore. A single backslash is enough. Changed the
definition in all affected packages. For those that are not caught, an
additional check is placed into bsd.pkginstall.mk.
And always is defined as share/examples/rc.d
which was the default before.
This rc.d scripts are not automatically added to PLISTs now also.
So add to each corresponding PLIST as required.
This was discussed on tech-pkg in late January and late April.
Todo: remove the RCD_SCRIPTS_EXAMPLEDIR uses in MESSAGES and elsewhere
and remove the RCD_SCRIPTS_EXAMPLEDIR itself.
****New features for 2.2 (in no particular order):****
- Theora Video support -
Icecast now supports video streaming via theora. Currently, we require the latest
(alpha 4) version of libtheora. This is an optional compile, so if you don't
have theora then icecast will safely ignore it
- Shoutcast style source client support -
Icecast now supports the connection protocol used by the Shoutcast DSP source
client. This is the same connection protocol used by their NSV encoding tools.
This means that not only can you use the Shoutcast DSP to stream to icecast, but
that you can also stream NSV via their tools.
- AAC is added as a supported streaming format -
Not too many source clients support streaming in this format, but we support it.
- Cluster password -
Now you can specify a cluster password as a <mount> option in the config. This
will allow you to cluster multiple servers/mounts into a single listing on the
stream directory. Note that this is different than "grouping" which groups together
streams coming from the same physical IP and with the same stream name. Clusters
are meant for relays of the same stream and will only be listed *once* in the stream
directory. When a listener tunes into a cluster, they will be served an m3u file
with all the clusters for that stream.
- Playlist Log -
This is an option setting that will create an audit trail of metadata that comes through
icecast. It is a single file that contains information for all mountpoints.
- Range Support for static files -
We now support seeking in files served off the icecast fserve.
- Metadata Update via Admin -
We now support metadata updates via the admin interface for both MP3 AND Ogg Vorbis
streams.
- Per mount hidden stats and YP prevention -
You many now indicate certains mounts to be excluded (i.e. hidden) from the main
status.xsl page. This is useful when using local private relays. You can also
override the YP setting (as in disable) on a per-mount basis. Also useful for
local private relays.
- Multiple example config files -
We now have multiple config files for you to use as a base. A "simple" one for
quick-start, and a more detailed "advanced" one with all the features, as well
as a "shoutcast compatable" one, which shows how you'd config for using the
shoutcast DSP.
- Relay user/pass -
You can now specify authentication used by a relay. This is for the case where
you have listener authentication enabled for a mountpoint, and want to connect
a relay to it.
under share/examples/rc.d. The variable name already was named
RCD_SCRIPTS_EXAMPLEDIR.
This is from ideas from Greg Woods and others.
Also bumped PKGREVISION for all packages using RCD_SCRIPTS mechanism
(as requested by wiz).
