pkglint -r --network --only "migrate"
As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.
Icecast 2.4.4
-----------------------------------------------------------------------------
We are releasing Icecast 2.4.4, an important bugfix-only release.
We recommend upgrading for increased stability and compatibility!
## Fixes
- Fix: Fixed segfault in htpasswd auth if no filename is set
- Fix: Do not report hashed user passwords in user list.
- Fix two mistakes in the default config's comments
- Add log message for successful streamlist requests
- Fix: update_from_master() for receiving HTTP/1.1
- Fix: Spelling, thanks to Ukikie
- Fix: Fixed a segfault when xsltApplyStylesheet() returns error
- Fix: Do not segfault on bad Opus streams
- Fix: Corrected response and fixed TLS for 416 Request Range Not Satisfiable
responses
- Fix: TLS for ICECAST_PROTOCOL_SHOUTCAST source clients
and investigating the bug.
- Fix: global listener count could be negative under certain circumstances
Thanks a lot to Simeon Völkel (0xBD4E031CDB4043C9) for reporting
and investigating the bug.
- Fix: Send "Content-Length: 0" on 100-continue
- Fix: Do not send 100-continue in plain text over TLS sockets
- Fix: Added needed code to announce Opus streams as such to yp.
- Fix: Avoid invalid locking in signal handlers.
- Workaround: avoid libspeex printing warnings on Opus streams.
- Fix: Fixed regression introduced by r19250.
The fix checks if the source client is actually
known before printing its IP address.
- Fix: do not allow unescaped strings in XML output.
## Known issues
- HTTP PUT implementation currently doesn't support chunked encoding yet.
- HTTP PUT with "Expect: 100-Continue" receives first a "100" and soon
after a "200", instead of the "200" at the end of transmission.
- Caution should be exercised when using `<on-connect>` or
`<on-disconnect>`, as there is a small chance of stream file descriptors
being mixed up with script file descriptors, if the FD numbers go above
1024. This will be further addressed in the next Icecast release.
- Don't use comments inside `<http-headers>` as it will
prevent processing of further `<header>` tags.
- Webinterface shows Login when using just `stream_auth`.
Fixes CVE-2005-0837.
The vulnerability, identified as CVE-2005-0837, allows an attacker to access the raw XSLT template file by appending a dot “.” to the URL. Due to the way Windows handles file names ending with a dot, it only affects Icecast versions < 2.4.3 running on Windows. Icecast on other operating systems, like Linux, wasn’t affected at any time by this issue. If you haven’t modified the default XSLT files of a Windows installation, then no information disclosure of real value could have happened. We expect that most, of the comparatively few, Windows installations have unmodified template files and thus, while technically vulnerable, only expose those unmodified templates. To be clear, no runtime information can be accessed this way.
changes:
-fixed 3 security issues:
-Improved HTTPS cipher handling and added support for chained certificates
-Allow the source password to be undefined
-Prevent error log injection of control characters by substituting
non-alphanumeric characters with a '.' (CVE-2011-4612)
-Bugfixes
-Sources can now be authenticated via URL, like listeners
-XSL update
pkgsrc change:
don't set the "chroot" flag in the installed sample config file -- this
configuration doesn't work without further work because the web server
misses its data files in the sandbox
approved by The Maintainer
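
The log-injection mitigation listed above for CVE-2011-4612 (substituting non-alphanumeric characters with a '.'), sketched in C as an added example; this is not Icecast's or pkgsrc's code. The function name `sanitize_log_field`, the sample request path and the printed log prefix are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not Icecast's implementation): copy a
 * client-supplied field into out, replacing every byte that is not an
 * ASCII letter or digit with '.', as the changelog entry describes.
 * Output is always NUL-terminated and truncated to fit outlen.
 * Returns the number of bytes that were substituted. */
size_t sanitize_log_field(const char *in, char *out, size_t outlen)
{
    size_t i = 0, replaced = 0;

    if (outlen == 0)
        return 0;
    for (; in[i] != '\0' && i + 1 < outlen; i++) {
        /* Cast first: passing a negative char to isalnum() is undefined. */
        unsigned char c = (unsigned char)in[i];
        if (c < 0x80 && isalnum(c)) {
            out[i] = (char)c;
        } else {
            out[i] = '.';   /* CR, LF, ESC, spaces, high-bit bytes, ... */
            replaced++;
        }
    }
    out[i] = '\0';
    return replaced;
}

int main(void)
{
    /* Constructed input: a request path that embeds CR/LF to forge a
     * second log line, plus a terminal escape sequence. */
    const char *path = "/x\r\n[2012-01-01] EROR forged entry\x1b[2J";
    char safe[64];
    size_t n = sanitize_log_field(path, safe, sizeof safe);

    /* The whole field now stays on one physical log line. */
    printf("constructed-log-prefix: %s (%zu bytes replaced)\n", safe, n);
    return 0;
}
```
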
the owner of all installed files is a non-root user. This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.
(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
unprivileged.mk. These two variables are lists of other bmake
variables that define package-specific users and groups. Packages
that have user-settable variables for users and groups, e.g. apache
and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
and ${UNPRIVILEGED_GROUP}.
(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.