Fixes CVE-2005-0837.
The vulnerability, identified as CVE-2005-0837, allows an attacker to acces the raw XSLT template file by appending a dot “.” to the URL. Due to the way how Windows handles file names ending with a dot, it only affects Icecast versions < 2.4.3 running on Windows. Icecast on other operating systems, like Linux, wasn’t affected at any time by this issue. If you haven’t modified the default XSLT files of a Windows installation, then no information disclosure of real value could have happened. We expect that most, of the comparatively few, Windows installations have unmodified template files and thus, while technically vulnerable, only expose those unmodified templates. To be clear, no runtime information can be accessed this way.
changes:
-fixed 3 security issues:
-Improved HTTPS cipher handling and added support for chained certificates
-Allow the source password to be undefined
-Prevent error log injection of control characters by substituting
non-alphanumeric characters with a '.' (CVE-2011-4612)
-Bugfixes
-Sources can now be authenticated via URL, like listeners
-XSL update
pkgsrc change:
don't set the "chroot" flag in the installed sample config file -- this
configuration doesn't work without further work because the web server
misses its data files in the sandbox
approved by The Maintainer
**** New features for 2.3.0 ****
- Streaming support for ogg speex, ogg flac, ogg midi
- intro file support - per mount settable
Intro files will play when a listener first connects to a stream. This
is designed for station jingles and the like. If you don't broadcast
in ogg vorbis, you must make sure the bitrate/samplerate/number of
channels match up to your stream.
- on-demand relays, global and per-relay settable
On demand relays only connect to the relayed content when there are
listeners attached to the relay. This can save bandwidth in certain cases.
- fallback to file, extends on the intro file handling.
With this feature, you can specify a "fallback file" which will be played
in a loop and sent your currently connected listeners in the event of a
source client disconnect. This means your listeners stay connected while
you fix your disconnect problem. Same rules regarding bitrate/samplerate/
number of channels apply as with intro files.
- new mount-level settings
1. public, type/subtype, genre settings, stream description,
stream url, stream name, bitrate (override what is sent from the source
client)
2. mp3 metadata interval
3. on-[dis]connect scripts can be stated per-mount, invoked at source
start/stop and take 1 arg which is the mountpoint.
- New URL listener authenticator.
This delegates your listener authorization to an external application.
URL calls are made on listener connect/disconnect as well as source
connect/disconnect. It is meant for large broadcasters who have existing
authentication systems that need to be integrated into. Included is
an example php-based application that can be used in conjunction with
the url authenticator to manage a simple subscription-based broadcast.
- HTPasswd authenticator uses in-memory structures now.
- On demand files now can be fed through an authenticator
- Update to admin/web xslt interface
- Icecast can now be installed as a win32 service
**** Fixes for 2.3.0 ****
- real/helix works
- win32 access log correct
- stats client is stable now (curl -X STATS http://admin@host:port/)
- show mountpoints on stats that are inactive but have an active fallback
- more updates over HUP possible
- improved stability under heavy load
- moving clients will no longer sometimes deadlock the server
- avoid small writes to reduce TCP overhead.
pkg changes:
Enable theora, speex. make libxml2 dependency explicit.
****New features for 2.2 (in no particular order):****
- Theora Video support -
Icecast now supports video streaming via theora. Currently, we require the latest
(alpha 4) version of libtheora. This is an optional compile, so if you don't
have theora then icecast will safely ignore it
- Shoutcast style source client support -
Icecast now supports the connection protocol used by the Shoutcast DSP source
client. This is the same connection protocol used by their NSV encoding tools.
This means that not only can you use the Shoutcast DSP to stream to icecast, but
that you can also stream NSV via their tools.
- AAC is added as a supported streaming format -
Not too many source clients support streaming in this format, but we support it.
- Cluster password -
Now you can specify a cluster password as a <mount> option in the config. This
will allow you to cluster multiple servers/mounts into a single listing on the
stream directory. Note that this is different than "grouping" which groups together
streams coming from the same physical IP and with the same stream name. Clusters
are meant for relays of the same stream and will only be listed *once* in the stream
directory. When a listener tunes into a cluster, they will be served an m3u file
with all the clusters for that stream.
- Playlist Log -
This is an option setting that will create an audit trail of metadata that comes through
icecast. It is a single file that contains information for all mountpoints.
- Range Support for static files -
We now support seeking in files served off the icecast fserve.
- Metadata Update via Admin -
We now support metadata updates via the admin interface for both MP3 AND Ogg Vorbis
streams.
- Per mount hidden stats and YP prevention -
You many now indicate certains mounts to be excluded (i.e. hidden) from the main
status.xsl page. This is useful when using local private relays. You can also
override the YP setting (as in disable) on a per-mount basis. Also useful for
local private relays.
- Multiple example config files -
We now have multiple config files for you to use as a base. A "simple" one for
quick-start, and a more detailed "advanced" one with all the features, as well
as a "shoutcast compatable" one, which shows how you'd config for using the
shoutcast DSP.
- Relay user/pass -
You can now specify authentication used by a relay. This is for the case where
you have listener authentication enabled for a mountpoint, and want to connect
a relay to it.
- Pass --sysconfdir to configure script.
- Make the program honour that directory to search for config files.
- Remove un-needed patch (everything can be done from configure).
This release is a security update and all users are highly encouraged
to upgrade immediately!
(ChangeLog doesn't give exact details, it was updated 2000-03-01)
Icecast is an Internet based broadcasting system based on the Mpeg
Layer III streaming technology. It is, however, not limited to
streaming mp3 files. It was originally inspired by Nullsoft's
Shoutcast and also mp3serv by Scott Man ley.