Problems found with existing distfiles:
/pub/pkgsrc/distfiles/amp-0.7.6.tgz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-music-32000-1.0.8.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-music-48000-1.0.8.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-en-us-callie-32000-1.0.22.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-en-us-callie-48000-1.0.22.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-fr-ca-june-32000-1.0.18.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-fr-ca-june-48000-1.0.18.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-ru-RU-elena-16000-1.0.12.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-ru-RU-elena-32000-1.0.12.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-ru-RU-elena-48000-1.0.12.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-ru-RU-elena-8000-1.0.12.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-fr-ca-june-32000-1.0.18.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-fr-ca-june-48000-1.0.18.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-ru-RU-elena-32000-1.0.13.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-ru-RU-elena-48000-1.0.13.tar.gz
/pub/pkgsrc/distfiles/kid3-3.3.0.tar.gz
/pub/pkgsrc/distfiles/libdca-0.0.5.tar.bz2
/pub/pkgsrc/distfiles/mp3to.gz
/pub/pkgsrc/distfiles/squeezeboxserver-7.5.1-noCPAN.tgz
No changes made to these file.
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
* This release contains a SECURITY FIX for a command injection vulnerability
that was found and reported by Alexandre Rebert:
The previous handling of metadata placeholders allowed for arbitrary shell
commands to be trivially injected and executed as the ezstream user, via
malicious media files.
* This release requires users to ADJUST their CONFIGURATION:
To protect against the injection vulnerability above, metadata is now
properly quoted and escaped from the shell. This means that any extra
quoting must be removed from configuration files.
Remove all quoting from metadata placeholders in <encode/> and <decode/>
commands, e.g. replace "@M@" with @M@, and "@T@" with @T@, etc. Without
these changes, stream metadata will look both wrong and the injection
vulnerability may be re-introduced.
Changes in 0.5.6, released on 2009-08-31:
* ezstream-file.sh:
- [NEW] Add and install ezstream-file.sh, a new convenience shell script
that generates configuration and playlist from a template and
command line, respectively. (Bourne shell and POSIX utilities
required.)
See ezstream-file.sh(1) for details.
* src/ezstream.c:
- [MISC] Be more tolerant towards faulty playlists and similar issues.
Failure to open a resource (e.g. a media file) is no longer fatal
and operation will continue until 100 subsequent errors. Based on
an idea from dhorton.
(Ticket #1585)
- [NEW] New command line option -s: Make ezstream function as a line-
based shuffling utility.
* src/playlist.c:
- [MISC] Consider no output from a playlist program to be equivalent to an
empty line, indicating that the end of the playlist is reached.
- [FIX] Do not complain when receiving an empty line from a playlist
program.
* examples/:
- [NEW] Add a real-world example playlist script with logging feature.
Changes in 0.5.5, released on 2009-08-01:
* win32/config.h:
- [FIX] Re-enable TagLib support in MSVC build. Found by Roman Donchenko.
(Ticket #1535)
* various:
- [NEW] New optional <sourceuser/> configuration option, to change the
username used in authentication with Icecast. Suggested by
Akos Veres.
- [MISC] Further improvements and minor fixes in the build system.
