Fixes CVE-2005-0837.
The vulnerability, identified as CVE-2005-0837, allows an attacker to acces the raw XSLT template file by appending a dot “.” to the URL. Due to the way how Windows handles file names ending with a dot, it only affects Icecast versions < 2.4.3 running on Windows. Icecast on other operating systems, like Linux, wasn’t affected at any time by this issue. If you haven’t modified the default XSLT files of a Windows installation, then no information disclosure of real value could have happened. We expect that most, of the comparatively few, Windows installations have unmodified template files and thus, while technically vulnerable, only expose those unmodified templates. To be clear, no runtime information can be accessed this way.
Problems found with existing distfiles:
/pub/pkgsrc/distfiles/amp-0.7.6.tgz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-music-32000-1.0.8.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-music-48000-1.0.8.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-en-us-callie-32000-1.0.22.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-en-us-callie-48000-1.0.22.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-fr-ca-june-32000-1.0.18.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-fr-ca-june-48000-1.0.18.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-ru-RU-elena-16000-1.0.12.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-ru-RU-elena-32000-1.0.12.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-ru-RU-elena-48000-1.0.12.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-ru-RU-elena-8000-1.0.12.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-fr-ca-june-32000-1.0.18.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-fr-ca-june-48000-1.0.18.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-ru-RU-elena-32000-1.0.13.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-ru-RU-elena-48000-1.0.13.tar.gz
/pub/pkgsrc/distfiles/kid3-3.3.0.tar.gz
/pub/pkgsrc/distfiles/libdca-0.0.5.tar.bz2
/pub/pkgsrc/distfiles/mp3to.gz
/pub/pkgsrc/distfiles/squeezeboxserver-7.5.1-noCPAN.tgz
No changes made to these file.
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
changes:
-fixed 3 security issues:
-Improved HTTPS cipher handling and added support for chained certificates
-Allow the source password to be undefined
-Prevent error log injection of control characters by substituting
non-alphanumeric characters with a '.' (CVE-2011-4612)
-Bugfixes
-Sources can now be authenticated via URL, like listeners
-XSL update
pkgsrc change:
don't set the "chroot" flag in the installed sample config file -- this
configuration doesn't work without further work because the web server
misses its data files in the sandbox
approved by The Maintainer
**** New features for 2.3.0 ****
- Streaming support for ogg speex, ogg flac, ogg midi
- intro file support - per mount settable
Intro files will play when a listener first connects to a stream. This
is designed for station jingles and the like. If you don't broadcast
in ogg vorbis, you must make sure the bitrate/samplerate/number of
channels match up to your stream.
- on-demand relays, global and per-relay settable
On demand relays only connect to the relayed content when there are
listeners attached to the relay. This can save bandwidth in certain cases.
- fallback to file, extends on the intro file handling.
With this feature, you can specify a "fallback file" which will be played
in a loop and sent your currently connected listeners in the event of a
source client disconnect. This means your listeners stay connected while
you fix your disconnect problem. Same rules regarding bitrate/samplerate/
number of channels apply as with intro files.
- new mount-level settings
1. public, type/subtype, genre settings, stream description,
stream url, stream name, bitrate (override what is sent from the source
client)
2. mp3 metadata interval
3. on-[dis]connect scripts can be stated per-mount, invoked at source
start/stop and take 1 arg which is the mountpoint.
- New URL listener authenticator.
This delegates your listener authorization to an external application.
URL calls are made on listener connect/disconnect as well as source
connect/disconnect. It is meant for large broadcasters who have existing
authentication systems that need to be integrated into. Included is
an example php-based application that can be used in conjunction with
the url authenticator to manage a simple subscription-based broadcast.
- HTPasswd authenticator uses in-memory structures now.
- On demand files now can be fed through an authenticator
- Update to admin/web xslt interface
- Icecast can now be installed as a win32 service
**** Fixes for 2.3.0 ****
- real/helix works
- win32 access log correct
- stats client is stable now (curl -X STATS http://admin@host:port/)
- show mountpoints on stats that are inactive but have an active fallback
- more updates over HUP possible
- improved stability under heavy load
- moving clients will no longer sometimes deadlock the server
- avoid small writes to reduce TCP overhead.
pkg changes:
Enable theora, speex. make libxml2 dependency explicit.
****New features for 2.2 (in no particular order):****
- Theora Video support -
Icecast now supports video streaming via theora. Currently, we require the latest
(alpha 4) version of libtheora. This is an optional compile, so if you don't
have theora then icecast will safely ignore it
- Shoutcast style source client support -
Icecast now supports the connection protocol used by the Shoutcast DSP source
client. This is the same connection protocol used by their NSV encoding tools.
This means that not only can you use the Shoutcast DSP to stream to icecast, but
that you can also stream NSV via their tools.
- AAC is added as a supported streaming format -
Not too many source clients support streaming in this format, but we support it.
- Cluster password -
Now you can specify a cluster password as a <mount> option in the config. This
will allow you to cluster multiple servers/mounts into a single listing on the
stream directory. Note that this is different than "grouping" which groups together
streams coming from the same physical IP and with the same stream name. Clusters
are meant for relays of the same stream and will only be listed *once* in the stream
directory. When a listener tunes into a cluster, they will be served an m3u file
with all the clusters for that stream.
- Playlist Log -
This is an option setting that will create an audit trail of metadata that comes through
icecast. It is a single file that contains information for all mountpoints.
- Range Support for static files -
We now support seeking in files served off the icecast fserve.
- Metadata Update via Admin -
We now support metadata updates via the admin interface for both MP3 AND Ogg Vorbis
streams.
- Per mount hidden stats and YP prevention -
You many now indicate certains mounts to be excluded (i.e. hidden) from the main
status.xsl page. This is useful when using local private relays. You can also
override the YP setting (as in disable) on a per-mount basis. Also useful for
local private relays.
- Multiple example config files -
We now have multiple config files for you to use as a base. A "simple" one for
quick-start, and a more detailed "advanced" one with all the features, as well
as a "shoutcast compatable" one, which shows how you'd config for using the
shoutcast DSP.
- Relay user/pass -
You can now specify authentication used by a relay. This is for the case where
you have listener authentication enabled for a mountpoint, and want to connect
a relay to it.
Icecast 2.1 11/04/2004
-----------------------------------------------------------------------------
****New features for 2.1 (in no particular order):****
-Listener Authentication-
Icecast now supports listener authentication. This provides a mechanism for
creating/maintaining users and passwords for listeners. Currently, we only
have implemented a simple, file-based storage for users and passwords. New
authenticators are on the horizon (such as URL-based or possibly MySQL based)
New admin pages were also added for the maintenance of users/passwords. Please
check the docs for a more detailed description of this new feature.
-Multi-Level Fallbacks-
Multi-level fallbacks allow for specifications of a series of fallback mounts
that you could use, for instance, to set up a series of progressively lower
bitrate streams that would be cascaded through. For instance, a modem user
would connect to the highest bitrate stream, and then could be cascaded
down to a progressively lower stream until they reach a value they can
handle.
-Burst-On-Connect-
This is an new, optional config setting which will send a initial burst of
data to connecting listeners. This has the effect of reducing
(significantly) the startup buffer latency from the end-user perspective.
This option is enabled by default.
****New Enhancements for 2.1****
-Update to admin interface-
This interface has been cleaned up quite a bit and made a bit nicer.
-Rewrite of the YP listing code-
The icecast yp code has received a complete overhaul by karl, and it's a much
more stable and failure-resistant implementation.
-Lots and lots of bugs fixed-
Check the ChangeLog for a complete list of these...
Changes:
This patch release fixes a overflow buffer which can cause server crashes
under certain circumstances. This release contains ONLY the fix for this
issue. We are still targetting a 2.1.0 release with new features and
functionality in the near future.
- Pass --sysconfdir to configure script.
- Make the program honour that directory to search for config files.
- Remove un-needed patch (everything can be done from configure).
This release is a security update and all users are highly encouraged
to upgrade immediately!
(ChangeLog doesn't give exact details, it was updated 2000-03-01)
