c1cfba1567
* This release contains a SECURITY FIX for a command injection vulnerability that was found and reported by Alexandre Rebert: The previous handling of metadata placeholders allowed for arbitrary shell commands to be trivially injected and executed as the ezstream user, via malicious media files. * This release requires users to ADJUST their CONFIGURATION: To protect against the injection vulnerability above, metadata is now properly quoted and escaped from the shell. This means that any extra quoting must be removed from configuration files. Remove all quoting from metadata placeholders in <encode/> and <decode/> commands, e.g. replace "@M@" with @M@, and "@T@" with @T@, etc. Without these changes, stream metadata will look both wrong and the injection vulnerability may be re-introduced. |
||
---|---|---|
.. | ||
DESCR | ||
distinfo | ||
Makefile | ||
PLIST |