256fd3b308
Fixes CVE-2005-0837. The vulnerability, identified as CVE-2005-0837, allows an attacker to access the raw XSLT template file by appending a dot “.” to the URL. Because of the way Windows handles file names ending with a dot, it only affects Icecast versions < 2.4.3 running on Windows. Icecast on other operating systems, like Linux, wasn’t affected at any time by this issue. If you haven’t modified the default XSLT files of a Windows installation, then no information disclosure of real value could have happened. We expect that most of the comparatively few Windows installations have unmodified template files and thus, while technically vulnerable, only expose those unmodified templates. To be clear, no runtime information can be accessed this way.
$NetBSD: patch-ab,v 1.11 2016/02/09 07:02:54 adam Exp $
Allow for paths, user and group to be set via pkgsrc Makefile.
Decrease amount of logging a little bit by default.
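--- conf/icecast.xml.in.orig 2015-04-08 08:06:13.000000000 +0000
+++ conf/icecast.xml.in 2015-05-12 07:19:45.000000000 +0000
@@ -191,14 +191,14 @@
 
 <paths>
 <!-- basedir is only used if chroot is enabled -->
- <basedir>@pkgdatadir@</basedir>
+ <basedir>@BASEDIR@</basedir>
 
 <!-- Note that if <chroot> is turned on below, these paths must both
 be relative to the new root, not the original root -->
- <logdir>@localstatedir@/log/@PACKAGE@</logdir>
- <webroot>@pkgdatadir@/web</webroot>
- <adminroot>@pkgdatadir@/admin</adminroot>
- <!-- <pidfile>@pkgdatadir@/icecast.pid</pidfile> -->
+ <logdir>@LOGDIR@</logdir>
+ <webroot>@WEBROOT@</webroot>
+ <adminroot>@ADMINROOT@</adminroot>
+ <pidfile>@PIDDIR@/icecast.pid</pidfile>
 
 <!-- Aliases: treat requests for 'source' path as being for 'dest' path
 May be made specific to a port or bound address using the "port"
@@ -222,7 +222,7 @@
 <accesslog>access.log</accesslog>
 <errorlog>error.log</errorlog>
 <!-- <playlistlog>playlist.log</playlistlog> -->
- <loglevel>3</loglevel> <!-- 4 Debug, 3 Info, 2 Warn, 1 Error -->
+ <loglevel>2</loglevel> <!-- 4 Debug, 3 Info, 2 Warn, 1 Error -->
 <logsize>10000</logsize> <!-- Max size of a logfile -->
 <!-- If logarchive is enabled (1), then when logsize is reached
 the logfile will be moved to [error|access|playlist].log.DATESTAMP,
@@ -236,8 +236,8 @@
 <chroot>0</chroot>
 <!--
 <changeowner>
- <user>nobody</user>
- <group>nogroup</group>
+ <user>@ICECAST_USER@</user>
+ <group>@ICECAST_GROUP@</group>
 </changeowner>
 -->
 </security>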
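Review bot: In the last hunk the substituted `@ICECAST_USER@` and `@ICECAST_GROUP@` values still sit inside the commented-out `<changeowner>` block, so the installed configuration does not drop privileges on its own. Whether the daemon ends up running unprivileged then depends on how the package's startup script launches it, which is not visible in this patch. If the block is meant to stay commented, a short comment above it would make the dependency explicit, for example `<!-- Uncomment <changeowner> when icecast is started as root; @LOGDIR@ and @PIDDIR@ must be writable by that user -->`. The first hunk also enables `<pidfile>`, so the existing comment saying "these paths must both be relative to the new root" no longer describes every path affected when `<chroot>` is turned on. Separately, the second hunk's default of `<loglevel>2</loglevel>` drops Info-level entries from the error log, which is worth a mention in the package notes for operators who rely on that log during incident review.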