Bug#770222: icecast2: on-connect scripts: icecast can leak output to attentive sources
Sven Herzberg
sven.herzberg at cluepunk.com
Wed Nov 19 20:15:10 UTC 2014
Package: icecast2
Version: 2.4.0-1~bpo70+1
Severity: critical
Tags: security upstream
Justification: root security hole

Icecast can leak the output of on-connect scripts to source clients by
sending their output via HTTP.

This information disclosure can contain confidential information if the
administrator of the icecast server did not explicitly check the output
of their scripts. Information contained can include passwords or script
internals helping to possibly exploit weak scripts.

This bug has been reported upstream [1], which fixed it quickly in the bugfix
release 2.4.1 [2]. Please consider upgrading to the latest upstream
version.

[1] https://trac.xiph.org/ticket/2089
[2] http://icecast.org/news/icecast-release-2_4_1/
-- System Information:
Debian Release: 7.7
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.41-042stab094.7 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages icecast2 depends on:
ii adduser 3.113+nmu3
ii debconf [debconf-2.0] 1.5.49
ii libc6 2.13-38+deb7u6
ii libcurl3-gnutls 7.26.0-1+wheezy11
ii libogg0 1.3.0-4
ii libspeex1 1.2~rc1-7
ii libtheora0 1.1.1+dfsg.1-3.1
ii libvorbis0a 1.3.2-1.3
ii libxml2 2.8.0+dfsg1-7+wheezy2
ii libxslt1.1 1.1.26-14.1
icecast2 recommends no packages.
Versions of packages icecast2 suggests:
pn ices2 <none>
-- Configuration Files:
/etc/default/icecast2 changed [not included]
/etc/icecast2/icecast.xml [Errno 13] Keine Berechtigung: u'/etc/icecast2/icecast.xml'
-- debconf information excluded