[ubuntu/trusty-security] icecast2 2.3.3-2ubuntu1.14.04.1 (Accepted)

[Marc Deslauriers]

icecast2 (2.3.3-2ubuntu1.14.04.1) trusty-security; urgency=high

  * SECURITY UPDATE: Denial of service vulnerability.
    - d/p/0002-crash-in-url-auth:
      This fixes a crash (NULL reference) in case URL Auth is used
      and stream_auth is trigged with no credentials passed by the client.
      Username and password is now set to empty strings and transmited to
      the backend server this way.
    - CVE-2015-3026
  * SECURITY UPDATE: Potentially leaks sensitive information.
    - d/p/0001-disconnects_stdio_of_on_dis_connect_scripts:
      Include patchset 19313 (close file handles for external scripts).
    - CVE-2014-9018
  * SECURITY UPDATE: Potentially allows local users to gain
    privileges via unspecified vectors.
    - d/p/0003-override-supplementary-groups:
      In case of <changeowner> only UID and GID were changed,
      supplementary groups were left in place.
      This is a potential security issue only if <changeowner> is used.
      New behaviour is to set UID, GID and set supplementary groups
      based on the UID.
      Even in case of icecast remaining in supplementary group 0
      this "only" gives it things like access to files that are owned
      by group 0 and according to their umask. This is obviously bad,
      but not as bad as UID 0 with all its other special rights.
    - CVE-2014-9091

Date: 2015-04-29 12:13:12.984212+00:00
Changed-By: Unit 193 <unit193 at gmail.com>
Signed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/icecast2/2.3.3-2ubuntu1.14.04.1
-------------- next part --------------
Sorry, changesfile not available.