[ubuntu/trusty-security] icecast2 2.3.3-2ubuntu1.14.04.1 (Accepted)
marc.deslauriers at canonical.com
Wed Apr 29 12:36:38 UTC 2015
icecast2 (2.3.3-2ubuntu1.14.04.1) trusty-security; urgency=high
  * SECURITY UPDATE: Denial of service vulnerability.
    This fixes a crash (NULL reference) in case URL Auth is used
    and stream_auth is triggered with no credentials passed by the client.
    Username and password are now set to empty strings and transmitted to
    the backend server this way.
  * SECURITY UPDATE: Potentially leaks sensitive information.
    Include patchset 19313 (close file handles for external scripts).
  * SECURITY UPDATE: Potentially allows local users to gain
    privileges via unspecified vectors.
    In case of <changeowner> only UID and GID were changed,
    supplementary groups were left in place.
    This is a potential security issue only if <changeowner> is used.
    New behaviour is to set UID, GID and set supplementary groups
    based on the UID.
    Even in case of icecast remaining in supplementary group 0
    this "only" gives it things like access to files that are owned
    by group 0 and according to their umask. This is obviously bad,
    but not as bad as UID 0 with all its other special rights.
Date: 2015-04-29 12:13:12.984212+00:00
Changed-By: Unit 193 <unit193 at gmail.com>
Signed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
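
The <changeowner> behaviour described in the changelog, as an added example in C (not Icecast's code and not the Ubuntu patch): supplementary groups are set from the target account before GID and UID are changed, and the result is verified. The names `drop_privileges` and `count_leaked_groups`, the limit `MAX_GROUPS` and the sample group IDs are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE 1   /* for initgroups()/getgrouplist() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 64       /* assumed upper bound for this example */

/* Count entries of have[] that are neither gid nor in want[]: groups the
 * process inherited but the target account is not a member of. */
int count_leaked_groups(const gid_t *have, int nhave, gid_t gid,
                        const gid_t *want, int nwant)
{
    int leaked = 0;
    for (int i = 0; i < nhave; i++) {
        int ok = (have[i] == gid);
        for (int j = 0; j < nwant && !ok; j++)
            ok = (have[i] == want[j]);
        leaked += !ok;
    }
    return leaked;
}

/* Drop from root to `user` (hypothetical helper). Order matters: groups
 * first, then GID, then UID; after setuid() the group calls would fail. */
int drop_privileges(const char *user)
{
    gid_t have[MAX_GROUPS], want[MAX_GROUPS];
    int nwant = MAX_GROUPS, nhave;
    struct passwd *pw = getpwnam(user);

    if (pw == NULL || pw->pw_uid == 0)
        return -1;
    if (getgrouplist(pw->pw_name, pw->pw_gid, want, &nwant) < 0)
        return -1;
    if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
        setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    /* Verify the drop instead of trusting it. */
    nhave = getgroups(MAX_GROUPS, have);
    if (nhave < 0 || setuid(0) == 0)
        return -1;
    return count_leaked_groups(have, nhave, pw->pw_gid, want, nwant) ? -1 : 0;
}

int main(void)
{
    gid_t inherited[] = {0, 4, 27};  /* constructed: root's groups left in place */
    gid_t target[] = {123};          /* constructed: the service account's groups */
    printf("leaked=%d\n", count_leaked_groups(inherited, 3, 123, target, 1));
    return 0;
}
```

A caller should treat a -1 from `drop_privileges` as fatal and exit rather than continue with partially dropped privileges.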