File: changes.html

package info (click to toggle)
icecast2 2.4.4-1
  • links: PTS, VCS
  • area: main
  • in suites: bullseye, buster, sid
  • size: 5,712 kB
  • sloc: ansic: 18,819; sh: 4,369; makefile: 250
file content (203 lines) | stat: -rw-r--r-- 10,125 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
<!DOCTYPE html>
<html lang="en">
<head>
	<title>Icecast Docs Docs &mdash; Changes</title>
	<meta charset="utf-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />

  <link rel="stylesheet" type="text/css" href="assets/css/style.css" media="screen, print" />
</head>

  <body>

    <div class="header">
      <h1><a href="#" title="Home page">Icecast</a> <span>documentation</span></h1>
    </div>

    <div class="section">
      
      <h2>Icecast 2.4.4 Docs &mdash; Changes</h2>
      
<div id="v2.4.4" class="article">
  <h3 id="version-244">Version 2.4.4</h3>

  <h4 id="fixes-4">Fixes</h4>

  <ul>
    <li><strong>Security fix</strong>: Buffer overflow in URL-auth <br />
       <ul>
          <li>A malicious client can send long HTTP headers, leading to a buffer overflow and potential remote code execution.</li>
          <li>The issue has been assigned CVE-2018-18820.</li>
	  <li>An Icecast server (version &lt;2.4.4) is only vulnerable if a &lt;mount&gt; definition exists that enables URL authentication.</li>
          <li>The problematic code exists since version 2.4.0 and was now brought to our attention by Nick Rolfe of <a href="https://lgtm.com/security">Semmle Security Research Team</a></li>
       </ul>
    <li>Fixed segfault in htpasswd auth, if no filename was set</li>
    <li>Do not report hashed user passwords in user list</li>
    <li>Fix two mistakes in the default config's comments</li>
    <li>Add log message for succesful streamlist requests</li>
    <li>Fix update_from_master() for receiving HTTP/1.1</li>
    <li>Spelling fix, thanks to Ukikie</li>
    <li>Fixed a segfault when xsltApplyStylesheet() returns error</li>
    <li>Fixed segfault on bad Opus streams</li>
    <li>Corrected response and fixed TLS for 416 Request Range Not Satisfiable responses</li>
  </ul>

  <h4 id="known-issues-3">Known issues</h4>

  <ul>
    <li>See <a href="#known-issues">2.4.1</a></li>
  </ul>

</div>
<div id="v2.4.3" class="article">
  <h3 id="version-243">Version 2.4.3</h3>

  <h4 id="fixes-3">Fixes</h4>

  <ul>
    <li><strong>Security fix</strong>: Windows - remove trailing dots in URI. <br /> A quirk in the Windows API made it possible to request the raw stylesheet file from webroot. Only XSLT files are affected, no internal state data is available this way. <br /> This addresses CVE-2005-0837 (sic!), which was sadly ignored after the initial ticket got closed erroneously.</li>
    <li><strong>Expected impact is low</strong>: most installations run with default XSLT files and there is nothing new to be learned in such a case. Also a majority of production Icecast servers don't run on Windows to start with.</li>
    <li><strong>Linux/Unix installations were never affected, this is a Windows only release!</strong></li>
    </li>
  </ul>

  <h4 id="known-issues-3">Known issues</h4>

  <ul>
    <li>See <a href="#known-issues">2.4.1</a></li>
  </ul>

</div>
<div id="v2.4.2" class="article">
  <h3 id="version-242">Version 2.4.2</h3>

  <h4 id="fixes-2">Fixes</h4>

  <ul>
    <li><strong>Security fix</strong>: Do not crash if URL Auth is used with stream_auth.</li>
  </ul>

  <h4 id="known-issues-2">Known issues</h4>

  <ul>
    <li>See <a href="#known-issues">2.4.1</a></li>
  </ul>

</div>
<div id="v2.4.1" class="article">
  <h3 id="version-241">Version 2.4.1</h3>

  <h4 id="fixes">Fixes</h4>

  <ul>
    <li>Fixed cross-corruption of file descriptors by on-connect/on-disconnect scripts, specifically STDIN, STDOUT and STDERRR vs TCP connections.
      <ul>
        <li>We actually close not just 0, 1 and 2, but the first 1024 FDs, which seems common trade-off practice, but still not ideal. A more thorough fix will need platform specific logic and significant work.</li>
        <li>The STDIN/OUT/ERR problem is fixed reliably, but other problems could occur if both the script and the server use FDs &gt;1024 at the same time</li>
        <li>This is now reasonably safe, but care should be exercised nevertheless. </li>
      </ul>
    </li>
    <li>Disabled SSLv3 and SSL compression explicitly to improve security</li>
    <li>Updated the default ciphers to be more secure</li>
    <li>Fixed JSON status API problems
      <ul>
        <li>Put the XSLT last item check into every filtered tag.</li>
        <li>This way we shouldn’t run into problems of this type anymore.</li>
        <li>Also it should be easier to customize the XSLT this way, if someone wants to filter differently.</li>
      </ul>
    </li>
    <li>Fixed <code>&lt;auth&gt;</code> in <code>&lt;mount type="default"&gt;</code> to work properly.</li>
    <li>Fixed listener connection duration logging in access.log. Regression was introduced for only some platforms by an earlier security fix.</li>
    <li>Fixed time zone reporting in _iso8601 fields on Windows.</li>
    <li>added warnings on empty and default values of <code>&lt;fileserve&gt;</code>, <code>&lt;hostname&gt;</code>, <code>&lt;location&gt;</code>, <code>&lt;admin&gt;</code> and <code>&lt;server-id&gt;</code></li>
    <li>send errorlog (loglevel WARN) to stderr prior to opening logfiles.</li>
    <li>Fixed handling of empty strings in config file. Now empty strings are handled in: accesslog, errorlog, logdir, webroot, adminroot and hopefully all kinds of port.</li>
    <li>Be more verbose in case of fileserve off. People disable fileserve and then wonder why the web interface CSS breaks.</li>
    <li>More details in log messages
      <ul>
        <li>Add source IP adress to startup and source exit logging</li>
        <li>Add mountpoint to some log lines</li>
      </ul>
    </li>
    <li>Updated the config file to avoid common pitfalls and make some things more obvious.</li>
    <li>Fixed some compiler warnings</li>
    <li>Fixed autogen.sh to work properly on Mac OS</li>
    <li>Fixed JSON access by adding support for global and mount specific custom HTTP headers.
      <ul>
        <li>The purpose is to fix JSON access from browsers, by supporting basic CORS use cases. This is both important for some HTML5 <code>&lt;audio&gt;</code> or <code>&lt;video&gt;</code> use cases and accessing the JSON status API.</li>
        <li>The default icecast config contains the very permissive global header: &lt;header name="Access-Control-Allow-Origin" value="*" /&gt;</li>
      </ul>
    </li>
  </ul>

  <h4 id="known-issues">Known issues</h4>

  <ul>
    <li>HTTP PUT implementation currently doesn’t support chunked encoding yet.</li>
    <li>HTTP PUT with “Expect: 100-Continue” receives first a “100” and soon after a “200”, instead of the “200” at the end of transmission.</li>
    <li>Caution should be exercised when using <code>&lt;on-connect&gt;</code> or <code>&lt;on-disconnect&gt;</code>, as there is a small chance of stream file descriptors being mixed up with script file descriptors, if the FD numbers go above 1024. This will be further addressed in the next Icecast release.</li>
    <li>Don’t use comments inside <code>&lt;http-headers&gt;</code> as it will prevent processing of further <code>&lt;header&gt;</code> tags.</li>
  </ul>
</div>

<div id="v2.4.0" class="article">
  <h3 id="version-240">Version 2.4.0</h3>

  <h4 id="new-features">New Features</h4>

  <ul>
    <li>Support for Ogg Opus streams</li>
    <li>Support for WebM streams</li>
    <li>HTTP 1.1 PUT support for source connections. Deprecating SOURCE method</li>
    <li><em>Default mount</em><br />
This allows you to define a global set of defaults for ALL mounts. This way you can use e.g. url-auth for sources and or listeners also for dynamically generated mounts.</li>
    <li><em>Web interface redone</em>
      <ul>
        <li>Web output properly redone, credit to ePirat</li>
        <li>Added <code>&lt;audio&gt;</code> element for supported audio streams</li>
        <li>Now validates completely as XHTML1.0 strict</li>
        <li>Also improves rendering on mobile devices</li>
      </ul>
    </li>
    <li>Added basic JSON API (<code>/status-json.xsl</code>) based on a xml2json template by Doeke Zanstra (see <code>xml2json.xslt</code>). Output is roughly limited to data also visible through <code>status.xsl</code></li>
    <li>Send charset in HTTP headers for everything, excluding file-serv and streams</li>
    <li>Allow (standard strftime(3)) <code>%x</code> codes in <code>&lt;dump-file&gt;</code>. Disabled for Win32</li>
    <li>Added <code>stream_start_iso8601</code>, <code>server_start_iso8601</code> to statitics. ISO8601 compliante timestamps for statistics. Should make usage in e.g. JSON much easier. Added as new variables to avoid breaking backwards compatibility</li>
    <li>Now compiles for Win32 using mingw</li>
    <li>Added options <code>headers</code> and <code>header_prefix</code> to URL based listener auth</li>
    <li>Updated <code>listener_remove</code> handler, added <code>ip=</code> and <code>agent=</code></li>
    <li>Allow full URLs to be returned by the master server</li>
  </ul>

  <h4 id="fixes-1">Fixes</h4>

  <ul>
    <li><strong>Security fix</strong>: Override supplementary groups if is used</li>
    <li>Fixes for some race conditions</li>
    <li>Dropped debian packaging directory as debian use their own.</li>
    <li>Send proper HTTP headers in responses to clients.</li>
    <li>Corrected Content-Length: header in admin (raw) requests. Thanks to paluh for reporting.</li>
    <li>Escape log entries in access log</li>
    <li>Fixed a memory leak. Lost headers of stream because of wrong ref counter in associated refbuf objects.</li>
    <li>Avoid memory leak in <code>_parse_mount()</code> when <code>type</code>-attribute is set</li>
    <li>Updated web interface to be XHTML compliant.</li>
    <li>Removed <code>status2.xsl</code> from release. It was only a broken example file anyway.</li>
  </ul>

  <h4 id="known-issues-1">Known issues</h4>

  <ul>
    <li>Will crash if certain config tags are left empty</li>
  </ul>

</div>


    </div>

    <div class="footer">
      <p>Support icecast development at <a href="http://icecast.org">icecast.org</a></p>
    </div>

  </body>
</html>