Your icecast-server upload
Hi,
I've seen that you've uploaded a new version of icecast-server
for stable. This will remove icecast-client if I understand
that.
Your changelog says:
* Several security exploits found to icecast. No simple way to patch
* old version, so upgrade to latest stable version from icecast.org
* If questions or assistance needed join #icecast on openprojects.net IRC
Do you have documentation about said security exploits?
Is it something different than this one?
"icecast" is a server used to distribute audio streams to compatible
clients such as winamp, mpg123, xmms and many others.
Matt Messier (mmessier@prilnari.com) and John Viega (viega@list.org)
have identified several buffer overflow and format strings problems
in Icecast that could be remotely exploited.
Our latest update to this software changes the package to use an
unprivileged user ("icecast") for the daemon, so the impact of this
vulnerability is not as high. Recent distributions (CL >= 5.1) have
this package compiled with StackGuard to make it more difficult to
exploit buffer overflows.
If not, I have a patch for 1.3.9 and from a first glance the code
doesn't match, thus the stable version is *not* vulnerable to this
problem. Thus, adding new code will probably add new vulnerabilities.
Clarification appreciated.
Regards,
Joey
--
Let's call it an accidental feature. --Larry Wall