Update NEWS in preparation for 2.4.4

NEWS

@@ -1,3 +1,235 @@
+Icecast 2.4.4
+-----------------------------------------------------------------------------
+We are releasing Icecast 2.4.4, an important bugfix-only release.
+We recommend upgrading for increased stability and compatibility!
+A summary of the changes is listed below, for details please refer
+to the ChangeLog
+
+## Downloads
+
+- Source http://downloads.xiph.org/releases/icecast/icecast-2.4.4.tar.gz
+- Windows http://downloads.xiph.org/releases/icecast/icecast_win32_2.4.4.exe
+
+## Fixes
+
+- Fix: Fixed segfault in htpasswd auth if no filename is set
+- Fix: Do not report hashed user passworts in user list.
+- Fix two mistakes in the default config's comments
+- Add log message for succesful streamlist requests
+- Fix: update_from_master() for receiving HTTP/1.1
+- Fix: Spelling, thanks to Ukikie
+- Fix: Fixed a segfault when xsltApplyStylesheet() returns error
+- Fix: Do not segfaul on bad Opus streams
+- Fix: Corrected response and fixed TLS for 416 Request Range Not Satisfiable 
+  responses
+- Fix: TLS for ICECAST_PROTOCOL_SHOUTCAST source clients
+  and investigating the bug.
+
+## Known issues
+
+-   HTTP PUT implementation currently doesn't support chunked encoding yet.
+-   HTTP PUT with "Expect: 100-Continue" receives first a "100" and soon
+    after a "200", instead of the "200" at the end of transmission.
+-   Caution should be exercised when using `<on-connect>` or
+    `<on-disconnect>`, as there is a small chance of stream file descriptors
+    being mixed up with script file descriptors, if the FD numbers go above
+    1024. This will be further addressed in the next Icecast release.
+-   Don't use comments inside `<http-headers>` as it will
+    prevent processing of further `<header>` tags.
+-   Webinterface shows Login when using just `stream_auth`.
+
+Icecast 2.4.3
+-----------------------------------------------------------------------------
+We released a new version of Icecast last week. 
+It is a Windows only release and addresses a security issue recently brought
+to our attention.
+
+As it, embarrassingly, turns out this issue was previously raised on a
+security mailing list in 2005 and assigned CVE 2005-0837.
+A ticket (#635) was even created, once this posting was noticed
+by an Icecast project member, at that time. Sadly the original report was
+terse, the issue couldn't be readily reproduced and subsequently the ticket
+was closed.
+
+We were recently contacted about this issue and this time provided with
+details about the environment it occurred in. This allowed us to identify
+this as a Windows only issue.
+
+The vulnerability, identified as CVE-2005-0837, allows an attacker to acces
+the raw XSLT template file by appending a dot “.” to the URL. Due to the
+way how Windows handles file names ending with a dot, it only affects
+Icecast versions < 2.4.3 running on Windows. Icecast on other operating
+systems, like Linux, wasn't affected at any time by this issue. If you
+haven't modified the default XSLT files of a Windows installation,
+then no information disclosure of real value could have happened.
+We expect that most, of the comparatively few, Windows installations have
+unmodified template files and thus, while technically vulnerable,
+only expose those unmodified templates. To be clear, no runtime information
+can be accessed this way.
+
+In case you modified the templates and they contain sensitive information,
+it should be assumed that a third party could have accessed them.
+We're sorry, that this issue went unresolved for a long time.
+
+
+## Downloads
+
+- Source: http://downloads.xiph.org/releases/icecast/icecast-2.4.3.tar.gz
+- Windows http://downloads.xiph.org/releases/icecast/icecast_win32_2.4.3.exe
+
+#635 https://trac.xiph.org/ticket/635
+
+
+Icecast 2.4.2
+-----------------------------------------------------------------------------
+We are releasing Icecast 2.4.2, an important bugfix-only release.
+Upgrading to it is recommended due to security fixes.
+A summary of the changes is listed below, for details please refer
+to the ChangeLog
+
+## Downloads
+
+- Source: http://downloads.xiph.org/releases/icecast/icecast-2.4.2.tar.gz
+- Windows http://downloads.xiph.org/releases/icecast/icecast_win32_2.4.2.exe
+
+## Fixes
+
+-   Fix a crash related to URL Auth end empty credentials,
+    [CVE-2015-3026]. [#2191]
+
+## Known issues
+
+-   HTTP PUT implementation currently doesn't support chunked encoding yet.
+-   HTTP PUT with "Expect: 100-Continue" receives first a "100" and soon
+    after a "200", instead of the "200" at the end of transmission.
+-   Caution should be exercised when using `<on-connect>` or
+    `<on-disconnect>`, as there is a small chance of stream file descriptors
+    being mixed up with script file descriptors, if the FD numbers go above
+    1024. This will be further addressed in the next Icecast release.
+-   Don't use comments inside `<http-headers>` as it will
+    prevent processing of further `<header>` tags.
+-   Webinterface shows Login when using just `stream_auth`.
+
+#2191 https://trac.xiph.org/ticket/2191
+CVE-2015-3026 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3026
+
+
+Icecast 2.4.1
+-----------------------------------------------------------------------------
+We are pleased to announce release 2.4.1 of Icecast.
+This is a pure bugfix-only release. Upgrading to it is recommended
+due to security fixes.
+A summary of the changes is listed below, for details please
+refer to the ChangeLog
+
+## Downloads
+
+-  Source: http://downloads.xiph.org/releases/icecast/icecast-2.4.1.tar.gz
+-  Windows http://downloads.xiph.org/releases/icecast/icecast_win32_2.4.1.exe
+
+## Fixes
+
+-   Fix autogen.sh to work properly on OS X
+-   Removed threadpool from the example config (it is long gone and unused)
+-   More detailed logging:
+    - Add source IP adress to source start/stop logging
+    - Add mountpoints to some log lines
+-   Fix logging to send errors to STDERR prior to opening log files
+-   Fix `<auth>` in default mounts (`<mount type="default">`)
+    to work properly
+-   Fix the JSON status API (`status-json.xsl`), which could return invalid
+    JSON in some cases
+-   SSL Security improvements:
+    - Disable SSLv3
+    - Disable SSL compression
+    - Updated the default ciphers to be more secure
+-   Handle empty strings in config file better
+-   Fix logging of client connection duration time on Windows
+-   Fix possibly broken XML on Windows
+-   Require `Content-Type` header for PUT requests
+-   Fix on-connect and on-disconnect script STDIN/STDOUT/STDERR corruption
+    due to shared file descriptors. (CVE-2014-9018)
+-   Fix JSON access by adding support for global and mount specific
+    custom HTTP headers
+
+## Known issues
+
+-   HTTP PUT implementation currently doesn't support chunked encoding yet.
+-   HTTP PUT with "Expect: 100-Continue" receives first a "100" and soon
+    after a "200", instead of the "200" at the end of transmission.
+-   Caution should be exercised when using `<on-connect>` or
+    `<on-disconnect>`, as there is a small chance of stream
+    file descriptors being mixed up with script file descriptors, if
+    the FD numbers go above 1024. This will be further addressed
+    in the next Icecast release.
+-   Don't use comments inside `<http-headers>` as it will prevent
+    processing of further `<header>` tags.
+-   Webinterface shows Login when using just `stream_auth`.
+
+
+Icecast 2.4.0
+-----------------------------------------------------------------------------
+We are pleased to announce release 2.4.0 of Icecast.
+A summary of the changes is listed below, for details please
+refer to the ChangeLog
+
+## Downloads
+
+-  Source: http://downloads.xiph.org/releases/icecast/icecast-2.4.0.tar.gz
+-  Windows http://downloads.xiph.org/releases/icecast/icecast_win32_2.4.0.zip
+
+## New features
+
+-	Support for Ogg Opus streams
+-	Support for WebM streams
+-	HTTP 1.1 PUT support for source connections. Deprecates SOURCE method.
+	
+-	_Default mount_  
+	This allows you to define a global set of defaults for _all_ mounts.
+	This way you can use e.g. url-auth for sources and or listeners also
+	for dynamically generated mounts.
+-	_Web interface redone_
+	*	Web output properly redone, credit to ePirat.
+	*	Added `<audio>` element for supported audio streams.
+	*	Now validates completely as XHTML1.0 strict.
+	*	Improves rendering on mobile devices.
+-	Added basic JSON API (`/status-json.xsl`) based on a xml2json template
+	by Doeke Zanstra (see `xml2json.xslt`).
+	Output is roughly limited to data also visible through `status.xsl`.
+-	Send charset in HTTP headers for everything, excluding file-serv
+	and streams.
+-	Allow (standard `strftime(3)`) `%x` codes in `<dump-file>`.
+	Disabled for win32.
+-	Added stream_start_iso8601, server_start_iso8601 to statitics.
+	ISO8601 compliant timestamps for statistics.
+	Should make usage in e.g. JSON much easier. Added as new variables
+	to avoid breaking backwards compatibility.
+-	Now compiles for win32 using mingw
+-	Added options `headers` and `header_prefix` to URL based listener auth.
+-	Updated listener_remove handler, added `ip=` and `agent=`
+-	Allow full URLs to be returned by the master server.
+
+## Fixes
+
+-	Security Fix: Override supplementary groups if `<changeowner>` is used
+-	Fixes for some race conditions
+-	Dropped debian packaging directory as debian use their own.
+-	Send proper HTTP headers in responses to clients.
+-	Corrected `Content-Length` header in admin (raw) requests.
+	Thanks to paluh for reporting.
+-	Escape log entries in access log
+-	Fixed a memory leak. Lost headers of stream because of wrong
+	ref counter in associated refbuf objects.
+-	Avoid memory leak in `_parse_mount()` when `type`-attribute is set
+-	Updated web interface to be XHTML compliant.
+-	Removed `status2.xsl` from release.
+	It was only a broken example file anyway.
+
+## Known issues
+
+-	Will crash if certain config tags are left empty.
+-	Webinterface shows Login when using just `stream_auth`.
+
 Icecast 2.4 beta1
 -----------------------------------------------------------------------------
 Note: While WebM and Opus are production grade, there are other pending fixes.