mirror of
https://gitlab.xiph.org/xiph/icecast-server.git
synced 2024-09-22 04:15:54 -04:00
Update NEWS in preparation for 2.4.4
parent
ce0ae70845
commit
18594bbd8d
232
NEWS
@ -1,3 +1,235 @@
|
|||||||
|
Icecast 2.4.4
|
||||||
|
-----------------------------------------------------------------------------
|
||||||
|
We are releasing Icecast 2.4.4, an important bugfix-only release.
|
||||||
|
We recommend upgrading for increased stability and compatibility!
|
||||||
|
A summary of the changes is listed below, for details please refer
|
||||||
|
to the ChangeLog
|
||||||
|
|
||||||
|
## Downloads
|
||||||
|
|
||||||
|
- Source http://downloads.xiph.org/releases/icecast/icecast-2.4.4.tar.gz
|
||||||
|
- Windows http://downloads.xiph.org/releases/icecast/icecast_win32_2.4.4.exe
|
||||||
|
|
||||||
|
## Fixes
|
||||||
|
|
||||||
|
- Fix: Fixed segfault in htpasswd auth if no filename is set
|
||||||
|
- Fix: Do not report hashed user passworts in user list.
|
||||||
|
- Fix two mistakes in the default config's comments
|
||||||
|
- Add log message for succesful streamlist requests
|
||||||
|
- Fix: update_from_master() for receiving HTTP/1.1
|
||||||
|
- Fix: Spelling, thanks to Ukikie
|
||||||
|
- Fix: Fixed a segfault when xsltApplyStylesheet() returns error
|
||||||
|
- Fix: Do not segfaul on bad Opus streams
|
||||||
|
- Fix: Corrected response and fixed TLS for 416 Request Range Not Satisfiable
|
||||||
|
responses
|
||||||
|
- Fix: TLS for ICECAST_PROTOCOL_SHOUTCAST source clients
|
||||||
|
and investigating the bug.
|
||||||
|
|
||||||
|
## Known issues
|
||||||
|
|
||||||
|
- HTTP PUT implementation currently doesn't support chunked encoding yet.
|
||||||
|
- HTTP PUT with "Expect: 100-Continue" receives first a "100" and soon
|
||||||
|
after a "200", instead of the "200" at the end of transmission.
|
||||||
|
- Caution should be exercised when using `<on-connect>` or
|
||||||
|
`<on-disconnect>`, as there is a small chance of stream file descriptors
|
||||||
|
being mixed up with script file descriptors, if the FD numbers go above
|
||||||
|
1024. This will be further addressed in the next Icecast release.
|
||||||
|
- Don't use comments inside `<http-headers>` as it will
|
||||||
|
prevent processing of further `<header>` tags.
|
||||||
|
- Webinterface shows Login when using just `stream_auth`.
|
||||||
|
|
||||||
|
Icecast 2.4.3
|
||||||
|
-----------------------------------------------------------------------------
|
||||||
|
We released a new version of Icecast last week.
|
||||||
|
It is a Windows only release and addresses a security issue recently brought
|
||||||
|
to our attention.
|
||||||
|
|
||||||
|
As it, embarrassingly, turns out this issue was previously raised on a
|
||||||
|
security mailing list in 2005 and assigned CVE 2005-0837.
|
||||||
|
A ticket (#635) was even created, once this posting was noticed
|
||||||
|
by an Icecast project member, at that time. Sadly the original report was
|
||||||
|
terse, the issue couldn't be readily reproduced and subsequently the ticket
|
||||||
|
was closed.
|
||||||
|
|
||||||
|
We were recently contacted about this issue and this time provided with
|
||||||
|
details about the environment it occurred in. This allowed us to identify
|
||||||
|
this as a Windows only issue.
|
||||||
|
|
||||||
|
The vulnerability, identified as CVE-2005-0837, allows an attacker to acces
|
||||||
|
the raw XSLT template file by appending a dot “.” to the URL. Due to the
|
||||||
|
way how Windows handles file names ending with a dot, it only affects
|
||||||
|
Icecast versions < 2.4.3 running on Windows. Icecast on other operating
|
||||||
|
systems, like Linux, wasn't affected at any time by this issue. If you
|
||||||
|
haven't modified the default XSLT files of a Windows installation,
|
||||||
|
then no information disclosure of real value could have happened.
|
||||||
|
We expect that most, of the comparatively few, Windows installations have
|
||||||
|
unmodified template files and thus, while technically vulnerable,
|
||||||
|
only expose those unmodified templates. To be clear, no runtime information
|
||||||
|
can be accessed this way.
|
||||||
|
|
||||||
|
In case you modified the templates and they contain sensitive information,
|
||||||
|
it should be assumed that a third party could have accessed them.
|
||||||
|
We're sorry, that this issue went unresolved for a long time.
|
||||||
|
|
||||||
|
|
||||||
|
## Downloads
|
||||||
|
|
||||||
|
- Source: http://downloads.xiph.org/releases/icecast/icecast-2.4.3.tar.gz
|
||||||
|
- Windows http://downloads.xiph.org/releases/icecast/icecast_win32_2.4.3.exe
|
||||||
|
|
||||||
|
#635 https://trac.xiph.org/ticket/635
|
||||||
|
|
||||||
|
|
||||||
|
Icecast 2.4.2
|
||||||
|
-----------------------------------------------------------------------------
|
||||||
|
We are releasing Icecast 2.4.2, an important bugfix-only release.
|
||||||
|
Upgrading to it is recommended due to security fixes.
|
||||||
|
A summary of the changes is listed below, for details please refer
|
||||||
|
to the ChangeLog
|
||||||
|
|
||||||
|
## Downloads
|
||||||
|
|
||||||
|
- Source: http://downloads.xiph.org/releases/icecast/icecast-2.4.2.tar.gz
|
||||||
|
- Windows http://downloads.xiph.org/releases/icecast/icecast_win32_2.4.2.exe
|
||||||
|
|
||||||
|
## Fixes
|
||||||
|
|
||||||
|
- Fix a crash related to URL Auth end empty credentials,
|
||||||
|
[CVE-2015-3026]. [#2191]
|
||||||
|
|
||||||
|
## Known issues
|
||||||
|
|
||||||
|
- HTTP PUT implementation currently doesn't support chunked encoding yet.
|
||||||
|
- HTTP PUT with "Expect: 100-Continue" receives first a "100" and soon
|
||||||
|
after a "200", instead of the "200" at the end of transmission.
|
||||||
|
- Caution should be exercised when using `<on-connect>` or
|
||||||
|
`<on-disconnect>`, as there is a small chance of stream file descriptors
|
||||||
|
being mixed up with script file descriptors, if the FD numbers go above
|
||||||
|
1024. This will be further addressed in the next Icecast release.
|
||||||
|
- Don't use comments inside `<http-headers>` as it will
|
||||||
|
prevent processing of further `<header>` tags.
|
||||||
|
- Webinterface shows Login when using just `stream_auth`.
|
||||||
|
|
||||||
|
#2191 https://trac.xiph.org/ticket/2191
|
||||||
|
CVE-2015-3026 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3026
|
||||||
|
|
||||||
|
|
||||||
|
Icecast 2.4.1
|
||||||
|
-----------------------------------------------------------------------------
|
||||||
|
We are pleased to announce release 2.4.1 of Icecast.
|
||||||
|
This is a pure bugfix-only release. Upgrading to it is recommended
|
||||||
|
due to security fixes.
|
||||||
|
A summary of the changes is listed below, for details please
|
||||||
|
refer to the ChangeLog
|
||||||
|
|
||||||
|
## Downloads
|
||||||
|
|
||||||
|
- Source: http://downloads.xiph.org/releases/icecast/icecast-2.4.1.tar.gz
|
||||||
|
- Windows http://downloads.xiph.org/releases/icecast/icecast_win32_2.4.1.exe
|
||||||
|
|
||||||
|
## Fixes
|
||||||
|
|
||||||
|
- Fix autogen.sh to work properly on OS X
|
||||||
|
- Removed threadpool from the example config (it is long gone and unused)
|
||||||
|
- More detailed logging:
|
||||||
|
- Add source IP adress to source start/stop logging
|
||||||
|
- Add mountpoints to some log lines
|
||||||
|
- Fix logging to send errors to STDERR prior to opening log files
|
||||||
|
- Fix `<auth>` in default mounts (`<mount type="default">`)
|
||||||
|
to work properly
|
||||||
|
- Fix the JSON status API (`status-json.xsl`), which could return invalid
|
||||||
|
JSON in some cases
|
||||||
|
- SSL Security improvements:
|
||||||
|
- Disable SSLv3
|
||||||
|
- Disable SSL compression
|
||||||
|
- Updated the default ciphers to be more secure
|
||||||
|
- Handle empty strings in config file better
|
||||||
|
- Fix logging of client connection duration time on Windows
|
||||||
|
- Fix possibly broken XML on Windows
|
||||||
|
- Require `Content-Type` header for PUT requests
|
||||||
|
- Fix on-connect and on-disconnect script STDIN/STDOUT/STDERR corruption
|
||||||
|
due to shared file descriptors. (CVE-2014-9018)
|
||||||
|
- Fix JSON access by adding support for global and mount specific
|
||||||
|
custom HTTP headers
|
||||||
|
|
||||||
|
## Known issues
|
||||||
|
|
||||||
|
- HTTP PUT implementation currently doesn't support chunked encoding yet.
|
||||||
|
- HTTP PUT with "Expect: 100-Continue" receives first a "100" and soon
|
||||||
|
after a "200", instead of the "200" at the end of transmission.
|
||||||
|
- Caution should be exercised when using `<on-connect>` or
|
||||||
|
`<on-disconnect>`, as there is a small chance of stream
|
||||||
|
file descriptors being mixed up with script file descriptors, if
|
||||||
|
the FD numbers go above 1024. This will be further addressed
|
||||||
|
in the next Icecast release.
|
||||||
|
- Don't use comments inside `<http-headers>` as it will prevent
|
||||||
|
processing of further `<header>` tags.
|
||||||
|
- Webinterface shows Login when using just `stream_auth`.
|
||||||
|
|
||||||
|
|
||||||
|
Icecast 2.4.0
|
||||||
|
-----------------------------------------------------------------------------
|
||||||
|
We are pleased to announce release 2.4.0 of Icecast.
|
||||||
|
A summary of the changes is listed below, for details please
|
||||||
|
refer to the ChangeLog
|
||||||
|
|
||||||
|
## Downloads
|
||||||
|
|
||||||
|
- Source: http://downloads.xiph.org/releases/icecast/icecast-2.4.0.tar.gz
|
||||||
|
- Windows http://downloads.xiph.org/releases/icecast/icecast_win32_2.4.0.zip
|
||||||
|
|
||||||
|
## New features
|
||||||
|
|
||||||
|
- Support for Ogg Opus streams
|
||||||
|
- Support for WebM streams
|
||||||
|
- HTTP 1.1 PUT support for source connections. Deprecates SOURCE method.
|
||||||
|
|
||||||
|
- _Default mount_
|
||||||
|
This allows you to define a global set of defaults for _all_ mounts.
|
||||||
|
This way you can use e.g. url-auth for sources and or listeners also
|
||||||
|
for dynamically generated mounts.
|
||||||
|
- _Web interface redone_
|
||||||
|
* Web output properly redone, credit to ePirat.
|
||||||
|
* Added `<audio>` element for supported audio streams.
|
||||||
|
* Now validates completely as XHTML1.0 strict.
|
||||||
|
* Improves rendering on mobile devices.
|
||||||
|
- Added basic JSON API (`/status-json.xsl`) based on a xml2json template
|
||||||
|
by Doeke Zanstra (see `xml2json.xslt`).
|
||||||
|
Output is roughly limited to data also visible through `status.xsl`.
|
||||||
|
- Send charset in HTTP headers for everything, excluding file-serv
|
||||||
|
and streams.
|
||||||
|
- Allow (standard `strftime(3)`) `%x` codes in `<dump-file>`.
|
||||||
|
Disabled for win32.
|
||||||
|
- Added stream_start_iso8601, server_start_iso8601 to statitics.
|
||||||
|
ISO8601 compliant timestamps for statistics.
|
||||||
|
Should make usage in e.g. JSON much easier. Added as new variables
|
||||||
|
to avoid breaking backwards compatibility.
|
||||||
|
- Now compiles for win32 using mingw
|
||||||
|
- Added options `headers` and `header_prefix` to URL based listener auth.
|
||||||
|
- Updated listener_remove handler, added `ip=` and `agent=`
|
||||||
|
- Allow full URLs to be returned by the master server.
|
||||||
|
|
||||||
|
## Fixes
|
||||||
|
|
||||||
|
- Security Fix: Override supplementary groups if `<changeowner>` is used
|
||||||
|
- Fixes for some race conditions
|
||||||
|
- Dropped debian packaging directory as debian use their own.
|
||||||
|
- Send proper HTTP headers in responses to clients.
|
||||||
|
- Corrected `Content-Length` header in admin (raw) requests.
|
||||||
|
Thanks to paluh for reporting.
|
||||||
|
- Escape log entries in access log
|
||||||
|
- Fixed a memory leak. Lost headers of stream because of wrong
|
||||||
|
ref counter in associated refbuf objects.
|
||||||
|
- Avoid memory leak in `_parse_mount()` when `type`-attribute is set
|
||||||
|
- Updated web interface to be XHTML compliant.
|
||||||
|
- Removed `status2.xsl` from release.
|
||||||
|
It was only a broken example file anyway.
|
||||||
|
|
||||||
|
## Known issues
|
||||||
|
|
||||||
|
- Will crash if certain config tags are left empty.
|
||||||
|
- Webinterface shows Login when using just `stream_auth`.
|
||||||
|
|
||||||
Icecast 2.4 beta1
|
Icecast 2.4 beta1
|
||||||
-----------------------------------------------------------------------------
|
-----------------------------------------------------------------------------
|
||||||
Note: While WebM and Opus are production grade, there are other pending fixes.
|
Note: While WebM and Opus are production grade, there are other pending fixes.
|
||||||
|
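Review bot: In the 2.4.4 "## Fixes" list, the line "and investigating the bug." directly after "- Fix: TLS for ICECAST_PROTOCOL_SHOUTCAST source clients" is an orphaned fragment whose beginning is missing; restore the full sentence or drop the line. The 2.4.4 intro should also say whether any of the fixes are security-relevant: it recommends upgrading only for "stability and compatibility", yet the list includes "Do not report hashed user passworts in user list." and several segfault fixes, while the 2.4.2 and 2.4.1 entries state "due to security fixes" explicitly, so an operator triaging upgrades cannot tell how urgent this one is. Smaller points in the added text: spelling ("passworts", "succesful", "segfaul", "acces", "adress", "statitics", "end empty credentials"), the inconsistent "CVE 2005-0837" versus "CVE-2005-0837" in the 2.4.3 entry, and the known-issue sentence "This will be further addressed in the next Icecast release", which is repeated unchanged under 2.4.1, 2.4.2 and 2.4.4 and should be reworded or tied to a ticket.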