mirror of
https://gitlab.xiph.org/xiph/icecast-server.git
synced 2024-09-22 04:15:54 -04:00
Update NEWS in preparation for 2.4.4
parent
ce0ae70845
commit
18594bbd8d
232
NEWS
@ -1,3 +1,235 @@
|
||||
Icecast 2.4.4
|
||||
-----------------------------------------------------------------------------
|
||||
We are releasing Icecast 2.4.4, an important bugfix-only release.
|
||||
We recommend upgrading for increased stability and compatibility!
|
||||
A summary of the changes is listed below, for details please refer
|
||||
to the ChangeLog
|
||||
|
||||
## Downloads
|
||||
|
||||
- Source http://downloads.xiph.org/releases/icecast/icecast-2.4.4.tar.gz
|
||||
- Windows http://downloads.xiph.org/releases/icecast/icecast_win32_2.4.4.exe
|
||||
|
||||
## Fixes
|
||||
|
||||
- Fix: Fixed segfault in htpasswd auth if no filename is set
|
||||
- Fix: Do not report hashed user passworts in user list.
|
||||
- Fix two mistakes in the default config's comments
|
||||
- Add log message for succesful streamlist requests
|
||||
- Fix: update_from_master() for receiving HTTP/1.1
|
||||
- Fix: Spelling, thanks to Ukikie
|
||||
- Fix: Fixed a segfault when xsltApplyStylesheet() returns error
|
||||
- Fix: Do not segfaul on bad Opus streams
|
||||
- Fix: Corrected response and fixed TLS for 416 Request Range Not Satisfiable
|
||||
responses
|
||||
- Fix: TLS for ICECAST_PROTOCOL_SHOUTCAST source clients
|
||||
and investigating the bug.
|
||||
|
||||
## Known issues
|
||||
|
||||
- HTTP PUT implementation currently doesn't support chunked encoding yet.
|
||||
- HTTP PUT with "Expect: 100-Continue" receives first a "100" and soon
|
||||
after a "200", instead of the "200" at the end of transmission.
|
||||
- Caution should be exercised when using `<on-connect>` or
|
||||
`<on-disconnect>`, as there is a small chance of stream file descriptors
|
||||
being mixed up with script file descriptors, if the FD numbers go above
|
||||
1024. This will be further addressed in the next Icecast release.
|
||||
- Don't use comments inside `<http-headers>` as it will
|
||||
prevent processing of further `<header>` tags.
|
||||
- Webinterface shows Login when using just `stream_auth`.
|
||||
|
||||
Icecast 2.4.3
|
||||
-----------------------------------------------------------------------------
|
||||
We released a new version of Icecast last week.
|
||||
It is a Windows only release and addresses a security issue recently brought
|
||||
to our attention.
|
||||
|
||||
As it, embarrassingly, turns out this issue was previously raised on a
|
||||
security mailing list in 2005 and assigned CVE 2005-0837.
|
||||
A ticket (#635) was even created, once this posting was noticed
|
||||
by an Icecast project member, at that time. Sadly the original report was
|
||||
terse, the issue couldn't be readily reproduced and subsequently the ticket
|
||||
was closed.
|
||||
|
||||
We were recently contacted about this issue and this time provided with
|
||||
details about the environment it occurred in. This allowed us to identify
|
||||
this as a Windows only issue.
|
||||
|
||||
The vulnerability, identified as CVE-2005-0837, allows an attacker to acces
|
||||
the raw XSLT template file by appending a dot “.” to the URL. Due to the
|
||||
way how Windows handles file names ending with a dot, it only affects
|
||||
Icecast versions < 2.4.3 running on Windows. Icecast on other operating
|
||||
systems, like Linux, wasn't affected at any time by this issue. If you
|
||||
haven't modified the default XSLT files of a Windows installation,
|
||||
then no information disclosure of real value could have happened.
|
||||
We expect that most, of the comparatively few, Windows installations have
|
||||
unmodified template files and thus, while technically vulnerable,
|
||||
only expose those unmodified templates. To be clear, no runtime information
|
||||
can be accessed this way.
|
||||
|
||||
In case you modified the templates and they contain sensitive information,
|
||||
it should be assumed that a third party could have accessed them.
|
||||
We're sorry, that this issue went unresolved for a long time.
|
||||
|
||||
|
||||
## Downloads
|
||||
|
||||
- Source: http://downloads.xiph.org/releases/icecast/icecast-2.4.3.tar.gz
|
||||
- Windows http://downloads.xiph.org/releases/icecast/icecast_win32_2.4.3.exe
|
||||
|
||||
#635 https://trac.xiph.org/ticket/635
|
||||
|
||||
|
||||
Icecast 2.4.2
|
||||
-----------------------------------------------------------------------------
|
||||
We are releasing Icecast 2.4.2, an important bugfix-only release.
|
||||
Upgrading to it is recommended due to security fixes.
|
||||
A summary of the changes is listed below, for details please refer
|
||||
to the ChangeLog
|
||||
|
||||
## Downloads
|
||||
|
||||
- Source: http://downloads.xiph.org/releases/icecast/icecast-2.4.2.tar.gz
|
||||
- Windows http://downloads.xiph.org/releases/icecast/icecast_win32_2.4.2.exe
|
||||
|
||||
## Fixes
|
||||
|
||||
- Fix a crash related to URL Auth end empty credentials,
|
||||
[CVE-2015-3026]. [#2191]
|
||||
|
||||
## Known issues
|
||||
|
||||
- HTTP PUT implementation currently doesn't support chunked encoding yet.
|
||||
- HTTP PUT with "Expect: 100-Continue" receives first a "100" and soon
|
||||
after a "200", instead of the "200" at the end of transmission.
|
||||
- Caution should be exercised when using `<on-connect>` or
|
||||
`<on-disconnect>`, as there is a small chance of stream file descriptors
|
||||
being mixed up with script file descriptors, if the FD numbers go above
|
||||
1024. This will be further addressed in the next Icecast release.
|
||||
- Don't use comments inside `<http-headers>` as it will
|
||||
prevent processing of further `<header>` tags.
|
||||
- Webinterface shows Login when using just `stream_auth`.
|
||||
|
||||
#2191 https://trac.xiph.org/ticket/2191
|
||||
CVE-2015-3026 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3026
|
||||
|
||||
|
||||
Icecast 2.4.1
|
||||
-----------------------------------------------------------------------------
|
||||
We are pleased to announce release 2.4.1 of Icecast.
|
||||
This is a pure bugfix-only release. Upgrading to it is recommended
|
||||
due to security fixes.
|
||||
A summary of the changes is listed below, for details please
|
||||
refer to the ChangeLog
|
||||
|
||||
## Downloads
|
||||
|
||||
- Source: http://downloads.xiph.org/releases/icecast/icecast-2.4.1.tar.gz
|
||||
- Windows http://downloads.xiph.org/releases/icecast/icecast_win32_2.4.1.exe
|
||||
|
||||
## Fixes
|
||||
|
||||
- Fix autogen.sh to work properly on OS X
|
||||
- Removed threadpool from the example config (it is long gone and unused)
|
||||
- More detailed logging:
|
||||
- Add source IP adress to source start/stop logging
|
||||
- Add mountpoints to some log lines
|
||||
- Fix logging to send errors to STDERR prior to opening log files
|
||||
- Fix `<auth>` in default mounts (`<mount type="default">`)
|
||||
to work properly
|
||||
- Fix the JSON status API (`status-json.xsl`), which could return invalid
|
||||
JSON in some cases
|
||||
- SSL Security improvements:
|
||||
- Disable SSLv3
|
||||
- Disable SSL compression
|
||||
- Updated the default ciphers to be more secure
|
||||
- Handle empty strings in config file better
|
||||
- Fix logging of client connection duration time on Windows
|
||||
- Fix possibly broken XML on Windows
|
||||
- Require `Content-Type` header for PUT requests
|
||||
- Fix on-connect and on-disconnect script STDIN/STDOUT/STDERR corruption
|
||||
due to shared file descriptors. (CVE-2014-9018)
|
||||
- Fix JSON access by adding support for global and mount specific
|
||||
custom HTTP headers
|
||||
|
||||
## Known issues
|
||||
|
||||
- HTTP PUT implementation currently doesn't support chunked encoding yet.
|
||||
- HTTP PUT with "Expect: 100-Continue" receives first a "100" and soon
|
||||
after a "200", instead of the "200" at the end of transmission.
|
||||
- Caution should be exercised when using `<on-connect>` or
|
||||
`<on-disconnect>`, as there is a small chance of stream
|
||||
file descriptors being mixed up with script file descriptors, if
|
||||
the FD numbers go above 1024. This will be further addressed
|
||||
in the next Icecast release.
|
||||
- Don't use comments inside `<http-headers>` as it will prevent
|
||||
processing of further `<header>` tags.
|
||||
- Webinterface shows Login when using just `stream_auth`.
|
||||
|
||||
|
||||
Icecast 2.4.0
|
||||
-----------------------------------------------------------------------------
|
||||
We are pleased to announce release 2.4.0 of Icecast.
|
||||
A summary of the changes is listed below, for details please
|
||||
refer to the ChangeLog
|
||||
|
||||
## Downloads
|
||||
|
||||
- Source: http://downloads.xiph.org/releases/icecast/icecast-2.4.0.tar.gz
|
||||
- Windows http://downloads.xiph.org/releases/icecast/icecast_win32_2.4.0.zip
|
||||
|
||||
## New features
|
||||
|
||||
- Support for Ogg Opus streams
|
||||
- Support for WebM streams
|
||||
- HTTP 1.1 PUT support for source connections. Deprecates SOURCE method.
|
||||
|
||||
- _Default mount_
|
||||
This allows you to define a global set of defaults for _all_ mounts.
|
||||
This way you can use e.g. url-auth for sources and or listeners also
|
||||
for dynamically generated mounts.
|
||||
- _Web interface redone_
|
||||
* Web output properly redone, credit to ePirat.
|
||||
* Added `<audio>` element for supported audio streams.
|
||||
* Now validates completely as XHTML1.0 strict.
|
||||
* Improves rendering on mobile devices.
|
||||
- Added basic JSON API (`/status-json.xsl`) based on a xml2json template
|
||||
by Doeke Zanstra (see `xml2json.xslt`).
|
||||
Output is roughly limited to data also visible through `status.xsl`.
|
||||
- Send charset in HTTP headers for everything, excluding file-serv
|
||||
and streams.
|
||||
- Allow (standard `strftime(3)`) `%x` codes in `<dump-file>`.
|
||||
Disabled for win32.
|
||||
- Added stream_start_iso8601, server_start_iso8601 to statitics.
|
||||
ISO8601 compliant timestamps for statistics.
|
||||
Should make usage in e.g. JSON much easier. Added as new variables
|
||||
to avoid breaking backwards compatibility.
|
||||
- Now compiles for win32 using mingw
|
||||
- Added options `headers` and `header_prefix` to URL based listener auth.
|
||||
- Updated listener_remove handler, added `ip=` and `agent=`
|
||||
- Allow full URLs to be returned by the master server.
|
||||
|
||||
## Fixes
|
||||
|
||||
- Security Fix: Override supplementary groups if `<changeowner>` is used
|
||||
- Fixes for some race conditions
|
||||
- Dropped debian packaging directory as debian use their own.
|
||||
- Send proper HTTP headers in responses to clients.
|
||||
- Corrected `Content-Length` header in admin (raw) requests.
|
||||
Thanks to paluh for reporting.
|
||||
- Escape log entries in access log
|
||||
- Fixed a memory leak. Lost headers of stream because of wrong
|
||||
ref counter in associated refbuf objects.
|
||||
- Avoid memory leak in `_parse_mount()` when `type`-attribute is set
|
||||
- Updated web interface to be XHTML compliant.
|
||||
- Removed `status2.xsl` from release.
|
||||
It was only a broken example file anyway.
|
||||
|
||||
## Known issues
|
||||
|
||||
- Will crash if certain config tags are left empty.
|
||||
- Webinterface shows Login when using just `stream_auth`.
|
||||
|
||||
Icecast 2.4 beta1
|
||||
-----------------------------------------------------------------------------
|
||||
Note: While WebM and Opus are production grade, there are other pending fixes.
|
||||
|
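Review bot: In the Icecast 2.4.4 "## Fixes" list, the line "and investigating the bug." follows "- Fix: TLS for ICECAST_PROTOCOL_SHOUTCAST source clients" with nothing leading into it, so a fix entry or its credit line appears to be missing or truncated; restore the full entry before the release is tagged. The 2.4.4 introduction also calls this a bugfix-only release for "stability and compatibility" while the list includes "Do not report hashed user passworts in user list" and several segfault fixes; consider marking the security-relevant items explicitly, as the 2.4.2 and 2.4.1 entries do with "Upgrading to it is recommended due to security fixes." Spelling to correct in the added text: "passworts", "succesful", "segfaul", "acces", "URL Auth end empty credentials", "adress", "statitics"; and "CVE 2005-0837" in the 2.4.3 entry should use the same "CVE-2005-0837" form that appears a few lines later.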