Icecast 2.4.4
-----------------------------------------------------------------------------

We are releasing Icecast 2.4.4, an important bugfix-only release. We recommend upgrading for increased stability and compatibility! A summary of the changes is listed below; for details, please refer to the ChangeLog.

## Downloads

- Source: http://downloads.xiph.org/releases/icecast/icecast-2.4.4.tar.gz
- Windows: http://downloads.xiph.org/releases/icecast/icecast_win32_2.4.4.exe

## Fixes

- Fix: Fixed segfault in htpasswd auth if no filename is set
- Fix: Do not report hashed user passwords in user list.
- Fix two mistakes in the default config's comments
- Add log message for successful streamlist requests
- Fix: update_from_master() for receiving HTTP/1.1
- Fix: Spelling, thanks to Ukikie
- Fix: Fixed a segfault when xsltApplyStylesheet() returns error
- Fix: Do not segfault on bad Opus streams
- Fix: Corrected response and fixed TLS for 416 Request Range Not Satisfiable responses
- Fix: TLS for ICECAST_PROTOCOL_SHOUTCAST source clients
- Fix: global listener count could be negative under certain circumstances
  Thanks a lot to Simeon Völkel (0xBD4E031CDB4043C9) for reporting and investigating the bug.
- Fix: Send "Content-Length: 0" on 100-continue
- Fix: Do not send 100-continue in plain text over TLS sockets
- Fix: Added needed code to announce Opus streams as such to yp.
- Fix: Avoid invalid locking in signal handlers.
- Workaround: avoid libspeex printing warnings on Opus streams.
- Fix: Fixed regression introduced by r19250. The fix checks if the source client is actually known before printing its IP address.
- Fix: do not allow unescaped strings in XML output.

## Known issues

- The HTTP PUT implementation doesn't support chunked encoding yet.
- HTTP PUT with "Expect: 100-Continue" receives first a "100" and soon after a "200", instead of the "200" at the end of transmission.
- Caution should be exercised when using `` or ``, as there is a small chance of stream file descriptors being mixed up with script file descriptors, if the FD numbers go above 1024. This will be further addressed in the next Icecast release.
- Don't use comments inside `` as it will prevent processing of further `` tags.
- Web interface shows Login when using just `stream_auth`.

Icecast 2.4.3
-----------------------------------------------------------------------------

We released a new version of Icecast last week. It is a Windows-only release and addresses a security issue recently brought to our attention.

As it, embarrassingly, turns out, this issue was previously raised on a security mailing list in 2005 and assigned CVE-2005-0837. A ticket (#635) was even created at that time, once this posting was noticed by an Icecast project member. Sadly, the original report was terse, the issue couldn't be readily reproduced, and the ticket was subsequently closed.

We were recently contacted about this issue and this time provided with details about the environment it occurred in. This allowed us to identify this as a Windows-only issue.

The vulnerability, identified as CVE-2005-0837, allows an attacker to access the raw XSLT template file by appending a dot “.” to the URL. Due to the way Windows handles file names ending with a dot, it only affects Icecast versions < 2.4.3 running on Windows. Icecast on other operating systems, like Linux, wasn't affected by this issue at any time.

If you haven't modified the default XSLT files of a Windows installation, then no information disclosure of real value could have happened. We expect that most of the comparatively few Windows installations have unmodified template files and thus, while technically vulnerable, only expose those unmodified templates. To be clear, no runtime information can be accessed this way. In case you modified the templates and they contain sensitive information, it should be assumed that a third party could have accessed them.

We're sorry that this issue went unresolved for a long time.
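
The trailing-dot behaviour described above, as an added example that is not Icecast's own code: a hypothetical router that picks the XSLT handler by literal file extension sees `status.xsl.` as a plain static file, while the Win32 file API opens `status.xsl`; the hardened variant rejects such names before any file is opened. The function names, route values and sample paths are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum route { ROUTE_XSLT, ROUTE_STATIC, ROUTE_REJECT };

/* Literal suffix comparison, as a simple extension check would do. */
static int has_suffix(const char *s, const char *suffix) {
    size_t n = strlen(s), m = strlen(suffix);
    return n >= m && strcmp(s + n - m, suffix) == 0;
}

/* Hypothetical "before": route purely on the text of the request path. */
enum route route_naive(const char *path) {
    return has_suffix(path, ".xsl") ? ROUTE_XSLT : ROUTE_STATIC;
}

/* Returns 1 if any path component ends in '.' or ' '. Win32 naming rules
 * disallow such names and the file API drops the trailing character, so the
 * name the server checked is not the name the OS opens. This also flags the
 * "." and ".." components, which a web server should refuse anyway. */
int has_win32_trailing_alias(const char *path) {
    char prev = '\0';
    for (const char *p = path; ; p++) {
        if (*p == '/' || *p == '\\' || *p == '\0') {
            if (prev == '.' || prev == ' ')
                return 1;
            if (*p == '\0')
                return 0;
        }
        prev = *p;
    }
}

/* Hardened: refuse aliasing names first, then route as before. */
enum route route_hardened(const char *path) {
    if (has_win32_trailing_alias(path))
        return ROUTE_REJECT;
    return route_naive(path);
}

int main(void) {
    /* Constructed sample request paths. */
    const char *samples[] = { "/status.xsl", "/status.xsl.", "/style.css" };
    const char *names[] = { "xslt", "static", "reject" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s naive=%-7s hardened=%s\n", samples[i],
               names[route_naive(samples[i])], names[route_hardened(samples[i])]);
    return 0;
}
```
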

## Downloads

- Source: http://downloads.xiph.org/releases/icecast/icecast-2.4.3.tar.gz
- Windows: http://downloads.xiph.org/releases/icecast/icecast_win32_2.4.3.exe

#635: https://trac.xiph.org/ticket/635

Icecast 2.4.2
-----------------------------------------------------------------------------

We are releasing Icecast 2.4.2, an important bugfix-only release. Upgrading to it is recommended due to security fixes. A summary of the changes is listed below; for details, please refer to the ChangeLog.

## Downloads

- Source: http://downloads.xiph.org/releases/icecast/icecast-2.4.2.tar.gz
- Windows: http://downloads.xiph.org/releases/icecast/icecast_win32_2.4.2.exe

## Fixes

- Fix a crash related to URL Auth and empty credentials, [CVE-2015-3026]. [#2191]

## Known issues

- The HTTP PUT implementation doesn't support chunked encoding yet.
- HTTP PUT with "Expect: 100-Continue" receives first a "100" and soon after a "200", instead of the "200" at the end of transmission.
- Caution should be exercised when using `` or ``, as there is a small chance of stream file descriptors being mixed up with script file descriptors, if the FD numbers go above 1024. This will be further addressed in the next Icecast release.
- Don't use comments inside `` as it will prevent processing of further `` tags.
- Web interface shows Login when using just `stream_auth`.

[#2191]: https://trac.xiph.org/ticket/2191
[CVE-2015-3026]: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3026

Icecast 2.4.1
-----------------------------------------------------------------------------

We are pleased to announce release 2.4.1 of Icecast. This is a pure bugfix-only release. Upgrading to it is recommended due to security fixes. A summary of the changes is listed below; for details, please refer to the ChangeLog.

## Downloads

- Source: http://downloads.xiph.org/releases/icecast/icecast-2.4.1.tar.gz
- Windows: http://downloads.xiph.org/releases/icecast/icecast_win32_2.4.1.exe

## Fixes

- Fix autogen.sh to work properly on OS X
- Removed threadpool from the example config (it is long gone and unused)
- More detailed logging:
  - Add source IP address to source start/stop logging
  - Add mountpoints to some log lines
- Fix logging to send errors to STDERR prior to opening log files
- Fix `` in default mounts (``) to work properly
- Fix the JSON status API (`status-json.xsl`), which could return invalid JSON in some cases
- SSL Security improvements:
  - Disable SSLv3
  - Disable SSL compression
  - Updated the default ciphers to be more secure
- Handle empty strings in config file better
- Fix logging of client connection duration time on Windows
- Fix possibly broken XML on Windows
- Require `Content-Type` header for PUT requests
- Fix on-connect and on-disconnect script STDIN/STDOUT/STDERR corruption due to shared file descriptors. (CVE-2014-9018)
- Fix JSON access by adding support for global and mount specific custom HTTP headers

## Known issues

- The HTTP PUT implementation doesn't support chunked encoding yet.
- HTTP PUT with "Expect: 100-Continue" receives first a "100" and soon after a "200", instead of the "200" at the end of transmission.
- Caution should be exercised when using `` or ``, as there is a small chance of stream file descriptors being mixed up with script file descriptors, if the FD numbers go above 1024. This will be further addressed in the next Icecast release.
- Don't use comments inside `` as it will prevent processing of further `` tags.
- Web interface shows Login when using just `stream_auth`.

Icecast 2.4.0
-----------------------------------------------------------------------------

We are pleased to announce release 2.4.0 of Icecast. A summary of the changes is listed below; for details, please refer to the ChangeLog.

## Downloads

- Source: http://downloads.xiph.org/releases/icecast/icecast-2.4.0.tar.gz
- Windows: http://downloads.xiph.org/releases/icecast/icecast_win32_2.4.0.zip

## New features

- Support for Ogg Opus streams
- Support for WebM streams
- HTTP 1.1 PUT support for source connections. Deprecates SOURCE method.
- _Default mount_
  This allows you to define a global set of defaults for _all_ mounts. This way you can use e.g. url-auth for sources and/or listeners also for dynamically generated mounts.
- _Web interface redone_
  * Web output properly redone, credit to ePirat.
  * Added `