* Improved HTTPS cipher handling and added support for chained certificates.
* Allow the source password to be undefined. There was a corner case
where a default password would have taken effect. It would require the
admin to remove the 'source-password' from the icecast config to take
effect. Default configs ship with the password set, so this
vulnerability doesn't trigger there.
* Prevent error log injection of control characters by substituting
non-alphanumeric characters with a '.' (CVE-2011-4612). Injection
attempts can be identified via access.log, as that stores URL encoded
requests. Investigation into whether further logging code needs to have
sanitized output is ongoing.
Tested on amd64.
Reads fine aja@
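The log-sanitizing approach described in the CVE-2011-4612 entry above, as an added example rather than icecast's own code: `sanitize_for_log` copies a string into a log buffer replacing every non-alphanumeric byte with '.', so CR/LF and other control bytes can't forge or split error-log lines, and `has_encoded_control` flags URL-encoded request lines (as stored in access.log) that carry a %XX escape for a control byte, which is how the entry says injection attempts can be spotted after the fact. Both function names, the replacement policy (strictly `isalnum`) and the access.log lines in `main` are assumptions constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy src into dst (capacity dst_len bytes, always NUL-terminated),
 * replacing every byte that is not alphanumeric with '.', so that
 * CR, LF, ESC and similar bytes cannot inject or corrupt log lines.
 * Returns the number of bytes that were replaced. (Policy assumed
 * from the commit message: strictly isalnum, nothing else allowed.) */
size_t sanitize_for_log(const char *src, char *dst, size_t dst_len)
{
    size_t replaced = 0, i;

    if (dst_len == 0)
        return 0;
    for (i = 0; src[i] != '\0' && i < dst_len - 1; i++) {
        unsigned char c = (unsigned char)src[i];
        if (isalnum(c)) {
            dst[i] = (char)c;
        } else {
            dst[i] = '.';
            replaced++;
        }
    }
    dst[i] = '\0';
    return replaced;
}

/* Detection side: return 1 if a URL-encoded request string (the form
 * access.log keeps) contains a %XX escape decoding to a control byte
 * (0x00-0x1f or 0x7f), which is what a log-injection attempt looks like
 * once it has been percent-encoded. Malformed escapes are ignored. */
int has_encoded_control(const char *req)
{
    const char *p = req;

    while ((p = strchr(p, '%')) != NULL) {
        if (isxdigit((unsigned char)p[1]) && isxdigit((unsigned char)p[2])) {
            char hex[3] = { p[1], p[2], '\0' };
            long v = strtol(hex, NULL, 16);
            if (v < 0x20 || v == 0x7f)
                return 1;
            p += 3;
        } else {
            p++;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed access.log request fields, not real log data. */
    const char *requests[] = {
        "GET /stream.ogg HTTP/1.0",
        "GET /admin/metadata?mount=%2Fstream HTTP/1.0",
        "GET /x%0d%0aERROR%20forged%20line HTTP/1.0",
    };
    char buf[128];
    size_t i;

    for (i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        size_t n = sanitize_for_log(requests[i], buf, sizeof buf);
        printf("%s  replaced=%zu  suspicious=%d\n",
               buf, n, has_encoded_control(requests[i]));
    }
    return 0;
}
```

Scanning access.log with `has_encoded_control` is a cheap retrospective check; the sanitizer is what stops the injected bytes from ever reaching error.log, and `sanitize_for_log` always NUL-terminates and truncates to the buffer, so it is safe to call with a fixed-size log buffer.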
+ add user _icecast (home directory in /var/icecast)
+ enable chroot by default
+ populate chroot with all the necessary files
ok okan@ sthen@ ajacoutot@
upgrade to 2.0.2;
It is possible to execute remote code simply using an HTTP request plus
31 headers followed by a shellcode that will be executed directly.
ok maintainer.
- fix CATEGORIES, this doesn't belong in www
- disable crypt support until the utility needed for making the passwds is
included
- rename checksums file