From ${URL} :

It was reported that Icecast could possibly leak the contents of on-connect scripts, which may contain sensitive information. This issue has been fixed in the 2.4.1 release:

"Fix on-connect and on-disconnect script STDIN/STDOUT/STDERR corruption due to shared file descriptors."

References:
https://trac.xiph.org/changeset/19312
https://trac.xiph.org/attachment/ticket/2087/env-nofeature.patch
https://trac.xiph.org/ticket/2089
http://icecast.org/news/icecast-release-2_4_1/

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
+*icecast-2.4.1 (20 Nov 2014) + + 20 Nov 2014; Lars Wendler <polynomial-c@gentoo.org> +icecast-2.4.1.ebuild, + files/icecast.xml: + Security bump (bug #529956) with kind permission by hwoarang. + Arches please test and mark stable =net-misc/icecast-2.4.1 with target KEYWORDS: amd64 ppc ppc64 x86 ~x86-fbsd
amd64 stable
x86 stable
ppc64 stable
ppc stable. Maintainer(s), please cleanup. Security, please vote.
+ 06 Dec 2014; Lars Wendler <polynomial-c@gentoo.org> -icecast-2.3.3-r2.ebuild, + -icecast-2.3.3-r3.ebuild, -icecast-2.4.0.ebuild, -files/init.d.icecast, + metadata.xml: + Removed vulnerable versions. Took over maintenance. +
Arches and Maintainer(s), Thank you for your work. Added to an existing GLSA request.
CVE-2014-9018 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9018): Icecast before 2.4.1 transmits the output of the on-connect script, which might allow remote attackers to obtain sensitive information, related to shared file descriptors.
This issue was resolved and addressed in GLSA 201412-38 at http://security.gentoo.org/glsa/glsa-201412-38.xml by GLSA coordinator Sean Amoss (ackle).