From ${URL} :

A new version of Icecast was released, following the discovery of a remote denial of service vulnerability by Juliane Holzt earlier today.

Affected Icecast versions:
  2.3.3 (first release with stream_auth)
  2.4.0
  2.4.1

Fix released in: 2.4.2

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
+*icecast-2.4.2 (09 Apr 2015)
+
+  09 Apr 2015; Lars Wendler <polynomial-c@gentoo.org> icecast-2.4.1.ebuild,
+  +icecast-2.4.2.ebuild:
+  Security bump (bug #545968). Fixed slot dependency on openssl.

Arches, please test and mark stable =net-misc/icecast-2.4.2 with target KEYWORDS: amd64 ppc ppc64 x86 ~x86-fbsd
amd64 stable
x86 stable
ppc64 stable
ppc stable
Arches, Thank you for your work. Vote: Yes Maintainer(s), please drop the vulnerable version(s).
+  23 Apr 2015; Lars Wendler <polynomial-c@gentoo.org> -icecast-2.4.1.ebuild:
+  Removed vulnerable version.
+
GLSA Vote: Yes, new request filed
CVE-2015-3026 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3026): Icecast before 2.4.2, when a stream_auth handler is defined for URL authentication, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a request without login credentials, as demonstrated by a request to "admin/killsource?mount=/test.ogg."
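The CVE text above describes the bug class rather than the fix: with a URL (stream_auth) handler configured, a request that carries no login credentials reaches code that assumes credentials exist, and the resulting NULL pointer dereference kills the whole server. The following is an added illustration of that pattern and its hardened form; it is not Icecast's source code, and the `admin_request`, `mount_auth_config` types and the `build_auth_query_*` functions are hypothetical stand-ins. The constructed request mirrors the advisory's example (`admin/killsource` on `/test.ogg` with no Authorization header).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a parsed admin request. The credential fields
 * are NULL when the request carried no Authorization header, which is the
 * input CVE-2015-3026 describes. */
typedef struct {
    const char *path;      /* e.g. "/admin/killsource" */
    const char *mount;     /* e.g. "/test.ogg" */
    const char *username;  /* NULL when no credentials were sent */
    const char *password;  /* NULL when no credentials were sent */
} admin_request;

/* Hypothetical per-mount auth config: is a URL-based (stream_auth-style)
 * handler defined for this mount? The crash only occurs when it is. */
typedef struct {
    const char *mount;
    int has_url_auth_handler;
} mount_auth_config;

enum { AUTH_NOT_APPLICABLE = 0, AUTH_OK = 200, AUTH_UNAUTHORIZED = 401 };

/* Vulnerable pattern (illustration, not Icecast's actual code): once a URL
 * auth handler is configured, the request's credentials are forwarded to it
 * without checking that they exist. strlen(NULL) dereferences a NULL
 * pointer, so one unauthenticated request takes the server down. */
int build_auth_query_vulnerable(const mount_auth_config *cfg,
                                const admin_request *req,
                                char *out, size_t outlen)
{
    if (!cfg->has_url_auth_handler)
        return AUTH_NOT_APPLICABLE;
    /* BUG: req->username / req->password may be NULL here. */
    size_t ulen = strlen(req->username);
    size_t plen = strlen(req->password);
    if (ulen + plen + 64 > outlen)
        return AUTH_UNAUTHORIZED;
    snprintf(out, outlen, "action=admin&mount=%s&user=%s&pass=%s",
             req->mount, req->username, req->password);
    return AUTH_OK;
}

/* Hardened pattern: reject credential-less requests before anything
 * touches the pointers, so the handler only sees well-formed input and an
 * anonymous client gets a 401 instead of crashing the daemon. */
int build_auth_query_fixed(const mount_auth_config *cfg,
                           const admin_request *req,
                           char *out, size_t outlen)
{
    if (!cfg->has_url_auth_handler)
        return AUTH_NOT_APPLICABLE;
    if (req->username == NULL || req->password == NULL) {
        if (outlen > 0)
            out[0] = '\0';
        return AUTH_UNAUTHORIZED;
    }
    size_t ulen = strlen(req->username);
    size_t plen = strlen(req->password);
    if (ulen + plen + 64 > outlen)
        return AUTH_UNAUTHORIZED;
    snprintf(out, outlen, "action=admin&mount=%s&user=%s&pass=%s",
             req->mount, req->username, req->password);
    return AUTH_OK;
}

int main(void)
{
    mount_auth_config cfg = { "/test.ogg", 1 };
    /* Constructed requests: the advisory's anonymous killsource call, and
     * the same call with credentials attached. */
    admin_request anon  = { "/admin/killsource", "/test.ogg", NULL, NULL };
    admin_request admin = { "/admin/killsource", "/test.ogg", "admin", "hackme" };
    char buf[256];

    printf("fixed, no creds:   %d\n",
           build_auth_query_fixed(&cfg, &anon, buf, sizeof buf));
    printf("fixed, with creds: %d (%s)\n",
           build_auth_query_fixed(&cfg, &admin, buf, sizeof buf), buf);
    printf("vuln, with creds:  %d (%s)\n",
           build_auth_query_vulnerable(&cfg, &admin, buf, sizeof buf), buf);
    /* build_auth_query_vulnerable(&cfg, &anon, ...) would segfault here:
     * that single request is the remote DoS. */
    return 0;
}
```

The only behavioural difference between the two functions is the NULL check placed before the first dereference; everything after it is identical. When reviewing a fix of this class, confirm that the check sits on every path that can receive an unauthenticated request (here, every admin action routed through the URL auth handler), not just the one in the public proof of concept.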
This issue was resolved and addressed in GLSA 201508-03 at https://security.gentoo.org/glsa/201508-03 by GLSA coordinator Yury German (BlueKnight).