Your message dated Thu, 30 Apr 2015 18:47:17 +0000
with message-id <[email protected]>
and subject line Bug#782120: fixed in icecast2 2.4.0-1.1+deb8u1
has caused the Debian Bug report #782120,
regarding icecast2: icecast can be remotely killed by anyone if using <authentication type="url"> and stream_auth option (CVE-2015-3026)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
782120: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782120
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: icecast2
Version: 2.4.0-1.1
Severity: important

icecast can be killed by anyone with a simple HTTP request when
<authentication type="url"> is used and a stream_auth handler is defined.

Example configuration:

<mount>
  <mount-name>/test</mount-name>
  <authentication type="url">
    <option name="stream_auth" value="http://127.0.0.1/bla"/>
  </authentication>
</mount>

(Note: It does not matter where the URL for stream_auth points to, or
whether it is reachable. Actually icecast dies before even accessing that
URL.)

Given the above configuration anyone can now easily kill icecast with this
command:

wget http://<servername>:8000/admin/killsource?mount=/test

This only happens when making a request WITHOUT login credentials.

I'm marking this bug important but it might justify a higher severity.
With this security problem the package appears unfit for release.
--- End Message ---
--- Begin Message ---
Source: icecast2
Source-Version: 2.4.0-1.1+deb8u1

We believe that the bug you reported is fixed in the latest version of
icecast2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Unit 193 <[email protected]> (supplier of updated icecast2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 28 Apr 2015 16:25:58 -0400
Source: icecast2
Binary: icecast2
Architecture: source amd64
Version: 2.4.0-1.1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Multimedia Maintainers <[email protected]>
Changed-By: Unit 193 <[email protected]>
Description:
 icecast2   - streaming media server
Closes: 782120
Changes:
 icecast2 (2.4.0-1.1+deb8u1) jessie-security; urgency=high
 .
   * This fixes a crash (NULL reference) in case URL Auth is used and
     stream_auth is triggered with no credentials passed by the client.
     Username and password are now set to empty strings and transmitted
     to the backend server this way. (Closes: #782120, fixes CVE-2015-3026)
Checksums-Sha1:
 6e9527155c0048dd8c1802e7f5cd7f639af3f7ae 2345 icecast2_2.4.0-1.1+deb8u1.dsc
 45bd403c2b1d6f1250216cd3a0447d41f979c348 1087795 icecast2_2.4.0.orig.tar.gz
 321ebb03bbd744f70bbf056a0d3c6c3e6a430769 29592 icecast2_2.4.0-1.1+deb8u1.debian.tar.xz
 c111c2604f993416384fc7d58eaa8460464c2a8e 277478 icecast2_2.4.0-1.1+deb8u1_amd64.deb
Checksums-Sha256:
 f8ffc26abe6e51f96a8013e1877be88a03169389fc79e7a7fa58bf92871afd11 2345 icecast2_2.4.0-1.1+deb8u1.dsc
 17b7e957e1b16a576efaabd69c15126e84ce98d3791ccee4546b72c0c6460f32 1087795 icecast2_2.4.0.orig.tar.gz
 895acd7bd62ab3fa83bcd254335f83d89c76ef30b06df71cc4316c459ae767ca 29592 icecast2_2.4.0-1.1+deb8u1.debian.tar.xz
 9162b6c388649240e6b062d9d492712526aa5e99830fd77141beedf1e2e7843a 277478 icecast2_2.4.0-1.1+deb8u1_amd64.deb
Files:
 53563ee8b987f06581f9b9fffc89d337 2345 sound optional icecast2_2.4.0-1.1+deb8u1.dsc
 bb00bfc0d6d2dde24974641085602b81 1087795 sound optional icecast2_2.4.0.orig.tar.gz
 726dc90c578d792542bb9423795a20ef 29592 sound optional icecast2_2.4.0-1.1+deb8u1.debian.tar.xz
 fc3f92a0d4d89f141531d1f169592c3e 277478 sound optional icecast2_2.4.0-1.1+deb8u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVQK1GAAoJEK+lG9bN5XPLDakP+gNvOq9pkgR8Tp84oxEL9ITs
GC7ozXVOZjLlweiBHB5ttoYkV49gz/eDxqAZkFpwapg3NG8o/Sb3UDBb1iSZ1Ab8
mT74eBBNpoZKWQ21daw8EeMtq5g7FPmTol/6dhkWn4n3QdcGzJPzzKw+YLokV5cF
FzCvKaMWIQikuYWyCaVxQyn/eCkMDxXyZIVbHCvH9mT8QNRXm7oSQ4oS8668SbaH
0BHv/cohHJaeE1C6gEDenhgxh1sUDC67uhr0NVWlDi2XQszD5JnfK9xy+xYVmymn
9MtZBgHMd0zmzaVpNZ41/THiB+/hh1DK2SGTfzsG7OAdr22wEo0Cni1B7gTaCnye
/bcziqMtWCnh8Iac3JDawi9rlhbzOCyTonH9EZ7vBe0HMBjnu/ohAqmojTAqgi9X
5vP+FNogSReVjOipFxjS/INvlEljPCwzt/NWG7Hr9wGX8DkcZ8eaE+aYNdPjUz1P
bKHKodVSmziCw5CSZ4xiLtKycuNildSJAM8rzdrUDoDRBVZW+avGHnZEHcV/zZ4/
zAv3InUPImcXluNgDHwZ+NLkf5nSJsL10R4GijYAu+QHk3W/swKwstj/Y3YagIgc
EqVgDW8dknRD2hxBuDpLvpNOMathEu6Acnopc/Y4p+6zvjr9lln1+rSKtiLbmIf6
nw1l+VxExCJXc6Yw29FE
=6hpW
-----END PGP SIGNATURE-----
--- End Message ---
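The crash described in the bug report and the fix described in the changelog, as an added example that is not icecast's own code: a hypothetical builder for the parameter string a stream_auth backend request would carry, shown in the pre-fix shape (credentials assumed present, so an anonymous request dereferences NULL) and the post-fix shape (missing credentials normalised to empty strings). The parameter names `action`, `mount`, `username` and `password`, the percent-encoding and the buffer sizes are assumptions made for this illustration, not icecast's actual wire format.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not icecast's code. Builds the parameter string a
 * hypothetical stream_auth backend request would carry. Parameter names
 * and encoding are assumptions made for this example. */

/* Normalise an absent credential to "". This is the essence of the fix in
 * the changelog: the backend receives username= and password= instead of
 * the server dereferencing a NULL pointer. */
static const char *cred_or_empty(const char *c)
{
    return c ? c : "";
}

/* Percent-encode 'in' into 'out'. Only [A-Za-z0-9-._~] pass through.
 * Returns bytes written (excluding the NUL), or -1 if 'out' is too small.
 * Dereferences 'in' unconditionally, so a NULL input crashes here. */
static int url_encode(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t w = 0;

    for (; *in != '\0'; in++) {
        unsigned char ch = (unsigned char)*in;
        int safe = (ch >= 'A' && ch <= 'Z') || (ch >= 'a' && ch <= 'z') ||
                   (ch >= '0' && ch <= '9') || ch == '-' || ch == '.' ||
                   ch == '_' || ch == '~';
        if (safe) {
            if (w + 1 >= outlen)
                return -1;
            out[w++] = (char)ch;
        } else {
            if (w + 3 >= outlen)
                return -1;
            out[w++] = '%';
            out[w++] = hex[ch >> 4];
            out[w++] = hex[ch & 0x0F];
        }
    }
    if (w >= outlen)
        return -1;
    out[w] = '\0';
    return (int)w;
}

/* Shared formatter; every string argument must be non-NULL here. */
static int format_params(const char *mount, const char *username,
                         const char *password, char *out, size_t outlen)
{
    char m[256], u[256], p[256];
    int n;

    if (url_encode(mount, m, sizeof m) < 0 ||
        url_encode(username, u, sizeof u) < 0 ||
        url_encode(password, p, sizeof p) < 0)
        return -1;
    n = snprintf(out, outlen,
                 "action=stream_auth&mount=%s&username=%s&password=%s",
                 m, u, p);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Pre-fix shape: assumes the client sent credentials. An anonymous request
 * such as GET /admin/killsource?mount=/test arrives with username == NULL,
 * url_encode() dereferences it and the whole server dies, which is the
 * CVE-2015-3026 condition. Kept for contrast only; never call with NULL. */
int build_stream_auth_params_unchecked(const char *mount, const char *username,
                                       const char *password,
                                       char *out, size_t outlen)
{
    return format_params(mount, username, password, out, outlen);
}

/* Post-fix shape: missing credentials become empty strings and the request
 * still reaches the backend, which must then reject them itself.
 * Returns 0 on success, -1 if a buffer is too small. */
int build_stream_auth_params(const char *mount, const char *username,
                             const char *password, char *out, size_t outlen)
{
    return format_params(cred_or_empty(mount), cred_or_empty(username),
                         cred_or_empty(password), out, outlen);
}

int main(void)
{
    char buf[512];

    /* The anonymous killsource request from the bug report: no crash now. */
    if (build_stream_auth_params("/test", NULL, NULL, buf, sizeof buf) == 0)
        printf("anonymous:  %s\n", buf);

    /* A request that carried credentials, including characters that must be
     * escaped so they cannot smuggle extra parameters into the backend call. */
    if (build_stream_auth_params("/test", "source", "hack me&",
                                 buf, sizeof buf) == 0)
        printf("with creds: %s\n", buf);
    return 0;
}
```

Two practical consequences follow from the changelog's description of the fix. First, the hardened path only removes the crash: the anonymous `/admin/killsource` request is still forwarded with `username=` and `password=` empty, so the stream_auth backend has to reject empty credentials or the admin action goes through. Second, the check is worth adding to any similar "forward the client's credentials to an auth backend" code path, since the NULL case is exactly the one a casual unauthenticated request exercises.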

