File icecast.changes of Package icecast
-------------------------------------------------------------------
Fri Nov 2 14:05:20 CET 2018 - tiwai@suse.de
- Fix buffer overflow in url-auth (CVE-2018-18820, bsc#1114434):
icecast-CVE-2018-18820-1.patch
icecast-CVE-2018-18820-2.patch
-------------------------------------------------------------------
Sun Dec 17 16:25:42 UTC 2017 - avindra@opensuse.org
- update to version 2.4.3:
* Fixes Windows only vulnerability (CVE-2005-0837), where an
attacker could access the raw XSLT template file by appending a
dot “.” to the URL. To be clear, no runtime information could be
accessed this way.
- cleanup spec file with spec-cleaner
- fix bad line endings warning in CSS file
- rebase icecast-fix-no-add-needed.patch
- replace PreReq statements with Requires(pre)
-------------------------------------------------------------------
Wed Apr 8 15:24:06 CEST 2015 - tiwai@suse.de
- update to version 2.4.2:
Fix crash when URL Auth is used with stream_auth without
credentials (bnc#926402)
-------------------------------------------------------------------
Mon Jan 19 22:10:57 UTC 2015 - p.drouand@gmail.com
- Remove sysvinit support as the package now builds only for systems
with systemd support
- Add a backward rc compatibility symlink to systemd service file
- Only require systemd-rpm-macros to build; no need to require
entire systemd environment
- Clean up specfile
-------------------------------------------------------------------
Tue Nov 25 22:38:43 CET 2014 - tiwai@suse.de
- updated to version 2.4.1:
* Fixes in logging, <auth> in default mounts, JSON status API
* SSL Security improvements:
* Handle empty strings in config file better
* Require Content-Type header for PUT requests
* Fix possible leak of on-connect scripts (CVE-2014-9018, bnc#906538)
For more details, see http://icecast.org/news/icecast-release-2_4_1/
- Remove obsoleted patch:
icecast-2.4.0-produce-valid-json.patch
- Change doc subpackage to noarch
- Spec file cleanup
-------------------------------------------------------------------
Sat Nov 22 12:44:18 UTC 2014 - fisiu@opensuse.org
- Add icecast-mp3-frame-validation.patch: validate mp3 frame.
-------------------------------------------------------------------
Fri Nov 14 15:36:05 UTC 2014 - fisiu@opensuse.org
- Add icecast-2.4.0-produce-valid-json.patch: produce valid json status,
fix boo#905468.
-------------------------------------------------------------------
Sun Nov 09 04:42:00 UTC 2014 - Led <ledest@gmail.com>
- fix bashisms in pre script
-------------------------------------------------------------------
Tue May 20 17:14:26 UTC 2014 - mail@davykager.nl
- Update to version 2.4.0:
* Support for WebM video
* Support for Opus audio in Ogg
* Fixes for some race conditions
* Allow (standard strftime(3)) %x codes in <dump-file>. Disabled for win32.
* Dropped Debian packaging directory as Debian uses its own.
- Disable Gentoo patches because they have no effect on the OBS builds.
icecast-2.3.3-libkate.patch (has no effect on automated builds)
icecast-2.3.3-fix-xiph_openssl.patch (spec file guarantees openssl exists)
- Rebase icecast-fix-no-add-needed.patch for version 2.4.0.
-------------------------------------------------------------------
Tue Feb 11 11:34:17 CET 2014 - tiwai@suse.de
- Remove the obsoleted icecast-2.3.2-CVE-2011-4612.diff that leads
to invalid access to freed memory (bnc#862096)
-------------------------------------------------------------------
Fri Nov 29 11:07:13 UTC 2013 - pascal.bleser@opensuse.org
- remove dependency to syslog.target in icecast.service, as it doesn't exist
any more, see bnc#852314
-------------------------------------------------------------------
Wed Jun 5 00:10:46 UTC 2013 - pascal.bleser@opensuse.org
- update to 2.3.3:
* security:
+ Improved HTTPS cipher handling and added support for chained certificates.
+ Allow the source password to be undefined. There was a corner case, where
a default password would have taken effect. It would require the admin to
remove the 'source-password' from the icecast config to take effect. Default
configs ship with the password set, so this vulnerability doesn't trigger
there.
+ Prevent error log injection of control characters by substituting
non-alphanumeric characters with a '.' (CVE-2011-4612). Injection attempts
can be identified via access.log, as that stores URL encoded requests.
Investigation if further logging code needs to have sanitized output is
ongoing.
* bugfixes:
+ On-demand relaying - Reject listeners while reconnecting. Fix stats for
relays without mount section.
+ Prevent too frequent YP updates.
+ Only allow raw metadata updates from same IP as connected source (unless
user is admin). This addresses broken client software that issues updates
without being connected.
+ Minor memory leaks
+ XSPF file installation
+ Fix case of global listeners count becoming out of sync.
+ Setting an interval of 0 in mount should disable shoutcast metadata inserts.
* authentication:
+ Sources can now be authenticated via URL, like listeners. Post info is
"action=stream_auth&mount=/stream&ip=IP&server=SERVER&port=8000&user=fred&pass=pass"
As admin requests can come in for a stream (eg metadata update) these
requests can be issued while stream is active. For these &admin=1 is added to
the POST details.
* XSL update:
+ automatically generate VCLT playlist like we do with M3U, the mountpoint
extension is .vclt
- package updates:
* add systemd service file
* add logrotate configuration
* add Gentoo patches
* set pidfile directive in default config file to make it work with
systemd
* split out HTML documentation into -doc subpackage
-------------------------------------------------------------------
Tue Jan 22 15:17:07 UTC 2013 - jw@suse.com
- nuked %make_install to make SLES11 SP2 happy.
-------------------------------------------------------------------
Mon Nov 19 19:26:04 UTC 2012 - dimstar@opensuse.org
- Fix useradd invocation: -o is useless without -u and newer
versions of pwdutils/shadowutils fail on this now.
-------------------------------------------------------------------
Mon Mar 5 18:15:03 CET 2012 - tiwai@suse.de
- Fix VUL-1: icecast log injection (CVE-2011-4612, bnc#737255)
-------------------------------------------------------------------
Sat Oct 15 04:47:10 UTC 2011 - coolo@suse.com
- add libtool as buildrequire to make the spec file more reliable
-------------------------------------------------------------------
Mon Aug 29 16:19:14 UTC 2011 - crrodriguez@opensuse.org
- Fix build with --no-add-needed
- Enable SSL support.
-------------------------------------------------------------------
Wed Jun 18 17:16:29 CEST 2008 - tiwai@suse.de
- updated to version 2.3.2:
* Character set support
* Authentication improvements
* Listening socket update
* XSL update
* Updates for stream directory handling.
* Updates for Win32.
* Accept/Ban IP support.
* A Mountpoint is exported to the slaves even if no mount
section is defined for it.
* Relays handle redirection (HTTP 302) if one is received at
startup.
* Automatically generate XSPF playlist like we do with M3U, the
mountpoint extension is .xspf
* Header updates for proxy handling and certain clients like
some shoutcast source clients and flash players.
* Added Kate/Skeleton codecs to Ogg handler.
* Various stats cleanups.
* The streamlist passed from master to slave had a limited
length
* Documentation updates.
* Relay startup/shutdown is cleaner.
* several build cleanups.
* several resource leaks and race conditions fixed
-------------------------------------------------------------------
Fri Feb 2 12:49:43 CET 2007 - mmarek@suse.cz
- fix build with curl-7.16
- fixed more comparison with string literals by using static char*
variables instead of #defines to string constants to detect
whether a default or malloced value is used
-------------------------------------------------------------------
Tue Dec 19 15:35:28 CET 2006 - tiwai@suse.de
- fix comparison of string literal in cfgfile.c (#226380).
-------------------------------------------------------------------
Wed Oct 11 03:22:10 CEST 2006 - tiwai@suse.de
- added icecast-2.3.1_runas_icecast_user.patch:
run icecast as "icecast" user and group by default
- added init script
- added log/home dir to the filelist
- don't run suse_update_config/autoreconf; seems unneeded.
(tested with the buildservice on 10.0->Factory)
- replaced manual configure call with %configure
-------------------------------------------------------------------
Wed Jan 25 21:36:33 CET 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
-------------------------------------------------------------------
Mon Dec 12 18:41:56 CET 2005 - tiwai@suse.de
- fix the log directory of the sample xml file (#137965).
-------------------------------------------------------------------
Fri Dec 2 16:10:16 CET 2005 - tiwai@suse.de
- updated to version 2.3.1.
-------------------------------------------------------------------
Sat Oct 15 15:22:41 CEST 2005 - max@suse.de
- Enabled support for ogg/speex and ogg/theora streams.
-------------------------------------------------------------------
Fri Oct 7 17:28:19 CEST 2005 - stark@suse.de
- update to version 2.3.0
-------------------------------------------------------------------
Tue Jun 14 12:52:08 CEST 2005 - tiwai@suse.de
- repackaged - initial version: 2.2.0.