Package: icecast2
Version: 2.4.0-1~bpo70+1
Severity: critical
Tags: security upstream
Justification: root security hole

Icecast can leak the output of on-connect scripts to source clients by sending their output via HTTP. This information disclosure can contain confidential information if the administrator of the icecast server did not explicitly check the output of their scripts. Information contained can include passwords or script internals helping to possibly exploit weak scripts.

This bug has been reported upstream [1], which fixed it quickly in the bugfix release 2.4.1 [2]. Please consider upgrading to the latest upstream version.

[1] https://trac.xiph.org/ticket/2089
[2] http://icecast.org/news/icecast-release-2_4_1/

-- System Information:
Debian Release: 7.7
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.41-042stab094.7 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages icecast2 depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49
ii  libc6                  2.13-38+deb7u6
ii  libcurl3-gnutls        7.26.0-1+wheezy11
ii  libogg0                1.3.0-4
ii  libspeex1              1.2~rc1-7
ii  libtheora0             1.1.1+dfsg.1-3.1
ii  libvorbis0a            1.3.2-1.3
ii  libxml2                2.8.0+dfsg1-7+wheezy2
ii  libxslt1.1             1.1.26-14.1

icecast2 recommends no packages.

Versions of packages icecast2 suggests:
pn  ices2  <none>

-- Configuration Files:
/etc/default/icecast2 changed [not included]
/etc/icecast2/icecast.xml [Errno 13] Keine Berechtigung: u'/etc/icecast2/icecast.xml'

-- debconf information excluded
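
Added example, not part of the original report and not Icecast or Debian code: a shell sketch for checking whether an on-connect hook writes anything to its standard output or error, and for running it with those descriptors pointed at a private log instead. The function names, the sample hook and its contents are hypothetical and constructed for illustration; it assumes the leaked data is what the hook writes to stdout/stderr, and it is an interim measure, since the fix named in the report is the upgrade to 2.4.1.

```shell
#!/bin/sh
# Added example: containing on-connect hook output. All names are hypothetical.

# make_noisy_hook PATH: write a constructed hook that prints a fake secret.
make_noisy_hook() {
    cat >"$1" <<'EOF'
#!/bin/sh
echo "db password: constructed-secret"   # constructed sample value
echo "warning on stderr" >&2
EOF
}

# count_hook_output CMD [ARGS...]: bytes the hook writes to stdout+stderr.
# Non-zero means whoever holds those descriptors would receive data.
count_hook_output() {
    "$@" </dev/null 2>&1 | wc -c | tr -d ' '
}

# run_contained LOG CMD [ARGS...]: run the hook with stdin from /dev/null and
# stdout/stderr appended to LOG (created with mode 0600). If LOG cannot be
# opened, the hook is not run at all and a non-zero status is returned.
run_contained() {
    log=$1
    shift
    (
        umask 077
        "$@" </dev/null >>"$log" 2>&1
    ) 2>/dev/null
}

# demo: compare the same hook run directly and run through run_contained.
demo() {
    dir=$(mktemp -d) || return 1
    make_noisy_hook "$dir/hook.sh"
    echo "uncontained bytes: $(count_hook_output sh "$dir/hook.sh")"
    echo "contained bytes:   $(count_hook_output run_contained "$dir/hook.log" sh "$dir/hook.sh")"
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run the file with the argument `demo` to see both byte counts. Note that `count_hook_output` executes the hook, so audit hooks with side effects on a test system.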