Your message dated Wed, 26 Nov 2014 19:34:25 +0000
with message-id <e1xtim5-0006tq...@franck.debian.org>
and subject line Bug#770222: fixed in icecast2 2.4.0-1.1
has caused the Debian Bug report #770222,
regarding icecast2: CVE-2014-9018: on-connect scripts: icecast can leak output 
to attentive sources
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
770222: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770222
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: icecast2
Version: 2.4.0-1~bpo70+1
Severity: critical
Tags: security upstream
Justification: root security hole

Icecast can leak the output of on-connect scripts to source clients by
sending their output via HTTP.

This information disclosure can contain confidential information if the
administrator of the icecast server did not explicitly check the output
of their scripts. Information contained can include passwords or script
internals helping to possibly exploit weak scripts.

This bug has been reported upstream [1] which fixed it quickly in the bugfix
release 2.4.1 [2]. Please consider upgrading to the latest upstream
version.

[1] https://trac.xiph.org/ticket/2089
[2] http://icecast.org/news/icecast-release-2_4_1/

-- System Information:
Debian Release: 7.7
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.41-042stab094.7 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages icecast2 depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49
ii  libc6                  2.13-38+deb7u6
ii  libcurl3-gnutls        7.26.0-1+wheezy11
ii  libogg0                1.3.0-4
ii  libspeex1              1.2~rc1-7
ii  libtheora0             1.1.1+dfsg.1-3.1
ii  libvorbis0a            1.3.2-1.3
ii  libxml2                2.8.0+dfsg1-7+wheezy2
ii  libxslt1.1             1.1.26-14.1

icecast2 recommends no packages.

Versions of packages icecast2 suggests:
pn  ices2  <none>

-- Configuration Files:
/etc/default/icecast2 changed [not included]
/etc/icecast2/icecast.xml [Errno 13] Keine Berechtigung: 
u'/etc/icecast2/icecast.xml'

-- debconf information excluded

--- End Message ---
--- Begin Message ---
Source: icecast2
Source-Version: 2.4.0-1.1

We believe that the bug you reported is fixed in the latest version of
icecast2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 770...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Richter <s...@debian.org> (supplier of updated icecast2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 23 Nov 2014 20:02:58 +0100
Source: icecast2
Binary: icecast2
Architecture: source amd64
Version: 2.4.0-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintain...@lists.alioth.debian.org>
Changed-By: Simon Richter <s...@debian.org>
Description:
 icecast2   - streaming media server
Closes: 770222
Changes:
 icecast2 (2.4.0-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Include patchset 19313 (close file handles for external scripts).
     (Closes: #770222)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--- End Message ---
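
The fix named in the changelog above ("close file handles for external scripts") can be illustrated with a small model. This is an added example, not Icecast's code or the Debian patch: `run_hook`, `leaked_bytes`, the socketpair standing in for the source client's connection and the sample output string are constructed, and it assumes the script's standard output shares a descriptor with that connection.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run a hook via /bin/sh. With harden set, the child points stdio at
 * /dev/null and closes all other inherited descriptors before exec. */
static int run_hook(const char *cmd, int harden)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (harden) {
            int nul = open("/dev/null", O_RDWR);
            if (nul < 0) _exit(126);
            dup2(nul, 0); dup2(nul, 1); dup2(nul, 2);
            long max = sysconf(_SC_OPEN_MAX);
            if (max < 0 || max > 65536) max = 65536; /* example bound */
            for (int fd = 3; fd < max; fd++) close(fd);
        }
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed model: the server's fd 1 temporarily refers to the client
 * socket (assumption). Returns the hook-output bytes the client can read. */
static long leaked_bytes(int harden)
{
    int sv[2];
    char buf[128];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    fflush(stdout);
    int saved = dup(1);
    dup2(sv[0], 1);                 /* fd 1 now is the "client" socket */
    int rc = run_hook("echo db_password=constructed-sample", harden);
    dup2(saved, 1); close(saved);   /* restore the real stdout */
    ssize_t n = recv(sv[1], buf, sizeof buf, MSG_DONTWAIT);
    close(sv[0]); close(sv[1]);
    return rc != 0 ? -1 : (n < 0 ? 0 : (long)n);
}

int main(void)
{
    printf("unhardened: %ld, hardened: %ld\n", leaked_bytes(0), leaked_bytes(1));
    return 0;
}
```

Creating sockets with close-on-exec set keeps them out of the child even where a hook runner omits the close loop.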