Upstream Bug: https://gitlab.xiph.org/xiph/icecast-server/issues/2342
https://gitlab.xiph.org/xiph/icecast-server/blob/release-2.4.4/ChangeLog ## Fixes - Fix buffer overflows in URL auth code, [CVE-2018-18820]. [#2342] * This security issue affects all Icecast servers running version 2.4.0, 2.4.1, 2.4.2 or 2.4.3 if there is a "mount" definition that enables URL authentication. * A malicious client could send long HTTP headers, leading to a buffer overflow and potential remote code execution. * The problematic code was introduced in version 2.4.0 and was now brought to our attention by Nick Rolfe of Semmle Security Research Team https://lgtm.com/security - Worked around buffer overflows in URL auth's cURL interface. * We currently do not believe that this issue is exploitable. It would require a malicious URL authentication back end server to send a crafted payload and make it through libcURL. * If someone manages, please let us know. - Do not report hashed user passworts in user list. There is no practical reason to show this to the administrator and it improves security. - Fixed segfault in htpasswd auth if no filename is set - Fixed a segfault when xsltApplyStylesheet() returns error - Do not segfault on malformed Opus streams - Global listener count could be negative under certain circumstances. Thanks a lot to Simeon Völkel (0xBD4E031CDB4043C9) for reporting and investigating the bug. - Added code to announce Opus streams as such towards yp servers. http://downloads.xiph.org/releases/icecast/icecast-2.4.4.tar.gz -- Paul Martin <p...@debian.org>
