Package "icecast2"

  icecast2 (2.3.3-2ubuntu1.14.04.1) trusty-security; urgency=high

  * SECURITY UPDATE: Denial of service vulnerability.
    - d/p/0002-crash-in-url-auth:
      This fixes a crash (NULL reference) in case URL Auth is used
      and stream_auth is trigged with no credentials passed by the client.
      Username and password is now set to empty strings and transmited to
      the backend server this way.
    - CVE-2015-3026
  * SECURITY UPDATE: Potentially leaks sensitive information.
    - d/p/0001-disconnects_stdio_of_on_dis_connect_scripts:
      Include patchset 19313 (close file handles for external scripts).
    - CVE-2014-9018
  * SECURITY UPDATE: Potentially allows local users to gain
    privileges via unspecified vectors.
    - d/p/0003-override-supplementary-groups:
      In case of <changeowner> only UID and GID were changed,
      supplementary groups were left in place.
      This is a potential security issue only if <changeowner> is used.
      New behaviour is to set UID, GID and set supplementary groups
      based on the UID.
      Even in case of icecast remaining in supplementary group 0
      this "only" gives it things like access to files that are owned
      by group 0 and according to their umask. This is obviously bad,
      but not as bad as UID 0 with all its other special rights.
    - CVE-2014-9091

 -- Unit 193 <email address hidden> Tue, 28 Apr 2015 17:28:20 -0400