Commit 18594bbd authored by Thomas B. Rücker's avatar Thomas B. Rücker 😊

Update NEWS in preparation for 2.4.4

parent ce0ae708
Icecast 2.4.4
-----------------------------------------------------------------------------
We are releasing Icecast 2.4.4, an important bugfix-only release.
We recommend upgrading for increased stability and compatibility!
A summary of the changes is listed below, for details please refer
to the ChangeLog
## Downloads
- Source http://downloads.xiph.org/releases/icecast/icecast-2.4.4.tar.gz
- Windows http://downloads.xiph.org/releases/icecast/icecast_win32_2.4.4.exe
## Fixes
- Fix: Fixed segfault in htpasswd auth if no filename is set
- Fix: Do not report hashed user passworts in user list.
- Fix two mistakes in the default config's comments
- Add log message for succesful streamlist requests
- Fix: update_from_master() for receiving HTTP/1.1
- Fix: Spelling, thanks to Ukikie
- Fix: Fixed a segfault when xsltApplyStylesheet() returns error
- Fix: Do not segfaul on bad Opus streams
- Fix: Corrected response and fixed TLS for 416 Request Range Not Satisfiable
responses
- Fix: TLS for ICECAST_PROTOCOL_SHOUTCAST source clients
and investigating the bug.
## Known issues
- HTTP PUT implementation currently doesn't support chunked encoding yet.
- HTTP PUT with "Expect: 100-Continue" receives first a "100" and soon
after a "200", instead of the "200" at the end of transmission.
- Caution should be exercised when using `<on-connect>` or
`<on-disconnect>`, as there is a small chance of stream file descriptors
being mixed up with script file descriptors, if the FD numbers go above
1024. This will be further addressed in the next Icecast release.
- Don't use comments inside `<http-headers>` as it will
prevent processing of further `<header>` tags.
- Webinterface shows Login when using just `stream_auth`.
Icecast 2.4.3
-----------------------------------------------------------------------------
We released a new version of Icecast last week.
It is a Windows only release and addresses a security issue recently brought
to our attention.
As it, embarrassingly, turns out this issue was previously raised on a
security mailing list in 2005 and assigned CVE 2005-0837.
A ticket (#635) was even created, once this posting was noticed
by an Icecast project member, at that time. Sadly the original report was
terse, the issue couldn't be readily reproduced and subsequently the ticket
was closed.
We were recently contacted about this issue and this time provided with
details about the environment it occurred in. This allowed us to identify
this as a Windows only issue.
The vulnerability, identified as CVE-2005-0837, allows an attacker to acces
the raw XSLT template file by appending a dot “.” to the URL. Due to the
way how Windows handles file names ending with a dot, it only affects
Icecast versions < 2.4.3 running on Windows. Icecast on other operating
systems, like Linux, wasn't affected at any time by this issue. If you
haven't modified the default XSLT files of a Windows installation,
then no information disclosure of real value could have happened.
We expect that most, of the comparatively few, Windows installations have
unmodified template files and thus, while technically vulnerable,
only expose those unmodified templates. To be clear, no runtime information
can be accessed this way.
In case you modified the templates and they contain sensitive information,
it should be assumed that a third party could have accessed them.
We're sorry, that this issue went unresolved for a long time.
## Downloads
- Source: http://downloads.xiph.org/releases/icecast/icecast-2.4.3.tar.gz
- Windows http://downloads.xiph.org/releases/icecast/icecast_win32_2.4.3.exe
#635 https://trac.xiph.org/ticket/635
Icecast 2.4.2
-----------------------------------------------------------------------------
We are releasing Icecast 2.4.2, an important bugfix-only release.
Upgrading to it is recommended due to security fixes.
A summary of the changes is listed below, for details please refer
to the ChangeLog
## Downloads
- Source: http://downloads.xiph.org/releases/icecast/icecast-2.4.2.tar.gz
- Windows http://downloads.xiph.org/releases/icecast/icecast_win32_2.4.2.exe
## Fixes
- Fix a crash related to URL Auth end empty credentials,
[CVE-2015-3026]. [#2191]
## Known issues
- HTTP PUT implementation currently doesn't support chunked encoding yet.
- HTTP PUT with "Expect: 100-Continue" receives first a "100" and soon
after a "200", instead of the "200" at the end of transmission.
- Caution should be exercised when using `<on-connect>` or
`<on-disconnect>`, as there is a small chance of stream file descriptors
being mixed up with script file descriptors, if the FD numbers go above
1024. This will be further addressed in the next Icecast release.
- Don't use comments inside `<http-headers>` as it will
prevent processing of further `<header>` tags.
- Webinterface shows Login when using just `stream_auth`.
#2191 https://trac.xiph.org/ticket/2191
CVE-2015-3026 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3026
Icecast 2.4.1
-----------------------------------------------------------------------------
We are pleased to announce release 2.4.1 of Icecast.
This is a pure bugfix-only release. Upgrading to it is recommended
due to security fixes.
A summary of the changes is listed below, for details please
refer to the ChangeLog
## Downloads
- Source: http://downloads.xiph.org/releases/icecast/icecast-2.4.1.tar.gz
- Windows http://downloads.xiph.org/releases/icecast/icecast_win32_2.4.1.exe
## Fixes
- Fix autogen.sh to work properly on OS X
- Removed threadpool from the example config (it is long gone and unused)
- More detailed logging:
- Add source IP adress to source start/stop logging
- Add mountpoints to some log lines
- Fix logging to send errors to STDERR prior to opening log files
- Fix `<auth>` in default mounts (`<mount type="default">`)
to work properly
- Fix the JSON status API (`status-json.xsl`), which could return invalid
JSON in some cases
- SSL Security improvements:
- Disable SSLv3
- Disable SSL compression
- Updated the default ciphers to be more secure
- Handle empty strings in config file better
- Fix logging of client connection duration time on Windows
- Fix possibly broken XML on Windows
- Require `Content-Type` header for PUT requests
- Fix on-connect and on-disconnect script STDIN/STDOUT/STDERR corruption
due to shared file descriptors. (CVE-2014-9018)
- Fix JSON access by adding support for global and mount specific
custom HTTP headers
## Known issues
- HTTP PUT implementation currently doesn't support chunked encoding yet.
- HTTP PUT with "Expect: 100-Continue" receives first a "100" and soon
after a "200", instead of the "200" at the end of transmission.
- Caution should be exercised when using `<on-connect>` or
`<on-disconnect>`, as there is a small chance of stream
file descriptors being mixed up with script file descriptors, if
the FD numbers go above 1024. This will be further addressed
in the next Icecast release.
- Don't use comments inside `<http-headers>` as it will prevent
processing of further `<header>` tags.
- Webinterface shows Login when using just `stream_auth`.
Icecast 2.4.0
-----------------------------------------------------------------------------
We are pleased to announce release 2.4.0 of Icecast.
A summary of the changes is listed below, for details please
refer to the ChangeLog
## Downloads
- Source: http://downloads.xiph.org/releases/icecast/icecast-2.4.0.tar.gz
- Windows http://downloads.xiph.org/releases/icecast/icecast_win32_2.4.0.zip
## New features
- Support for Ogg Opus streams
- Support for WebM streams
- HTTP 1.1 PUT support for source connections. Deprecates SOURCE method.
- _Default mount_
This allows you to define a global set of defaults for _all_ mounts.
This way you can use e.g. url-auth for sources and or listeners also
for dynamically generated mounts.
- _Web interface redone_
* Web output properly redone, credit to ePirat.
* Added `<audio>` element for supported audio streams.
* Now validates completely as XHTML1.0 strict.
* Improves rendering on mobile devices.
- Added basic JSON API (`/status-json.xsl`) based on a xml2json template
by Doeke Zanstra (see `xml2json.xslt`).
Output is roughly limited to data also visible through `status.xsl`.
- Send charset in HTTP headers for everything, excluding file-serv
and streams.
- Allow (standard `strftime(3)`) `%x` codes in `<dump-file>`.
Disabled for win32.
- Added stream_start_iso8601, server_start_iso8601 to statitics.
ISO8601 compliant timestamps for statistics.
Should make usage in e.g. JSON much easier. Added as new variables
to avoid breaking backwards compatibility.
- Now compiles for win32 using mingw
- Added options `headers` and `header_prefix` to URL based listener auth.
- Updated listener_remove handler, added `ip=` and `agent=`
- Allow full URLs to be returned by the master server.
## Fixes
- Security Fix: Override supplementary groups if `<changeowner>` is used
- Fixes for some race conditions
- Dropped debian packaging directory as debian use their own.
- Send proper HTTP headers in responses to clients.
- Corrected `Content-Length` header in admin (raw) requests.
Thanks to paluh for reporting.
- Escape log entries in access log
- Fixed a memory leak. Lost headers of stream because of wrong
ref counter in associated refbuf objects.
- Avoid memory leak in `_parse_mount()` when `type`-attribute is set
- Updated web interface to be XHTML compliant.
- Removed `status2.xsl` from release.
It was only a broken example file anyway.
## Known issues
- Will crash if certain config tags are left empty.
- Webinterface shows Login when using just `stream_auth`.
Icecast 2.4 beta1
-----------------------------------------------------------------------------
Note: While WebM and Opus are production grade, there are other pending fixes.
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment