Commit fa3c7eeb authored by Thomas B. Rücker's avatar Thomas B. Rücker

Update change documentation

parent 5edc89ec
2018-10-31 09:07 ph3-der-loewe
* Update: Changed set of default headers
* Improve compatibility with broken clients
2018-10-30 13:53 tbr
* Win32 clean up
* Removed all files related to the removed Windows UI
* Added files needed by NSIS
* Added batch file used to start icecast on Windows
* Include icecast.bat into Makefile
2018-10-28 10:42 ph3-der-loewe
* Fix: Worked around buffer overflows in URL auth's cURL interface
2018-10-27 17:42 ph3-der-loewe
* Security fix: Fixed buffer overflows in URL auth code.
* CVE-2018-18820
* Fix: Fixed a memory leak
* Fix: Removed integer overflows
2018-10-27 11:59 ph3-der-loewe
* Fix: Corrected possible bufferoverflows in format_prepare_headers()
2018-06-17 06:50 ph3-der-loewe
* Fix: Do not shut down fserve engine if not started up
* Fix: Corrected const for SSL_METHOD*.
2018-06-10 18:13 tbr
* Release preparation for Icecast 2.4.4
......
......@@ -24,6 +24,13 @@
<h4 id="fixes-4">Fixes</h4>
<ul>
<li><strong>Security fix</strong>: Buffer overflow in URL-auth <br />
<ul>
<li>A malicious client can send long HTTP headers, leading to a buffer overflow and potential remote code execution.</li>
<li>The issue has been assigned CVE-2018-18820.</li>
<li>An Icecast server (version &lt;2.4.4) is only vulnerable if a &lt;mount&gt; definition exists that enables URL authentication.</li>
<li>The problematic code exists since version 2.4.0 and was now brought to our attention by Nick Rolfe of <a href="https://lgtm.com/security">Semmle Security Research Team</a></li>
</ul>
<li>Fixed segfault in htpasswd auth, if no filename was set</li>
<li>Do not report hashed user passwords in user list</li>
<li>Fix two mistakes in the default config's comments</li>
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment