Icecast-Server issueshttps://gitlab.xiph.org/xiph/icecast-server/-/issues2018-03-06T12:49:47Zhttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2082Require content-type for PUT connections2018-03-06T12:49:47ZThomas B. RückerRequire content-type for PUT connectionsWe should only allow PUT connections if the content-type is explicitly set.
This will avoid breakage such as a source sending a ogg/vorbis stream, but not setting a content-type and then being mis-listed as "audio/mpeg" instead of "audio...We should only allow PUT connections if the content-type is explicitly set.
This will avoid breakage such as a source sending a ogg/vorbis stream, but not setting a content-type and then being mis-listed as "audio/mpeg" instead of "audio/ogg".
This will need to be made very clear in release notes and documentation, so that people are aware when writing new clients or porting old clients to the PUT protocol to properly set content-type.
We can't enforce this for SOURCE connections as there are simply too many broken clients out there.Icecast 2.5.0Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2081Wrong duration value in access.log on mingw32 builds2018-03-06T12:49:47ZThomas B. RückerWrong duration value in access.log on mingw32 builds34678888 or such (jitter in the last 4-5 digits) for static files from the web interface that were served in under a second is rather unlikely.
On the mailing list someone reported also weird values in case of longer connections.
Teste...34678888 or such (jitter in the last 4-5 digits) for static files from the web interface that were served in under a second is rather unlikely.
On the mailing list someone reported also weird values in case of longer connections.
Tested on Windows 2012 R2Icecast 2.5.0Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2080Limit/Filter access types available through a listener socket2018-10-02T08:29:07ZThomas B. RückerLimit/Filter access types available through a listener socketOne thing that might be worth considering is to add another setting to listener sockets that would limit which requests are handled on that port.
Listener clients, POST/sources, admin, STATS, XSLT, static files - come to mind.
Especial...One thing that might be worth considering is to add another setting to listener sockets that would limit which requests are handled on that port.
Listener clients, POST/sources, admin, STATS, XSLT, static files - come to mind.
Especially in case of professional installations there is often the desire to limit exposure to potential attacks to a minimum.
That way there could be a listener client port on public IP, while all advanced functionality would only be available on a firewalled IP/port.Icecast 2.5.0Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2077Stats data in iso8601 fields on mingw32 builds is wrong.2018-03-06T12:49:47ZThomas B. RückerStats data in iso8601 fields on mingw32 builds is wrong.We're using %z, which isn't consistent with other platforms. It depends on system configuration but could be a textual representation of the time zone or the time zone offset. The latter is what we want.
There is a workaround in our log...We're using %z, which isn't consistent with other platforms. It depends on system configuration but could be a textual representation of the time zone or the time zone offset. The latter is what we want.
There is a workaround in our logging code for this, which should be applied here too.Icecast 2.5.0https://gitlab.xiph.org/xiph/icecast-server/-/issues/2074symlink icecast docs into web dir during install2018-03-06T12:49:39ZThomas B. Rückersymlink icecast docs into web dir during installThis would make the docs much more discoverable for the average user.
We could then simply link to them from the status page and the admin pages.
Docs are already HTML as we also expose them through http://icecast.org/docs/ for each ver...This would make the docs much more discoverable for the average user.
We could then simply link to them from the status page and the admin pages.
Docs are already HTML as we also expose them through http://icecast.org/docs/ for each version
On Windows it would be a full copy instead.Icecast 2.5.0Thomas B. RückerThomas B. Rückerhttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2073Turn on Forward Secrecy in openSSL support2022-03-21T09:33:34ZThomas B. RückerTurn on Forward Secrecy in openSSL supportThis would further improve security in case of HTTPS usage.
This will need a patch to configure the curve to be used.
cf.
http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
https://github.com/bumptech/stud/pull/61/...This would further improve security in case of HTTPS usage.
This will need a patch to configure the curve to be used.
cf.
http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
https://github.com/bumptech/stud/pull/61/filesIcecast 2.5.0Thomas B. RückerThomas B. Rückerhttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2072Update default SSL cipher list to be more secure2018-03-06T12:49:47ZThomas B. RückerUpdate default SSL cipher list to be more secureCurrently: "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
Proposed: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:
DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
This was taken from: https://...Currently: "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
Proposed: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:
DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
This was taken from: https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/#fnref2 (scroll up 2 lines)
I've tested this successfully against https://www.ssllabs.com/ssltest/ in combination with the patch for #2071. The only OS/Browser combination failing is: IE 6 / XPIcecast 2.4.1Thomas B. RückerThomas B. Rückerhttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2071disable SSLv3 and SSL compression explicitly2018-03-06T12:49:47ZThomas B. Rückerdisable SSLv3 and SSL compression explicitly** SSLv3 is broken.
* Disabling compression mitigates the CRIME attack.
see attached patch** SSLv3 is broken.
* Disabling compression mitigates the CRIME attack.
see attached patchIcecast 2.5.0Thomas B. RückerThomas B. Rückerhttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2070openSSL configuration overhaul in Icecast2023-01-03T10:26:01ZThomas B. RückeropenSSL configuration overhaul in IcecastI'd like to propose we update Icecast's openSSL configuration to have safer defaults and disable broken protocols and features completely.
Most recent vulnerabilities have been addressed by openSSL and should be up to date on people's sy...I'd like to propose we update Icecast's openSSL configuration to have safer defaults and disable broken protocols and features completely.
Most recent vulnerabilities have been addressed by openSSL and should be up to date on people's systems, but still we should do our part to prevent bad things from happening.
There will be dependent tickets filed for certain aspects.Icecast 2.5.0Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2063Go through compiler warnings and such2018-03-06T12:49:47ZThomas B. RückerGo through compiler warnings and suchThere are a couple build time warnings from e.g. gcc that might need to be addressed.
This is the top level ticket for such issues. If you create tickets about build time warnings, please put the ID of this ticket: #2063 into the "Paren...There are a couple build time warnings from e.g. gcc that might need to be addressed.
This is the top level ticket for such issues. If you create tickets about build time warnings, please put the ID of this ticket: #2063 into the "Parent Tickets" field of your ticket.Icecast 2.5.0Thomas B. RückerThomas B. Rückerhttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2057Rewrite HTTP handling to correctly implement HTTP/1.12018-11-09T14:06:15ZMarvin ScholzRewrite HTTP handling to correctly implement HTTP/1.1Icecast should support HTTP/1.1 especially since we already do this partially for PUT support.
HEAD should probably be added too, since it might be useful and some players maybe do it to check content-type, length…
Additionally to compl...Icecast should support HTTP/1.1 especially since we already do this partially for PUT support.
HEAD should probably be added too, since it might be useful and some players maybe do it to check content-type, length…
Additionally to completely support PUT and stay in spec we need to support chunked encoding.Icecast 2.6Thomas B. RückerThomas B. Rückerhttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2054[PATCH] On-Demand relay mount doesn't has on_demand set on startup2018-03-06T12:49:47ZMarvin Scholz[PATCH] On-Demand relay mount doesn't has on_demand set on startupA `<relay>` that has the `on-demand` option set is missing this information on icecast's first startup, when looking at the stats xml
```
<source mount="/diff.mp3">
<listener_peak>0</listener_peak>
<listeners>0</listeners>
...A `<relay>` that has the `on-demand` option set is missing this information on icecast's first startup, when looking at the stats xml
```
<source mount="/diff.mp3">
<listener_peak>0</listener_peak>
<listeners>0</listeners>
<listenurl>http://localhost:8000/diff.mp3</listenurl>
<max_listeners>unlimited</max_listeners>
<public>0</public>
</source>
```
missing the `<on_demand>1</on_demand>` on first startup. When a listener connects and it therefore connects to the relayed stream, it will have this set. The patch makes sure that this is set initially too.Icecast 2.5.0Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2047Icecast 2.4.0 - status-json.xsl - parse error2018-03-06T12:49:47ZGhost UserIcecast 2.4.0 - status-json.xsl - parse errorHello,
The attached status json file does not parse.
The file is here:
http://www.noizeukradio.com:8000/status-json.xsl
This topic looks similar:
http://icecast.imux.net/viewtopic.php?t=8240
Thanks,
DavidHello,
The attached status json file does not parse.
The file is here:
http://www.noizeukradio.com:8000/status-json.xsl
This topic looks similar:
http://icecast.imux.net/viewtopic.php?t=8240
Thanks,
DavidIcecast 2.5.0Thomas B. RückerThomas B. Rückerhttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2039Icecast segfault : auth_url.c2018-03-06T12:49:47ZTeddyIcecast segfault : auth_url.cHi !
I'm using Icecast 2.4.0 with stream_auth authentication option.
When Nicecast (OSX streaming client) connects and sends metadata, a segfault occurs.
I investigated a bit, and it seems that _client->username_ and _client->password_...Hi !
I'm using Icecast 2.4.0 with stream_auth authentication option.
When Nicecast (OSX streaming client) connects and sends metadata, a segfault occurs.
I investigated a bit, and it seems that _client->username_ and _client->password_ (auth_url.c, lines 542/543) are both _null_.
My icecast.xml config file is almost genuine (changed the port, and configured a mountpoint with stream_auth). Please see attachments.
Here is a GDB run :
```
(gdb) run -c etc/icecast.xml
Starting program: /home/radioking/icecast-dbg/icecast-2.4.0/build/bin/icecast -c etc/icecast.xml
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff7fda700 (LWP 16800)]
[New Thread 0x7ffff7f59700 (LWP 16801)]
[New Thread 0x7ffff7ed8700 (LWP 16802)]
[New Thread 0x7ffff14ca700 (LWP 16803)]
[New Thread 0x7ffff1449700 (LWP 16804)]
[Thread 0x7ffff1449700 (LWP 16804) exited]
[New Thread 0x7ffff083f700 (LWP 16805)]
[New Thread 0x7ffff07be700 (LWP 16806)]
[Thread 0x7ffff083f700 (LWP 16805) exited]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff7fda700 (LWP 16800)]
strlen () at ../sysdeps/x86_64/strlen.S:106
106 ../sysdeps/x86_64/strlen.S: Aucun fichier ou dossier de ce type.
```
And the backtrace :
```
(gdb) bt
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
#1 0x000000000040ba9c in util_url_escape (src=0x0) at util.c:269
#2 0x000000000041e0db in url_stream_auth (auth_user=<optimized out>)
at auth_url.c:542
#3 0x000000000041ac80 in stream_auth_callback (auth=0x64cf20, auth_user=0x684280)
at auth.c:248
#4 0x000000000041a5cf in auth_run_thread (arg=arg@entry=0x64cf20) at auth.c:311
#5 0x0000000000421e77 in _start_routine (arg=0x657550) at thread.c:657
#6 0x00007ffff68c4182 in start_thread (arg=0x7ffff7fda700) at pthread_create.c:312
#7 0x00007ffff65f130d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
```Icecast 2.5.0Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2024configure does not find speex when using non-standard prefix2018-10-17T14:49:29ZRoland Hermansconfigure does not find speex when using non-standard prefixI tried to compile icecast 2.4.0 using a non-standard prefix as follows:
```
./configure --prefix=<mydir>
```
The libraries libogg, libvorbis and libtheora are found, but libspeex is not:
```
checking for libogg... ok
checking for lib...I tried to compile icecast 2.4.0 using a non-standard prefix as follows:
```
./configure --prefix=<mydir>
```
The libraries libogg, libvorbis and libtheora are found, but libspeex is not:
```
checking for libogg... ok
checking for libvorbis... ok
checking for libtheora... ok
checking for libspeex... configure: WARNING: Speex support disabled!
```
The reason for this is that the configure script does not append SPEEX_CFLAGS to CPPFLAGS. Attached patch contains a fix for m4/speex.m4 that temporarily modifies CPPFLAGS in a way similar to the other libraries.Icecast 2.5.0Thomas B. RückerThomas B. Rückerhttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2018Add a web interface equivalent of SIGHUP2018-03-06T12:49:47ZwillwhAdd a web interface equivalent of SIGHUPI run icecast2 on windows, and it'd be great to have some HTTP interface I could POST to, to call a reload to add mounts, without kicking any sources or clients from the running mounts.
Thanks guys!I run icecast2 on windows, and it'd be great to have some HTTP interface I could POST to, to call a reload to add mounts, without kicking any sources or clients from the running mounts.
Thanks guys!Icecast 2.5.0Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2017out of band Opus Metadata updates not allowed2018-11-10T09:27:15Zkidxout of band Opus Metadata updates not allowedMessage: Mountpoint will not accept URL updates.
Return Code: 1Message: Mountpoint will not accept URL updates.
Return Code: 1Icecast 2.5.0Gitlab BotGitlab Bothttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2016Add IP address of the source in error.log2018-03-06T12:49:48ZFrancois LafontAdd IP address of the source in error.logHere is typical content of error.log during a source connection:
```
[2014-05-02 13:43:49] INFO connection/_handle_source_request Source logging in at mountpoint "/test1.mp3"
[2014-05-02 13:43:49] INFO format-vorbis/initial_vorbis_pa...Here is typical content of error.log during a source connection:
```
[2014-05-02 13:43:49] INFO connection/_handle_source_request Source logging in at mountpoint "/test1.mp3"
[2014-05-02 13:43:49] INFO format-vorbis/initial_vorbis_page seen initial vorbis header
[2014-05-02 13:43:49] INFO source/source_main listener count on /test1.mp3 now 0
[2014-05-02 13:43:57] INFO source/get_next_buffer End of Stream /test1.mp3
[2014-05-02 13:43:57] INFO source/source_shutdown Source "/test1.mp3" exiting
```
It will be great if the IP source address was indicate in error.log. For example, something like that:
```
[2014-05-02 13:43:49] INFO connection/_handle_source_request Source (IP=192.168.0.26) logging in at mountpoint "/test1.mp3"
[2014-05-02 13:43:49] INFO format-vorbis/initial_vorbis_page seen initial vorbis header
[2014-05-02 13:43:49] INFO source/source_main listener count on /test1.mp3 now 0
[2014-05-02 13:43:57] INFO source/get_next_buffer End of Stream /test1.mp3
[2014-05-02 13:43:57] INFO source/source_shutdown Source (IP=192.168.0.26) "/test1.mp3" exiting
```
Isn't it? ;-)
Francois LafontIcecast 2.5.0Thomas B. RückerThomas B. Rückerhttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2010Improve Icecast htpasswd hash storage security2023-02-21T23:42:29ZThomas B. RückerImprove Icecast htpasswd hash storage securityCurrently Icecast uses unsalted md5 hashes of passwords.
Once an attacker obtains access to those the risk is high that simple passwords will be broken by simple md5 look-up through web search.
We should move to using bcrypt, as it's li...Currently Icecast uses unsalted md5 hashes of passwords.
Once an attacker obtains access to those the risk is high that simple passwords will be broken by simple md5 look-up through web search.
We should move to using bcrypt, as it's license permits us to incorporate it, also it should allow us to be compatible with the standard htpasswd(1) manipulation tool.
In the meanwhile using forwarded http authentication potentially offers higher security by deferring authentication to another http server.Icecast 2.5.0Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2004calls to abort() should be removed and checks for memory allocation failture ...2018-10-18T08:03:57ZPhilipp Schafftcalls to abort() should be removed and checks for memory allocation failture to be addedicecast calls abort() 3 times. All 3 times are related to memory allocation. It is used to avoid the need to handle errors on memory allocation. In many other places memory allocation is not checked to be successful.
* all calls to abor...icecast calls abort() 3 times. All 3 times are related to memory allocation. It is used to avoid the need to handle errors on memory allocation. In many other places memory allocation is not checked to be successful.
* all calls to abort() should be removed.
* all calls to malloc(), calloc() and realloc() should be checked handling errors correctly.
* There should be a policy on what happens on memory allocation failure (icecast dropping clients/resources OR dieing?)
* icecast should (at high/all cost) try to inform the user about this problem.
* memory failure can have many reasons. Not just the system being out of memory.Icecast 2.5.0Thomas B. RückerThomas B. Rücker