Icecast can be crashed remotely if stream_auth is enabled.
Downstream bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782120
Icecast can be killed by anyone with a simple HTTP request when URL authentication is used and a stream_auth handler is defined.
<mount>
    <mount-name>/test.ogg</mount-name>
    <authentication type="url">
        <option name="stream_auth" value="http://localhost/auth"/>
    </authentication>
</mount>
Proof of concept exploit:
This happens if no logon credentials are sent with the request. The crash happens regardless of whether a source client is connected to the vulnerable mountpoint.
This will be released in a security release 2.4.2 today.
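A configuration audit for the condition described above, as an added example that is not part of the original report or the Icecast code base. It lists mounts that use URL authentication with a stream_auth option; the sample config is constructed, and treating every plain dotted version below 2.4.2 as unfixed is an assumption.

```python
import xml.etree.ElementTree as ET

FIXED_VERSION = (2, 4, 2)  # security release named in the report

# Constructed sample icecast.xml fragment (not taken from a real deployment).
SAMPLE_CONFIG = """
<icecast>
  <mount>
    <mount-name>/test.ogg</mount-name>
    <authentication type="url">
      <option name="stream_auth" value="http://localhost/auth"/>
    </authentication>
  </mount>
  <mount>
    <mount-name>/listeners.ogg</mount-name>
    <authentication type="url">
      <option name="listener_add" value="http://localhost/listener"/>
    </authentication>
  </mount>
</icecast>
"""

def parse_version(text):
    """Turn '2.4.1' into (2, 4, 1); missing parts count as 0."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def exposed_mounts(config_xml):
    """Return mount names that use URL auth with a stream_auth handler."""
    root = ET.fromstring(config_xml)
    hits = []
    for mount in root.iter("mount"):
        for auth in mount.findall("authentication"):
            if (auth.get("type") or "").lower() != "url":
                continue
            names = {(o.get("name") or "").lower() for o in auth.findall("option")}
            if "stream_auth" in names:
                hits.append((mount.findtext("mount-name") or "?").strip())
    return hits

def audit(config_xml, installed_version):
    """Mounts still at risk: exposed configuration on a pre-fix version."""
    if parse_version(installed_version) >= FIXED_VERSION:
        return []
    return exposed_mounts(config_xml)

if __name__ == "__main__":
    for name in audit(SAMPLE_CONFIG, "2.4.1"):
        print(f"{name}: stream_auth URL auth on a version before 2.4.2")
```

Mounts that only define other URL-auth options, such as listener_add, are not reported, since the report ties the crash to a defined stream_auth handler.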