Multiple CVEs in 2.3.3-2ubuntu1 found in trusty
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
icecast2 (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Trusty |
Fix Released
|
Undecided
|
Unassigned | ||
Utopic |
Fix Released
|
Undecided
|
Unassigned | ||
Vivid |
Invalid
|
Undecided
|
Unassigned |
Bug Description
As seen http://
Changelog of attached debdiff:
icecast2 (2.3.3-2ubuntu1.1) trusty; urgency=high
* SECURITY UPDATE: Denial of service vulnerability.
- d/p/0002-
This fixes a crash (NULL reference) in case URL Auth is used
and stream_auth is trigged with no credentials passed by the client.
Username and password is now set to empty strings and transmited to
the backend server this way.
- CVE-2015-3026
* SECURITY UPDATE: Potentially leaks sensitive information.
- d/p/0001-
Include patchset 19313 (close file handles for external scripts).
- CVE-2014-9018
* SECURITY UPDATE: Potentially allows local users to gain
privileges via unspecified vectors.
- d/p/0003-
In case of <changeowner> only UID and GID were changed,
supplementary groups were left in place.
This is a potential security issue only if <changeowner> is used.
New behaviour is to set UID, GID and set supplementary groups
based on the UID.
Even in case of icecast remaining in supplementary group 0
this "only" gives it things like access to files that are owned
by group 0 and according to their umask. This is obviously bad,
but not as bad as UID 0 with all its other special rights.
- CVE-2014-9091
-- Unit 193 <email address hidden> Tue, 28 Apr 2015 17:28:20 -0400
information type: | Private Security → Public Security |
Changed in icecast2 (Ubuntu Trusty): | |
status: | Fix Committed → Fix Released |
Changed in icecast2 (Ubuntu Utopic): | |
status: | Fix Committed → Fix Released |
Changed in icecast2 (Ubuntu Vivid): | |
status: | Confirmed → Invalid |
Changed in icecast2 (Ubuntu): | |
status: | Confirmed → Fix Released |
ACK on the debdiff, looks good.
I am using it for both trusty and utopic with an appropriate version change since they both have the same package version.
Packages are building now and will be released today.
Thanks!