[gentoo-announce] [ GLSA 201508-03 ] Icecast: Denial of Service - gentoo-announce

From:	Yury German <blueknight@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 201508-03 ] Icecast: Denial of Service
Date:	Sat, 15 Aug 2015 13:19:34
Message-Id:	`55CF3BAD.1050403@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201508-03

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                           https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: Icecast: Denial of Service

9

     Date: August 15, 2015

10

     Bugs: #545968

11

       ID: 201508-03

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

A bug in the Icecast code handling source client URL authentication

19

causes a Denial of Service condition.

20

21

Background

22

==========

23

24

Icecast is an open source alternative to shoutcast that supports mp3,

25

ogg (vorbis/theora) and aac streaming.

26

27

Affected packages

28

=================

29

30

    -------------------------------------------------------------------

31

     Package              /     Vulnerable     /            Unaffected

32

    -------------------------------------------------------------------

33

  1  net-misc/icecast             < 2.4.2                    >= 2.4.2

34

35

Description

36

===========

37

38

When stream_auth handler is defined for URL authentication and a

39

request is sent without login credentials, a Denial of Service

40

condition can occur.

41

42

Impact

43

======

44

45

A remote attacker could possibly cause a Denial of Service condition.

46

47

Workaround

48

==========

49

50

Users of affected versions can change stream_auth mountpoints to use

51

password authentication instead.

52

53

Resolution

54

==========

55

56

All icecast users should upgrade to the latest version:

57

58

  # emerge --sync

59

  # emerge --ask --oneshot --verbose ">=net-misc/icecast-2.4.2"

60

61

References

62

==========

63

64

[ 1 ] CVE-2015-3026

65

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3026

66

67

Availability

68

============

69

70

This GLSA and any updates to it are available for viewing at

71

the Gentoo Security Website:

72

73

 https://security.gentoo.org/glsa/201508-03

74

75

Concerns?

76

=========

77

78

Security is a primary focus of Gentoo Linux and ensuring the

79

confidentiality and security of our users' machines is of utmost

80

importance to us. Any security concerns should be addressed to

81

security@g.o or alternatively, you may file a bug at

82

https://bugs.gentoo.org.

83

84

License

85

=======

86

87

Copyright 2015 Gentoo Foundation, Inc; referenced text

88

belongs to its owner(s).

89

90

The contents of this document are licensed under the

91

Creative Commons - Attribution / Share Alike license.

92

93

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201508-03
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: Icecast: Denial of Service
9	Date: August 15, 2015
10	Bugs: #545968
11	ID: 201508-03
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	A bug in the Icecast code handling source client URL authentication
19	causes a Denial of Service condition.
20
21	Background
22	==========
23
24	Icecast is an open source alternative to shoutcast that supports mp3,
25	ogg (vorbis/theora) and aac streaming.
26
27	Affected packages
28	=================
29
30	-------------------------------------------------------------------
31	Package / Vulnerable / Unaffected
32	-------------------------------------------------------------------
33	1 net-misc/icecast < 2.4.2 >= 2.4.2
34
35	Description
36	===========
37
38	When stream_auth handler is defined for URL authentication and a
39	request is sent without login credentials, a Denial of Service
40	condition can occur.
41
42	Impact
43	======
44
45	A remote attacker could possibly cause a Denial of Service condition.
46
47	Workaround
48	==========
49
50	Users of affected versions can change stream_auth mountpoints to use
51	password authentication instead.
52
53	Resolution
54	==========
55
56	All icecast users should upgrade to the latest version:
57
58	# emerge --sync
59	# emerge --ask --oneshot --verbose ">=net-misc/icecast-2.4.2"
60
61	References
62	==========
63
64	[ 1 ] CVE-2015-3026
65	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3026
66
67	Availability
68	============
69
70	This GLSA and any updates to it are available for viewing at
71	the Gentoo Security Website:
72
73	https://security.gentoo.org/glsa/201508-03
74
75	Concerns?
76	=========
77
78	Security is a primary focus of Gentoo Linux and ensuring the
79	confidentiality and security of our users' machines is of utmost
80	importance to us. Any security concerns should be addressed to
81	security@g.o or alternatively, you may file a bug at
82	https://bugs.gentoo.org.
83
84	License
85	=======
86
87	Copyright 2015 Gentoo Foundation, Inc; referenced text
88	belongs to its owner(s).
89
90	The contents of this document are licensed under the
91	Creative Commons - Attribution / Share Alike license.
92
93	http://creativecommons.org/licenses/by-sa/2.5