Date: Tue, 25 Nov 2014 22:13:06 +0100
From: jmm@...ian.org
To: oss-security@...ts.openwall.com
Cc: mmcallis@...hat.com, cve-assign@...re.org
Subject: Re: Re: CVE request: icecast: possible leak of on-connect scripts

On Thu, Nov 20, 2014 at 09:52:44AM -0500, cve-assign@...re.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > It was reported that Icecast could possibly leak the contents of
> > on-connect scripts to clients, which may contain sensitive information.
> > This issue has been fixed in the 2.4.1 release:
>
> > "Fix on-connect and on-disconnect script STDIN/STDOUT/STDERR corruption
> > due to shared file descriptors."
>
> > Information contained can include passwords
>
> > http://icecast.org/news/icecast-release-2_4_1/
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770222
> > https://trac.xiph.org/ticket/2089
> > https://trac.xiph.org/ticket/2087
> > https://trac.xiph.org/changeset/19308
>
> Use CVE-2014-9018.

I think this icecast2 issue should also receive a CVE ID:
https://trac.xiph.org/changeset/19137/

Cheers,
        Moritz