[KLUG Members] remote root exploit in icecast
Jamie McCarthy
members@kalamazoolinux.org
Wed, 5 Dec 2001 10:24:50 -0500
If you're running icecast-server, turn it off now. Then upgrade.
Or just leave it off... the three bulleted points below say very
clearly "this is not mature software"!
------------------------------------------------------------------------
Debian Security Advisory DSA-089-1 security@debian.org
http://www.debian.org/security/ Wichert Akkerman
December 5, 2001
------------------------------------------------------------------------
Package : icecast-server
Problem type : remote root exploit (and others)
Debian-specific: no
The icecast-server (a streaming music server) package as distributed
in Debian GNU/Linux 2.2 has several security problems:
* if a client added a / after the filename of a file to be downloaded
the server would crash
* by escaping dots as %2E it was possible to circumvent security
measures and download arbitrary files
* there were several buffer overflows that could be exploited to
gain root access
These have been fixed in version 1.3.10-1, and we strongly recommend
that you upgrade your icecast-server package immediately.
[etc...]
--
Jamie McCarthy
jamie@mccarthy.vg