[KLUG Members] remote root exploit in icecast

Jamie McCarthy members@kalamazoolinux.org
Wed, 5 Dec 2001 10:24:50 -0500

Previous message: [KLUG Members] Evolution 1.0 is here!
Next message: [KLUG Members] Evolution 1.0 is here!
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

If you're running icecast-server, turn it off now.  Then upgrade.

Or just leave it off... the three bulleted points below say very
clearly "this is not mature software"!




------------------------------------------------------------------------
Debian Security Advisory DSA-089-1                   security@debian.org
http://www.debian.org/security/                         Wichert Akkerman
December  5, 2001
------------------------------------------------------------------------

Package        : icecast-server
Problem type   : remote root exploit (and others)
Debian-specific: no

The icecast-server (a streaming music server) package as distributed
in Debian GNU/Linux 2.2 has several security problems:

* if a client added a / after the filename of a file to be downloaded
  the server would crash
* by escaping dots as %2E it was possible to circumvent security
  measures and download arbitrary files
* there were several buffer overflows that could be exploited to
  gain root access

These have been fixed in version 1.3.10-1, and we strongly recommend
that you upgrade your icecast-server package immediately.

[etc...]

--
 Jamie McCarthy
 jamie@mccarthy.vg

Previous message: [KLUG Members] Evolution 1.0 is here!
Next message: [KLUG Members] Evolution 1.0 is here!
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]