Arch Linux Security Advisory ASA-201411-32 ========================================== Severity: Critical Date : 2014-11-28 CVE-ID : CVE-2014-9018 Package : icecast Type : information leak Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package icecast before version 2.4.1-1 is vulnerable to information leak. Resolution ========== Upgrade to 2.4.1-1. # pacman -Syu "icecast>=2.4.1-1" The problem has been fixed upstream in version 2.4.1. Workaround ========== Disable on-connect and on-disconnect scripts. Description =========== It was reported that Icecast could possibly leak the contents of on-connect scripts to clients, which may contain sensitive information. If on-connect/on-disconnect scripts are used, file descriptors of the server process remain open and could be written to or read from. Most pressing STDIN, STDOUT, STDERR are handled. Further all file descriptors up to 1024 are closed. There is a remaining (much lower) risk in combination of either a malicious or susceptible script and FDs above 1024. Impact ====== A remote attacker may be able to extract sensitive information from the process memory, including but not limited to passwords. References ========== http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9018 http://icecast.org/news/icecast-release-2_4_1/ https://trac.xiph.org/ticket/2087 https://bugs.archlinux.org/task/42912 http://seclists.org/oss-sec/2014/q4/716