[arch-security] [ASA-201504-12] icecast: denial of service
Arch Linux Security Advisory ASA-201504-12
==========================================

Severity: Medium
Date    : 2015-04-11
CVE-ID  : CVE-2015-3026
Package : icecast
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package icecast before version 2.4.2-1 is vulnerable to denial of service.

Resolution
==========

Upgrade to 2.4.2-1.

# pacman -Syu "icecast>=2.4.2-1"

The problem has been fixed upstream in version 2.4.2.

Workaround
==========

If installing the updated package is not possible, disable "stream_auth" and use <password> instead (see Description). Installations that only use <source-password> or per-mount <password> are not affected.

Description
===========

CVE-2015-3026 (denial of service):

The bug can only be triggered if "stream_auth" is being used. This means that all installations that use a default configuration are NOT affected: the default configuration only uses <source-password>. Neither are simple mountpoints affected that use <password>. A workaround, if installing an updated package is not possible, is to disable "stream_auth" and use <password> instead.

As far as we understand, the bug only leads to a simple remote denial of service. The underlying issue is a null pointer dereference. For clarity: no remote code execution should be possible; the server just segfaults.

Impact
======

A remote attacker can crash the icecast server by requesting a specially crafted URL that triggers the null pointer dereference.

References
==========

http://seclists.org/oss-sec/2015/q2/78
http://seclists.org/oss-sec/2015/q2/80
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-3026
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782120
https://trac.xiph.org/ticket/2191
http://lists.xiph.org/pipermail/icecast-dev/2015-April/002460.html
https://trac.xiph.org/changeset/27abfbbd688df3e3077b535997330aa06603250f/ice...
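The advisory's distinction between affected and unaffected setups comes down to one configuration option. The following is an added example, not part of the advisory and not code from the icecast project: two constructed icecast.xml <mount> fragments, one using URL authentication with the "stream_auth" option (the affected configuration) and one using a static per-mount <password> (the workaround), together with a small check that flags a config file still carrying stream_auth. The mount name, the auth URLs and the password are placeholders; the listener_add/listener_remove options are just other URL-auth options that commonly sit next to stream_auth and are not themselves implicated by the advisory.

```shell
#!/bin/sh
# Added example, not from the advisory or from the icecast project.
# Two constructed icecast.xml <mount> fragments plus a check that reports
# whether a config file still uses the "stream_auth" URL-auth option that
# ASA-201504-12 says is required to trigger CVE-2015-3026.
# Mount name, URLs and password below are placeholders (assumptions).

# Affected shape: URL-based authentication with stream_auth.  Every source
# connection is validated against the auth URL; this is the path the
# advisory says can crash icecast < 2.4.2 via a null pointer dereference.
AFFECTED_MOUNT='<mount>
  <mount-name>/live.ogg</mount-name>
  <authentication type="url">
    <option name="stream_auth" value="http://auth.example.test/stream"/>
    <option name="listener_add" value="http://auth.example.test/listener"/>
    <option name="listener_remove" value="http://auth.example.test/listener"/>
  </authentication>
</mount>'

# Workaround shape from the advisory: a static per-mount source password,
# no stream_auth at all.
WORKAROUND_MOUNT='<mount>
  <mount-name>/live.ogg</mount-name>
  <password>replace-with-a-long-random-secret</password>
</mount>'

# uses_stream_auth FILE
# Exit 0 if FILE contains a stream_auth option outside a single-line XML
# comment, otherwise exit 1.  This is a text match, not an XML parse: an
# option wrapped in a multi-line comment is not recognised as commented out,
# so treat a hit as "review this mount by hand", not as proof of exposure.
uses_stream_auth() {
    sed 's/<!--.*-->//g' "$1" | grep -Eq '<option[[:space:]]+name="stream_auth"'
}

# report FILE: operator-readable verdict, mirroring the advisory's advice.
report() {
    if uses_stream_auth "$1"; then
        echo "$1: uses stream_auth; upgrade to icecast>=2.4.2-1 or switch the mount to <password>"
    else
        echo "$1: no stream_auth option found; <source-password>/<password>-only setups are not affected"
    fi
}

# Stand-alone demonstration on the two constructed fragments.
demo_tmp=$(mktemp) || exit 1
printf '%s\n' "$AFFECTED_MOUNT" > "$demo_tmp"
report "$demo_tmp"
printf '%s\n' "$WORKAROUND_MOUNT" > "$demo_tmp"
report "$demo_tmp"
rm -f "$demo_tmp"
```

To check a live host, call report on the real config (on Arch that is normally /etc/icecast.xml) and pair the result with the package version from `pacman -Q icecast`: a stream_auth hit on a version below 2.4.2-1 is the combination the advisory describes.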
participants (1)
-
Christian Rebischke