[v2.6] icecast: remote DoS (CVE-2015-3026)
Icecast before 2.4.2, when a stream_auth handler is defined for URL authentication, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a request without login credentials, as demonstrated by a request to "admin/killsource?mount=/test.ogg".
Affected Icecast versions:
2.3.3 (first release with stream_auth)
2.4.x before 2.4.2
Fix released in:
2.4.2
Fix is not released for:
2.3.3: EOL
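An added example, not part of the original issue or of Icecast's code: a check for the two conditions the advisory names, an affected version and a `stream_auth` option under URL authentication. The `<mount>` / `<authentication type="url">` / `<option name="stream_auth">` layout is assumed from Icecast 2.4 configuration files, the function names are hypothetical, and the sample configuration is constructed.

```python
import re
import xml.etree.ElementTree as ET

def parse_version(text):
    """Turn '2.4.1' into (2, 4, 1); a trailing suffix such as '-r0' is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def version_affected(text):
    """Affected per the advisory: 2.3.3, and 2.4.x before 2.4.2."""
    v = parse_version(text)
    return v == (2, 3, 3) or (2, 4, 0) <= v < (2, 4, 2)

def stream_auth_mounts(config_xml):
    """Return mount names whose URL authentication defines a stream_auth option."""
    root = ET.fromstring(config_xml)
    hits = []
    for mount in root.iter("mount"):
        name = (mount.findtext("mount-name") or "(unnamed)").strip()
        path = "./authentication[@type='url']/option[@name='stream_auth']"
        if mount.findall(path):
            hits.append(name)
    return hits

def exposed(version, config_xml):
    """Both conditions from the advisory must hold for the crash to be reachable."""
    return version_affected(version) and bool(stream_auth_mounts(config_xml))

# Constructed sample configuration (assumed layout, not taken from the issue).
SAMPLE_CONFIG = """
<icecast>
  <mount>
    <mount-name>/test.ogg</mount-name>
    <authentication type="url">
      <option name="stream_auth" value="http://auth.example.invalid/source"/>
    </authentication>
  </mount>
  <mount>
    <mount-name>/open.ogg</mount-name>
  </mount>
</icecast>
"""

if __name__ == "__main__":
    for ver in ("2.3.3", "2.4.1", "2.4.2"):
        print(ver, exposed(ver, SAMPLE_CONFIG), stream_auth_mounts(SAMPLE_CONFIG))
```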
References:
http://seclists.org/oss-sec/2015/q2/77
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3026
CONFIRM:
https://trac.xiph.org/changeset/27abfbbd688df3e3077b535997330aa06603250f/icecast-server
http://lists.xiph.org/pipermail/icecast-dev/2015-April/002460.html
(from redmine: issue id 4191, created on 2015-05-18, closed on 2015-05-22)
- Relations:
- parent #4190 (closed)
- Changesets:
- Revision 39554ea0 by Natanael Copa on 2015-05-21T11:06:36Z:
main/icecast: security fix for CVE-2015-3026
fixes #4191