
Centova Technologies Forum

Author Topic: Icecast 2.4.3  (Read 346 times)

bucihost

  • Newbie
  • *
  • Posts: 21
Icecast 2.4.3
« on: January 02, 2018, 01:20:22 am »
Hello! Icecast 2.4.3 was available FEB 1, 2016, but CC still uses 2.4.2. How can I upgrade to 2.4.3?

Alexiu

  • Centova Staff
  • *
  • Posts: 481
Re: Icecast 2.4.3
« Reply #1 on: January 02, 2018, 12:57:53 pm »
Icecast 2.4.3 is a Windows only release. From Icecast's web page:

Quote
Icecast Release 2.4.3
We released a new version of Icecast last week. It is a Windows only release and addresses a security issue recently brought to our attention.

As it, embarrassingly, turns out this issue was previously raised on a security mailing list in 2005 and assigned CVE 2005-0837. A ticket (#635) was even created, once this posting was noticed by an Icecast project member, at that time. Sadly the original report was terse, the issue couldn’t be readily reproduced and subsequently the ticket was closed.

We were recently contacted about this issue and this time provided with details about the environment it occurred in. This allowed us to identify this as a Windows only issue.

The vulnerability, identified as CVE-2005-0837, allows an attacker to access the raw XSLT template file by appending a dot “.” to the URL. Due to the way how Windows handles file names ending with a dot, it only affects Icecast versions < 2.4.3 running on Windows. Icecast on other operating systems, like Linux, wasn’t affected at any time by this issue. If you haven’t modified the default XSLT files of a Windows installation, then no information disclosure of real value could have happened. We expect that most, of the comparatively few, Windows installations have unmodified template files and thus, while technically vulnerable, only expose those unmodified templates. To be clear, no runtime information can be accessed this way.

In case you modified the templates and they contain sensitive information, it should be assumed that a third party could have accessed them. We’re sorry, that this issue went unresolved for a long time.
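
The trailing-dot behaviour described in the quoted announcement, as an added example that is not part of this thread and is not Icecast's code: a simplified model that assumes the handler chooses between XSLT processing and raw file serving by file extension. The function names and sample paths are hypothetical.

```c
#include <stdio.h>
#include <string.h>

enum action { ACT_TRANSFORM, ACT_SERVE_RAW, ACT_REJECT };

/* Win32 drops trailing dots/spaces: "status.xsl." opens "status.xsl". */
static size_t win32_effective_len(const char *path)
{
    size_t n = strlen(path);
    while (n > 0 && (path[n - 1] == '.' || path[n - 1] == ' '))
        n--;
    return n;
}

static int ends_with_xsl(const char *path, size_t n)
{
    return n >= 4 && strncmp(path + n - 4, ".xsl", 4) == 0;
}

/* Assumed naive dispatch: decides from the literal request string only. */
enum action classify_naive(const char *path)
{
    return ends_with_xsl(path, strlen(path)) ? ACT_TRANSFORM : ACT_SERVE_RAW;
}

/* Hardened: reject names the OS would silently rewrite before opening. */
enum action classify_hardened(const char *path)
{
    size_t n = strlen(path);
    if (n == 0 || win32_effective_len(path) != n)
        return ACT_REJECT;
    return ends_with_xsl(path, n) ? ACT_TRANSFORM : ACT_SERVE_RAW;
}

/* 1 when the naive check would serve a template as a raw file. */
int naive_discloses_template(const char *path)
{
    return classify_naive(path) == ACT_SERVE_RAW &&
           ends_with_xsl(path, win32_effective_len(path));
}

int main(void)
{
    const char *samples[] = { "/status.xsl", "/status.xsl.", "/style.css" }; /* constructed */
    for (size_t i = 0; i < 3; i++)
        printf("%-14s naive=%d hardened=%d\n", samples[i],
               classify_naive(samples[i]), classify_hardened(samples[i]));
    return 0;
}
```

The hardened check makes the string that was classified identical to the name the operating system will open, which is the property the naive version lacks on Windows.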

bucihost

  • Newbie
  • *
  • Posts: 21
Re: Icecast 2.4.3
« Reply #2 on: January 03, 2018, 02:14:42 am »
No!
See in download section:

Icecast Current Release (2.4.3)
The latest Icecast release can be downloaded below. For Windows there is a binary release in an installer, for Linux/UNIX we provide the sources.

Icecast for Linux/Unix .tar.gz (2.3 MB), Source Tarball

Roger

  • Centova Staff
  • *
  • Posts: 373
Re: Icecast 2.4.3
« Reply #3 on: January 03, 2018, 12:14:47 pm »
Hello bucihost,

I believe that what my colleague Alexiu was referring to is that the differences between 2.4.2 and 2.4.3 are limited to fixing the aforementioned security issue for the Windows version.

If you know of some new feature that was introduced with 2.4.3, and would like to see it supported in Centova Cast please let us know.


Regards.

wisez

  • Newbie
  • *
  • Posts: 24
Re: Icecast 2.4.3
« Reply #4 on: January 03, 2018, 01:03:11 pm »
No!
See in download section:

Icecast Current Release (2.4.3)
The latest Icecast release can be downloaded below. For Windows there is a binary release in an installer, for Linux/UNIX we provide the sources.

Icecast for Linux/Unix .tar.gz (2.3 MB), Source Tarball

Download the .tar.gz.
Open it.
See Changelog with an editor like Notepad++

"* Linux/Unix installations were never affected, Windows only release!"
They just changed the version number.
Nothing's changed.