Bug 15654

Summary: icecast new security issue fixed upstream in 2.4.2 (CVE-2015-3026)
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Christiaan Welvaart <cjw>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: cjw
Version: Cauldron
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/640165/
Whiteboard:
Source RPM: icecast-2.3.3-2.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2015-04-08 15:38:18 CEST
A CVE was requested for a security issue fixed in icecast 2.4.2:
http://openwall.com/lists/oss-security/2015/04/08/8

Mageia 5 is affected.

Mageia 4 has 2.3.2 and the issue was introduced in 2.3.3, so it is not affected.

The icecast package should be updated to 2.4.2 (as 2.3.3 is EOL) or dropped.

There is PoC information in the message linked above.

David Walser 2015-04-08 15:38:30 CEST

CC: (none) => cjw
Whiteboard: (none) => MGA5TOO

Comment 1 Christiaan Welvaart 2015-04-08 16:15:38 CEST
Thanks, icecast 2.4.2 built and install-tested on cauldron. Now I only need to test if it produces a proper audio stream.

Assignee: bugsquad => cjw

Comment 2 David Walser 2015-04-08 22:23:03 CEST
CVE-2015-3026 has been assigned:
http://openwall.com/lists/oss-security/2015/04/08/11

Summary: icecast new security issue fixed upstream in 2.4.2 => icecast new security issue fixed upstream in 2.4.2 (CVE-2015-3026)

Comment 3 David Walser 2015-04-09 16:57:12 CEST
icecast-2.4.2-1.mga5 uploaded for Cauldron.  Thanks Christiaan!

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-04-13 23:08:37 CEST

URL: (none) => http://lwn.net/Vulnerabilities/640165/
Whiteboard: MGA5TOO => (none)