Upstream has issued an advisory on November 1:
https://www.openwall.com/lists/oss-security/2018/11/01/3

The issue is fixed upstream in 2.4.4.

Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Done for Cauldron and mga6!
CC: (none) => geiger.david68210
Advisory:
========================

Updated icecast packages fix security vulnerability:

Buffer overflows in URL auth code if there is a "mount" definition that enables URL authentication. A malicious client could send long HTTP headers, leading to a buffer overflow and potential remote code execution (CVE-2018-18820).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18820
https://www.openwall.com/lists/oss-security/2018/11/01/3
========================

Updated packages in core/updates_testing:
========================
icecast-2.4.4-1.mga6

from icecast-2.4.4-1.mga6.src.rpm
Version: Cauldron => 6
Assignee: bugsquad => qa-bugs
Whiteboard: MGA6TOO => (none)
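An added example, not part of the bug report or of the icecast project: a check for the precondition the advisory names (a "mount" definition with URL authentication) combined with the fixed version 2.4.4. The sample configuration, the function names, the sample version strings and the treatment of every version below 2.4.4 as unpatched are assumptions.

```python
import xml.etree.ElementTree as ET

FIXED_VERSION = (2, 4, 4)  # fixed upstream release named in the advisory

# Constructed sample configuration (not taken from the bug report).
SAMPLE_CONFIG = """<icecast>
  <mount>
    <mount-name>/test</mount-name>
    <authentication type="url">
      <option name="listener_add" value="http://127.0.0.1/auth"/>
    </authentication>
  </mount>
  <mount>
    <mount-name>/plain</mount-name>
    <authentication type="htpasswd">
      <option name="filename" value="/etc/icecast/users"/>
    </authentication>
  </mount>
</icecast>"""


def parse_version(text):
    """Turn '2.4.4' or an RPM-style '2.4.4-1.mga6' into a tuple of ints."""
    upstream = text.split("-", 1)[0]
    return tuple(int(part) for part in upstream.split("."))


def url_auth_mounts(config_xml):
    """Return mount names whose <authentication> element has type="url"."""
    root = ET.fromstring(config_xml)
    names = []
    for mount in root.iter("mount"):
        auth = mount.find("authentication")
        if auth is not None and auth.get("type", "").strip().lower() == "url":
            names.append((mount.findtext("mount-name") or "(unnamed)").strip())
    return names


def needs_update(installed_version, config_xml):
    """True when the build predates the fix and URL auth is configured."""
    exposed = url_auth_mounts(config_xml)
    # Assumption: anything older than the fixed release counts as unpatched.
    return parse_version(installed_version) < FIXED_VERSION and bool(exposed)


if __name__ == "__main__":
    print(url_auth_mounts(SAMPLE_CONFIG))
    print(needs_update("2.4.3-1.mga6", SAMPLE_CONFIG))
```

To audit a real host, pass the contents of the configuration file and the installed package version instead of the constructed values.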
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Tried to follow bug 14629 Comment 2, but I don't get it: in step 3 on the vlc setup it says:
"set server: localhost, port:8000, mountpoint: test login: source, password:2
but the vlc dialogue only asks for Address, mount point and password and I get:

$ mplayer http://localhost:8000/test
MPlayer 1.3.0-12.mga6.tainted-5.4.0 (C) 2000-2016 MPlayer Team
mplayer: could not connect to socket
mplayer: No such file or directory
Failed to open LIRC support. You will not be able to use your remote control.

Playing http://localhost:8000/test.
Resolving localhost for AF_INET...
Connecting to server localhost[127.0.0.1]: 8000...
Server returned 404: File Not Found
STREAM_ASF, URL: http://localhost:8000/test
Resolving localhost for AF_INET...
Connecting to server localhost[127.0.0.1]: 8000...
Server returned 404:File Not Found
Failed to parse header.
Failed, exiting.
Resolving localhost for AF_INET...
Connecting to server localhost[127.0.0.1]: 8000...
Server returned 404: File Not Found
No stream found to handle url http://localhost:8000/test
CC: (none) => herman.viaene
Errors when starting stream in vlc:

[b1f10fb8] access_output_shout access out error: failed to initialize shout streaming to localhost:8000//test
[b1f15080] stream_out_standard stream out error: no suitable sout access module for `shout/mp3:////tester@localhost:8000/test'
[b1f15380] main stream output error: stream chain failed for `std{access=shout,mux=mp3,dst=//tester@localhost:8000/test}'
[09741ea0] main input error: cannot start stream output instance, aborting

Note: the mux parameter is set to ogg by vlc. I changed it to mp3 before submitting, but my first tries were with the ogg setting, and they gave the same result.
Debian has issued an advisory for this on November 4: https://www.debian.org/security/2018/dsa-4333
Re comment #3: The wizard did present the port number as well.
Re comment #4: Tried this for x86_64 before updating and saw very similar output from vlc and mplayer.

$ mplayer http://localhost:8000/ice
MPlayer 1.3.0-12.mga6.tainted-5.4.0 (C) 2000-2016 MPlayer Team
mplayer: could not connect to socket
mplayer: No such file or directory
Failed to open LIRC support. You will not be able to use your remote control.

Playing http://localhost:8000/ice.
Resolving localhost for AF_INET6...
Connecting to server localhost[::1]: 8000...
connect error: Connection refused
Resolving localhost for AF_INET...
Connecting to server localhost[127.0.0.1]: 8000...
Server returned 404: File Not Found
STREAM_ASF, URL: http://localhost:8000/ice
Resolving localhost for AF_INET6...
Connecting to server localhost[::1]: 8000...
connect error: Connection refused
Resolving localhost for AF_INET...
Connecting to server localhost[127.0.0.1]: 8000...
Server returned 404:File Not Found
Failed to parse header.
Failed, exiting.
Resolving localhost for AF_INET6...
Connecting to server localhost[::1]: 8000...
connect error: Connection refused
Resolving localhost for AF_INET...
Connecting to server localhost[127.0.0.1]: 8000...
Server returned 404: File Not Found
No stream found to handle url http://localhost:8000/ice

Exiting... (End of file)
CC: (none) => tarazed25
The following 2 packages are going to be installed:

- icecast-2.4.4-1.mga6.x86_64
- perl-MP3-Info-1.240.0-7.mga6.noarch

437KB of additional disk space will be used.

$ uname -a
Linux localhost 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

I had to go in:
1. Add my id to the icecast group
2. from root user
# chmod g+w /var/log/icecast

to run it:
$ icecast -c /etc/icecast.xml
CC: (none) => brtians1
Created attachment 10515 [details] screen print and notes - openoffice format
Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0472.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED