About Icecast 2
Icecast is a streaming media (audio/video) server which currently supports
Ogg (Vorbis and Theora), Opus, WebM and MP3 streams.
It can be used to create an Internet radio station or a privately
running jukebox and many things in between.
It is very versatile in that new formats can be added
relatively easily and supports open standards for communication and
Icecast is distributed under the GNU GPL, version 2.
Icecast Release 2.4.4
We released a new version of Icecast. It is a security release and we recommend to update all Icecast installations of versions below 2.4.4 to it.
A summary of the changes is listed below, for details please refer
to the ChangeLog
The Xiph.org package repositories have been updated already. Most distributions should start shipping updated Icecast versions soon.
All issues have been also addressed in our development master branch. We plan to ship a 2.5 beta 3 in the near future.
- Fix buffer overflows in URL auth code, [CVE-2018-18820]. #2342
- This security issue affects all Icecast servers running version 2.4.0, 2.4.1, 2.4.2 or 2.4.3 if there is a “mount” definition that enables URL authentication.
- A malicious client could send long HTTP headers, leading to a buffer overflow and potential remote code execution.
- The problematic code was introduced in version 2.4.0 and was now brought to our attention by Nick Rolfe of Semmle Security Research Team
- Worked around buffer overflows in URL auth’s cURL interface.
- We currently do not believe that this issue is exploitable. It would require a malicious URL authentication back end server to send a crafted payload and make it through libcURL.
- If someone manages, please let us know.
- Do not report hashed user passworts in user list. There is no practical reason to show this to the administrator and it improves security.
- Fixed segfault in htpasswd auth if no filename is set
- Fixed a segfault when xsltApplyStylesheet() returns error
- Do not segfault on malformed Opus streams
- Global listener count could be negative under certain circumstances. Thanks a lot to Simeon Völkel (0xBD4E031CDB4043C9) for reporting and investigating the bug.
- Added code to announce Opus streams as such towards yp servers.
Icecast Release 2.5 beta2
We are pleased to announce Icecast 2.5 beta2 (22.214.171.124).
This is a beta release and not recommended for production use.
- Add support for HTTP PUT, including chunked encoding support
- Improve TLS support including additional options, on the fly certificate reload, RFC2817-mode, and TLS and non-TLS connections on same port
- Improve WebM support
- HTTP Keep-Alive support
- New error handling and better HTTP status codes in error cases
- Improved HTTP headers returned by Icecast
<admin> tag content to YP servers - provides contact information for directory operators
- Web Interface/API:
- Add support for Opus metadata in web/stats interface
- List last played songs in web/stats interface
- Add support for xsl includes from the admin directory
protocol to listener client stats XML
opmode (operation mode)
- Add support for config reload from the admin interface
- Add new tag
<tls-context> with childs
- Add new
<shoutcast-user> tag to specify the username that is used for SHOUTcast sources
<mime-types> to the
<mp3-metadata-interval> tag to
<kartoffelsalat> tag to
ssl tags (
- HTTP PUT now supports chunked encoding
- HTTP PUT with
Expect: 100-Continue now sends the
200 status as expected at the end of transmission, not right after the
- Fix login problems for admin user, if default mount had auth defined
- Fix that in some cases stats JSON would be malformed
- Fix that the JSON exposed listener details if queried with a specific mountpoint
- Fix segfault on some bad opus streams
- Fix segfaults due to empty strings in config
- Fix fetching of streamlist (for relaying) from HTTP/1.1 servers
- Fix information disclosure CVE that allowed to view the source of a xsl file by appending a
. to it, when using Icecast on Windows (#2248)
- YP and m3u playlists do not use the
https scheme for URLs when using TLS