Date:         Tue, 13 Mar 2001 18:18:28 -0500
From: John Viega <viega@LIST.ORG>
Subject:      More Icecast remote vulnerabilities
To: BUGTRAQ@SECURITYFOCUS.COM

Following the announcement yesterday about buffer overflow
vulnerabilities in Icecast, Andreas Hasenack
<andreas@conectiva.com.br> identified several more likely buffer
overflow vulnerabilities.  Matt Messier <mmessier@prilnari.com> took a
look, and determined that at least some of them are definitely
remotely exploitable.

Like the last round of vulnerabilities, these problems affect all
Icecast users.  The Icecast team has released version 1.3.10 to
correct these new problems.  Everyone using Icecast should upgrade
immediately.  The dist is available from www.icecast.org.

Also, to clarify, Icecast 1.3.9 not only fixed several buffer overflows
we discovered, but it also (finally) fixed the format string
vulnerabilities that were announced here on bugtraq in January.

Finally, I'd like to encourage qualified people to seriously audit
Icecast (in particular, their forthcoming 2.0 version).  It's a widely
used piece of free software that hasn't had the benefit of that kind
of expert scrutiny yet.  Even though we looked at the code a bit, we
(unfortunately) do not have the time for a full audit.  The
development team is full of great people who are very humble, and
they'd appreciate any help that the community has to offer.

John