Debian Bug report logs - #652663
CVE-2011-4612


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Mon, 19 Dec 2011 17:18:05 UTC

Severity: important

Tags: security

Fixed in versions icecast2/2.3.2-9+deb7u2, icecast2/2.3.3-1

Done: Jonas Smedegaard <dr@jones.dk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#652663; Package icecast2. (Mon, 19 Dec 2011 17:18:08 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Mon, 19 Dec 2011 17:18:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2011-4612
Date: Mon, 19 Dec 2011 18:17:04 +0100
Package: icecast2
Severity: important
Tags: security

Hi,
a minor vulnerability has been discovered in Icecast. Please see
https://bugs.launchpad.net/ubuntu/+source/icecast2/+bug/894782 for
details.

This is CVE-2011-4612, please mention it in the changelog.

This doesn't warrant a DSA. You can however fix it through a point
update:
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

Cheers,
        Moritz

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#652663; Package icecast2. (Tue, 12 Jun 2012 22:06:41 GMT)


Acknowledgement sent to Rücker Thomas <thomas.ruecker@tieto.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 12 Jun 2012 22:06:41 GMT)


Message #10 received at 652663@bugs.debian.org:

From: Rücker Thomas <thomas.ruecker@tieto.com>
To: <652663@bugs.debian.org>
Subject: CVE-2011-4612
Date: Wed, 13 Jun 2012 00:50:32 +0300
Hello, your friendly upstream here.

We just released Icecast 2.3.3 which addresses this issue.

Also for the record. It's fairly easy to spot those injection attempts 
by looking at the Icecast access log.

Cheers

Thomas
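Thomas's remark above, that the injection attempts stand out in the Icecast access log, is the one practical detection point in this thread. The script below is an added example written for this page; it is not code from Icecast, from the Debian package, or from anyone in the thread. It rests on two assumptions that the page itself does not state: the public CVE-2011-4612 description (\r\n sequences in a crafted request reaching the log unescaped), and an Icecast-style access-log layout of client, timestamp, request line, status, bytes, referer, user agent and duration, which I am taking from memory. The log lines are constructed for the demonstration.

```python
import re

# Assumed Icecast access-log layout (combined-log style; an assumption for this
# example, not taken from the Icecast source):
#   client - - [timestamp] "method path version" status bytes "referer" "user-agent" seconds
RECORD = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'(?P<duration>\d+)$'
)

# CR/LF either percent-encoded (%0d / %0a, any case) or as a raw control character.
CONTROL = re.compile(r'%0[dDaA]|[\x00-\x1f]')

# Constructed sample log: one clean record, one encoded attempt logged verbatim,
# and one successful injection where the decoded CR/LF split the record in two.
SAMPLE_LOG = (
    '203.0.113.7 - - [13/Jun/2012:00:50:32 +0300] "GET /stream.ogg HTTP/1.0" '
    '200 123456 "-" "VLC/2.0.1" 42\n'
    '198.51.100.9 - - [13/Jun/2012:00:51:10 +0300] '
    '"GET /stream.ogg%0d%0a127.0.0.1 - - [x] HTTP/1.0" 404 0 "-" "curl/7.21.6" 0\n'
    '198.51.100.9 - - [13/Jun/2012:00:52:03 +0300] "GET /stream.ogg\r\n'
    '127.0.0.1 - - [13/Jun/2012:00:00:00 +0300] "GET /admin/ HTTP/1.0" 200 0 "-" "-" 0'
    ' HTTP/1.0" 404 0 "-" "curl/7.21.6" 0\n'
)


def scan_access_log(text):
    """Return (line_number, reason, line) for every suspicious physical line.

    Splitting on '\\n' only keeps a stray '\\r' on its line so it stays visible.
    """
    findings = []
    for lineno, line in enumerate(text.split("\n"), 1):
        if not line.strip():
            continue
        match = RECORD.match(line)
        if match is None:
            # A truncated record, or a forged record followed by the tail of the
            # real one: the usual footprint of a decoded line break in the log.
            findings.append((lineno, "malformed record (possible injected line break)", line))
            continue
        for field in ("request", "referer", "agent"):
            if CONTROL.search(match.group(field)):
                findings.append((lineno, f"CR/LF sequence in {field} field", line))
                break
    return findings


if __name__ == "__main__":
    for lineno, reason, line in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {reason}: {line!r}")
```

Two signals are used. A line that does not fit the record layout at all is the footprint of a decoded CR/LF that split one record into a truncated one plus a forged one; percent-encoded or raw control characters inside the request, referer or user-agent field are an attempt that was logged verbatim instead of being decoded. Both are heuristics: a log written by a vulnerable server is itself attacker-influenced, so treat a hit as a lead to confirm against the listener connection records or a capture of the request, not as proof on its own.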




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#652663; Package icecast2. (Tue, 12 Jun 2012 23:06:03 GMT)


Acknowledgement sent to Jonas Smedegaard <dr@jones.dk>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 12 Jun 2012 23:06:03 GMT)


Message #15 received at 652663@bugs.debian.org:

From: Jonas Smedegaard <dr@jones.dk>
To: Rücker Thomas <thomas.ruecker@tieto.com>, 652663@bugs.debian.org
Subject: Re: Bug#652663: CVE-2011-4612
Date: Wed, 13 Jun 2012 01:02:37 +0200
Hi Thomas,

On 12-06-13 at 12:50am, Rücker Thomas wrote:
> Hello, your friendly upstream here.
> 
> We just released Icecast 2.3.3 which addresses this issue.
> 
> Also for the record. It's fairly easy to spot those injection
> attempts by looking at the Icecast access log.

Great. I am looking into updating the packaging now.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet architect
 * Tel.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#652663; Package icecast2. (Tue, 26 Jun 2012 15:39:07 GMT)


Acknowledgement sent to Rücker Thomas <thomas.ruecker@tieto.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 26 Jun 2012 15:39:07 GMT)


Message #20 received at 652663@bugs.debian.org:

From: Rücker Thomas <thomas.ruecker@tieto.com>
To: Jonas Smedegaard <dr@jones.dk>
Cc: "652663@bugs.debian.org" <652663@bugs.debian.org>
Subject: Re: Bug#652663: CVE-2011-4612
Date: Tue, 26 Jun 2012 18:36:56 +0300
Hi Jonas,

On 13/06/12 02:02, Jonas Smedegaard wrote:
> Hi Thomas,
>
> On 12-06-13 at 12:50am, Rücker Thomas wrote:
>> Hello, your friendly upstream here.
>>
>> We just released Icecast 2.3.3 which addresses this issue.
>>
>> Also for the record. It's fairly easy to spot those injection
>> attempts by looking at the Icecast access log.
> Great. I am looking into updating the packaging now.

Just wondering how the updated package is going.
Mainly as I hear there is a freeze coming to Debian.
Would be too bad to miss the window.

Cheers

Thomas




Reply sent to Jonas Smedegaard <dr@jones.dk>:
You have taken responsibility. (Mon, 23 Jul 2012 08:51:08 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 23 Jul 2012 08:51:08 GMT)


Message #25 received at 652663-close@bugs.debian.org:

From: Jonas Smedegaard <dr@jones.dk>
To: 652663-close@bugs.debian.org
Subject: Bug#652663: fixed in icecast2 2.3.3-1
Date: Mon, 23 Jul 2012 08:47:11 +0000
Source: icecast2
Source-Version: 2.3.3-1

We believe that the bug you reported is fixed in the latest version of
icecast2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 652663@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated icecast2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 23 Jul 2012 10:31:34 +0200
Source: icecast2
Binary: icecast2
Architecture: source amd64
Version: 2.3.3-1
Distribution: unstable
Urgency: low
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description: 
 icecast2   - streaming media server
Closes: 652050 652663
Changes: 
 icecast2 (2.3.3-1) unstable; urgency=low
 .
   [ upstream ]
   * New upstream bugfix release.
     + Allow the source password to be undefined. This is to avoid
       falling back to a default password which would be a security
       problem. Fixing #1846
     + Applied justdave's patches, fixing #1717 and #1718. HTTPS now with
       better security and support for chained certificates.
     + trunk/icecast/conf/icecast_minimal.xml.in: Updated <alias> to use
       destination="" not dest="". The old dest="" attribute is still
       supported.
     + Added 'admin' and 'location' to default config, thus fixing #1839.
     + Added VCLT playlist support.
     Closes: bug#652663, which fixes CVE-2011-4612.
 .
   [ Jonas Smedegaard ]
   * Setup git-import-orig to filter out debian subdir.
   * Drop patches 1002 and 1003, applied upstream.
   * Unfuzz patch 1001.
   * Avoid locally shipped CDBS snippets (but keep them included with
     source to minimize diff for freeze-exception inspection).
   * Add Brazilian Portuguese (pt_BR) localization.
     Closes: bug#652050. Thanks to Adriano Rafael Gomes.
   * Setup git-buildpackage to use wheezy branch.
Checksums-Sha1: 
 71a92164876b2c5b6294d316806767ac1ea8d2c2 2225 icecast2_2.3.3-1.dsc
 61cf1bd5b4ed491aad488dc6cf1ca2d8eb657363 1161774 icecast2_2.3.3.orig.tar.gz
 b2df5769f323083c7a1f2d6bc480b0fdd5a2fbe3 32502 icecast2_2.3.3-1.debian.tar.gz
 30097d9cf2f8e33af982b71c64be0cce7f5f7a77 328220 icecast2_2.3.3-1_amd64.deb
Checksums-Sha256: 
 218d5495ca3f9df4674d27649c19df950d4e182f76a638a7d277ea947cddae99 2225 icecast2_2.3.3-1.dsc
 1b1d06f5f83c9a983cd28cc78aa90e4038f933511b3d20d7fd2cfc116645c36d 1161774 icecast2_2.3.3.orig.tar.gz
 a49d3cf207c19f2385d979ba5c2fa912413727ac6c75bad54c059f0c2893d4f9 32502 icecast2_2.3.3-1.debian.tar.gz
 d4aa362c17c9744bd21ca5c16436d698bf6d19a230e92780951b6f8a0f636a9a 328220 icecast2_2.3.3-1_amd64.deb
Files: 
 cfb01fef13e4c9f9bde5029fa06aedf4 2225 sound optional icecast2_2.3.3-1.dsc
 2b5d1b40778922e5f6431b7758c359ad 1161774 sound optional icecast2_2.3.3.orig.tar.gz
 11c159523ab53ac086ee5e6c6fc1f1c3 32502 sound optional icecast2_2.3.3-1.debian.tar.gz
 0e0ccdedf0ecf1b8b6a3c76016ed186f 328220 sound optional icecast2_2.3.3-1_amd64.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#652663; Package icecast2. (Tue, 31 Jul 2012 12:00:05 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 31 Jul 2012 12:00:05 GMT)


Message #30 received at 652663@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 652663@bugs.debian.org
Subject: Re: CVE-2011-4612
Date: Tue, 31 Jul 2012 11:15:04 -0000
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/652663/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#652663; Package icecast2. (Thu, 06 Sep 2012 16:09:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Thu, 06 Sep 2012 16:09:03 GMT)


Message #35 received at 652663@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Rücker Thomas <thomas.ruecker@tieto.com>
Cc: Jonas Smedegaard <dr@jones.dk>, "652663@bugs.debian.org" <652663@bugs.debian.org>
Subject: Re: Bug#652663: CVE-2011-4612
Date: Thu, 6 Sep 2012 18:05:26 +0200
On Tue, Jun 26, 2012 at 06:36:56PM +0300, Rücker Thomas wrote:
> Hi Jonas,
>
> On 13/06/12 02:02, Jonas Smedegaard wrote:
>> Hi Thomas,
>>
>> On 12-06-13 at 12:50am, Rücker Thomas wrote:
>>> Hello, your friendly upstream here.
>>>
>>> We just released Icecast 2.3.3 which addresses this issue.
>>>
>>> Also for the record. It's fairly easy to spot those injection
>>> attempts by looking at the Icecast access log.
>> Great. I am looking into updating the packaging now.
>
> Just wondering how the updated package is going.
> Mainly as I hear there is a freeze coming to debian.
> Would be too bad to miss the window.

CVE-2011-4612 is still unfixed in Wheezy, only in unstable. Please either
ask the release managers to unblock 2.3.3 (unlikely at this time
in the freeze) or upload an isolated fix to testing-proposed-updates.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#652663; Package icecast2. (Sun, 16 Sep 2012 07:33:03 GMT)


Acknowledgement sent to Rücker Thomas <thomas.ruecker@tieto.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sun, 16 Sep 2012 07:33:03 GMT)


Message #40 received at 652663@bugs.debian.org:

From: Rücker Thomas <thomas.ruecker@tieto.com>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Jonas Smedegaard <dr@jones.dk>, "652663@bugs.debian.org" <652663@bugs.debian.org>
Subject: Re: Bug#652663: CVE-2011-4612
Date: Sun, 16 Sep 2012 10:11:49 +0300
On 06/09/12 19:05, Moritz Muehlenhoff wrote:
> On Tue, Jun 26, 2012 at 06:36:56PM +0300, Rücker Thomas wrote:
>> Hi Jonas,
>>
>> On 13/06/12 02:02, Jonas Smedegaard wrote:
>>> Hi Thomas,
>>>
>>> On 12-06-13 at 12:50am, Rücker Thomas wrote:
>>>> Hello, your friendly upstream here.
>>>>
>>>> We just released Icecast 2.3.3 which addresses this issue.
>>>>
>>>> Also for the record. It's fairly easy to spot those injection
>>>> attempts by looking at the Icecast access log.
>>> Great. I am looking into updating the packaging now.
>> Just wondering how the updated package is going.
>> Mainly as I hear there is a freeze coming to debian.
>> Would be too bad to miss the window.
> CVE-2011-4612 is still unfixed in Wheezy, only in unstable. Please either
> ask the release managers to unblock 2.3.3 (unlikely at this time
> in the freeze) or upload an isolated fix to testing-proposed-updates.

JFTR: We hurried out 2.3.3 still before the freeze so that it could
possibly make it into wheezy. Carrying a 4+ year old release that misses
numerous security and stability fixes is kind of impractical.
So far there have been no regressions or new bugs found in 2.3.3 and it
is a clean drop-in replacement for 2.3.2.

Cheers

Thomas



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 15 Oct 2012 07:27:07 GMT)


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 20 Apr 2013 05:24:08 GMT)


Marked as fixed in versions icecast2/2.3.2-9+deb7u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 20 Apr 2013 05:24:09 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 18 May 2013 07:31:43 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:43:42 2019; Machine Name: beach
