* Sun Dec 17 2017 avindra@opensuse.org
- update to version 2.4.3:
* Fixes Windows only vulnerability (CVE-2005-0837), where an
attacker could access the raw XSLT template file by appending a
dot “.” to the URL. To be clear, no runtime information could be
accessed this way.
- cleanup spec file with spec-cleaner
- fix bad line endings warning in CSS file
- rebase icecast-fix-no-add-needed.patch
- replace PreReq statements with Requires(pre)
* Wed Apr 08 2015 tiwai@suse.de
- update to version 2.4.2:
Fix crash when URL Auth is used with stream_autho without
credentials (bnc#926402)
* Mon Jan 19 2015 p.drouand@gmail.com
- Remove sysvinit support as the package now build only for systems
with systemd support
- Add a backward rc compatibility symlink to systemd service file
- Only require systemd-rpm-macros to build; no need to require
entire systemd environment
- Clean up specfile
* Tue Nov 25 2014 tiwai@suse.de
- updated to version 2.4.1:
* Fixes in logging, <auth> in default mounts, JSON status API
* SSL Security improvements:
* Handle empty strings in config file better
* Require Content-Type header for PUT requests
* Fix possible leak of on-connect scripts (CVE-2014-9018,bnc#906538)
More details, see http://icecast.org/news/icecast-release-2_4_1/
- Remove obsoleted patch:
icecast-2.4.0-produce-valid-json.patch
- Change doc subpackage to noarch
- Spec file cleanup
* Sat Nov 22 2014 fisiu@opensuse.org
- Add icecast-mp3-frame-validation.patch: validate mp3 frame.
* Fri Nov 14 2014 fisiu@opensuse.org
- Add icecast-2.4.0-produce-valid-json.patch: produce valid json status,
fix boo#905468.
* Sun Nov 09 2014 Led <ledest@gmail.com>
- fix bashisms in pre script
* Tue May 20 2014 mail@davykager.nl
- Update to version 2.4.0:
* Support for WebM video
* Support for Opus audio in Ogg
* Fixes for some race conditions
* Allow (standard strftime(3)) %x codes in <dump-file>. Disabled for win32.
* Dropped debian packaging directory as debian use their own.
- Disable Gentoo patches because they have no effect on the OBS builds.
icecast-2.3.3-libkate.patch (has no effect on automated builds)
icecast-2.3.3-fix-xiph_openssl.patch (spec file guarantees openssl exists)
- Rebase icecast-fix-no-add-needed.patch for version 2.4.0.
* Tue Feb 11 2014 tiwai@suse.de
- Remove the obsoleted icecast-2.3.2-CVE-2011-4612.diff that leads
to invalid access to freed memory (bnc#862096)
* Fri Nov 29 2013 pascal.bleser@opensuse.org
- remove dependency to syslog.target in icecast.service, as it doesn't exist
any more, see bnc#852314
* Wed Jun 05 2013 pascal.bleser@opensuse.org
- update to 2.3.3:
* security:
+ Improved HTTPS cipher handling and added support for chained certificates.
+ Allow the source password to be undefined. There was a corner case, where
a default password would have taken effect. It would require the admin to
remove the 'source-password' from the icecast config to take effect. Default
configs ship with the password set, so this vulnerability doesn't trigger
there.
+ Prevent error log injection of control characters by substituting
non-alphanumeric characters with a '.' (CVE-2011-4612). Injection attempts
can be identified via access.log, as that stores URL encoded requests.
Investigation if further logging code needs to have sanitized output is
ongoing.
* bugfixes:
+ On-demand relaying - Reject listeners while reconnecting. Fix stats for
relays without mount section.
+ Prevent too frequent YP updates.
+ Only allow raw metadata updates from same IP as connected source (unless
user is admin). This addresses broken client software that issues updates
without being connected.
+ Minor memory leaks
+ XSPF file installation
+ Fix case of global listeners count becoming out of sync.
+ Setting an interval of 0 in mount should disable shoutcast metadata inserts.
* authentication:
+ Sources can now be authenticated via URL, like listeners. Post info is
"action=stream_auth&mount=/stream&ip=IP&server=SERVER&port=8000&user=fred&pass=pass"
As admin requests can come in for a stream (eg metadata update) these
requests can be issued while stream is active. For these &admin=1 is added to
the POST details.
* XSL update:
+ automatically generate VCLT playlist like we do with M3U, the mountpoint
extension is .vclt
- package updates:
* add systemd service file
* add logrotate configuration
* add Gentoo patches
* set pidfile directive in default config file to make it work with
systemd
* split out HTML documentation into -doc subpackage
* Tue Jan 22 2013 jw@suse.com
- nuked %make_install to make SLES11 SP2 happy.
* Mon Nov 19 2012 dimstar@opensuse.org
- Fix useradd invocation: -o is useless without -u and newer
versions of pwdutils/shadowutils fail on this now.
* Mon Mar 05 2012 tiwai@suse.de
- Fix VUL-1: icecast log injection (CVE-2011-4612, bnc#737255)
* Sat Oct 15 2011 coolo@suse.com
- add libtool as buildrequire to make the spec file more reliable
* Mon Aug 29 2011 crrodriguez@opensuse.org
- Fix build with --no-add-needed
- Enable SSL support.
* Wed Jun 18 2008 tiwai@suse.de
- updated to version 2.3.2:
* Character set support
* Authentication improvements
* Listening socket update
* XSL update
* Updates for stream directory handling.
* Updates for Win32.
* Accept/Ban IP support.
* A Mountpoint is exported to the slaves even if no mount
section is defined for it.
* Relays handle redirection (HTTP 302) if one is received at
startup.
* Automatically generate XSPF playlist like we do with M3U, the
mountpoint extension is .xspf
* Header updates for proxy handling and certain clients like
some shoutcast source clients and flash players.
* Added Kate/Skeleton codecs to Ogg handler.
* Various stats cleanups.
* The streamlist passed from master to slave had a limited
length
* Documentation updates.
* Relay startup/shutdown is cleaner.
* several build cleanups.
* several resource leaks and race conditions fixed
* Fri Feb 02 2007 mmarek@suse.cz
- fix build with curl-7.16
- fixed more comparison with string literals by using static char*
variables instead of #defines to string constans to detect
whether a default or malloced value is used
* Tue Dec 19 2006 tiwai@suse.de
- fix comparison of string literal in cfgfile.c (#226380).
* Wed Oct 11 2006 tiwai@suse.de
- added icecast-2.3.1_runas_icecast_user.patch:
run icecast as "icecast" user and group by default
- added init script
- added log/home dir to the fileist
- dont run suse_update_config/autoreconf seems unneeded.
(tested with the buildservice on 10.0->Factory)
- replaced manual configure call with %configure