Icecast 2.4.3 Docs — Changes
Version 2.4.3
Fixes
- Security fix: Windows - remove trailing dots in URI.
A quirk in the Windows API made it possible to request the raw stylesheet file from webroot. Only XSLT files are affected, no internal state data is available this way.
This addresses CVE-2005-0837 (sic!), which was sadly ignored after the initial ticket got closed erroneously.
- Expected impact is low: most installations run with default XSLT files and there is nothing new to be learned in such a case. Also a majority of production Icecast servers don't run on Windows to start with.
- Linux/Unix installations were never affected, this is a Windows only release!
Known issues
Version 2.4.2
Fixes
- Security fix: Do not crash if URL Auth is used with stream_auth.
Known issues
Version 2.4.1
Fixes
- Fixed cross-corruption of file descriptors by on-connect/on-disconnect scripts, specifically STDIN, STDOUT and STDERRR vs TCP connections.
- We actually close not just 0, 1 and 2, but the first 1024 FDs, which seems common trade-off practice, but still not ideal. A more thorough fix will need platform specific logic and significant work.
- The STDIN/OUT/ERR problem is fixed reliably, but other problems could occur if both the script and the server use FDs >1024 at the same time
- This is now reasonably safe, but care should be exercised nevertheless.
- Disabled SSLv3 and SSL compression explicitly to improve security
- Updated the default ciphers to be more secure
- Fixed JSON status API problems
- Put the XSLT last item check into every filtered tag.
- This way we shouldn’t run into problems of this type anymore.
- Also it should be easier to customize the XSLT this way, if someone wants to filter differently.
- Fixed
<auth>
in <mount type="default">
to work properly.
- Fixed listener connection duration logging in access.log. Regression was introduced for only some platforms by an earlier security fix.
- Fixed time zone reporting in _iso8601 fields on Windows.
- added warnings on empty and default values of
<fileserve>
, <hostname>
, <location>
, <admin>
and <server-id>
- send errorlog (loglevel WARN) to stderr prior to opening logfiles.
- Fixed handling of empty strings in config file. Now empty strings are handled in: accesslog, errorlog, logdir, webroot, adminroot and hopefully all kinds of port.
- Be more verbose in case of fileserve off. People disable fileserve and then wonder why the web interface CSS breaks.
- More details in log messages
- Add source IP adress to startup and source exit logging
- Add mountpoint to some log lines
- Updated the config file to avoid common pitfalls and make some things more obvious.
- Fixed some compiler warnings
- Fixed autogen.sh to work properly on Mac OS
- Fixed JSON access by adding support for global and mount specific custom HTTP headers.
- The purpose is to fix JSON access from browsers, by supporting basic CORS use cases. This is both important for some HTML5
<audio>
or <video>
use cases and accessing the JSON status API.
- The default icecast config contains the very permissive global header: <header name="Access-Control-Allow-Origin" value="*" />
Known issues
- HTTP PUT implementation currently doesn’t support chunked encoding yet.
- HTTP PUT with “Expect: 100-Continue” receives first a “100” and soon after a “200”, instead of the “200” at the end of transmission.
- Caution should be exercised when using
<on-connect>
or <on-disconnect>
, as there is a small chance of stream file descriptors being mixed up with script file descriptors, if the FD numbers go above 1024. This will be further addressed in the next Icecast release.
- Don’t use comments inside
<http-headers>
as it will prevent processing of further <header>
tags.
Version 2.4.0
New Features
- Support for Ogg Opus streams
- Support for WebM streams
- HTTP 1.1 PUT support for source connections. Deprecating SOURCE method
- Default mount
This allows you to define a global set of defaults for ALL mounts. This way you can use e.g. url-auth for sources and or listeners also for dynamically generated mounts.
- Web interface redone
- Web output properly redone, credit to ePirat
- Added
<audio>
element for supported audio streams
- Now validates completely as XHTML1.0 strict
- Also improves rendering on mobile devices
- Added basic JSON API (
/status-json.xsl
) based on a xml2json template by Doeke Zanstra (see xml2json.xslt
). Output is roughly limited to data also visible through status.xsl
- Send charset in HTTP headers for everything, excluding file-serv and streams
- Allow (standard strftime(3))
%x
codes in <dump-file>
. Disabled for Win32
- Added
stream_start_iso8601
, server_start_iso8601
to statitics. ISO8601 compliante timestamps for statistics. Should make usage in e.g. JSON much easier. Added as new variables to avoid breaking backwards compatibility
- Now compiles for Win32 using mingw
- Added options
headers
and header_prefix
to URL based listener auth
- Updated
listener_remove
handler, added ip=
and agent=
- Allow full URLs to be returned by the master server
Fixes
- Security fix: Override supplementary groups if is used
- Fixes for some race conditions
- Dropped debian packaging directory as debian use their own.
- Send proper HTTP headers in responses to clients.
- Corrected Content-Length: header in admin (raw) requests. Thanks to paluh for reporting.
- Escape log entries in access log
- Fixed a memory leak. Lost headers of stream because of wrong ref counter in associated refbuf objects.
- Avoid memory leak in
_parse_mount()
when type
-attribute is set
- Updated web interface to be XHTML compliant.
- Removed
status2.xsl
from release. It was only a broken example file anyway.
Known issues
- Will crash if certain config tags are left empty