
2015-10-13 18:02:10 UTC MAIN

Update to 0.6.0.  Changes:

* This release contains a SECURITY FIX for a command injection vulnerability
  that was found and reported by Alexandre Rebert:

  The previous handling of metadata placeholders allowed for arbitrary shell
  commands to be trivially injected and executed as the ezstream user, via
  malicious media files.

* This release requires users to ADJUST their CONFIGURATION:

  To protect against the injection vulnerability above, metadata is now
  properly quoted and escaped from the shell. This means that any extra
  quoting must be removed from configuration files.

  Remove all quoting from metadata placeholders in <encode/> and <decode/>
  commands, e.g. replace "@M@" with @M@, and "@T@" with @T@, etc. Without
  these changes, stream metadata will look wrong and the injection
  vulnerability may be re-introduced.

(shattered)
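
An added example, not part of the commit or of ezstream's code: a Python check that flags metadata placeholders still wrapped in quotes in an encode/decode command, and shows the words a shell parses once escaped metadata is substituted. `shlex.quote` stands in for ezstream's escaping routine (an assumption), and the `encoder` command lines and metadata value are constructed.

```python
import re
import shlex

PLACEHOLDER = re.compile(r"@[A-Za-z]@")  # @M@, @T@, etc.


def quoted_placeholders(command):
    """Return placeholders that sit inside '...' or "..." in a command."""
    found, quote, i = [], None, 0
    while i < len(command):
        ch = command[i]
        if ch == "\\" and quote != "'":      # backslash escapes next char
            i += 2
            continue
        if ch in "\"'" and quote in (None, ch):
            quote = None if quote else ch    # open or close a quoted span
        elif quote and PLACEHOLDER.match(command, i):
            found.append(command[i:i + 3])
            i += 2
        i += 1
    return found


def render(command, values):
    """Substitute shell-escaped metadata into a command template.

    Assumption: shlex.quote() stands in for ezstream's own escaping.
    """
    return PLACEHOLDER.sub(lambda m: shlex.quote(values[m.group()]), command)


def shell_words(command, values):
    """Words a POSIX shell would parse from the rendered command."""
    return shlex.split(render(command, values))


# Constructed sample: hypothetical encoder command lines and metadata.
OLD_STYLE = 'encoder --title "@M@" -'   # pre-0.6.0 habit: quoted placeholder
NEW_STYLE = 'encoder --title @M@ -'     # what 0.6.0 asks for
META = {"@M@": "Rock 'n' Roll"}

if __name__ == "__main__":
    for cmd in (OLD_STYLE, NEW_STYLE):
        print(quoted_placeholders(cmd), shell_words(cmd, META))
```

With the quoted template the title arrives carrying stray quote characters, and the `n` between the apostrophes is parsed outside any quoting; with the bare placeholder the shell sees the title as one intact word.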