---
- branch: MAIN
  date: Tue Feb 9 07:02:54 UTC 2016
  files:
  - new: '1.60'
    old: '1.59'
    path: pkgsrc/audio/icecast/Makefile
    pathrev: pkgsrc/audio/icecast/Makefile@1.60
    type: modified
  - new: '1.22'
    old: '1.21'
    path: pkgsrc/audio/icecast/distinfo
    pathrev: pkgsrc/audio/icecast/distinfo@1.22
    type: modified
  - new: '1.11'
    old: '1.10'
    path: pkgsrc/audio/icecast/patches/patch-ab
    pathrev: pkgsrc/audio/icecast/patches/patch-ab@1.11
    type: modified
  id: 20160209T070254Z.5c56d60625bcf1830e0f4c52111ffd54f4ff315b
  log: |
    Changes 2.4.3:
    Fixes CVE-2005-0837.

    The vulnerability, identified as CVE-2005-0837, allows an attacker to
    access the raw XSLT template file by appending a dot "." to the URL.
    Due to the way how Windows handles file names ending with a dot, it only
    affects Icecast versions < 2.4.3 running on Windows. Icecast on other
    operating systems, like Linux, wasn't affected at any time by this issue.

    If you haven't modified the default XSLT files of a Windows installation,
    then no information disclosure of real value could have happened. We
    expect that most, of the comparatively few, Windows installations have
    unmodified template files and thus, while technically vulnerable, only
    expose those unmodified templates. To be clear, no runtime information
    can be accessed this way.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/audio/icecast'
  unixtime: '1455001374'
  user: adam