Icecast is a streaming media (audio/video) server which currently supports
Ogg (Vorbis and Theora), Opus, WebM and MP3 streams.
It can be used to create an Internet radio station or a privately running jukebox and many things in between. It is very versatile: new formats can be added relatively easily, and it supports open standards for communication and interaction.
Icecast is distributed under the GNU GPL, version 2.
PSA: The GPG signing key for the official Xiph.org package repositories on the openSUSE Open Build Service has changed:
    pub   rsa2048 2017-11-21 [SC] [expires: 2020-01-30]
          0E313DB7936B4E76E720065B77EC2301F23C6AA3
    uid   multimedia OBS Project <firstname.lastname@example.org>
The old key was DSA1024 and didn’t allow SHA256 signatures, only SHA1, which are being phased out right now. So to avoid future problems we approached the maintainer for the whole multimedia project to replace its signing key. This has now taken place and the multimedia:xiph subproject has rebuilt its repositories to have all of them signed by the new key.
We also host an independent copy of the public key for your convenience: https://icecast.org/multimedia-obs.key
We released a new version of Icecast last week. It is a Windows-only release and addresses a security issue recently brought to our attention.
It turns out, embarrassingly, that this issue was previously raised on a security mailing list in 2005 and assigned CVE-2005-0837. A ticket (#635) was even created at that time, once this posting was noticed by an Icecast project member. Sadly, the original report was terse, the issue couldn’t be readily reproduced, and the ticket was subsequently closed.
We were recently contacted about this issue and this time were provided with details about the environment it occurred in. This allowed us to identify it as a Windows-only issue.
The vulnerability, identified as CVE-2005-0837, allows an attacker to access the raw XSLT template file by appending a dot “.” to the URL. Because of the way Windows handles file names ending with a dot, it only affects Icecast versions < 2.4.3 running on Windows. Icecast on other operating systems, like Linux, was never affected by this issue. If you haven’t modified the default XSLT files of a Windows installation, then no information disclosure of real value could have happened. We expect that most of the comparatively few Windows installations have unmodified template files and thus, while technically vulnerable, only expose those unmodified templates. To be clear, no runtime information can be accessed this way.
If you modified the templates and they contain sensitive information, you should assume that a third party could have accessed them. We’re sorry that this issue went unresolved for such a long time.
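For administrators of an affected Windows installation with modified templates, the following added example (not code from the Icecast project) scans access-log lines for requests whose decoded path ends in .xsl followed by one or more dots. The log layout, the sample lines and the reading of a 200 status as "template returned" are assumptions made for illustration; matching a percent-encoded dot goes slightly beyond the case described above.

```python
import re
from urllib.parse import unquote

# Assumed layout: Common Log Format style line (client, timestamp, request, status).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# Decoded path naming an XSLT file followed by one or more trailing dots.
TRAILING_DOT_XSL = re.compile(r"\.xsl\.+$", re.IGNORECASE)


def template_fetches(lines):
    """Return (client, timestamp, decoded_path, status) per trailing-dot .xsl request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed layout
        # Drop the query string, then decode so "%2E" is treated like ".".
        path = unquote(m.group("target").split("?", 1)[0])
        if TRAILING_DOT_XSL.search(path):
            hits.append((m.group("client"), m.group("ts"), path, int(m.group("status"))))
    return hits


def exposed(hits):
    """Hits answered with 200 (assumption: the raw template body was returned)."""
    return [h for h in hits if h[3] == 200]


# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jan/2018:10:01:02 +0000] "GET /status.xsl HTTP/1.1" 200 4312 "-" "Mozilla/5.0" 0',
    '198.51.100.7 - - [12/Jan/2018:10:05:40 +0000] "GET /status.xsl. HTTP/1.1" 200 2875 "-" "curl/7.55.1" 0',
    '198.51.100.7 - - [12/Jan/2018:10:05:44 +0000] "GET /server_version.xsl%2E?probe=1 HTTP/1.1" 404 0 "-" "curl/7.55.1" 0',
    '203.0.113.5 - - [12/Jan/2018:10:06:00 +0000] "GET /stream.ogg HTTP/1.1" 200 102400 "-" "VLC/2.2.6" 35',
]

if __name__ == "__main__":
    found = template_fetches(SAMPLE_LOG)
    for client, ts, path, status in found:
        print(f"{ts} {client} {path} -> {status}")
    print(f"{len(exposed(found))} request(s) answered with 200")
```

Any 200 hit from a client you do not recognise is a reason to treat the contents of that template as disclosed.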