[Icecast] Icecast 2.3.3 released

Rücker Thomas thomas.ruecker at tieto.com
Mon Jun 11 19:55:17 UTC 2012


This is to announce the release of Icecast 2.3.3

It's been almost to the day 4 years that 2.3.2 was released,
but all good things have to come to an end.
So here's a new Icecast release. Let's hope it is as stable as 2.3.2 was.

2.3.3 is mainly a bug fix release with a couple of new items that may be
of interest to a few of you. Even if the new features are not of
interest, it is still highly recommended that you update to 2.3.3.

The source code can be downloaded here:

http://downloads.xiph.org/releases/icecast/icecast-2.3.3.tar.gz
SHA1: 61cf1bd5b4ed491aad488dc6cf1ca2d8eb657363
MD5:  2b5d1b40778922e5f6431b7758c359ad


A non-exhaustive summary of the changes follows:

- Security
We fixed 3 security issues.
  - Improved HTTPS cipher handling and added support for chained certificates.
  - Allow the source password to be undefined.
    There was a corner case, where a default password would have taken effect.
    It would require the admin to remove the 'source-password' from the Icecast
    config to take effect. Default configs ship with the password set, so this
    vulnerability doesn't trigger there.
  - Prevent error log injection of control characters
    by substituting non-alphanumeric characters with a '.' (CVE-2011-4612).
    Injection attempts can be identified via access.log, as that stores
    URL encoded requests. Investigation if further logging code needs to have
    sanitized output is ongoing.

- Bugfixes
  - On-demand relaying -
     Reject listeners while reconnecting.
     Fix stats for relays without mount section.
  - Prevent too frequent YP updates.
  - Only allow raw metadata updates from same IP as connected source
    (unless user is admin). This addresses broken client software that issues
    updates without being connected.
  - Minor memory leaks
  - XSPF file installation
  - Fix case of global listeners count becoming out of sync.
  - Setting an interval of 0 in mount should disable Shoutcast metadata inserts.

- Authentication
  - Sources can now be authenticated via URL, like listeners. Post info is:
    action=stream_auth&mount=/stream&ip=IP&server=SERVER&port=8000&user=fred&pass=pass
    As admin requests can come in for a stream (e.g. metadata update), these
    requests can be issued while the stream is active. For these, &admin=1 is added
    to the POST details.

- XSL update
  - Automatically generate VCLT playlist like we do with M3U, the mount-point
    extension is .vclt

- Documentation updates


Known problems:
Win32 build and installer not available at release time. Will be provided ASAP.
IPv6 on Win32 will not work.


Unless there are grave bugs or security issues,
the aim is to have a major release next.
In the pipeline is among other things WebM streaming.


Thomas B. Ruecker
on behalf of the Icecast Development Team
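
The access.log check mentioned under CVE-2011-4612, as an added example that is not part of the original announcement and is not Icecast code. It assumes an Apache-style access.log line with the request in the first quoted field; the sample lines are constructed and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Assumption: Apache-style line, request is the first quoted field.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"')
# Percent-encoded C0 control characters and DEL (%00-%1F, %7F).
ENCODED_CTRL_RE = re.compile(r'%(?:[01][0-9A-Fa-f]|7[Ff])')

# Constructed sample lines (documentation IP ranges), not real log data.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Jun/2012:19:55:17 +0000] "GET /stream.ogg HTTP/1.1" 200 48213 "-" "ExamplePlayer/1.0" 12',
    '198.51.100.7 - - [11/Jun/2012:19:56:02 +0000] "GET /missing%0d%0aforged-line HTTP/1.0" 404 106 "-" "-" 0',
    '192.0.2.10 - - [11/Jun/2012:19:57:40 +0000] "GET /admin/stats.xml HTTP/1.1" 401 0 "-" "ExamplePlayer/1.0" 0',
    '198.51.100.7 - - [11/Jun/2012:19:58:11 +0000] "GET /x%1b%5B2J HTTP/1.0" 404 106 "-" "-" 0',
]

def sanitize_for_log(text):
    """Replace every non-alphanumeric character with '.', the substitution
    the announcement describes for error log output."""
    return "".join(c if c.isascii() and c.isalnum() else "." for c in text)

def find_injection_attempts(lines):
    """Return (line_no, client_ip, encoded_controls, safe_decoded_uri) for
    each request whose URI carries percent-encoded control characters."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed layout
        controls = [c.upper() for c in ENCODED_CTRL_RE.findall(m.group("uri"))]
        if controls:
            # Decode for the analyst, then sanitize so the report itself
            # cannot carry the control characters into a terminal or log.
            safe = sanitize_for_log(unquote(m.group("uri")))
            hits.append((line_no, m.group("ip"), controls, safe))
    return hits

if __name__ == "__main__":
    for line_no, ip, controls, safe in find_injection_attempts(SAMPLE_LOG):
        print(f"line {line_no}: {ip} sent {','.join(controls)} -> {safe}")
```

Double-encoded sequences such as %250a are not flagged, since they do not decode to a control character in a single pass.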



