CVE-2015-3026: Null Pointer Dereference
First published: Wed Apr 08 2015(Updated: )
Icecast before 2.4.2, when a stream_auth handler is defined for URL authentication, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a request without login credentials, as demonstrated by a request to "admin/killsource?mount=/test.ogg."
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Xiph Icecast | <=2.4.1 | |
| Debian Debian Linux | =8.0 | |
| openSUSE openSUSE | =13.1 | |
| openSUSE openSUSE | =13.2 | |
| debian/icecast2 | <=2.3.3-1<=2.4.0-1.1 | 2.4.2-1 2.4.0-1.1+deb8u1 |
| debian/icecast2 | 2.4.4-4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163859.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164061.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164074.html
- http://lists.opensuse.org/opensuse-updates/2015-04/msg00030.html
- http://lists.xiph.org/pipermail/icecast-dev/2015-April/002460.html
- http://www.debian.org/security/2015/dsa-3239
- http://www.openwall.com/lists/oss-security/2015/04/08/11
- http://www.openwall.com/lists/oss-security/2015/04/08/8
- http://www.securityfocus.com/bid/73965
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782120
- https://security.gentoo.org/glsa/201508-03
- https://trac.xiph.org/changeset/27abfbbd688df3e3077b535997330aa06603250f/icecast-server
- https://trac.xiph.org/ticket/2191
- http://127.0.0.1/bla"/
- http://<servername>:8000/admin/killsource?mount=/test
- https://security-tracker.debian.org/tracker/CVE-2015-3026
- https://www.openwall.com/lists/oss-security/2015/04/08/8
- agent/type
- agent/first-publish-date
- agent/references
- agent/author
- agent/weakness
- agent/severity
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- collector/debian-bugs
- source/Debian
- alias/CVE-2015-3026
- agent/software-canonical-lookup
- collector/security-tracker-debian
- agent/tags
- vendor/xiph
- canonical/xiph icecast
- version/xiph icecast/2.4.1
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- vendor/opensuse
- canonical/opensuse opensuse
- version/opensuse opensuse/13.1
- version/opensuse opensuse/13.2
- package-manager/debian