Bugzilla – Bug 907300
VUL-0: CVE-2014-9091: icecast: supplementary groups are not overridden
Last modified: 2015-02-19 07:03:54 UTC
rh#1168146

It was found that when the UID and GID were changed in the <changeowner> section of the /etc/icecast.xml file, the supplementary groups were left in place. This could allow an attacker to escalate their privileges if the <changeowner> configuration was used. The fix was added in version 2.4.0.

References:
http://icecast.org/news/icecast-release-2_4_0/
https://trac.xiph.org/changeset/19137/
http://seclists.org/oss-sec/2014/q4/802
https://bugzilla.redhat.com/show_bug.cgi?id=1168146
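An added illustration of the flaw described in the report above, not the Icecast patch and not code from this page: a privilege drop that replaces the inherited supplementary group list before changing GID and UID, then audits the result. The function names and the sample group IDs are constructed for this example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Count entries in a supplementary group list that differ from the target GID.
 * A non-zero count after a privilege drop is the condition this bug describes. */
int leftover_groups(const gid_t *groups, int n, gid_t target_gid)
{
    int extra = 0;
    for (int i = 0; i < n; i++)
        if (groups[i] != target_gid)
            extra++;
    return extra;
}

/* Audit the calling process; returns -1 if the list cannot be read. */
int leftover_groups_now(gid_t target_gid)
{
    gid_t groups[256];              /* assumed large enough for this example */
    int n = getgroups(256, groups);
    if (n < 0)
        return -1;
    return leftover_groups(groups, n, target_gid);
}

/* Order matters: group list first, then GID, then UID. Once the UID is no
 * longer root, setgroups() and setgid() are refused. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0) return -1;   /* replace the inherited list */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify the result instead of trusting the return codes alone. */
    return leftover_groups_now(gid) == 0 ? 0 : -1;
}

int main(void)
{
    /* Constructed sample: a list a daemon started by root might inherit. */
    gid_t inherited[] = {0, 4, 27, 1001};
    printf("leftover in sample: %d\n", leftover_groups(inherited, 4, 1001));
    printf("leftover in this process: %d\n", leftover_groups_now(getgid()));
    return 0;
}
```

A process that only calls setgid() and setuid() keeps every group in the inherited list, which is why the audit step checks the list that getgroups() reports after the drop.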
This is an autogenerated message for OBS integration:
This bug (907300) was mentioned in
https://build.opensuse.org/request/show/263121 12.3 / icecast
https://build.opensuse.org/request/show/263122 13.1 / icecast
I submitted the fixed packages to openSUSE 12.3 and 13.1. oS 13.2 already has icecast 2.4.0, and SLE doesn't contain this package.
openSUSE-SU-2014:1591-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 906538,907300
CVE References: CVE-2014-9018,CVE-2014-9091
Sources used:
openSUSE 13.1 (src): icecast-2.3.3-2.12.1
openSUSE 12.3 (src): icecast-2.3.2-72.4.1