Bugzilla – Bug 907300
VUL-0: CVE-2014-9091: icecast: supplementary groups are not overridden
Last modified: 2015-02-19 07:03:54 UTC
It was found that when the UID and GID were changed in the <changeowner> section of the /etc/icecast.xml file, the supplementary groups were left in place. This could allow an attacker to escalate their privileges if the <changeowner> configuration was used.
The fix was added in version 2.4.0.
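As an added illustration of the bug class described above (not icecast's code and not the upstream patch), the following C sketch drops from root to a target UID/GID, resets the supplementary group list first, and then verifies the result. The function names `count_stale_groups`, `current_stale_groups` and `drop_privileges` and the sample group list are assumptions made for this example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes setgroups() in <grp.h> on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Count entries in a group list that differ from the target GID. */
int count_stale_groups(const gid_t *groups, int n, gid_t target)
{
    int stale = 0;
    for (int i = 0; i < n; i++)
        if (groups[i] != target)
            stale++;
    return stale;
}

/* Stale supplementary groups of the calling process, or -1 on error. */
int current_stale_groups(gid_t target)
{
    int n = getgroups(0, NULL);
    if (n <= 0)
        return n;
    gid_t *list = malloc((size_t)n * sizeof *list);
    if (list == NULL)
        return -1;
    n = getgroups(n, list);
    int stale = (n < 0) ? -1 : count_stale_groups(list, n, target);
    free(list);
    return stale;
}

/* Drop from root to uid/gid: groups first, then GID, then UID. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getegid() != gid || geteuid() != uid || current_stale_groups(gid) != 0)
        return -1;                      /* verify instead of assuming */
    return (uid != 0 && setuid(0) == 0) ? -1 : 0;  /* root must be gone */
}

int main(void)
{
    gid_t inherited[] = {0, 4, 27};     /* constructed sample group list */
    printf("sample: %d stale\n", count_stale_groups(inherited, 3, 1000));
    printf("this process: %d stale\n", current_stale_groups(getgid()));
    return 0;
}
```

`setgroups()` needs CAP_SETGID, so it has to run before `setuid()`; calling only `setgid()` and `setuid()` leaves the group list inherited from the root process in place, which is the condition this bug describes.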
This is an autogenerated message for OBS integration:
This bug (907300) was mentioned in
https://build.opensuse.org/request/show/263121 12.3 / icecast
https://build.opensuse.org/request/show/263122 13.1 / icecast
I submitted the fixed packages to openSUSE 12.3 and 13.1.
oS 13.2 already has icecast 2.4.0, and SLE doesn't contain this package.
openSUSE-SU-2014:1591-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 906538,907300
CVE References: CVE-2014-9018,CVE-2014-9091
openSUSE 13.1 (src): icecast-2.3.3-2.12.1
openSUSE 12.3 (src): icecast-2.3.2-72.4.1