Change logs for icecast2 source package in Utopic

icecast2 (2.3.3-2ubuntu1.14.10.1) utopic-security; urgency=high

  * SECURITY UPDATE: Denial of service vulnerability.
    - d/p/0002-crash-in-url-auth:
      This fixes a crash (NULL reference) in case URL Auth is used
      and stream_auth is trigged with no credentials passed by the client.
      Username and password is now set to empty strings and transmited to
      the backend server this way.
    - CVE-2015-3026
  * SECURITY UPDATE: Potentially leaks sensitive information.
    - d/p/0001-disconnects_stdio_of_on_dis_connect_scripts:
      Include patchset 19313 (close file handles for external scripts).
    - CVE-2014-9018
  * SECURITY UPDATE: Potentially allows local users to gain
    privileges via unspecified vectors.
    - d/p/0003-override-supplementary-groups:
      In case of <changeowner> only UID and GID were changed,
      supplementary groups were left in place.
      This is a potential security issue only if <changeowner> is used.
      New behaviour is to set UID, GID and set supplementary groups
      based on the UID.
      Even in case of icecast remaining in supplementary group 0
      this "only" gives it things like access to files that are owned
      by group 0 and according to their umask. This is obviously bad,
      but not as bad as UID 0 with all its other special rights.
    - CVE-2014-9091

 -- Unit 193 <email address hidden>  Tue, 28 Apr 2015 17:28:20 -0400

icecast2 (2.3.3-2ubuntu1) trusty; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - 1004_fix_xmlCleanupParser_splatter.patch: Make sure that
      xmlCleanupParser() is only called once: on exit. Doing otherwise
      potentially results in Bad Things (e.g., crashes that point
      incorrectly to PulseAudio).
  * Refresh patch.

icecast2 (2.3.3-2) unstable; urgency=low

  * Team Upload.

  [ Jonas Smedegaard ]
  * Add DEP3 header to patch 1001.
  * Remove debian/source/local-options: abort-on-upstream-changes and
    unapply-patches are default in dpkg-source since 1.16.1.
  * Drop obsolete NEWS file: Latest news more than 8 years ago.
  * Modernize CDBS usage:
    + Re-enable upstream tarball handling and copyright-check.
    + Drop unused local snippets.
    + Reorganize CDBS usage in rules file.
    + Drop obsolete README.cdbs-tweaks.
  * Extend copyright years for packaging, and add proper licensing
    header to rules file.
  * Rewrite copyright file, using DEP5 format.
  * Bump standards-version to 3.9.3.
  * Bump autotools to match versions used upstream.
  * suppress copyright-check of some images.
  * Put aside autogenerated files during build, and regenerate most
    possible of them.
    Closes: bug#653401. Thanks to Peter Eisentraut.

  [ David Prévot ]
  * Mark the first debconf template as translatable. Closes: #686181

  [ Debconf translations ]
  * Russian, Yuri Kozlov. Closes: #686263
  * Slovak, Slavko. Closes: #686280
  * Danish, Joe Hansen. Closes: #686288
  * Vietnamese, Nguyễn Vũ Hưng.
  * Swedish, Martin Bagge. Closes: #686444
  * French, David Prévot.
  * Portuguese, Rui Branco. Closes: #686530
  * German, Erik Pfannenstein. Closes: #686591
  * Polish, Michał Kułach. Closes: #686596
  * Czech, Michal Simunek. Closes: #686607
  * Italian, Beatrice Torracca. Closes: #686691
  * Dutch, Jeroen Schot. Closes: #686659
  * Brazilian Portuguese, Adriano Rafael Gomes. Closes: #652050, #686716
  * Spanish, Javier Fernández-Sanguino. Closes: #686773

  [ Felipe Sateler ]
  * Fix missing Copyright header
  * Init script: import lsb functions
  * Fix spelling mistake in README.Debian
  * Import changes from wheezy upload to master
 -- Logan Rosen <email address hidden>   Thu, 10 Apr 2014 14:01:47 -0400