A flaw was found in the client URL authentication handling code:
The bug can only be triggered if "stream_auth" is being used, for example:
<option name="stream_auth" value="http://localhost/auth"/>
This means, that all installations that use a default configuration are NOT affected. The default configuration only uses <source-password>. Neither are simple mountpoints affected that use <password>.
A workaround, if installing an updated package is not possible, is to disable "stream_auth"and use <password> instead.
As far as we understand the bug only leads to a simple remote denial of service. The underlying issue is a null pointer dereference. For clarity: No remote code execution should be possible, server just segfaults.
Proof of concept:
Created icecast tracking bugs for this issue:
Affects: fedora-all [bug 1210199]
Affects: epel-all [bug 1210200]
icecast-2.4.2-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.