- The version of `tinysvcmdns` bundled in Shairport Sync has a buffer overflow bug: "An exploitable heap overflow vulnerability exists in the tinysvcmdns library version 2016-07-18. A specially crafted packet can make the library overwrite an arbitrary amount of data on the heap with attacker controlled values. An attacker needs send a dns packet to trigger this vulnerability." The vulnerability is addressed by additional checking on packet sizes. See also CVE-2017-12087 and Vulnerability in tinysvcmdns.
Thanks and Chris Boot for fixing this bug.
- Somewhere in version 3.x, the `softvol` plugin got broken as the volume change is not applied anymore. Turned out that, for the
`parameters()` are defined. Thanks to Jörg Krause for locating and fixing this bug.