Socat security advisory 7
In the OpenSSL address implementation, the hard-coded 1024-bit DH p parameter was not prime. The effective cryptographic strength of a key exchange using these parameters was weaker than what a prime p would provide. Moreover, since there is no indication of how these parameters were chosen, the existence of a trapdoor that makes it possible for an eavesdropper to recover the shared secret from a key exchange that uses them cannot be ruled out.
A new prime modulus p parameter has been generated by a Socat developer using the OpenSSL dhparam command.
In addition, the new parameter is 2048 bits long.
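A check that could be run over a hard-coded DH modulus before it ships, given here as an added example and not as Socat's own code: it parses a C byte initializer, then tests bit length and primality (Miller-Rabin). Going beyond the advisory, it also tests whether p is a safe prime, which is what `openssl dhparam` generates by default. The function names, the initializer format and the small sample values are assumptions constructed for illustration.

```python
import re
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=40):
    """Miller-Rabin. Never rejects a prime; a composite survives one random base with probability <= 1/4."""
    if n < 2:
        return False
    for q in SMALL_PRIMES:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    bases = list(SMALL_PRIMES) + [secrets.randbelow(n - 3) + 2 for _ in range(rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is composite
    return True

def parse_c_bytes(text):
    """Read a hard-coded C initializer such as '0x07, 0xF7' as a big-endian integer."""
    return int.from_bytes(bytes(int(h, 16) for h in re.findall(r"0x([0-9A-Fa-f]{2})", text)), "big")

def check_dh_modulus(p, min_bits=2048):
    """Return the list of problems found; an empty list means p passed every check."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append("too short")
    if not is_probable_prime(p):
        problems.append("not prime")
    elif not is_probable_prime((p - 1) // 2):
        problems.append("not a safe prime")
    return problems

if __name__ == "__main__":
    # Constructed toy values, far too small for real use; min_bits is lowered so only primality is shown.
    samples = {"0x07, 0xF7": 11, "0x07, 0xF9": 11}  # 2039 is a safe prime, 2041 = 13 * 157
    for text, bits in samples.items():
        print(text, check_dh_modulus(parse_c_bytes(text), min_bits=bits) or "ok")
```

With the default `min_bits=2048`, a 1024-bit modulus is reported as too short even when it is prime.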
Socat security issue 7
220.127.116.11 - 18.104.22.168
22.214.171.124 and later
2.0.0-b1 - 2.0.0-b7
2.0.0-b9 and later
Disable DH ciphers.
The updated sources can be downloaded from:
Patch to 126.96.36.199: http://www.dest-unreach.org/socat/download/socat-188.8.131.52.patch
Patch to 2.0.0-b8: http://www.dest-unreach.org/socat/download/socat-2.0.0-b9.patch
Santiago Zanella-Beguelin and Microsoft Vulnerability Research (MSVR).