dest-unreach / socat / contrib / security advisory 7
In the OpenSSL address implementation the hard coded 1024 bit DH p parameter was not prime. The effective cryptographic strength of a key exchange using these parameters was weaker than the one one could get by using a prime p. Moreover, since there is no indication of how these parameters were chosen, the existence of a trapdoor that makes possible for an eavesdropper to recover the shared secret from a key exchange that uses them cannot be ruled out.
A new prime modulus p parameter has been generated by Socat developer using OpenSSL dhparam command.
In addition the new parameter is 2048 bit long.
Socat security issue 7
MSVR-1499
1.7.3.0
2.0.0-b8
1.0.0.0 - 1.7.2.4
1.7.3.1 and later
2.0.0-b1 - 2.0.0-b7
2.0.0-b9 and later
Disable DH ciphers.
The updated sources can be downloaded from:
Patch to 1.7.3.0:
http://www.dest-unreach.org/socat/download/socat-1.7.3.1.patchPatch to 2.0.0-b8:
http://www.dest-unreach.org/socat/download/socat-2.0.0-b9.patchSantiago Zanella-Beguelin and Microsoft Vulnerability Research (MSVR).