
Socat security advisory 7


In the OpenSSL address implementation, the hard-coded 1024-bit DH p parameter was not prime. The effective cryptographic strength of a key exchange using these parameters was weaker than what could be obtained with a prime p. Moreover, since there is no indication of how these parameters were chosen, the existence of a trapdoor that makes it possible for an eavesdropper to recover the shared secret from a key exchange that uses them cannot be ruled out.

A new prime modulus p has been generated by a Socat developer using the OpenSSL dhparam command.

In addition, the new parameter is 2048 bits long.
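The two properties this advisory turns on, primality and size of a hard-coded DH modulus, can be checked mechanically. The following is an added example, not Socat's code: the function names, the C-initializer input format and the sample values are assumptions made for illustration, and the 2048-bit threshold is taken from the size of the new parameter.

```python
import random
import re

def parse_c_bytes(text):
    """Read a C initializer such as '0x03, 0xFB' as a big-endian integer."""
    return int("".join(re.findall(r"0x([0-9a-fA-F]{2})", text)), 16)

def is_probable_prime(n, rounds=40):
    """Miller-Rabin test; a composite passes with probability <= 4**-rounds."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:  # write n - 1 as d * 2**s with d odd
        d, s = d // 2, s + 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # witness found: n is definitely composite
    return True

def audit_dh_modulus(text, min_bits=2048):
    """Report the size and primality of a hard-coded DH modulus p."""
    p = parse_c_bytes(text)
    return {
        "bits": p.bit_length(),
        "long_enough": p.bit_length() >= min_bits,
        "prime": is_probable_prime(p),
    }

if __name__ == "__main__":
    # Constructed sample values, not Socat's parameters.
    samples = {
        "2**127 - 1 (prime, too short)": "0x7F, " + ", ".join(["0xFF"] * 15),
        "2**128 - 1 (composite, too short)": ", ".join(["0xFF"] * 16),
    }
    for label, initializer in samples.items():
        print(label, audit_dh_modulus(initializer))
```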

Vulnerability Ids

Socat security issue 7




Affected versions


Not affected or corrected versions - and later

2.0.0-b1 - 2.0.0-b7

2.0.0-b9 and later


Disable DH ciphers.


The updated sources can be downloaded from:

Patch to

Patch to 2.0.0-b8:


Santiago Zanella-Beguelin and Microsoft Vulnerability Research (MSVR).