Bug 1021946

Summary: socat: default DH parameters should be larger
Product: Red Hat Enterprise Linux 7
Reporter: Florian Weimer <fweimer>
Component: socat
Assignee: Paul Wouters <pwouters>
Status: CLOSED CURRENTRELEASE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.0
CC: akostadi, jaster, martin, omoris, thoger
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: 1.7.3.1-1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1334761
Environment:
Last Closed: 2018-11-13 10:58:14 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1019961, 1334761

Description Florian Weimer 2013-10-22 11:40:07 UTC
At least a 1024 bit prime should be used as the default.  Generating a file with the parameters at installation time might not be feasible, but it would prevent any appearance of choosing a special prime that makes the discrete logarithm problem feasible.

Comment 4 Florian Weimer 2015-09-24 08:39:12 UTC
Upstream fix:

commit 281d1bd6515c2f0f8984fc168fb3d3b91c20bdc0
Author: Gerhard Rieger <gerhard>
Date:   Sun Jan 4 16:38:36 2015 +0100

    FIPS requires 1024 bit DH prime

Comment 5 Tomas Hoger 2016-02-11 08:40:30 UTC
(In reply to Florian Weimer from comment #4)
> Upstream fix:
> 
> commit 281d1bd6515c2f0f8984fc168fb3d3b91c20bdc0
> Author: Gerhard Rieger <gerhard>
> Date:   Sun Jan 4 16:38:36 2015 +0100
> 
>     FIPS requires 1024 bit DH prime

This upstream fix:

http://repo.or.cz/socat.git/commitdiff/281d1bd6515c2f0f8984fc168fb3d3b91c20bdc0

was found to be problematic - see CVE-2016-2217 / bug 1305437, and replaced with:

http://repo.or.cz/socat.git/commitdiff/eab3c89f2dc0df0d9638941891e8ab233dfb0611
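Both the size request in the description and the replaced first fix in comment 5 come down to the same operational question: do the DH parameters a build ships actually have the properties they claim? (CVE-2016-2217 was a hard-coded p that turned out not to be prime.) The script below is an added example, not code from socat, from the upstream commits or from this bug: it parses a PEM "DH PARAMETERS" file (the PKCS#3 DER structure that `openssl dhparam` writes), then checks that p has at least 1024 bits, that p is a probable prime, whether (p-1)/2 is also prime, and that g lies in range. The function names, the 1024-bit default and the short and composite sample inputs are this example's own choices; the known-good modulus is the 1024-bit MODP group from RFC 2409.

```python
import base64
import random

_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97]
# OS CSPRNG for Miller-Rabin bases: a fixed base set can be fooled by crafted composites.
_rng = random.SystemRandom()

def is_probable_prime(n, rounds=40):
    """Trial division by small primes, then Miller-Rabin with `rounds` random bases."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n == sp:
            return True
        if n % sp == 0:
            return False
    d, r = n - 1, 0          # n - 1 = d * 2^r with d odd
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False     # found a witness: n is composite
    return True

def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_integer(v):
    """DER INTEGER for a non-negative int; a leading 0x00 keeps the sign bit clear."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body

def encode_dh_params_pem(p, g):
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }, PEM-armoured."""
    body = _der_integer(p) + _der_integer(g)
    b64 = base64.b64encode(b"\x30" + _der_length(len(body)) + body).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(lines)

def _read_tlv(buf, pos, tag):
    """Return (contents, next_pos) of the DER element at pos, which must carry `tag`."""
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError("unexpected DER tag at offset %d" % pos)
    first, pos = buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return buf[pos:pos + length], pos + length

def parse_dh_params_pem(pem):
    """Return (p, g) from a 'DH PARAMETERS' PEM block (optional privateValueLength is ignored)."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN DH PARAMETERS-----" or lines[-1] != "-----END DH PARAMETERS-----":
        raise ValueError("not a DH PARAMETERS PEM block")
    der = base64.b64decode("".join(lines[1:-1]))
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing data after SEQUENCE")
    p_bytes, pos = _read_tlv(seq, 0, 0x02)
    g_bytes, pos = _read_tlv(seq, pos, 0x02)
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def audit_dh_params(pem, min_bits=1024):
    """Check a DH parameter file: large enough, p really prime, g in range; safe-prime reported."""
    p, g = parse_dh_params_pem(pem)
    prime = is_probable_prime(p)
    findings = {
        "bits": p.bit_length(),
        "large_enough": p.bit_length() >= min_bits,
        "p_is_prime": prime,
        "p_is_safe_prime": prime and is_probable_prime((p - 1) // 2),  # q = (p-1)/2 prime too
        "generator_ok": 1 < g < p - 1,
    }
    findings["ok"] = findings["large_enough"] and prime and findings["generator_ok"]
    return findings

# Known-good sample: the 1024-bit MODP group from RFC 2409 (Oakley group 2) with g = 2.
RFC2409_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GOOD_PEM = encode_dh_params_pem(RFC2409_GROUP2_P, 2)
# Constructed bad samples: a 127-bit Mersenne prime (too short) and 2**1024 - 1 (long enough, but composite).
SHORT_PEM = encode_dh_params_pem(2**127 - 1, 2)
COMPOSITE_PEM = encode_dh_params_pem(2**1024 - 1, 2)
```

`audit_dh_params(open("dhparams.pem").read())` is the intended use against a real file; the "ok" verdict requires size, primality and a sane generator, while the safe-prime result is reported separately because it is what `openssl dhparam` produces and what the RFC MODP groups are, but a non-safe prime is not by itself the defect this bug is about.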

Comment 6 Paul Wouters 2016-04-28 04:34:03 UTC
This fix is in 1.7.3.1 as well.

Comment 7 Aleksandar Kostadinov 2016-05-10 13:37:48 UTC
Any update, why don't we upgrade socat?

Comment 8 Martin Stefany 2016-06-14 17:57:57 UTC
+1 for this, socat has also issues when used in MariaDB Galera cluster with SSL/TLS SST - https://jira.mariadb.org/browse/MDEV-9403
Please, rebase socat to latest stable 1.7.3.1 version.

Comment 9 Martin Stefany 2016-06-14 18:43:22 UTC
I needed it for additional fun with MariaDB, so I've rebuilt the package with COPR: https://copr.fedorainfracloud.org/coprs/mstefany/socat/

Comment 10 Paul Wouters 2018-11-13 10:58:14 UTC
This bug is addressed by ERRATA RHBA-2017:2049-03 socat bug fix update

https://errata.devel.redhat.com/advisory/26967