Bug 1021946 - socat: default DH parameters should be larger
Status: MODIFIED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: socat
Version: 7.0
Target Milestone: rc
Assigned To: Paul Wouters
QA Contact: BaseOS QE Security Team
Blocks: 1019961 1334761
Reported: 2013-10-22 07:40 EDT by Florian Weimer
Modified: 2017-10-03 21:24 EDT
Fixed In Version: 1.7.3.1-1
Clones: 1334761
Type: Bug
Attachments: None
Description Florian Weimer 2013-10-22 07:40:07 EDT
At least a 1024 bit prime should be used as the default.  Generating a file with the parameters at installation time might not be feasible, but it would prevent any appearance of choosing a special prime that makes the discrete logarithm problem feasible.
Comment 4 Florian Weimer 2015-09-24 04:39:12 EDT
Upstream fix:

commit 281d1bd6515c2f0f8984fc168fb3d3b91c20bdc0
Author: Gerhard Rieger <gerhard@dest-unreach.org>
Date:   Sun Jan 4 16:38:36 2015 +0100

    FIPS requires 1024 bit DH prime
Comment 5 Tomas Hoger 2016-02-11 03:40:30 EST
(In reply to Florian Weimer from comment #4)
> Upstream fix:
> 
> commit 281d1bd6515c2f0f8984fc168fb3d3b91c20bdc0
> Author: Gerhard Rieger <gerhard@dest-unreach.org>
> Date:   Sun Jan 4 16:38:36 2015 +0100
> 
>     FIPS requires 1024 bit DH prime

This upstream fix:

http://repo.or.cz/socat.git/commitdiff/281d1bd6515c2f0f8984fc168fb3d3b91c20bdc0

was found to be problematic - see CVE-2016-2217 / bug 1305437, and replaced with:

http://repo.or.cz/socat.git/commitdiff/eab3c89f2dc0df0d9638941891e8ab233dfb0611
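The description asks for a DH prime of at least 1024 bits, and comment 5 notes that the first upstream attempt at that (CVE-2016-2217) shipped a hard-coded value that was not actually prime. The checker below is an added example, not socat's or upstream's own code: it parses the PEM "DH PARAMETERS" structure that `openssl dhparam` writes (SEQUENCE of INTEGER p, INTEGER g), and reports whether p is long enough, whether it is a probable prime, whether it is a safe prime, and whether the generator is in range. The sample input is constructed in the block from the RFC 2409 group 2 (1024-bit MODP) prime; that value is a stand-in for testing, not the parameters socat ships.

```python
"""Sanity-check Diffie-Hellman parameters from a PEM "DH PARAMETERS" file.

Added example (not socat's code). The checks mirror what this bug asks for:
a prime of at least 1024 bits that really is prime, with a sane generator.
"""
import base64
import random

MIN_DH_BITS = 1024   # minimum size the bug report asks for
MR_ROUNDS = 40       # Miller-Rabin rounds; error probability at most 4**-40

# Constructed sample input: RFC 2409 "Second Oakley Group" prime (1024-bit MODP), g = 2.
# This is a well-known safe prime used here only as test data, not socat's value.
RFC2409_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
RFC2409_GROUP2_G = 2


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(x: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 keeps it positive)."""
    body = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def encode_dh_params_pem(p: int, g: int) -> str:
    """Write PKCS#3 DHParameter ::= SEQUENCE { prime, base } as PEM."""
    body = _der_integer(p) + _der_integer(g)
    der = b"\x30" + _der_length(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def _der_read(buf: bytes, off: int):
    """Read one TLV at buf[off]; return (tag, value, offset after it)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + length], off + length


def parse_dh_params_pem(pem: str):
    """Return (p, g) from a PEM DH PARAMETERS block; extra fields are ignored."""
    lines = [ln.strip() for ln in pem.splitlines()]
    der = base64.b64decode("".join(ln for ln in lines if ln and not ln.startswith("-----")))
    tag, seq, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, off = _der_read(seq, 0)
    tag_g, g_bytes, _ = _der_read(seq, off)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p and INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def is_probable_prime(n: int, rounds: int = MR_ROUNDS) -> bool:
    """Miller-Rabin with fixed-seed witnesses so results are reproducible."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dh_params(p: int, g: int, min_bits: int = MIN_DH_BITS) -> list:
    """Return a list of findings; an empty list means the parameters pass."""
    findings = []
    if p.bit_length() < min_bits:
        findings.append("too-small")
    if not is_probable_prime(p):
        findings.append("not-prime")          # the CVE-2016-2217 failure mode
    elif not is_probable_prime((p - 1) // 2):
        findings.append("not-safe-prime")     # p = 2q + 1 with q prime is expected
    if not 2 <= g <= p - 2:
        findings.append("bad-generator")
    return findings


def check_pem_file(pem: str, min_bits: int = MIN_DH_BITS) -> list:
    p, g = parse_dh_params_pem(pem)
    return check_dh_params(p, g, min_bits)


SAMPLE_PEM = encode_dh_params_pem(RFC2409_GROUP2_P, RFC2409_GROUP2_G)

if __name__ == "__main__":
    import sys
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    p, g = parse_dh_params_pem(pem)
    print(f"p: {p.bit_length()} bits, g = {g}, findings: {check_dh_params(p, g) or 'none'}")
```

Run it with the path of a `dhparam.pem` as the argument to check a real file; with no argument it checks the constructed sample. Primality is probabilistic, so a clean result means "no problem found with this many rounds", while a "not-prime" finding is conclusive.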
Comment 6 Paul Wouters 2016-04-28 00:34:03 EDT
This fix is in 1.7.3.1 as well.
Comment 7 Aleksandar Kostadinov 2016-05-10 09:37:48 EDT
Any update, why don't we upgrade socat?
Comment 8 Martin Stefany 2016-06-14 13:57:57 EDT
+1 for this, socat has also issues when used in MariaDB Galera cluster with SSL/TLS SST - https://jira.mariadb.org/browse/MDEV-9403
Please, rebase socat to latest stable 1.7.3.1 version.
Comment 9 Martin Stefany 2016-06-14 14:43:22 EDT
I needed it for additional fun with MariaDB, so I've rebuilt the package with COPR: https://copr.fedorainfracloud.org/coprs/mstefany/socat/
