RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1021946 - socat: default DH parameters should be larger
Summary: socat: default DH parameters should be larger
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: socat
Version: 7.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Paul Wouters
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 1019961 1334761
TreeView+ depends on / blocked
 
Reported: 2013-10-22 11:40 UTC by Florian Weimer
Modified: 2018-11-13 10:58 UTC (History)
5 users (show)

Fixed In Version: 1.7.3.1-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1334761 (view as bug list)
Environment:
Last Closed: 2018-11-13 10:58:14 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Florian Weimer 2013-10-22 11:40:07 UTC 
At least a 1024 bit prime should be used as the default.  Generating a file with the parameters at installation time might not be feasible, but it would prevent any appearance of choosing a special prime that makes the discrete logarithm problem feasible.
Comment 4 Florian Weimer 2015-09-24 08:39:12 UTC 
Upstream fix:

commit 281d1bd6515c2f0f8984fc168fb3d3b91c20bdc0
Author: Gerhard Rieger <gerhard>
Date:   Sun Jan 4 16:38:36 2015 +0100

    FIPS requires 1024 bit DH prime
Comment 5 Tomas Hoger 2016-02-11 08:40:30 UTC 
(In reply to Florian Weimer from comment #4)
> Upstream fix:
> 
> commit 281d1bd6515c2f0f8984fc168fb3d3b91c20bdc0
> Author: Gerhard Rieger <gerhard>
> Date:   Sun Jan 4 16:38:36 2015 +0100
> 
>     FIPS requires 1024 bit DH prime

This upstream fix:

http://repo.or.cz/socat.git/commitdiff/281d1bd6515c2f0f8984fc168fb3d3b91c20bdc0

was found to be problematic - see CVE-2016-2217 / bug 1305437, and replaced with:

http://repo.or.cz/socat.git/commitdiff/eab3c89f2dc0df0d9638941891e8ab233dfb0611
Comment 6 Paul Wouters 2016-04-28 04:34:03 UTC 
this fix is in 1.7.3.1 as well
Comment 7 Aleksandar Kostadinov 2016-05-10 13:37:48 UTC 
Any update, why don't we upgrade socat?
Comment 8 Martin Stefany 2016-06-14 17:57:57 UTC 
+1 for this, socat has also issues when used in MariaDB Galera cluster with SSL/TLS SST - https://jira.mariadb.org/browse/MDEV-9403
Please, rebase socat to latest stable 1.7.3.1 version.
Comment 9 Martin Stefany 2016-06-14 18:43:22 UTC 
I needed it for additional fun with MariaDB, so I've rebuilt the package with COPR: https://copr.fedorainfracloud.org/coprs/mstefany/socat/
Comment 10 Paul Wouters 2018-11-13 10:58:14 UTC 
This bug is addressed by ERRATA RHBA-2017:2049-03 socat bug fix update

https://errata.devel.redhat.com/advisory/26967
Note You need to log in before you can comment on or make changes to this bug.