Bugzilla – Bug 964843
VUL-0: CVE-2016-2217: socat: DH p parameter not prime
Last modified: 2016-02-05 09:54:02 UTC
In the OpenSSL address implementation the hard coded 1024 bit DH p
parameter was not prime. The effective cryptographic strength of a key
exchange using these parameters was weaker than the one one could get by
using a prime p. Moreover, since there is no indication of how these
parameters were chosen, the existence of a trapdoor that makes it possible
for an eavesdropper to recover the shared secret from a key exchange that
uses them cannot be ruled out.
A new prime modulus p parameter has been generated by a Socat developer
using the OpenSSL dhparam command.
In addition the new parameter is 2048 bits long.
Socat security issue 7
Affected versions: 188.8.131.52, 2.0.0-b8
Not affected or corrected versions:
  184.108.40.206 - 220.127.116.11
  18.104.22.168 and later
  2.0.0-b1 - 2.0.0-b7
  2.0.0-b9 and later
Disable DH ciphers
Santiago Zanella-Beguelin and Microsoft Vulnerability Research (MSVR).
Already submitted for openSUSE:Factory:
Probably somewhat related to logjam changes - bug 938913
SLE 12: socat 22.214.171.124 not affected
openSUSE not affected
only Tumbleweed affected
CVE-2016-2217 was assigned to this issue.