Bug 964843 - (CVE-2016-2217) VUL-0: CVE-2016-2217: socat: DH p parameter not prime
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Other openSUSE 42.1
: P5 - None : Major
Assigned To: Marcus Meissner
Security Team bot
Reported: 2016-02-03 08:45 UTC by Andreas Stieger
Modified: 2016-02-05 09:54 UTC
Found By: Security Response Team
Description Andreas Stieger 2016-02-03 08:45:35 UTC
From http://www.openwall.com/lists/oss-security/2016/02/01/4

  In the OpenSSL address implementation the hard coded 1024 bit DH p
  parameter was not prime. The effective cryptographic strength of a key
  exchange using these parameters was weaker than the one one could get by
  using a prime p. Moreover, since there is no indication of how these
  parameters were chosen, the existence of a trapdoor that makes possible
  for an eavesdropper to recover the shared secret from a key exchange that
  uses them cannot be ruled out.
  A new prime modulus p parameter has been generated by Socat developer
  using OpenSSL dhparam command.
  In addition the new parameter is 2048 bit long.

Vulnerability Ids:
  Socat security issue 7

Severity: Unknown

Affected versions:, 2.0.0-b8

Not affected or corrected versions - and later
  2.0.0-b1 - 2.0.0-b7
  2.0.0-b9 and later

  Disable DH ciphers

  Santiago Zanella-Beguelin and Microsoft Vulnerability Research (MSVR).

Already submitted for openSUSE:Factory:

Probably somewhat related to logjam changes - bug 938913
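
As an added example (not part of the advisory, the bug report or socat's code), the two properties the advisory turns on, primality of p and its bit length, can be checked for any hard-coded DH modulus with the Python below. The function names and sample moduli are constructed for illustration; the safe-prime check goes beyond the advisory and reflects what `openssl dhparam` generates by default.

```python
import re
import secrets

def miller_rabin(n, rounds=40):
    """Probabilistic primality test; a true prime is never rejected."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # base a witnesses compositeness
    return True

def parse_modulus(hex_bytes):
    """Hex octets as found in a C array (0xAB, ...) or a colon-separated dump."""
    return int("".join(re.findall(r"(?:0x)?([0-9a-fA-F]{2})", hex_bytes)), 16)

def audit_dh_modulus(p, min_bits=2048):
    """Return a list of findings; an empty list means no objection."""
    findings = []
    if p.bit_length() < min_bits:
        findings.append("short")
    if not miller_rabin(p):
        findings.append("composite")              # the CVE-2016-2217 condition
    elif not miller_rabin((p - 1) // 2):
        findings.append("not-safe-prime")         # informational only
    return findings

if __name__ == "__main__":
    # Constructed inputs, not socat's parameters: a product of two Mersenne
    # primes (no small factors, still composite) and one Mersenne prime alone.
    composite = (2**521 - 1) * (2**607 - 1)
    print(audit_dh_modulus(composite, min_bits=1024))
    print(audit_dh_modulus(2**521 - 1))
```

Feed `parse_modulus` only the hex region of the array or dump, since it treats every pair of hex digits in its input as an octet.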
Comment 1 Andreas Stieger 2016-02-03 08:53:38 UTC
SLE 12: socat not affected
openSUSE not affected
only Tumbleweed affected
Comment 2 Alexander Bergmann 2016-02-05 09:54:02 UTC
CVE-2016-2217 was assigned to this issue.