Package: socat
Version: 1.7.2.4-2
Severity: important
Tags: patch upstream
Control: fixed -1 1.7.3.0-1
Dear Maintainer,
Jessie's version of socat uses 512-bit DH parameters in the
OPENSSL-LISTEN mode by default. To mitigate CVE-2015-4000 ("Logjam"),
OpenSSL as shipped in jessie and wheezy will abort a connection when DH
parameters smaller than 768 bits are detected. This means that Debian
stable and oldstable clients are unable to connect to socat in OpenSSL
server mode using socat's defaults. This has been fixed upstream with
commit 281d1bd6515c2f0f8984fc168fb3d3b91c20bdc0 that introduced 1024-bit
DH parameters.
The good news is that socat allows one to use external DH parameters, or
DH parameters embedded in X.509 certificate files. However, this is not
always possible when socat is called by another application (for example
ganeti).
Ideally this should be fixed in Jessie. Note that since CVE-2015-4000
has been dealt with client-side, I will not tag this as a security bug.
Regards,
Apollon
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]