Package: socat
Version: 1.7.2.4-2
Severity: important
Tags: patch upstream
Control: fixed -1 1.7.3.0-1

Dear Maintainer,

Jessie's version of socat uses 512-bit DH parameters in the OPENSSL-LISTEN mode by default. To mitigate CVE-2015-4000 ("Logjam"), OpenSSL as shipped in jessie and wheezy will abort a connection when DH parameters smaller than 768 bits are detected. This means that Debian stable and oldstable clients are unable to connect to socat in OpenSSL server mode using socat's defaults.

This has been fixed upstream with commit 281d1bd6515c2f0f8984fc168fb3d3b91c20bdc0 that introduced 1024-bit DH parameters.

The good news is that socat allows one to use external DH parameters, or DH parameters embedded in X.509 certificate files. However, this is not always possible when socat is called by another application (for example ganeti). Ideally this should be fixed in Jessie.

Note that since CVE-2015-4000 has been dealt with client-side, I will not tag this as a security bug.

Regards,
Apollon