socat-1.7.3.0-1.fc22.i686
[351 KiB] |
Changelog
by Lawrence R. Rogers (2016-08-03):
* Release 1.7.3.0
security:
(CVE Id pending)
Fixed problems with signal handling caused by use of not async signal
safe functions in signal handlers that could freeze socat, allowing
denial of service attacks.
Many changes in signal handling and the diagnostic messages system were
applied to make the code async signal safe but still provide detailled
logging from signal handlers:
Coded function vsnprintf_r() as async signal safe incomplete substitute
of libc vsnprintf()
Coded function snprinterr() to replace %m in strings with a system error
message
Instead of gettimeofday() use clock_gettime() when available
Pass Diagnostic messages from signal handler per unix socket to the main
program flow
Use sigaction() instead of signal() for better control
Turn off nested signal handler invocations
Thanks to Peter Lobsinger for reporting and explaining this issue.
Red Hat issue 1019975: add TLS host name checks
OpenSSL client checks if the server certificates names in
extensions/subjectAltName/DNS or in subject/commonName match the name
used to connect or the value of the openssl-commonname option.
Test: OPENSSL_CN_CLIENT_SECURITY
OpenSSL server checks if the client certificates names in
extensions/subjectAltNames/DNS or subject/commonName match the value of
the openssl-commonname option when it is used.
Test: OPENSSL_CN_SERVER_SECURITY
Red Hat issue 1019964: socat now uses the system certificate store with
OPENSSL when neither options cafile nor capath are used
Red Hat issue 1019972: needs to specify OpenSSL cipher suites
Default cipherlist is now "HIGH:-NULL:-PSK:-aNULL" instead of empty to
prevent downgrade attacks
new features:
OpenSSL addresses set couple of environment variables from values in
peer certificate, e.g.:
SOCAT_OPENSSL_X509_SUBJECT, SOCAT_OPENSSL_X509_ISSUER,
SOCAT_OPENSSL_X509_COMMONNAME,
SOCAT_OPENSSL_X509V3_SUBJECTALTNAME_DNS
Tests: ENV_OPENSSL_{CLIENT,SERVER}_X509_*
Added support for methods TLSv1, TLSv1.1, TLSv1.2, and DTLS1
Tests: OPENSSL_METHOD_*
Enabled OpenSSL server side use of ECDHE ciphers. Feature suggested
by Andrey Arapov.
Added a new option termios-rawer for ptys.
Thanks to Christian Vogelgsang for pointing me to this requirement
corrections:
Bind with ABSTRACT commands used non-abstract namespace (Linux).
Test: ABSTRACT_BIND
Thanks to Denis Shatov for reporting this bug.
Fixed return value of nestlex()
Option ignoreeof on the right address hung.
Test: IGNOREEOF_REV
Thanks to Franz Fasching for reporting this bug.
Address SYSTEM, when terminating, shut down its parent addresses,
e.g. an SSL connection which the parent assumed to still be active.
Test: SYSTEM_SHUTDOWN
Passive (listening or receiving) addresses with empty port field bound
to a random port instead of terminating with error.
Test: TCP4_NOPORT
configure with some combination of disable options produced config
files that failed to compile due to missing IPPROTO_TCP.
Thanks to Thierry Fournier for report and patch.
fixed a few minor bugs with OpenSSL in configure and with messages
Socat did not work in FIPS mode because 1024 instead of 512 bit DH prime
is required. Thanks to Zhigang Wang for reporting and sending a patch.
Christophe Leroy provided a patch that fixes memory leaks reported by
valgrind
Help for filan -L was bad, is now corrected to:
"follow symbolic links instead of showing their properties"
Address options fdin and fdout were silently ignored when not applicable
due to -u or -U option. Now these combinations are caught as errors.
Test: FDOUT_ERROR
Issue reported by Hendrik.
Added option termios-cfmakeraw that calls cfmakeraw() and is preferred
over option raw which is now obsolote. On SysV systems this call is
simulated by appropriate setting.
Thanks to Youfu Zhang for reporting issue with option raw.
porting:
Socat included <sys/poll.h> instead of POSIX <poll.h>
Thanks to John Spencer for reporting this issue.
Version 1.7.2.4 changed the check for gcc in configure.ac; this
broke cross compiling. The particular check gets reverted.
Thanks to Ross Burton and Danomi Manchego for reporting this issue.
Debian Bug#764251: Set the build timestamp to a deterministic time:
support external BUILD_DATE env var to allow to build reproducable
binaries
Joachim Fenkes provided an new adapted spec file.
Type bool and macros Min and Max are defined by socat which led to
compile errors when they were already provided by build framework.
Thanks to Liyu Liu for providing a patch.
David Arnstein contributed a patch for NetBSD 5.1 including stdbool.h
support and appropriate files in Config/
Lauri Tirkkonen contributed a patch regarding netinet/if_ether.h
on Illumos
Changes for Openindiana: define _XPG4_2, __EXTENSIONS__,
_POSIX_PTHREAD_SEMANTICS; and minor changes
Red Hat issue 1182005: socat 1.7.2.4 build failure missing
linux/errqueue.h
Socat failed to compile on on PPC due to new requirements for
including <linux/errqueue.h> and a weakness in the conditional code.
Thanks to Michel Normand for reporting this issue.
doc:
In the man page the PTY example was badly formatted. Thanks to
J.F.Sebastian for sending a patch.
Added missing CVE ids to security issues in CHANGES
testing:
Do not distribute testcert.conf with socat source but generate it
(and new testcert6.conf) during test.sh run.
|