socat: Update from 1.7.2.4 to 1.7.3.0, fixes a possible denial of service attack

socat: Update from 1.7.2.4 to 1.7.3.0, fixes a possible denial of service attack (CVE Id pending), improves SSL client security, and provides a couple of bug and porting fixes. Among new features, socat now enables OpenSSL server side use of ECDHE ciphers, providing PFS (Perfect Forward Secrecy) http://www.dest-unreach.org/socat/doc/CHANGES
2024-11-16 14:54:29 +01:00 · 2015-01-25 13:48:11 +01:00 · 2015-01-25 13:48:11 +01:00 · 7a7e59d2a9
commit 7a7e59d2a9
parent 35af8c6105
2 changed files with 23 additions and 2 deletions
--- a/pkgs/tools/networking/socat/default.nix
+++ b/pkgs/tools/networking/socat/default.nix
@ -1,15 +1,17 @@
 { stdenv, fetchurl, openssl }:

 stdenv.mkDerivation rec {
-  name = "socat-1.7.2.4";
+  name = "socat-1.7.3.0";

  src = fetchurl {
    url = "http://www.dest-unreach.org/socat/download/${name}.tar.bz2";
-    sha256 = "028yjka2zr6j1i8pmfmvzqki8ajczdl1hnry1x31xbbg3j83jxsb";
+    sha256 = "011ydc0x8camplf8l6mshs3v5fswarld8v0wf7grz6rjq18fhrq7";
  };

  buildInputs = [ openssl ];

+  patches = [ ./enable-ecdhe.patch ];
+
  meta = {
    description = "A utility for bidirectional data transfer between two independent data channels";
    homepage = http://www.dest-unreach.org/socat/;
--- a/pkgs/tools/networking/socat/enable-ecdhe.patch
+++ b/pkgs/tools/networking/socat/enable-ecdhe.patch
@ -0,0 +1,19 @@
+--- socat-1.7.3.0/xio-openssl.c	2015-01-24 15:33:42.000000000 +0100
+++ socat-1.7.3.0-ecdhe/xio-openssl.c	2015-01-25 13:38:54.353641097 +0100
+@@ -960,7 +960,6 @@
+       }
+    }
+
+-#if defined(EC_KEY)	/* not on Openindiana 5.11 */
+    {
+       /* see http://openssl.6102.n7.nabble.com/Problem-with-cipher-suite-ECDHE-ECDSA-AES256-SHA384-td42229.html */
+       int	 nid;
+@@ -982,7 +981,6 @@
+
+       SSL_CTX_set_tmp_ecdh(*ctx, ecdh);
+    }
+-#endif /* !defined(EC_KEY) */
+
+ #if OPENSSL_VERSION_NUMBER >= 0x00908000L
+    if (opt_compress) {
+