| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
pkgsrc changes:
- Adjust test related definition
- Remove no longer needed patches
Changes:
1.7.3.3:
--------
Corrections:
Makefile.in did not specify dependencies of filan on vsnprintf_r.o
and snprinterr.o
Added definition of FILAN_OBJS
Thanks to Craig Leres, Clayton Shotwell, and Chris Packham for
providing patches.
configure option --enable-msglevel did not work with numbers
The autoconf mechanism for determining SHIFT_OFFSET did not work when
cross compiling.
Thanks to Max Freisinger from Gentoo for sending a patch.
Socat still depended on obsolete gethostbyname() function, thus
compiling with MUSL libc failed.
Problem reported by Kennedy33.
The async signal safe diagnostic system used FDs 3 and 4 internally, so
use of appropriate fdin or fdout led to failures.
Test: DIAG_FDIN
Problem reported by Onur Sentürk.
The socket based mechanism for passing messages and signal information
from signal handler to process could reach and kill the wrong process.
Introduces functions diag_sock_pair(), diag_fork()
Thanks to Darren Zhao for analysing and reporting this problem.
Option ipv6-join-group did not work because it was applied in the wrong
phase
Test: UDP6MULTICAST_UNIDIR
Thanks to Angus Gratton for sending a patch.
Setting ispeed and ospeed failed for some serial devices because the
two settings were applied with two different get/set cycles, Thanks to
Alexandre Fenyo for providing an initial patch.
However, the actual fix is part of a conceptual change of the termios
module that aims for applying all changes in a single tcsetaddr call.
Fixes FreeBSD Bug 198441
Termios options TAB0,TAB1,TAB2,TAB3, and XTABS did not have an effect.
Thanks to Alan Walters for reporting this bug.
Substituted cumbersom ISPEED_OFFSET mechanism for cfsetispeed() calls
With TCP6-LISTEN and the other passive IPv6 addresses the range option
just failed: due to a bug in the syntax parser and two more bugs in
the xiocheckrange_ip6() function.
The syntax has now been changed from "[::1/128]" to "[::1]/128"!
Thanks Leah Neukirchen for sending an initial fix.
For name resolution Socat only checked the first character of the host
name to decide if it is an IPv4 address. This was not RFC conform. This
fix removes the possibility for use of IPv4 addresses with IPv6, e.g.
TCP6:127.0.0.1:80
Thanks to Nicolas Fournil for reporting this issue.
Print a useful error message when single character options appear to be
merged in Socat invocation
Test: SOCCAT_OPT_HINT
Fixed some docu typos.
Thanks to Travis Wellman, Thomas <tjps636>, Dan Kenigsberg,
Julian Zinn, and Simon Matter
Porting:
OpenSSL functions TLS1_client_method() and similar are
deprecated. Socat now uses recommended TLS_client_method(). The old
functions and dependend option openssl-method can still be
used when configuring socat with --enable-openssl-method
Shell scripts in socat distribution are now headed with:
#! /usr/bin/env bash
to make them better portable to systems without /bin/bash
Thanks to Maya Rashish for sending a patch
RES_AAONLY, RES_PRIMARY are deprecated. You can still enable them with
configure option --enable-res-deprecated.
New versions of OpenSSL preset SSL_MODE_AUTO_RETRY which may hang socat.
Solution: clear SSL_MODE_AUTO_RETRY when it is set.
Renamed configure.in to configure.ac and set an appropriate symlink for
older environments.
Related Gentoo bug 426262: Warning on configure.in
Thanks to Francesco Turco for reporting that warning.
Fixed new IPv6 range code for platforms without s6_addr32 component.
Testing:
test.sh: Show a warning when phase-1 (insecure phase) of a security
test fails
OpenSSL tests failed on actual Linux distributions. Measures:
Increased key lengths from 768 to 1024 bits
Added test.sh option -C to delete temp certs from prevsious runs
Provide DH-parameter in certificate in PEM
OpenSSL s_server option -verify 0 must be omitted
OpenSSL authentication method aNULL no longer works
Failure of cipher aNULL is not a failure
Failure of methods SSL3 and SSL23 is desired
test.sh depended on ifconfig and netstat utilities which are no longer
available in some distributions. test.sh now checks for and prefers
ip and ss.
Thanks to Ruediger Meier for reporting this problem.
More corrections to test.sh:
Language settings could still influence test results
netstat was still required
Suppress usleep deprecated messag
Force use of IPv4 with some certificates
Set timeout for UDPxMAXCHILDREN tests
Git:
Added missing Config/Makefile.DragonFly-2-8-2,
Config/config.DragonFly-2-8-2.h
Removed testcert.conf (to be generated by test.sh)
Cosmetics:
Simplified handling of missing termios defines.
New features:
Permit combined -d options as -dd etc.
|
|
Performing substitutions during post-patch breaks tools such as mkpatches,
making it very difficult to regenerate correct patches after making changes,
and often leading to substituted string replacements being committed.
|
|
bump PKGREVISION in case any of those scripts are used at runtime
|
|
pkgsrc changes:
- Take MAINTAINERship
Changes:
1.7.3.2
-------
corrections:
- SIGSEGV and other signals could lead to a 100% CPU loop
- Failing name resolution could lead to SIGSEGV
Thanks to Max for reporting this issue.
- Include <stddef.h> for ptrdiff_t
Thanks to Jeroen Roovers for reporting this issue.
- Building with --disable-sycls failed due to missing sslcls.h defines
Socat hung when configured with --disable-sycls.
- Some minor corrections with includes etc.
- Option so-reuseport did not work. Thanks to Some Raghavendra Prabhu
for sending a patch.
- Programs invoked with EXEC, nofork, and -u or -U had stdin and stdout
incorrectly assigned
Test: EXEC_NOFORK_UNIDIR
Thanks to David Reiss for reporting this problem.
- Socat exited with status 0 even when a program invoked with SYSTEM or
EXEC failed.
Tests: SYSTEM_RC EXEC_RC
Issue reported by Felix Winkelmann.
- AddressSanitizer reported a few buffer overflows (false positives).
Nevertheless fixed Socat source.
Issue reported by Hanno Böck.
- Socat did not use option ipv6-join-group.
Test: USE_IPV6_JOIN_GROUP
Thanks to Linux Lüssing for sending a patch.
- UDP-LISTEN did not honor the max-children option.
Test: UDP4MAXCHILDREN UDP6MAXCHILDREN
Thanks to Leander Berwers for reporting this issue.
- Options so-rcvtimeo and so-sndtimeo do not work with poll()/select()
and therefore were useless.
Thanks to Steve Borenstein for reporting this issue.
- Option dhparam was documented as dhparams. Added the alias name
dhparams to fix this.
Thanks to Alexander Neumann for sending a patch.
- Options shut-down and shut-close did not work.
Thanks to Stefan Schimanski for providing a patch.
- There was a bug in printing readline log message caused by a misleading
indentation.
Thanks to Paul Wouters for reporting.
- The internal vsnprintf_r function looped or crashed on size parameter
with hexadecimal output.
- Ignore exit code of child process when it was killed by master due to
EOF
- Corrected byte order on read of IPV6_TCLASS value from ancillary
message
- Fixed type of the bool element in options. This had bug caused failures
e.g. of ignoreeof on big-endian systems when bool was not based on int.
- On systems with predefined bool type whose size differs from int some
IPv6 and TCP options (per setsockopt()) failed.
- Length of integral data in ancillary messages varies (TOS: 1 byte,
TTL: 4 bytes), the old implementation failed for TTL on big-endian
hosts.
- Fixed an issue in options processing: TUN and DNS flags had failed on
big-endian systems and the NO- forms had probable never worked.
porting:
- Type conflict between int and sig_atomic_t between declaration and
definition of diag_immediate_type and diag_immediate_exit broke
compilation on FreeBSD 10.1 with clang. Thanks to Emanuel Haupt for
reporting this bug.
- Socat failed to compile on platforms with OpenSSL without
DTLSv1_client_method or DTLSv1_server_method.
Thanks to Simon Matter for sending a patch.
- NuttX OS headers do not provide struct ip, thus socat did not compile.
Made struct ip subject to configure.
Thanks to SP for reporting this issue.
- Socat failed to compile with OpenSSL version 1.0.2d where
SSLv3_server_method and SSLv3_client_method are no longer defined.
Thanks to Mischa ter Smitten for reporting this issue and providing
a patch.
- configure checked for OpenSSL EC_KEY assuming it is a define but it
is a type, thus OpenSSL ECDHE ciphers failed even on Linux.
Thanks to Andrey Arapov for reporting this bug.
- Changes to make socat compile with OpenSSL 1.1.
Thanks to Sebastian Andrzej Siewior e.a. from the Debian team for
providing the base patch.
Debian Bug#828550
- Make Socat compatible with BoringSSL.
Thanks to Matt Braithwaite for providing a patch.
- OpenSSL: Use RAND_status to determine PRNG state
Thanks to Adam Langley for providing a patch
- AIX-7 uses an extended O_ACCMODE that does not fit socat's internal
requirements. Thanks to Garrick Trowsdale for providing a patch
- LibreSSL support: check for OPENSSL_NO_COMP
Thanks to Bernard Spil for providing a patch
testing:
- socks4echo.sh and socks4a-echo.sh hung with new bash with read -n
- test.sh: stderr; option -v (verbose); FDOUT_ERROR description
- improved proxy.sh - it now also takes hostnames
- A few corrections in test.sh
- DTLS1 test hangs on some distributions. Test is now only performed
with OpenSSL 1.0.2 or higher.
- More corrections to test.sh that reveal a mistake with IPV6_TCLASS
docu:
- Corrected source of socat man page to correctly show man references
like socket(2); removed obseolete entries from See Also
- Docu and some comments mentioned addresses SSL-LISTEN and SSL-CONNECT
that do not exist (OPENSSL-LISTEN, SSL-L; and OPENNSSL-CONNECT, SSL
are correct).
Thanks to Zhigang Wang for reporting this issue.
- Fixed a couple of English spelling and grammar mistakes.
Thanks to Jakub Wild for sending the patches.
- NOEXPAND() was not resolved 2 times.
- More minor docu corrections
legal:
- Added contributors to copyright notices. Suggested by Matt Braithwaite.
|
|
|
|
Changes:
####################### V 1.7.3.1:
security:
Socat security advisory 8
A stack overflow in vulnerability was found that can be triggered when
command line arguments (complete address specifications, host names,
file names) are longer than 512 bytes.
Successful exploitation might allow an attacker to execute arbitrary
code with the privileges of the socat process.
This vulnerability can only be exploited when an attacker is able to
inject data into socat's command line.
A vulnerable scenario would be a CGI script that reads data from clients
and uses (parts of) this data as hostname for a Socat invocation.
Test: NESTEDOVFL
Credits to Takumi Akiyama for finding and reporting this issue.
Socat security advisory 7
MSVR-1499
In the OpenSSL address implementation the hard coded 1024 bit DH p
parameter was not prime. The effective cryptographic strength of a key
exchange using these parameters was weaker than the one one could get by
using a prime p. Moreover, since there is no indication of how these
parameters were chosen, the existence of a trapdoor that makes possible
for an eavesdropper to recover the shared secret from a key exchange
that uses them cannot be ruled out.
Futhermore, 1024bit is not considered sufficiently secure.
Fix: generated a new 2048bit prime.
Thanks to Santiago Zanella-Beguelin and Microsoft Vulnerability
Research (MSVR) for finding and reporting this issue.
|
|
####################### V 1.7.3.0:
security:
(CVE Id pending)
Fixed problems with signal handling caused by use of not async signal
safe functions in signal handlers that could freeze socat, allowing
denial of service attacks.
Many changes in signal handling and the diagnostic messages system were
applied to make the code async signal safe but still provide detailled
logging from signal handlers:
Coded function vsnprintf_r() as async signal safe incomplete substitute
of libc vsnprintf()
Coded function snprinterr() to replace %m in strings with a system error
message
Instead of gettimeofday() use clock_gettime() when available
Pass Diagnostic messages from signal handler per unix socket to the main
program flow
Use sigaction() instead of signal() for better control
Turn off nested signal handler invocations
Thanks to Peter Lobsinger for reporting and explaining this issue.
Red Hat issue 1019975: add TLS host name checks
OpenSSL client checks if the server certificates names in
extensions/subjectAltName/DNS or in subject/commonName match the name
used to connect or the value of the openssl-commonname option.
Test: OPENSSL_CN_CLIENT_SECURITY
OpenSSL server checks if the client certificates names in
extensions/subjectAltNames/DNS or subject/commonName match the value of
the openssl-commonname option when it is used.
Test: OPENSSL_CN_SERVER_SECURITY
Red Hat issue 1019964: socat now uses the system certificate store with
OPENSSL when neither options cafile nor capath are used
Red Hat issue 1019972: needs to specify OpenSSL cipher suites
Default cipherlist is now "HIGH:-NULL:-PSK:-aNULL" instead of empty to
prevent downgrade attacks
new features:
OpenSSL addresses set couple of environment variables from values in
peer certificate, e.g.:
SOCAT_OPENSSL_X509_SUBJECT, SOCAT_OPENSSL_X509_ISSUER,
SOCAT_OPENSSL_X509_COMMONNAME,
SOCAT_OPENSSL_X509V3_SUBJECTALTNAME_DNS
Tests: ENV_OPENSSL_{CLIENT,SERVER}_X509_*
Added support for methods TLSv1, TLSv1.1, TLSv1.2, and DTLS1
Tests: OPENSSL_METHOD_*
Enabled OpenSSL server side use of ECDHE ciphers. Feature suggested
by Andrey Arapov.
Added a new option termios-rawer for ptys.
Thanks to Christian Vogelgsang for pointing me to this requirement
corrections:
Bind with ABSTRACT commands used non-abstract namespace (Linux).
Test: ABSTRACT_BIND
Thanks to Denis Shatov for reporting this bug.
Fixed return value of nestlex()
Option ignoreeof on the right address hung.
Test: IGNOREEOF_REV
Thanks to Franz Fasching for reporting this bug.
Address SYSTEM, when terminating, shut down its parent addresses,
e.g. an SSL connection which the parent assumed to still be active.
Test: SYSTEM_SHUTDOWN
Passive (listening or receiving) addresses with empty port field bound
to a random port instead of terminating with error.
Test: TCP4_NOPORT
configure with some combination of disable options produced config
files that failed to compile due to missing IPPROTO_TCP.
Thanks to Thierry Fournier for report and patch.
fixed a few minor bugs with OpenSSL in configure and with messages
Socat did not work in FIPS mode because 1024 instead of 512 bit DH prime
is required. Thanks to Zhigang Wang for reporting and sending a patch.
Christophe Leroy provided a patch that fixes memory leaks reported by
valgrind
Help for filan -L was bad, is now corrected to:
"follow symbolic links instead of showing their properties"
Address options fdin and fdout were silently ignored when not applicable
due to -u or -U option. Now these combinations are caught as errors.
Test: FDOUT_ERROR
Issue reported by Hendrik.
Added option termios-cfmakeraw that calls cfmakeraw() and is preferred
over option raw which is now obsolote. On SysV systems this call is
simulated by appropriate setting.
Thanks to Youfu Zhang for reporting issue with option raw.
porting:
Socat included <sys/poll.h> instead of POSIX <poll.h>
Thanks to John Spencer for reporting this issue.
Version 1.7.2.4 changed the check for gcc in configure.ac; this
broke cross compiling. The particular check gets reverted.
Thanks to Ross Burton and Danomi Manchego for reporting this issue.
Debian Bug#764251: Set the build timestamp to a deterministic time:
support external BUILD_DATE env var to allow to build reproducable
binaries
Joachim Fenkes provided an new adapted spec file.
Type bool and macros Min and Max are defined by socat which led to
compile errors when they were already provided by build framework.
Thanks to Liyu Liu for providing a patch.
David Arnstein contributed a patch for NetBSD 5.1 including stdbool.h
support and appropriate files in Config/
Lauri Tirkkonen contributed a patch regarding netinet/if_ether.h
on Illumos
Changes for Openindiana: define _XPG4_2, __EXTENSIONS__,
_POSIX_PTHREAD_SEMANTICS; and minor changes
Red Hat issue 1182005: socat 1.7.2.4 build failure missing
linux/errqueue.h
Socat failed to compile on on PPC due to new requirements for
including <linux/errqueue.h> and a weakness in the conditional code.
Thanks to Michel Normand for reporting this issue.
doc:
In the man page the PTY example was badly formatted. Thanks to
J.F.Sebastian for sending a patch.
Added missing CVE ids to security issues in CHANGES
testing:
Do not distribute testcert.conf with socat source but generate it
(and new testcert6.conf) during test.sh run.
####################### V 1.7.2.4:
corrections:
LISTEN based addresses applied some address options, e.g. so-keepalive,
to the listening file descriptor instead of the connected file
descriptor
Thanks to Ulises Alonso for reporting this bug
make failed after configure with non gcc compiler due to missing
include. Thanks to Horacio Mijail for reporting this problem
configure checked for --disable-rawsocket but printed
--disable-genericsocket in the help text. Thanks to Ben Gardiner for
reporting and patching this bug
In xioshutdown() a wrong branch was chosen after RECVFROM type addresses.
Probably no impact.
Thanks to David Binderman for reproting this issue.
procan could not cleanly format ulimit values longer than 16 decimal
digits. Thanks to Frank Dana for providing a patch that increases field
width to 24 digits.
OPENSSL-CONNECT with bind option failed on some systems, eg.FreeBSD, with
"Invalid argument"
Thanks to Emile den Tex for reporting this bug.
Changed some variable definitions to make gcc -O2 aliasing checker happy
Thanks to Ilya Gordeev for reporting these warnings
On big endian platforms with type long >32bit the range option applied a
bad base address. Thanks to hejia hejia for reporting and fixing this bug.
Red Hat issue 1022070: missing length check in xiolog_ancillary_socket()
Red Hat issue 1022063: out-of-range shifts on net mask bits
Red Hat issue 1022062: strcpy misuse in xiosetsockaddrenv_ip4()
Red Hat issue 1022048: strncpy hardening: corrected suspicious strncpy()
uses
Red Hat issue 1021958: fixed a bug with faulty buffer/data length
calculation in xio-ascii.c:_xiodump()
Red Hat issue 1021972: fixed a missing NUL termination in return string
of sysutils.c:sockaddr_info() for the AF_UNIX case
fixed some typos and minor issues, including:
Red Hat issue 1021967: formatting error in manual page
UNIX-LISTEN with fork option did not remove the socket file system entry
when exiting. Other file system based passive address types had similar
issues or failed to apply options umask, user e.a.
Thanks to Lorenzo Monti for pointing me to this issue
porting:
Red Hat issue 1020203: configure checks fail with some compilers.
Use case: clang
Performed changes for Fedora release 19
Adapted, improved test.sh script
Red Hat issue 1021429: getgroupent fails with large number of groups;
use getgrouplist() when available instead of sequence of calls to
getgrent()
Red Hat issue 1021948: snprintf API change;
Implemented xio_snprintf() function as wrapper that tries to emulate C99
behaviour on old glibc systems, and adapted all affected calls
appropriately
Mike Frysinger provided a patch that supports long long for time_t,
socklen_t and a few other libc types.
Artem Mygaiev extended Cedril Priscals Android build script with pty code
The check for fips.h required stddef.h
Thanks to Matt Hilt for reporting this issue and sending a patch
Check for linux/errqueue.h failed on some systems due to lack of
linux/types.h inclusion. Thanks to Michael Vastola for sending a patch.
autoconf now prefers configure.ac over configure.in
Thanks to Michael Vastola for sending a patch.
type of struct cmsghdr.cmsg is system dependend, determine it with
configure; some more print format corrections
docu:
libwrap always logs to syslog
added actual text version of GPLv2
|
|
should be handled if desired.
|
|
(XXX: shouldn't the wrappers be taking care of -Werror for compilers
that don't understand it?)
|
|
patches/patch-aa seems to have been committed upstream. Passing readline
location to configure and fixing CCOPTS in Makefile.in seems to not be
necessary anymore. From CHANGES:
####################### V 1.7.2.4:
corrections:
LISTEN based addresses applied some address options, e.g. so-keepalive,
to the listening file descriptor instead of the connected file
descriptor
make failed after configure with non gcc compiler due to missing
include.
configure checked for --disable-rawsocket but printed
--disable-genericsocket in the help text.
In xioshutdown() a wrong branch was chosen after RECVFROM type addresses.
Probably no impact.
procan could not cleanly format ulimit values longer than 16 decimal
digits. Thanks to Frank Dana for providing a patch that increases field
width to 24 digits.
OPENSSL-CONNECT with bind option failed on some systems, eg.FreeBSD, with
"Invalid argument"
Changed some variable definitions to make gcc -O2 aliasing checker happy
On big endian platforms with type long >32bit the range option applied a
bad base address.
Red Hat issue 1022070: missing length check in xiolog_ancillary_socket()
Red Hat issue 1022063: out-of-range shifts on net mask bits
Red Hat issue 1022062: strcpy misuse in xiosetsockaddrenv_ip4()
Red Hat issue 1022048: strncpy hardening: corrected suspicious strncpy()
uses
Red Hat issue 1021958: fixed a bug with faulty buffer/data length
calculation in xio-ascii.c:_xiodump()
Red Hat issue 1021972: fixed a missing NUL termination in return string
of sysutils.c:sockaddr_info() for the AF_UNIX case
fixed some typos and minor issues, including:
Red Hat issue 1021967: formatting error in manual page
UNIX-LISTEN with fork option did not remove the socket file system entry
when exiting. Other file system based passive address types had similar
issues or failed to apply options umask, user e.a.
porting:
Red Hat issue 1020203: configure checks fail with some compilers.
Use case: clang
Performed changes for Fedora release 19
Adapted, improved test.sh script
Red Hat issue 1021429: getgroupent fails with large number of groups;
use getgrouplist() when available instead of sequence of calls to
getgrent()
Red Hat issue 1021948: snprintf API change;
Implemented xio_snprintf() function as wrapper that tries to emulate C99
behaviour on old glibc systems, and adapted all affected calls
appropriately
Mike Frysinger provided a patch that supports long long for time_t,
socklen_t and a few other libc types.
Artem Mygaiev extended Cedril Priscals Android build script with pty code
The check for fips.h required stddef.h
Check for linux/errqueue.h failed on some systems due to lack of
linux/types.h inclusion.
autoconf now prefers configure.ac over configure.in
type of struct cmsghdr.cmsg is system dependend, determine it with
configure; some more print format corrections
docu:
libwrap always logs to syslog
added actual text version of GPLv2
####################### V 1.7.2.3:
security:
CVE-2014-0019: socats PROXY-CONNECT address was vulnerable to a buffer
overflow with data from command line (see socat-secadv5.txt)
|
|
|
|
Changes:
- Fix for CVE-2013-3571.
|
|
are replaced with .include "../../devel/readline/buildlink3.mk", and
USE_GNU_READLINE are removed,
* .include "../../devel/readline/buildlink3.mk" without USE_GNU_READLINE
are replaced with .include "../../mk/readline.buildlink3.mk".
|
|
The right fix is to thwap socat over the head for worrying about the
values of these constants at compile-time, but that's inexpedient...
ok agc
|
|
Security update:
"A heap based buffer overflow vulnerability has been found with data that happens to be output on the READLINE address." (CVE-2012-0219)
Tested according to the official advisory at http://www.dest-unreach.org/socat/contrib/socat-secadv3.html
XXX pull-up to 2013Q1
|
|
|
|
|
|
Changelog:
security:
fixed a stack overflow vulnerability that occurred when command
line arguments (whole addresses, host names, file names) were longer
than 512 bytes.
Note that this could only be exploited when an attacker was able to
inject data into socat's command line.
Full credits to Felix Grobert, Google Security Team, for finding and
reporting this issue
|
|
Changelog:
corrections:
user-late and group-late, when applied to a pty, affected the system
device /dev/ptmx instead of the pty (thanks to Matthew Cloke for
pointing me to this bug)
socats openssl addresses failed with "nonblocking operation did not
complete" when the peer performed a renegotiation. Thanks to Benjamin
Delpy for reporting this bug.
info message during socks connect showed bad port number on little
endian systems due to wrong byte order (thanks to Peter M. Galbavy for
bug report and patch)
Debian bug 531078: socat execs children with SIGCHLD ignored; corrected
to default. Thanks to Martin Dorey for reporting this bug.
porting:
building socat on systems that predefined the CFLAGS environment to
contain -Wall failed (esp.RedHat). Thanks to Paul Wouters for reporting
this problem and to Simon Matter for providing the patch
support for Solaris 8 and Sun Studio support (thanks to Sebastian
Kayser for providing the patches)
on some 64bit systems a compiler warning "cast from pointer to integer
of different size" was issued on some option definitions
added struct sockaddr_ll to union sockaddr_union to avoid "strict
aliasing" warnings (problem reported by Paul Wouters)
docu:
minor corrections in docu
|
|
|
|
ChangeLog:
V 1.7.1.1:
corrections:
corrected the "fixed possible SIGSEGV" fix because SIGSEGV still might
occur under those conditions. Thanks to Toni Mattila for first
reporting this problem.
ftruncate64 cut its argument to 32 bits on systems with 32 bit long type
socat crashed on systems without setenv() (esp. SunOS up to Solaris 9);
thanks to Todd Stansell for reporting this bug
with unidirectional EXEC and SYSTEM a close() operation was performed
on a random number which could result in hanging e.a.
fixed a compile problem caused by size_t/socklen_t mismatch on 64bit
systems
docu mentioned option so-bindtodev but correct name is so-bindtodevice.
Thanks to Jim Zimmerman for reporting.
docu changes:
added environment variables example to doc/socat-multicast.html
V 1.7.1.0:
new features:
address options shut-none, shut-down, and shut-close allow to control
socat's half close behaviour
with address option shut-null socat sends an empty packet to the peer
to indicate EOF
option null-eof changes the behaviour of sockets that receive an empty
packet to see EOF instead of ignoring it
introduced option names substuser-early and su-e, currently equivalent
to option substuser (thanks to Mike Perry for providing the patch)
corrections:
fixed some typos and improved some comments
V 1.7.0.1:
corrections:
fixed possible SIGSEGV in listening addresses when a new connection was
reset by peer before the socket addresses could be retrieved. Thanks to
Mike Perry for sending a patch.
fixed a bug, introduced with version 1.7.0.0, that let client
connections with option connect-timeout fail when the connections
succeeded. Thanks to Bruno De Fraine for reporting this bug.
option end-close "did not apply" to addresses PTY, SOCKET-CONNECT,
and most UNIX-* and ABSTRACT-*
half close of EXEC and SYSTEM addresses did not work for pipes and
sometimes socketpair
help displayed for some option a wrong type
under some circumstances shutdown was called multiple times for the
same fd
|
|
|
|
major change.
Reported by Robert Elz in PR 41345.
|
|
"unsigned long long".
|
|
2008/10/15: socat version 1.7.0.0 brings support for SCTP stream, raw
interface, and generic sockets. New option escape allows to interrupt raw
terminal connections. Listening and receiving sockets can set a couple of
environment variables. Added base control of System V STREAMS. Lots of
corrections were performed. socat compiles on Mac OS X again.
Patch from Leonardo Taccari
|
|
|
|
compiler warnings.
|
|
|
|
on packages that are affected by the switch from the openssl 0.9.7
branch to the 0.9.8 branch. ok jlam@
|
|
Patch from Yakovetsky Vladimir in PR# 37088
|
|
Some new features/corrections include:
* new addresses IP-DATAGRAM and UDP-DATAGRAM allow versatile broadcast
and multicast modes
* range option supports form address:mask with IPv4
* changed behaviour of SSL-LISTEN to require and verify client
certificate per default
* filan (and socat -D) could hang when a socket was involved
See: http://www.dest-unreach.org/socat/doc/CHANGES for all the details
|
|
new features:
new datagram modes for udp, rawip, unix domain sockets
socat option -T specifies inactivity timeout
rewrote lexical analysis to allow nested socat calls
addresses tcp, udp, tcp-l, udp-l, and rawip now support IPv4 and IPv6
socat options -4, -6 and environment variables SOCAT_DEFAULT_LISTEN_IP,
SOCAT_PREFERRED_RESOLVE_IP for control of protocol selection
addresses ssl, ssl-l, socks, proxy now support IPv4 and IPv6
option protocol-family (pf), esp. for openssl-listen
range option supports IPv6 - syntax: range=[::1/128]
option ipv6-v6only (ipv6only)
new tcp-wrappers options allow-table, deny-table, tcpwrap-etc
FIPS version of OpenSSL can be integrated - initial patch provided by
David Acker. See README.FIPS
support for resolver options res-debug, aaonly, usevc, primary, igntc,
recurse, defnames, stayopen, dnsrch
options for file attributes on advanced filesystems (ext2, ext3,
reiser): secrm, unrm, compr, ext2-sync, immutable, ext2-append, nodump,
ext2-noatime, journal-data etc.
option cool-write controls severeness of write failure (EPIPE, ECONNRESET)
option o-noatime
socat option -lh for hostname in log output
traffic dumping provides packet headers
configure.in became part of distribution
socats unpack directory now has full version, e.g. socat-1.5.0.0/
corrected docu of option verify
corrections:
fixed tcpwrappers integration - initial fix provided by Rudolf Cejka
exec with pipes,stderr produced error
setuid-early was ignored with many address types
some minor corrections
|
|
> ####################### V 1.4.3.1:
>
> corrections:
> PROBLEM: UNIX socket listen accepted only one (or a few) connections.
> FIX: do not remove listening UNIX socket in child process
>
> PROBLEM: SIGSEGV when TCP part of SSL connect failed
> FIX: check ssl pointer before calling SSH_shutdown
>
> In debug mode, show connect client port even when connect fails
>
> ####################### V 1.4.3.0:
>
> new features:
> socat options -L, -W for application level locking
>
> options "lockfile", "waitlock" for address level locking
> (Stefan Luethje)
>
> option "readbytes" limits read length (Adam Osuchowski)
>
> option "retry" for unix-connect, unix-listen, tcp6-listen (Dale Dude)
> socat options -L, -W for application level locking
>
> options "lockfile", "waitlock" for address level locking
> (Stefan Luethje)
>
> option "readbytes" limits read length (Adam Osuchowski)
>
> option "retry" for unix-connect, unix-listen, tcp6-listen (Dale Dude)
>
> pty symlink, unix listen socket, and named pipe are per default removed
> after use; option unlink-close overrides this new behaviour and also
> controls removal of other socat generated files (Stefan Luethje)
>
> corrections:
> option "retry" did not work with tcp-listen
>
> EPIPE condition could result in a 100% CPU loop
>
> further changes:
> support systems without SHUT_RD etc.
> handle more size_t types
> try to find makedepend options with gcc 3 (richard/OpenMacNews)
|
|
|
|
new features:
option "connect-timeout" limits wait time for connect operations
(requested by Giulio Orsero)
option "dhparam" for explicit Diffie-Hellman parameter file
corrections:
support for OpenSSL DSA certificates (Miika Komu)
create install directories before copying files (Miika Komu)
when exiting on signal, return status 128+signum instead of 1
on EPIPE and ECONNRESET, only issue a warning (Santiago Garcia
Mantinan)
-lu could cause a core dump on long messages
further changes:
modifications to simplify using socats features in application
|
|
new features:
option "wait-slave" blocks open of pty master side until a client
connects, "pty-intervall" controls polling
option -h as synonym to -? for help (contributed by Christian Lademann)
filan prints formatted time stamps and rdev (disable with -r)
redirect filan's output, so stdout is not affected (contributed by Luigi Iotti)
filan option -L to follow symbolic links
filan shows termios control characters
corrections:
proxy address no longer performs unsolicited retries
filan -f no longer needs read permission to analyze a file (but still
needs access permission to directory, of course)
porting:
Option dsusp
FreeBSD options noopt, nopush, md5sig
OpenBSD options sack-disable, signature-enable
HP-UX, Solaris options abort-threshold, conn-abort-threshold
HP-UX options b900, b3600, b7200
Tru64/OSF1 options keepinit, paws, sackena, tsoptena
further corrections:
address pty now uses ptmx as default if openpty is also available
|
|
- Security fix for: http://www.dest-unreach.org/socat/advisory/socat-adv-1.html
|
|
in the process. (More information on tech-pkg.)
Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.
Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
|
|
- Change to my NetBSD email address
####################### V 1.4.0.2:
corrections:
exec'd write-only addresses get a chance to flush before being killed
error handler: print notice on error-exit
filan printed wrong file type information
####################### V 1.4.0.1:
corrections:
socks4a constructed invalid header. Problem found, reported, and fixed
by Thomas Themel, by Peter Palfrader, and by rik
with nofork, don't forget to apply some process related options
(chroot, setsid, setpgid, ...)
####################### V 1.4.0.0:
new features:
simple openssl server (ssl-l), experimental openssl trust
new options "cafile", "capath", "key", "cert", "egd", and "pseudo" for
openssl
new options "retry", "forever", and "intervall"
option "fork" for address TCP improves `gender changer´
options "sigint", "sigquit", and "sighup" control passing of signals to
sub process (thanks to David Shea who contributed to this issue)
readline takes respect to the prompt issued by the peer address
options "prompt" and "noprompt" allow to override readline's new
default behaviour
readline supports invisible password with option "noecho"
socat option -lp allows to set hostname in log output
socat option -lu turns on microsecond resolution in log output
corrections:
before reading available data, check if writing on other channel is
possible
tcp6, udp6: support hostname specification (not only IP address), and
map IP4 names to IP6 addresses
openssl client checks server certificate per default
support unidirectional communication with exec/system subprocess
try to restore original terminal settings when terminating
test.sh uses tmp dir /tmp/$USER/$$ instead of /tmp/$$
socks4 failed on platforms where long does not have 32 bits
(thanks to Peter Palfrader and Thomas Seyrat)
hstrerror substitute wrote wrong messages (HP-UX, Solaris)
proxy error message was truncated when answer contained multiple spaces
porting:
compiles with AIX xlc, HP-UX cc, Tru64 cc (but might not link)
|
|
Buildlink files: RECOMMENDED version changed to current version.
|
|
and slightly modified by me.
socat is a relay for bidirectional data transfer between two
independent data channels. Each of these data channels may be a file,
pipe, device (serial line etc. or a pseudo terminal), a socket (UNIX,
IP4, IP6 - raw, UDP, TCP), an SSL socket, proxy CONNECT connection, a
file descriptor (stdin etc.), the GNU line editor, a program, or a
combination of two of these. These modes include generation of
"listening" sockets, pipes and pseudo terminals.
|
