are replaced with .include "../../devel/readline/buildlink3.mk", and
USE_GNU_READLINE are removed,
* .include "../../devel/readline/buildlink3.mk" without USE_GNU_READLINE
are replaced with .include "../../mk/readline.buildlink3.mk".
Security update:
"A heap based buffer overflow vulnerability has been found with data that happens to be output on the READLINE address." (CVE-2012-0219)
Tested according to the official advisory at http://www.dest-unreach.org/socat/contrib/socat-secadv3.html
XXX pull-up to 2013Q1
Changelog:
security:
fixed a stack overflow vulnerability that occurred when command
line arguments (whole addresses, host names, file names) were longer
than 512 bytes.
Note that this could only be exploited when an attacker was able to
inject data into socat's command line.
Full credits to Felix Grobert, Google Security Team, for finding and
reporting this issue
Changelog:
corrections:
user-late and group-late, when applied to a pty, affected the system
device /dev/ptmx instead of the pty (thanks to Matthew Cloke for
pointing me to this bug)
socats openssl addresses failed with "nonblocking operation did not
complete" when the peer performed a renegotiation. Thanks to Benjamin
Delpy for reporting this bug.
info message during socks connect showed bad port number on little
endian systems due to wrong byte order (thanks to Peter M. Galbavy for
bug report and patch)
Debian bug 531078: socat execs children with SIGCHLD ignored; corrected
to default. Thanks to Martin Dorey for reporting this bug.
porting:
building socat on systems that predefined the CFLAGS environment to
contain -Wall failed (esp.RedHat). Thanks to Paul Wouters for reporting
this problem and to Simon Matter for providing the patch
support for Solaris 8 and Sun Studio support (thanks to Sebastian
Kayser for providing the patches)
on some 64bit systems a compiler warning "cast from pointer to integer
of different size" was issued on some option definitions
added struct sockaddr_ll to union sockaddr_union to avoid "strict
aliasing" warnings (problem reported by Paul Wouters)
docu:
minor corrections in docu
ChangeLog:
V 1.7.1.1:
corrections:
corrected the "fixed possible SIGSEGV" fix because SIGSEGV still might
occur under those conditions. Thanks to Toni Mattila for first
reporting this problem.
ftruncate64 cut its argument to 32 bits on systems with 32 bit long type
socat crashed on systems without setenv() (esp. SunOS up to Solaris 9);
thanks to Todd Stansell for reporting this bug
with unidirectional EXEC and SYSTEM a close() operation was performed
on a random number which could result in hanging e.a.
fixed a compile problem caused by size_t/socklen_t mismatch on 64bit
systems
docu mentioned option so-bindtodev but correct name is so-bindtodevice.
Thanks to Jim Zimmerman for reporting.
docu changes:
added environment variables example to doc/socat-multicast.html
V 1.7.1.0:
new features:
address options shut-none, shut-down, and shut-close allow to control
socat's half close behaviour
with address option shut-null socat sends an empty packet to the peer
to indicate EOF
option null-eof changes the behaviour of sockets that receive an empty
packet to see EOF instead of ignoring it
introduced option names substuser-early and su-e, currently equivalent
to option substuser (thanks to Mike Perry for providing the patch)
corrections:
fixed some typos and improved some comments
V 1.7.0.1:
corrections:
fixed possible SIGSEGV in listening addresses when a new connection was
reset by peer before the socket addresses could be retrieved. Thanks to
Mike Perry for sending a patch.
fixed a bug, introduced with version 1.7.0.0, that let client
connections with option connect-timeout fail when the connections
succeeded. Thanks to Bruno De Fraine for reporting this bug.
option end-close "did not apply" to addresses PTY, SOCKET-CONNECT,
and most UNIX-* and ABSTRACT-*
half close of EXEC and SYSTEM addresses did not work for pipes and
sometimes socketpair
help displayed for some option a wrong type
under some circumstances shutdown was called multiple times for the
same fd
2008/10/15: socat version 1.7.0.0 brings support for SCTP stream, raw
interface, and generic sockets. New option escape allows to interrupt raw
terminal connections. Listening and receiving sockets can set a couple of
environment variables. Added base control of System V STREAMS. Lots of
corrections were performed. socat compiles on Mac OS X again.
Patch from Leonardo Taccari
Some new features/corrections include:
* new addresses IP-DATAGRAM and UDP-DATAGRAM allow versatile broadcast
and multicast modes
* range option supports form address:mask with IPv4
* changed behaviour of SSL-LISTEN to require and verify client
certificate per default
* filan (and socat -D) could hang when a socket was involved
See: http://www.dest-unreach.org/socat/doc/CHANGES for all the details
new features:
new datagram modes for udp, rawip, unix domain sockets
socat option -T specifies inactivity timeout
rewrote lexical analysis to allow nested socat calls
addresses tcp, udp, tcp-l, udp-l, and rawip now support IPv4 and IPv6
socat options -4, -6 and environment variables SOCAT_DEFAULT_LISTEN_IP,
SOCAT_PREFERRED_RESOLVE_IP for control of protocol selection
addresses ssl, ssl-l, socks, proxy now support IPv4 and IPv6
option protocol-family (pf), esp. for openssl-listen
range option supports IPv6 - syntax: range=[::1/128]
option ipv6-v6only (ipv6only)
new tcp-wrappers options allow-table, deny-table, tcpwrap-etc
FIPS version of OpenSSL can be integrated - initial patch provided by
David Acker. See README.FIPS
support for resolver options res-debug, aaonly, usevc, primary, igntc,
recurse, defnames, stayopen, dnsrch
options for file attributes on advanced filesystems (ext2, ext3,
reiser): secrm, unrm, compr, ext2-sync, immutable, ext2-append, nodump,
ext2-noatime, journal-data etc.
option cool-write controls severeness of write failure (EPIPE, ECONNRESET)
option o-noatime
socat option -lh for hostname in log output
traffic dumping provides packet headers
configure.in became part of distribution
socats unpack directory now has full version, e.g. socat-1.5.0.0/
corrected docu of option verify
corrections:
fixed tcpwrappers integration - initial fix provided by Rudolf Cejka
exec with pipes,stderr produced error
setuid-early was ignored with many address types
some minor corrections
> ####################### V 1.4.3.1:
>
> corrections:
> PROBLEM: UNIX socket listen accepted only one (or a few) connections.
> FIX: do not remove listening UNIX socket in child process
>
> PROBLEM: SIGSEGV when TCP part of SSL connect failed
> FIX: check ssl pointer before calling SSH_shutdown
>
> In debug mode, show connect client port even when connect fails
>
> ####################### V 1.4.3.0:
>
> new features:
> socat options -L, -W for application level locking
>
> options "lockfile", "waitlock" for address level locking
> (Stefan Luethje)
>
> option "readbytes" limits read length (Adam Osuchowski)
>
> option "retry" for unix-connect, unix-listen, tcp6-listen (Dale Dude)
> socat options -L, -W for application level locking
>
> options "lockfile", "waitlock" for address level locking
> (Stefan Luethje)
>
> option "readbytes" limits read length (Adam Osuchowski)
>
> option "retry" for unix-connect, unix-listen, tcp6-listen (Dale Dude)
>
> pty symlink, unix listen socket, and named pipe are per default removed
> after use; option unlink-close overrides this new behaviour and also
> controls removal of other socat generated files (Stefan Luethje)
>
> corrections:
> option "retry" did not work with tcp-listen
>
> EPIPE condition could result in a 100% CPU loop
>
> further changes:
> support systems without SHUT_RD etc.
> handle more size_t types
> try to find makedepend options with gcc 3 (richard/OpenMacNews)
new features:
option "connect-timeout" limits wait time for connect operations
(requested by Giulio Orsero)
option "dhparam" for explicit Diffie-Hellman parameter file
corrections:
support for OpenSSL DSA certificates (Miika Komu)
create install directories before copying files (Miika Komu)
when exiting on signal, return status 128+signum instead of 1
on EPIPE and ECONNRESET, only issue a warning (Santiago Garcia
Mantinan)
-lu could cause a core dump on long messages
further changes:
modifications to simplify using socats features in application
new features:
option "wait-slave" blocks open of pty master side until a client
connects, "pty-intervall" controls polling
option -h as synonym to -? for help (contributed by Christian Lademann)
filan prints formatted time stamps and rdev (disable with -r)
redirect filan's output, so stdout is not affected (contributed by Luigi Iotti)
filan option -L to follow symbolic links
filan shows termios control characters
corrections:
proxy address no longer performs unsolicited retries
filan -f no longer needs read permission to analyze a file (but still
needs access permission to directory, of course)
porting:
Option dsusp
FreeBSD options noopt, nopush, md5sig
OpenBSD options sack-disable, signature-enable
HP-UX, Solaris options abort-threshold, conn-abort-threshold
HP-UX options b900, b3600, b7200
Tru64/OSF1 options keepinit, paws, sackena, tsoptena
further corrections:
address pty now uses ptmx as default if openpty is also available
in the process. (More information on tech-pkg.)
Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.
Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
- Change to my NetBSD email address
####################### V 1.4.0.2:
corrections:
exec'd write-only addresses get a chance to flush before being killed
error handler: print notice on error-exit
filan printed wrong file type information
####################### V 1.4.0.1:
corrections:
socks4a constructed invalid header. Problem found, reported, and fixed
by Thomas Themel, by Peter Palfrader, and by rik
with nofork, don't forget to apply some process related options
(chroot, setsid, setpgid, ...)
####################### V 1.4.0.0:
new features:
simple openssl server (ssl-l), experimental openssl trust
new options "cafile", "capath", "key", "cert", "egd", and "pseudo" for
openssl
new options "retry", "forever", and "intervall"
option "fork" for address TCP improves `gender changer´
options "sigint", "sigquit", and "sighup" control passing of signals to
sub process (thanks to David Shea who contributed to this issue)
readline takes respect to the prompt issued by the peer address
options "prompt" and "noprompt" allow to override readline's new
default behaviour
readline supports invisible password with option "noecho"
socat option -lp allows to set hostname in log output
socat option -lu turns on microsecond resolution in log output
corrections:
before reading available data, check if writing on other channel is
possible
tcp6, udp6: support hostname specification (not only IP address), and
map IP4 names to IP6 addresses
openssl client checks server certificate per default
support unidirectional communication with exec/system subprocess
try to restore original terminal settings when terminating
test.sh uses tmp dir /tmp/$USER/$$ instead of /tmp/$$
socks4 failed on platforms where long does not have 32 bits
(thanks to Peter Palfrader and Thomas Seyrat)
hstrerror substitute wrote wrong messages (HP-UX, Solaris)
proxy error message was truncated when answer contained multiple spaces
porting:
compiles with AIX xlc, HP-UX cc, Tru64 cc (but might not link)
and slightly modified by me.
socat is a relay for bidirectional data transfer between two
independent data channels. Each of these data channels may be a file,
pipe, device (serial line etc. or a pseudo terminal), a socket (UNIX,
IP4, IP6 - raw, UDP, TCP), an SSL socket, proxy CONNECT connection, a
file descriptor (stdin etc.), the GNU line editor, a program, or a
combination of two of these. These modes include generation of
"listening" sockets, pipes and pseudo terminals.
