####################### V 1.7.4.3:

Corrections:
	Socat crashed with SIGSEGV when peer presented a certificate without
	(or empty?) subject.
	Thanks to Martin Dorey for reporting this issue and sending a patch.

	Socat 1.7.4.2 did not compile on OmniOS (and probably other OpenSolaris
	distributions)
	Thanks to Andy Fiddaman for sending a patch.

	Socat since 1.7.4.0 did not compile on Solaris and its derivatives
	because the getprotobynumber_r() function prototype differs from the
	Linux version.
	configure now checks for the variant.
	Thanks to Robert Zybeck for reporting this issue.

	The variable for the no-sni option was not initialized and could thus
	break OpenSSL certificate verification. E.g., test OPENSSL_SNI on some
	platform succeeded with -g but failed with -O compiler option.
	Thanks to valgrind for quickly finding the cause.

Porting:
	Again porting Socat to AIX (7.1) - Fixed configure and compile issues:
	Adapted include requirements for IPv6
	Guarded MSG_DONTWAIT

	Continued porting Socat to AIX-7.1 - Fixed some runtime errors:
	UNIX domain sockets of type SEQPACKET are not available.
	Connecting to UNIX datagram socket fails with EPROTONOSUPPORT (vs.
	EPROTOTYPE on most other OSes).
	Streams: Must not push ldterm when it is already active (hangs).

Building:
	Socat's build date and time may now be set externally with environment
	variable SOURCE_DATE_EPOCH.
	Thanks to Viktor Kleinik for sending a patch.

	Building Socat in a sub directory failed.
	Now the following works even for the docu parts:
	mkdir -p myos; cd myos; ../configure && make; cd ..
	Thanks to Jon Ringle for sending a patch.

Testing:
	test.sh: many corrections for AIX's older shell utilities, e.g. sleep(1)
	does not allow fractions of seconds, grep does not understand '\<';
	OpenIndiana/SunOS netstat format;
	many more functional and cosmetic code corrections.

Documentation:
	The socktype option was documented unspecifically as type option.
	Thanks to Jonas Metzger for the hint.

####################### V 1.7.4.2:

Corrections:
	The per address parameters for OpenSSL overlapped in memory with socket
	parameters. Magically this did not seem to cause problems except on
	MacOS Catalina that reported errors like:
	socat[3458] E Select(7, &0x80, NULL, NULL, {140392884396544.000000}):
	Invalid argument
	Test: OPENSSL_PARA_OVERLAP
	Thanks to Ryo Ota for reporting this bug.

	Fixed a few minor coding issues

	A VSOCK warning message was generated with all listening addresses
	instead of only with VSOCK-LISTEN

	When an OPENSSL-CONNECT client presented a certificate with IPv6
	subject alternate name and the OPENSSL-LISTEN server had no commonname
	option, the server crashed with SIGSEGV in xioip6_pton().
	Test: OPENSSL_CLIENT_IP6_CN
	Red Hat bug 1981308
	Thanks to Vlad Slepukhin for reporting this issue and providing a patch

	Corrected a typo in configure.ac that broke option --enable-openssl-base
	Thanks to john1doe for reporting this issue.

	Socat looped endlessly, not responding to SIGTERM, when a service name
	(for port) could not be resolved.
	Test: BAD_SERVICE

	Using options of NAMED group, e.g. chown, with abstract UNIX domain
	sockets, produced errors because the function was applied with a normal
	file system related call, e.g. chown(), using file "" (empty name).
	Instead of chown(), Socat now uses fchown() on the file descriptor.
	However, such a call usually has no real effect.
	Test: ABSTRACT_USER
	Thanks to Andreas Fink for reporting this issue.

	Option -R did not only dump ("sniff") right-to-left, but also
	left-to-right traffic to the given file.
	Test: SNIFF_RIGHT_TO_LEFT
	Thanks to 1314 gsf for reporting this bug and sending a patch.

	Options -r and -R, when opening a named pipe that has no actual reader,
	failed with "No such device or address". To solve this problem, Socat
	now opens the pipe in rw-Mode.
	Thanks to Cody J.Soultz for sending a patch.

	The call "socat -r - PIPE" traced to file ./- instead of issuing a
	syntax error.

	Print a message when readbytes option causes EOF

	The ip-recverr option had no effect. Corrected and improved its
	handling of ancillary messages, so it is able to analyze ICMP error
	packets (Linux only?)

	Setgid(), Setuid() calls in xio-progcall.c were useless.

Testing:
	Prevent the TIMESTAMP tests from sporadically failing due to seconds
	overflow

	Fixed in test.sh a few issues reported by shellcheck

Documentation:
	Added missing docu of OpenSSL options min-proto-version,
	max-proto-version.

	Added missing closing parenthesis in socat.yo.
	Thanks to Emanuele Torre for reporting this issue.

	Corrected more typos and added missing bug info to CHANGES, performed
	some non functional corrections.

Porting:
	Corrected building when clock_gettime() not available, with or without
	gettimeofday().

####################### V 1.7.4.1:

Corrections:
	Socat 1.7.4.0 failed to compile especially on 32 bit systems.
	Thanks to Wang Mingyu and others for sending a patch or reporting this
	issue.

	Under certain conditions OpenSSL stream connections, in particular bulk
	data transfer in unidirectional mode, failed during transfer or near
	its end with "Connection reset by peer" on the receiver side.
	This happened with Socat versions 1.7.3.3 to 1.7.4.0. Reasons were
	lazy SSL shutdown handling on the sender side in combination with
	SSL_MODE_AUTO_RETRY turned off.
	Fix: After SSL_shutdown but before socket shutdown call SSL_read()
	Test: OPENSSL_STREAM_TO_SERVER
	Fixes Red Hat issue 1870279.

####################### V 1.7.4.0:

Security:
	Buffer size option (-b) is internally doubled for CR-CRLF conversion,
	but not checked for integer overflow. This could lead to heap based
	buffer overflow, assuming the attacker could provide this parameter.
	Test: BLKSIZE_INT_OVERFL
	Thanks to Lê Hiếu Bùi for reporting this issue and sending an
	example exploit.
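
	The following is an added example, not Socat source code: it shows how
	doubling a -b style size wraps around and how a bounds check prevents
	the undersized allocation. The function names and the extra "+1" byte
	are assumptions made for illustration.

```c
/* Added example, not Socat source code. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: parse a "-b <size>" argument.
 * Returns 0 and stores the value, or -1 for malformed, zero or
 * out-of-range input (a leading sign or whitespace is rejected too). */
int parse_blocksize(const char *arg, size_t *bufsiz)
{
    char *end;
    unsigned long long v;

    if (arg == NULL || !isdigit((unsigned char)arg[0]))
        return -1;
    errno = 0;
    v = strtoull(arg, &end, 0);
    if (errno == ERANGE || *end != '\0' || v == 0 || v > SIZE_MAX)
        return -1;
    *bufsiz = (size_t)v;
    return 0;
}

/* Unchecked form, as the entry describes the defect: for large values
 * the doubling wraps around, so the result is far smaller than the
 * amount of data that will later be written into the buffer. */
size_t alloc_size_unchecked(size_t bufsiz)
{
    return 2 * bufsiz + 1;
}

/* Checked form: refuse any size whose doubled value (plus one byte,
 * an assumption of this example) does not fit into size_t. */
int alloc_size_checked(size_t bufsiz, size_t *out)
{
    if (bufsiz > (SIZE_MAX - 1) / 2)
        return -1;
    *out = 2 * bufsiz + 1;
    return 0;
}

/* CR-CRLF style expansion: every LF becomes CR LF, so the output can be
 * up to twice the input. out must hold at least 2*n bytes.
 * Returns the number of bytes written. */
size_t lf_to_crlf(const unsigned char *in, size_t n, unsigned char *out)
{
    size_t i, o = 0;

    for (i = 0; i < n; ++i) {
        if (in[i] == '\n')
            out[o++] = '\r';
        out[o++] = in[i];
    }
    return o;
}

/* Parse the argument and allocate the conversion buffer, or return NULL
 * when the argument is malformed or the doubled size would overflow. */
unsigned char *new_transfer_buffer(const char *arg, size_t *bufsiz)
{
    size_t total;

    if (parse_blocksize(arg, bufsiz) != 0 ||
        alloc_size_checked(*bufsiz, &total) != 0)
        return NULL;
    return malloc(total);
}

int main(void)
{
    size_t big = SIZE_MAX / 2 + 1;   /* constructed worst-case input */
    size_t bufsiz;
    unsigned char *buf;

    printf("unchecked size for %zu: %zu\n", big, alloc_size_unchecked(big));
    buf = new_transfer_buffer("8192", &bufsiz);
    printf("8192 accepted: %s\n", buf != NULL ? "yes" : "no");
    free(buf);
    return 0;
}
```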

Corrections:
	Socat's address parser read over end of string when there were unbalanced
	quotes
	Test: UNBALANCED_QUOTE

	Removed unused usleep() call from sycls.c

	Unsetenv() was conditional in sysutils.c but not in xio-openssl.c thus
	building failed on Solaris 9.
	Thanks to Greg Earle for reporting this issue and providing a patch.

	Mitigated race condition of quickly terminating SYSTEM or EXEC child
	processes.

	Option o-direct might require alignment of read/write buffer to, e.g.,
	512 bytes, Socat now takes care of this when allocating the buffer.
	With this fix read() succeeds, however, write() still might fail when
	not writing complete pages.
	Test: O_DIRECT

	There was a race condition in the way Socat UDP-RECVFROM and similar
	addresses with option fork prevents one packet from triggering
	multiple processes. The symptom was that Socat master process seemed to
	hang and did not process further packets. The fix makes use of
	pselect() system call.
	Thanks to Fulvio Scapin for reporting this issue.

	UNIX domain client addresses applied file system entry options (group
	NAMED) to the server socket instead of the client (bind) socket entry.
	Tests: UNIX_SENDTO_UNLINK UNIX_CONNECT_UNLINK
	Thanks to Nico Williams for reporting this major issue.

	Length of single address options was limited to 511 bytes. This value
	is now increased to 2047 bytes.
	Change suggested by Mario Camou.

	Addresses of type RECVFROM with option fork looped with an error
	message in case that the second address failed before consuming the
	packet. The fix makes RECVFROM drop the packet when the second address
	failed before reading it. Use retry or forever option with the second
	address if you want to avoid data loss.
	Fixes Red Hat bug 1907718
	Thanks to Chunmei Xu for reporting this issue and providing the patch.

	Socat's DTLS implementation has been reworked and appears to work now
	reasonably over UDP.
	New addresses: OPENSSL-DTLS-SERVER (DTLS-L),
		OPENSSL-DTLS-CLIENT (DTLS)
	Tests: OPENSSL_DTLS_CLIENT OPENSSL_DTLS_SERVER
		OPENSSL_METHOD_DTLS1 OPENSSL_METHOD_DTLS1.2
	Thanks to Brandon Carpenter, Qing Wan, and Pavel Nakonechnyi for
	sending patches.

	filan did not output the socket protocol.
	filan -s assumed each stream socket to be TCP and each datagram socket
	to be UDP. Now it uses SO_PROTOCOL and getprotoent() for correct output.

	Help text showed two parameters for UDP4-RECVFROM address, but only
	<port> is allowed.
	Thanks to John the Scott for reporting this issue.

	Error messages from SSL_read() and SSL_write() sometimes stated
	SSL_connect instead of originating function name.

	Fixed some more non functional minor issues.

Porting:
	In gcc version 10 the default changed from -fcommon to -fno-common.
	Consequently, linking filan and procan failed with error
	"multiple definition of `deny_severity'" and `allow_severity'
	Fixed by removing definitions in filan.c and procan.c
	Debian issue 957823
	Thanks to László Böszörményi and others for reporting this issue.

	Solaris 9 does not provide strndup(); added substitute code.
	Thanks to Greg Earle for providing a patch.

	Added configure option --enable-openssl-base to specify the location of
	a non-OS OpenSSL installation

	There are systems whose kernel understands SCTP but getaddrinfo does
	not. As workaround after EAI_SOCKTYPE on name and service resolution
	fall back to ai_socktype=0; if it fails with EAI_SERVICE, set
	ai_protocol=0 and try again
	Test: SCTP_SERVICENAME

	Per file filesystem options were still named ext2-* and depended on
	<linux/ext2_fs.h>. Now they are called fs-* and depend on <linux/fs.h>.
	These fs-* options are also available on old systems with ext2_fs.h

	New options openssl-min-proto-version (min-version) and
	openssl-max-proto-version (max-version) give access to the related
	OpenSSL set-macros and substitute deprecated version-specific methods.
	Test: OPENSSL_MIN_VERSION

	With OpenSSL use OPENSSL_init_SSL when available, instead of deprecated
	SSL_library_init.

	With OPENSSL_API_COMPAT=0x10000000L the files openssl/dh.h, openssl/bn.h
	must explicitly be included.
	Thanks to Rosen Penev for reporting and sending a patch.

Testing:
	test.sh now produces a list of tests that could not be performed for
	any reason. This helps to analyse these cases.

	OpenSSL s_server apparently started to neglect TCP's half close feature.
	Test OPENSSL_TCP4 has been changed to tolerate this.

	OpenSSL changed its behaviour when connection is rejected. Tests
	OPENSSLCERTSERVER, OPENSSL_CN_CLIENT_SECURITY, and
	OPENSSL_CN_SERVER_SECURITY now tolerate this.

	OpenSSL no longer allows explicit renegotiation with TLSv1.3, thus the
	appropriate tests failed.
	Fix: use TLSv1.2 for renegotiation tests
	Tests: OPENSSLRENEG1 OPENSSLRENEG2

	Ubuntu 20.04 requires 2048 bit certificates with OpenSSL

	Archlinux 2020 has no which command; its ip, ss commands have modified
	version strings

	More testing issues solved:
	* ss to pipe might omit column separator
	* UDP6MULTICAST_UNIDIR fails on newer Linux kernels
	* do not use sort -V
	* renamed testaddrs() to testfeats(), and introduced new testaddrs()

New features:
	GOPEN and UNIX-CLIENT addresses now support sockets of type SEQPACKET.
	Test: GOPENUNIXSEQPACKET
	Feature suggested by vi0oss.

	The generic setsockopt-int and related options are, in case of
	listening/accepting addresses, applied to the connected socket(s). To enable
	setting options on the listening socket, a new option setsockopt-listen
	has been implemented. See the documentation for info on data types.
	Tests: SETSOCKOPT SETSOCKOPT_LISTEN
	Thanks to Steven Danna and Korian Edeline for reporting this issue.

	Filan option -S gives short description like -s but with improved
	format

	Socat OpenSSL client, when server was specified using IP address, did
	not verify connection on certificate's SubjectAltName IP entries.
	Tests: OPENSSL_SERVERALTAUTH OPENSSL_SERVERALTIP4AUTH OPENSSL_SERVERALTIP6AUTH
	Fixes Red Hat bug 1805132

	Added options -r and -R for raw dump of transferred data to files.
	Test: OPTION_RAW_DUMP

	Added option ip-transparent (socket option IP_TRANSPARENT)
	Thanks to Wang Shanker for sending a patch.

	OPENSSL-CONNECT now automatically uses the SNI feature, option
	openssl-no-sni turns it off. Option openssl-snihost overrides the value
	of option openssl-commonname or the server name.
	Tests: OPENSSL_SNI OPENSSL_NO_SNI
	Thanks to Travis Burtrum for providing the initial patch

	New option accept-timeout (listen-timeout)
	Test: ACCEPTTIMEOUT
	Proposed by Roland

	New option ip-add-source-membership
	Feature inspired by Brian (b f31415)

	INCOMPATIBLE CHANGE: Address UDP-DATAGRAM now does not check peerport
	of replies, as it did up to version 1.7.3.4. Use option sourceport when
	you need the old behaviour.
	Test: UDP_DATAGRAM_SOURCEPORT
	Feature inspired by Hans Bueckler for SSDP inquiry (for UPnP)

	New option proxy-authorization-file reads PROXY-CONNECT credentials
	from file and makes it possible to hide this data from the process
	table.
	Test: PROXYAUTHFILE
	Thanks to Charles Stephens for sending an initial patch.

	Added AF_VSOCK support with VSOCK-CONNECT and VSOCK-LISTEN addresses.
	Developed by Stefano Garzarella.

Coding:
	Added printf formats for uint16_t etc.

Documentation:
	Address UDP-RECV does not support option fork.
	Thanks to Fulvio Scapin for reporting that mistake in docu.

	TUN address documentation showed TCP for backend which may merge
	consecutive packets which causes data loss.
	Thanks to Tomasz Lakota for reporting this issue.

####################### V 1.7.3.4:

Corrections:
	Header of xiotermios_speed() declared parameter unsigned int instead of
	speed_t, thus compiling failed on MacOS
	Thanks to Joe Strout and others for reporting this bug.
	Thanks to Andrew Childs and others for sending a patch.

	Under certain circumstances, termios options of the first address were
	applied to the second address, resulting in error
	"Inappropriate ioctl for device" 
	This affected version 1.7.3.3 only.
	Test: TERMIOS_PH_ALL
	Thanks to Ivan J. for reporting this issue.

	Socat failed to compile when no poll() system call was found by
	configure.
	Thanks to Jason White for sending a patch.

	Due to use of SSL_CTX_clear_mode() Socat failed to compile on old
	systems with, e.g., OpenSSL-0.9.8. Thanks to Simon Matter and Moritz B.
	for reporting this problem and sending initial patches.

	getaddrinfo() in IP4-SENDTO and IP6-SENDTO addresses failed with
	"ai_socktype not supported" when protocol 6 was addressed.
	The fix removes the possibility to use service names with SCTP.
	Test: IP_SENDTO_6
	Thanks to Sören for sending an initial patch.

	Under certain circumstances, Socat printed the "socket ... is at EOF"
	multiple times.
	Test: MULTIPLE_EOF

	Newer parts of test.sh used substitutions ${x,,*} or ${x^^*} that are
	not implemented in older bash versions.

####################### V 1.7.3.3:

Corrections:
	Makefile.in did not specify dependencies of filan on vsnprintf_r.o
	and snprinterr.o
	Added definition of FILAN_OBJS
	Thanks to Craig Leres, Clayton Shotwell, and Chris Packham for
	providing patches.

	configure option --enable-msglevel did not work with numbers

	The autoconf mechanism for determining SHIFT_OFFSET did not work when
	cross compiling.
	Thanks to Max Freisinger from Gentoo for sending a patch.

	Socat still depended on obsolete gethostbyname() function, thus
	compiling with MUSL libc failed.
	Problem reported by Kennedy33.

	The async signal safe diagnostic system used FDs 3 and 4 internally, so
	use of appropriate fdin or fdout led to failures.
	Test: DIAG_FDIN
	Problem reported by Onur Sentürk.

	The socket based mechanism for passing messages and signal information
	from signal handler to process could reach and kill the wrong process.
	Introduces functions diag_sock_pair(), diag_fork()
	Thanks to Darren Zhao for analysing and reporting this problem.

	Option ipv6-join-group did not work because it was applied in the wrong
	phase
	Test: UDP6MULTICAST_UNIDIR
	Thanks to Angus Gratton for sending a patch.

	Setting ispeed and ospeed failed for some serial devices because the
	two settings were applied with two different get/set cycles. Thanks to
	Alexandre Fenyo for providing an initial patch.
	However, the actual fix is part of a conceptual change of the termios
	module that aims for applying all changes in a single tcsetattr call.
	Fixes FreeBSD Bug 198441

	Termios options TAB0,TAB1,TAB2,TAB3, and XTABS did not have an effect.
	Thanks to Alan Walters for reporting this bug.

	Substituted cumbersome ISPEED_OFFSET mechanism for cfsetispeed() calls

	With TCP6-LISTEN and the other passive IPv6 addresses the range option
	just failed: due to a bug in the syntax parser and two more bugs in
	the xiocheckrange_ip6() function.
	The syntax has now been changed from "[::1/128]" to "[::1]/128"!
	Thanks Leah Neukirchen for sending an initial fix.
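
	The following is an added example, not Socat's xiocheckrange_ip6()
	code: a parser and matcher for the "[address]/bits" range form named
	above, which rejects the old "[::1/128]" form. The mask is built byte
	by byte, so no shift count can go out of range. All names are
	hypothetical.

```c
/* Added example, not Socat source code. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical container for a parsed IPv6 range. */
struct range6 {
    struct in6_addr net;    /* network address, already masked */
    struct in6_addr mask;   /* prefix mask */
};

/* Build a prefix mask byte by byte. Shift counts stay within 0..7, and
 * the code does not depend on the non-portable s6_addr32 member. */
static void mask6_from_bits(unsigned bits, struct in6_addr *mask)
{
    int i;

    for (i = 0; i < 16; ++i) {
        if (bits >= 8) {
            mask->s6_addr[i] = 0xff;
            bits -= 8;
        } else {
            mask->s6_addr[i] = (unsigned char)(0xff00u >> bits);
            bits = 0;
        }
    }
}

/* Parse "[<ipv6-address>]/<bits>". Returns 0 on success, -1 on any
 * syntax error, including the old "[::1/128]" form. */
int parse_range6(const char *spec, struct range6 *r)
{
    char addr[INET6_ADDRSTRLEN];
    const char *close;
    char *end;
    unsigned long bits;
    size_t len;
    int i;

    if (spec == NULL || spec[0] != '[')
        return -1;
    close = strchr(spec, ']');
    if (close == NULL || close[1] != '/')
        return -1;                       /* "/bits" must follow ']' */
    len = (size_t)(close - spec - 1);
    if (len == 0 || len >= sizeof(addr))
        return -1;                       /* empty or over-long address */
    memcpy(addr, spec + 1, len);
    addr[len] = '\0';
    if (inet_pton(AF_INET6, addr, &r->net) != 1)
        return -1;
    if (close[2] < '0' || close[2] > '9')
        return -1;                       /* no sign, space or empty bits */
    bits = strtoul(close + 2, &end, 10);
    if (*end != '\0' || bits > 128)
        return -1;
    mask6_from_bits((unsigned)bits, &r->mask);
    for (i = 0; i < 16; ++i)
        r->net.s6_addr[i] &= r->mask.s6_addr[i];
    return 0;
}

/* Returns 1 if peer lies inside the range, 0 if not, -1 if peer is not
 * a valid IPv6 address literal. */
int in_range6(const struct range6 *r, const char *peer)
{
    struct in6_addr a;
    int i;

    if (inet_pton(AF_INET6, peer, &a) != 1)
        return -1;
    for (i = 0; i < 16; ++i)
        if ((a.s6_addr[i] & r->mask.s6_addr[i]) != r->net.s6_addr[i])
            return 0;
    return 1;
}

/* Convenience wrapper: -1 on bad range or bad peer, else 0 or 1. */
int check_range6(const char *spec, const char *peer)
{
    struct range6 r;

    if (parse_range6(spec, &r) != 0)
        return -1;
    return in_range6(&r, peer);
}

int main(void)
{
    /* constructed sample values */
    printf("%d\n", check_range6("[2001:db8::]/32", "2001:db8:1::5"));
    printf("%d\n", check_range6("[::1/128]", "::1"));
    return 0;
}
```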

	For name resolution Socat only checked the first character of the host
	name to decide if it is an IPv4 address. This was not RFC conformant. This
	fix removes the possibility for use of IPv4 addresses with IPv6, e.g.
	TCP6:127.0.0.1:80
	Debian issue 695885
	Thanks to Nicolas Fournil for reporting this issue.

	Print a useful error message when single character options appear to be
	merged in Socat invocation
	Test: SOCAT_OPT_HINT

	Fixed some docu typos.
	Thanks to Travis Wellman, Thomas <tjps636>, Dan Kenigsberg,
	Julian Zinn, and Simon Matter

Porting:
	OpenSSL functions TLS1_client_method() and similar are 
	deprecated. Socat now uses recommended TLS_client_method(). The old
	functions and dependent option openssl-method can still be
	used when configuring socat with --enable-openssl-method

	Shell scripts in socat distribution are now headed with:
	#! /usr/bin/env bash
	to make them better portable to systems without /bin/bash
	Thanks to Maya Rashish for sending a patch

	RES_AAONLY, RES_PRIMARY are deprecated. You can still enable them with
	configure option --enable-res-deprecated.

	New versions of OpenSSL preset SSL_MODE_AUTO_RETRY which may hang socat.
	Solution: clear SSL_MODE_AUTO_RETRY when it is set.

	Renamed configure.in to configure.ac and set an appropriate symlink for
	older environments.
	Related Gentoo bug 426262: Warning on configure.in
	Thanks to Francesco Turco for reporting that warning.

	Fixed new IPv6 range code for platforms without s6_addr32 component.

Testing:
	test.sh: Show a warning when phase-1 (insecure phase) of a security
	test fails

	OpenSSL tests failed on actual Linux distributions. Measures:
	Increased key lengths from 768 to 1024 bits
	Added test.sh option -C to delete temp certs from previous runs
	Provide DH-parameter in certificate in PEM
	OpenSSL s_server option -verify 0 must be omitted
	OpenSSL authentication method aNULL no longer works
	Failure of cipher aNULL is not a failure
	Failure of methods SSL3 and SSL23 is desired

	test.sh depended on ifconfig and netstat utilities which are no longer
	available in some distributions. test.sh now checks for and prefers
	ip and ss.
	Thanks to Ruediger Meier for reporting this problem.

	More corrections to test.sh:
	Language settings could still influence test results
	netstat was still required
	Suppress usleep deprecated message
	Force use of IPv4 with some certificates
	Set timeout for UDPxMAXCHILDREN tests

Git:
	Added missing Config/Makefile.DragonFly-2-8-2,
	Config/config.DragonFly-2-8-2.h
	Removed testcert.conf (to be generated by test.sh)

Cosmetics:
	Simplified handling of missing termios defines.

New features:
	Permit combined -d options as -dd etc.

porting:
	ext2 options are now fs options.
	
####################### V 1.7.3.2:

corrections:
	SIGSEGV and other signals could lead to a 100% CPU loop

	Failing name resolution could lead to SIGSEGV
	Thanks to Max for reporting this issue.

	Include <stddef.h> for ptrdiff_t
	Thanks to Jeroen Roovers for reporting this issue.

	Building with --disable-sycls failed due to missing sslcls.h defines

	Socat hung when configured with --disable-sycls.

	Some minor corrections with includes etc.

	Option so-reuseport did not work. Thanks to Some Raghavendra Prabhu
	for sending a patch.

	Programs invoked with EXEC, nofork, and -u or -U had stdin and stdout
	incorrectly assigned
	Test: EXEC_NOFORK_UNIDIR
	Thanks to David Reiss for reporting this problem.

	Socat exited with status 0 even when a program invoked with SYSTEM or
	EXEC failed.
	Tests: SYSTEM_RC EXEC_RC
	Issue reported by Felix Winkelmann.

	AddressSanitizer reported a few buffer overflows (false positives).
	Nevertheless fixed Socat source.
	Issue reported by Hanno Böck.

	Socat did not use option ipv6-join-group.
	Test: USE_IPV6_JOIN_GROUP
	Thanks to Linus Lüssing for sending a patch.

	UDP-LISTEN did not honor the max-children option.
	Test: UDP4MAXCHILDREN UDP6MAXCHILDREN
	Thanks to Leander Berwers for reporting this issue.

	Options so-rcvtimeo and so-sndtimeo do not work with poll()/select()
	and therefore were useless.
	Thanks to Steve Borenstein for reporting this issue.

	Option dhparam was documented as dhparams. Added the alias name
	dhparams to fix this.
	Thanks to Alexander Neumann for sending a patch.

	Options shut-down and shut-close did not work.
	Thanks to Stefan Schimanski for providing a patch.

	There was a bug in printing readline log message caused by a misleading
	indentation.
	Thanks to Paul Wouters for reporting.

	The internal vsnprintf_r function looped or crashed on size parameter
	with hexadecimal output.

	Ignore exit code of child process when it was killed by master due to
	EOF

	Corrected byte order on read of IPV6_TCLASS value from ancillary
	message

	Fixed type of the bool element in options. This bug had caused failures
	e.g. of ignoreeof on big-endian systems when bool was not based on int.

	On systems with predefined bool type whose size differs from int some
	IPv6 and TCP options (per setsockopt()) failed.

	Length of integral data in ancillary messages varies (TOS: 1 byte,
	TTL: 4 bytes), the old implementation failed for TTL on big-endian
	hosts.

	Fixed an issue in options processing: TUN and DNS flags had failed on
	big-endian systems and the NO- forms had probably never worked.

porting:
	Type conflict between int and sig_atomic_t between declaration and
	definition of diag_immediate_type and diag_immediate_exit broke
	compilation on FreeBSD 10.1 with clang. Thanks to Emanuel Haupt for
	reporting this bug.

	Socat failed to compile on platforms with OpenSSL without
	DTLSv1_client_method or DTLSv1_server_method.
	Thanks to Simon Matter for sending a patch.

	NuttX OS headers do not provide struct ip, thus socat did not compile.
	Made struct ip subject to configure.
	Thanks to SP for reporting this issue.

	Socat failed to compile with OpenSSL version 1.0.2d where
	SSLv3_server_method and SSLv3_client_method are no longer defined.
	Thanks to Mischa ter Smitten for reporting this issue and providing
	a patch.

	configure checked for OpenSSL EC_KEY assuming it is a define but it
	is a type, thus OpenSSL ECDHE ciphers failed even on Linux.
	Thanks to Andrey Arapov for reporting this bug.

	Changes to make socat compile with OpenSSL 1.1. 
	Thanks to Sebastian Andrzej Siewior e.a. from the Debian team for
	providing the base patch.
	Debian Bug#828550

	Make Socat compatible with BoringSSL.
	Thanks to Matt Braithwaite for providing a patch.

	OpenSSL: Use RAND_status to determine PRNG state
	Thanks to Adam Langley for providing a patch

	AIX-7 uses an extended O_ACCMODE that does not fit socat's internal
	requirements. Thanks to Garrick Trowsdale for providing a patch

	LibreSSL support: check for OPENSSL_NO_COMP
	Thanks to Bernard Spil for providing a patch

testing:
	socks4echo.sh and socks4a-echo.sh hung with new bash with read -n

	test.sh: stderr; option -v (verbose); FDOUT_ERROR description

	improved proxy.sh - it now also takes hostnames

	A few corrections in test.sh

	DTLS1 test hangs on some distributions. Test is now only performed
	with OpenSSL 1.0.2 or higher.

	More corrections to test.sh that reveal a mistake with IPV6_TCLASS

docu:
	Corrected source of socat man page to correctly show man references
	like socket(2); removed obsolete entries from See Also

	Docu and some comments mentioned addresses SSL-LISTEN and SSL-CONNECT
	that do not exist (OPENSSL-LISTEN, SSL-L; and OPENSSL-CONNECT, SSL
	are correct).
	Thanks to Zhigang Wang for reporting this issue.

	Fixed a couple of English spelling and grammar mistakes.
	Thanks to Jakub Wild for sending the patches.

	NOEXPAND() was not resolved 2 times.

	More minor docu corrections

legal:
	Added contributors to copyright notices. Suggested by Matt Braithwaite.

####################### V 1.7.3.1:

security:
	Socat security advisory 8
	A stack overflow vulnerability was found that can be triggered when
	command line arguments (complete address specifications, host names,
	file names) are longer than 512 bytes.
	Successful exploitation might allow an attacker to execute arbitrary
	code with the privileges of the socat process.
	This vulnerability can only be exploited when an attacker is able to
	inject data into socat's command line.
	A vulnerable scenario would be a CGI script that reads data from clients
	and uses (parts of) this data as hostname for a Socat invocation.
	Test: NESTEDOVFL
	Credits to Takumi Akiyama for finding and reporting this issue.

	Socat security advisory 7
	MSVR-1499
	In the OpenSSL address implementation the hard coded 1024 bit DH p
	parameter was not prime. The effective cryptographic strength of a key
	exchange using these parameters was weaker than what one could get by
	using a prime p. Moreover, since there is no indication of how these
	parameters were chosen, the existence of a trapdoor that makes it possible
	for an eavesdropper to recover the shared secret from a key exchange
	that uses them cannot be ruled out.
	Furthermore, 1024 bit is not considered sufficiently secure.
	Fix: generated a new 2048bit prime.
	Thanks to Santiago Zanella-Beguelin and Microsoft Vulnerability
	Research (MSVR) for finding and reporting this issue.

####################### V 1.7.3.0:

security:
	Socat security advisory 6
	CVE-2015-1379: Possible DoS with fork
	Fixed problems with signal handling caused by use of not async signal
	safe functions in signal handlers that could freeze socat, allowing
	denial of service attacks.
	Many changes in signal handling and the diagnostic messages system were
	applied to make the code async signal safe but still provide detailed
	logging from signal handlers:
	Coded function vsnprintf_r() as async signal safe incomplete substitute
	of libc vsnprintf()
	Coded function snprinterr() to replace %m in strings with a system error
	message
	Instead of gettimeofday() use clock_gettime() when available
	Pass Diagnostic messages from signal handler per unix socket to the main
	program flow
	Use sigaction() instead of signal() for better control
	Turn off nested signal handler invocations
	Thanks to Peter Lobsinger for reporting and explaining this issue.

	Red Hat issue 1019975: add TLS host name checks
	OpenSSL client checks if the server certificate's names in
	extensions/subjectAltName/DNS or in subject/commonName match the name
	used to connect or the value of the openssl-commonname option.
	Test: OPENSSL_CN_CLIENT_SECURITY

	OpenSSL server checks if the client certificate's names in
	extensions/subjectAltNames/DNS or subject/commonName match the value of
	the openssl-commonname option when it is used.
	Test: OPENSSL_CN_SERVER_SECURITY

	Red Hat issue 1019964: socat now uses the system certificate store with
	OPENSSL when neither options cafile nor capath are used

	Red Hat issue 1019972: needs to specify OpenSSL cipher suites
	Default cipherlist is now "HIGH:-NULL:-PSK:-aNULL" instead of empty to
	prevent downgrade attacks

new features:
	OpenSSL addresses set a couple of environment variables from values in
	peer certificate, e.g.: 
	SOCAT_OPENSSL_X509_SUBJECT, SOCAT_OPENSSL_X509_ISSUER,
	SOCAT_OPENSSL_X509_COMMONNAME, 
	SOCAT_OPENSSL_X509V3_SUBJECTALTNAME_DNS
	Tests: ENV_OPENSSL_{CLIENT,SERVER}_X509_*

	Added support for methods TLSv1, TLSv1.1, TLSv1.2, and DTLS1
	Tests: OPENSSL_METHOD_*

	Enabled OpenSSL server side use of ECDHE ciphers. Feature suggested
	by Andrey Arapov.

	Added a new option termios-rawer for ptys.
	Thanks to Christian Vogelgsang for pointing me to this requirement

corrections:
	Bind with ABSTRACT commands used non-abstract namespace (Linux).
	Test: ABSTRACT_BIND
	Thanks to Denis Shatov for reporting this bug.

	Fixed return value of nestlex()

	Option ignoreeof on the right address hung.
	Test: IGNOREEOF_REV
	Thanks to Franz Fasching for reporting this bug.

	Address SYSTEM, when terminating, shut down its parent addresses,
	e.g. an SSL connection which the parent assumed to still be active.
	Test: SYSTEM_SHUTDOWN

	Passive (listening or receiving) addresses with empty port field bound
	to a random port instead of terminating with error.
	Test: TCP4_NOPORT

	configure with some combination of disable options produced config
	files that failed to compile due to missing IPPROTO_TCP.
	Thanks to Thierry Fournier for report and patch.

	fixed a few minor bugs with OpenSSL in configure and with messages

	Socat did not work in FIPS mode because 1024 instead of 512 bit DH prime
	is required. Thanks to Zhigang Wang for reporting and sending a patch.

	Christophe Leroy provided a patch that fixes memory leaks reported by
	valgrind

	Help for filan -L was bad, is now corrected to:
	"follow symbolic links instead of showing their properties"

	Address options fdin and fdout were silently ignored when not applicable
	due to -u or -U option. Now these combinations are caught as errors.
	Test: FDOUT_ERROR
	Issue reported by Hendrik.

	Added option termios-cfmakeraw that calls cfmakeraw() and is preferred
	over option raw which is now obsolete. On SysV systems this call is
	simulated by appropriate setting.
	Thanks to Youfu Zhang for reporting issue with option raw.

porting:
	Socat included <sys/poll.h> instead of POSIX <poll.h>
	Thanks to John Spencer for reporting this issue.

	Version 1.7.2.4 changed the check for gcc in configure.ac; this
	broke cross compiling. The particular check gets reverted.
	Thanks to Ross Burton and Danomi Manchego for reporting this issue.

	Debian Bug#764251: Set the build timestamp to a deterministic time:
	support external BUILD_DATE env var to allow to build reproducible
	binaries

	Joachim Fenkes provided a new adapted spec file.

	Type bool and macros Min and Max are defined by socat which led to
	compile errors when they were already provided by build framework.
	Thanks to Liyu Liu for providing a patch.

	David Arnstein contributed a patch for NetBSD 5.1 including stdbool.h
	support and appropriate files in Config/

	Lauri Tirkkonen contributed a patch regarding netinet/if_ether.h
	on Illumos

	Changes for Openindiana: define _XPG4_2, __EXTENSIONS__,
	_POSIX_PTHREAD_SEMANTICS; and minor changes

	Red Hat issue 1182005: socat 1.7.2.4 build failure missing
	linux/errqueue.h
	Socat failed to compile on PPC due to new requirements for
	including <linux/errqueue.h> and a weakness in the conditional code.
	Thanks to Michel Normand for reporting this issue.

doc:
	In the man page the PTY example was badly formatted. Thanks to
	J.F.Sebastian for sending a patch.

	Added missing CVE ids to security issues in CHANGES

testing:
	Do not distribute testcert.conf with socat source but generate it
	(and new testcert6.conf) during test.sh run.

####################### V 1.7.2.4:

corrections:
	LISTEN based addresses applied some address options, e.g. so-keepalive,
	to the listening file descriptor instead of the connected file
	descriptor
	Thanks to Ulises Alonso for reporting this bug

	make failed after configure with non gcc compiler due to missing
	include. Thanks to Horacio Mijail for reporting this problem

	configure checked for --disable-rawsocket but printed
	--disable-genericsocket in the help text. Thanks to Ben Gardiner for
	reporting and patching this bug

	In xioshutdown() a wrong branch was chosen after RECVFROM type addresses.
	Probably no impact.
	Thanks to David Binderman for reporting this issue.

	procan could not cleanly format ulimit values longer than 16 decimal
	digits. Thanks to Frank Dana for providing a patch that increases field
	width to 24 digits.

	OPENSSL-CONNECT with bind option failed on some systems, e.g. FreeBSD,
	with "Invalid argument"
	Thanks to Emile den Tex for reporting this bug.

	Changed some variable definitions to make gcc -O2 aliasing checker happy
	Thanks to Ilya Gordeev for reporting these warnings

	On big endian platforms with type long >32bit the range option applied a
	bad base address. Thanks to hejia hejia for reporting and fixing this bug.

	Red Hat issue 1022070: missing length check in xiolog_ancillary_socket()

	Red Hat issue 1022063: out-of-range shifts on net mask bits

	Red Hat issue 1022062: strcpy misuse in xiosetsockaddrenv_ip4()

	Red Hat issue 1022048: strncpy hardening: corrected suspicious strncpy()
	uses

	Red Hat issue 1021958: fixed a bug with faulty buffer/data length
	calculation in xio-ascii.c:_xiodump()

	Red Hat issue 1021972: fixed a missing NUL termination in return string
	of sysutils.c:sockaddr_info() for the AF_UNIX case

	fixed some typos and minor issues, including:
	Red Hat issue 1021967: formatting error in manual page

	UNIX-LISTEN with fork option did not remove the socket file system entry
	when exiting. Other file system based passive address types had similar
	issues or failed to apply options umask, user etc.
	Thanks to Lorenzo Monti for pointing me to this issue

porting:
	Red Hat issue 1020203: configure checks fail with some compilers.
	Use case: clang

	Performed changes for Fedora release 19

	Adapted, improved test.sh script

	Red Hat issue 1021429: getgroupent fails with large number of groups;
	use getgrouplist() when available instead of sequence of calls to
	getgrent()

	Red Hat issue 1021948: snprintf API change;
	Implemented xio_snprintf() function as wrapper that tries to emulate C99
	behaviour on old glibc systems, and adapted all affected calls
	appropriately

	Mike Frysinger provided a patch that supports long long for time_t,
	socklen_t and a few other libc types.

	Artem Mygaiev extended Cedril Priscal's Android build script with pty code

	The check for fips.h required stddef.h
	Thanks to Matt Hilt for reporting this issue and sending a patch

	Check for linux/errqueue.h failed on some systems due to lack of
	linux/types.h inclusion. Thanks to Michael Vastola for sending a patch.

	autoconf now prefers configure.ac over configure.in
	Thanks to Michael Vastola for sending a patch.

	type of struct cmsghdr.cmsg is system dependent, determine it with
	configure; some more print format corrections

docu:
	libwrap always logs to syslog

	added actual text version of GPLv2

####################### V 1.7.2.3:

security:
	Socat security advisory 5
	CVE-2014-0019: socat's PROXY-CONNECT address was vulnerable to a buffer
	overflow with data from command line (see socat-secadv5.txt)
	Credits to Florian Weimer of the Red Hat Product Security Team

####################### V 1.7.2.2:

security:
	Socat security advisory 4
	CVE-2013-3571:
	after refusing a client connection due to bad source address or source
	port socat shutdown() the socket but did not close() it, resulting in
	a file descriptor leak in the listening process, visible with lsof and
	possibly resulting in EMFILE Too many open files. This issue could be
	misused for a denial of service attack.
	Full credits to Catalin Mitrofan for finding and reporting this issue.
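
	The descriptor leak described in this entry, as an added example that
	is not socat's code: the function names are illustrative, and
	socketpair() stands in for accept() so the example runs offline.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Illustrative names throughout; none of this is taken from socat. */

/* 1 if fd still occupies a slot in this process's descriptor table. */
static int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
}

/* Pattern the entry describes: the connection is shut down, not closed. */
void refuse_shutdown_only(int fd)
{
    shutdown(fd, SHUT_RDWR);
}

/* Corrected pattern: close() releases the descriptor. */
void refuse_and_close(int fd)
{
    shutdown(fd, SHUT_RDWR);
    close(fd);
}

/* Refuse n constructed connections; return how many descriptors stay open. */
int leaked_after_refusals(int n, void (*refuse)(int))
{
    int leaked = 0;
    for (int i = 0; i < n; i++) {
        int sv[2];
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
            return -1;          /* e.g. EMFILE once the table is full */
        close(sv[1]);           /* peer end goes away */
        refuse(sv[0]);          /* listener side refuses the connection */
        leaked += fd_is_open(sv[0]);
    }
    return leaked;
}

int main(void)
{
    printf("shutdown() only:    %d of 8 descriptors leaked\n",
           leaked_after_refusals(8, refuse_shutdown_only));
    printf("shutdown()+close(): %d of 8 descriptors leaked\n",
           leaked_after_refusals(8, refuse_and_close));
    return 0;
}
```

	Each descriptor left open by the shutdown-only path counts against the
	process's open-file limit until the process exits.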

####################### V 1.7.2.1:

security:
	Socat security advisory 3
	CVE-2012-0219:
	fixed a possible heap buffer overflow in the readline address. This bug
	could be exploited when all of the following conditions were met:
	1) one of the addresses is READLINE without the noprompt and without the
	prompt options.
	2) the other (almost arbitrary address) reads malicious data (which is
	then transferred by socat to READLINE).
	Workaround: when using the READLINE address apply option prompt or
	noprompt.
	Full credits to Johan Thillemann for finding and reporting this issue.

####################### V 1.7.2.0:

corrections:
	when UNIX-LISTEN was applied to an existing file it failed as expected
	but removed the file. Thanks to Bjoern Bosselmann for reporting this
	problem

	fixed a bug where socat might crash when connecting to a unix domain
	socket using address GOPEN. Thanks to Martin Forssen for bug report and
	patch.

	UDP-LISTEN would always set SO_REUSEADDR even without fork option and
	when user set it to 0. Thanks to Michal Svoboda for reporting this bug.

	UNIX-CONNECT did not support half-close. Thanks to Greg Hughes who
	pointed me to that bug

	TCP-CONNECT with option nonblock reported successful connect even when
	it was still pending

	address option ioctl-intp failed with "unimplemented type 26". Thanks
	to Jeremy W. Sherman for reporting and fixing that bug

	socat option -x did not print packet direction, timestamp etc; thanks
