2013 Archive

SFTPPlus Server 2.2.0 Release

Tue 24 December 2013 | server release

SFTPPlus Team is pleased to announce the latest release of SFTPPlus Server, version 2.2.0.

This version adds support for the IBM AIX operating system, starting with version 5.3, OS level 6.

It also adds support for authenticating global accounts inside SFTPPlus WebAdmin using SSH keys.

For more details please see the full release notes.

• • •

SFTPPlus Server 2.1.0 Release

Tue 26 November 2013 | server release

SFTPPlus Team is pleased to announce the latest release of SFTPPlus Server, version 2.1.0.

Main new features are:

  • A graphical user interface for managing the SFTPPlus Server.
  • Support for FTP APPE command. For more details consult the IETF RFC 959.
  • Globbing for FTP NLST and LIST commands. Globbing support is limited to the Unix shell wildcard characters *, ?, [ and ].
  • Add --generate-uuid command line option to generate UUIDs.
  • Add --validate command line option to server-commands to validate server configuration.
  • Add --key-comment command line option to server-commands to allow specifying a comment for the generated SSH public key.
  • Allow sending log entries to remote HTTP server using HTTP Post requests.
  • Use a generic HTTP POST request for sending logs to legacy SFTPPlus WebAdmin.
  • Add support for storing server logs inside a database. MySQL and SQLite are supported.
  • Allow configuring an arbitrary number of log handlers, including multiple log handlers of the same type.

There is no cost for the upgrade software as it is included with the customer's Support and Maintenance package. We will provide full support for each customer to migrate to the latest version and explain the new features.

We would encourage you to plan a migration at the earliest opportunity.

While we have not placed an ‘end of life’ date for support on older versions we would like to plan for that as soon as practical and would like to work with you to plan the migration.

We suggest you might initially install the new version on a test/trial basis and we will be happy to assist with an online session for that as well.

The new documentation will explain and describe all new features, but we also welcome feedback from customers to improve the documentation so that we cover differing knowledge levels as well as differing requirements.

The roadmap includes further development and we welcome your input and feedback so that we can decide features, enhancements and functionality that may be included.

• • •

Security vulnerability for SSH keys authentication

Mon 22 April 2013 | server security

Monday, 22 April 2013 - we have discovered a security vulnerability affecting SFTPPlus Server versions 1.6, 1.7 and 1.8.

Due to an error in checking the SSH key signature, when SSH key authentication is used for an SFTP transfer, a user can obtain server access by using only the public part of the SSH key.

Access with only a public SSH key is still restricted to the specific account for which the public key is enabled. Full server access is not granted.

To exploit this security issue a 3rd party needs to hold a copy of the public SSH key and use it together with a modified SFTP client which allows initiating an SFTP session without requiring a private SSH key.

This does not affect SFTP transfers for which SSH key authentication is not enabled.

This does not affect FTP or FTPS transfers.

This does not affect SFTPPlus Server version 1.5 and below.

This does not affect SFTPPlus Client at any version.
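
The property at stake, shown as an added example (not SFTPPlus code and not a reconstruction of the actual defect): the server must require a valid signature made with the private key, because the public key is not a secret. The AuthRequest type, the Authenticate function, the Ed25519 keys and the session ID are assumptions chosen for illustration; real SSH signs a larger structure defined in RFC 4252.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// AuthRequest is a simplified model of a public-key login, not the SSH wire format.
type AuthRequest struct {
	User      string
	PublicKey ed25519.PublicKey
	Signature []byte // empty when the client presents the public key alone
}

// signedData ties a signature to one session and one account.
func signedData(sessionID []byte, user string) []byte {
	return append(append([]byte{}, sessionID...), []byte("|"+user)...)
}

// Authenticate grants access only when the key is enabled for the account
// AND the signature proves possession of the matching private key.
func Authenticate(enabled map[string]ed25519.PublicKey, sessionID []byte, req AuthRequest) bool {
	key, ok := enabled[req.User]
	if !ok || !bytes.Equal(key, req.PublicKey) {
		return false
	}
	// A public key is not a secret, so recognising it proves nothing.
	if len(req.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(key, signedData(sessionID, req.User), req.Signature)
}

// RunCases exercises the check with constructed keys and a constructed session ID.
func RunCases() (owner, publicOnly, otherKey bool) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	_, strangerPriv, _ := ed25519.GenerateKey(nil)
	enabled := map[string]ed25519.PublicKey{"alice": pub}
	session := []byte("constructed-session-id")
	msg := signedData(session, "alice")
	owner = Authenticate(enabled, session, AuthRequest{"alice", pub, ed25519.Sign(priv, msg)})
	publicOnly = Authenticate(enabled, session, AuthRequest{"alice", pub, nil})
	otherKey = Authenticate(enabled, session, AuthRequest{"alice", pub, ed25519.Sign(strangerPriv, msg)})
	return
}

func main() {
	fmt.Println(RunCases()) // true false false
}
```

A regression test for a server's key authentication should include the last two cases: a request carrying the correct public key with no signature, and one signed by an unrelated key.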

Available fix

To fix this error we have released new versions of SFTPPlus Server for all supported release series.

Update for release series 1.8 together with documentation is available at:

http://www.sftpplus.com/downloads/server/1.8.6.html

http://www.sftpplus.com/documentation/server/v/1.8.6/

Update for release series 1.7 together with documentation is available at:

http://www.sftpplus.com/downloads/server/1.7.21.html

http://www.sftpplus.com/documentation/server/v/1.7.21/

Users of version 1.6 are asked to upgrade to the latest version, 1.8.6. Besides the latest security fix, upgrading to 1.8.6 will also provide other fixes and new features.

In case you are not able to upgrade to one of the latest supported versions, please let us know and we will work together in making sure this security error is fixed for your production servers.

We apologize for any inconvenience that may occur as a result of these changes!

• • •