We are pleased to announce the latest release of SFTPPlus, version 3.21.0.
This fixes a security issue related to the execution of the FTP LIST command for an OS account. This security issue was introduced in 3.17.0.
Users running SFTPPlus 3.17.0, or any later release that predates this fix, are encouraged to upgrade to 3.21.0, the first version containing the fix.
Environments that use both OS accounts and application accounts are affected.
Environments that use only SFTP, only application accounts, or only OS accounts are not affected.
Overview of the fix.
When the FTP LIST command is executed for an OS account, the whole SFTPPlus process running under that OS account is no longer put on hold for the duration of the command.
As a consequence, if an application account uploads a file while an OS account's LIST command is executing, the upload is not blocked, and the uploaded file is owned by the application account rather than by the OS account for which the LIST was running.
More generally, while a command such as FTP LIST is executed for one account, SFTPPlus remains responsive: it accepts new connections and performs other operations. This also holds when a connection timeout is configured for the service; neither the command connection nor the data connection is closed while the command is being processed.
Likewise, should a log rotation occur while a LIST is in progress, the rotated log file is owned by the SFTPPlus process account and not by the OS account.
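The symptom described above is a file, or a rotated log, under a path that should belong to the SFTPPlus service account but is owned by some OS account instead. After upgrading, a practitioner will want to sweep the affected trees once for files created while the defect was present. The following audit script is an added example written for this post; it is not SFTPPlus code and it does not use any SFTPPlus API. It assumes a POSIX host (it uses `os.getuid` and `pwd`), that the application accounts' storage and the log directory are ordinary directory trees, and that their expected owner is the account the SFTPPlus process runs as; `build_sample_tree` creates a constructed sample tree purely so the script can be run offline.

```python
"""Audit a directory tree for entries not owned by the expected account.

Added example, not SFTPPlus code. Intended use after the 3.21.0 upgrade:
run it over the application accounts' storage root and the log directory,
passing the SFTPPlus service account as the expected owner. Anything
reported was created under a different identity and deserves a look.
"""
import os
import pwd
import tempfile
from typing import Iterator, List, Tuple, Union


def resolve_uid(owner: Union[int, str]) -> int:
    """Accept a numeric uid or an account name and return the uid."""
    if isinstance(owner, int):
        return owner
    return pwd.getpwnam(owner).pw_uid


def owner_name(uid: int) -> str:
    """Map a uid to its account name, falling back to the number if unknown."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def iter_entries(root: str) -> Iterator[str]:
    """Yield the root, every subdirectory and every file, without following symlinks."""
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        yield dirpath
        for name in filenames:
            yield os.path.join(dirpath, name)


def misowned_entries(root: str, expected_owner: Union[int, str]) -> List[Tuple[str, str]]:
    """Return (path, actual_owner) for each entry whose owner differs from expected_owner.

    lstat is used on purpose: a symlink is judged by the link itself, so a link
    planted inside the tree cannot make an outside file look like a finding.
    """
    expected_uid = resolve_uid(expected_owner)
    findings = []
    for path in iter_entries(root):
        st = os.lstat(path)
        if st.st_uid != expected_uid:
            findings.append((path, owner_name(st.st_uid)))
    return findings


def build_sample_tree() -> str:
    """Create a constructed sample tree (one upload plus a rotated log) for offline runs."""
    root = tempfile.mkdtemp(prefix="sftpplus-audit-")
    os.mkdir(os.path.join(root, "logs"))
    for rel in ("upload.dat", os.path.join("logs", "server.log.1")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")
    return root


def self_check() -> dict:
    """Audit the sample tree twice: as its real owner, and as a hypothetical other uid."""
    root = build_sample_tree()
    me = os.getuid()
    return {
        "root": root,
        "uid": me,
        "as_owner": misowned_entries(root, me),
        # me + 1 is a hypothetical uid chosen only to force every entry to be reported.
        "as_other": misowned_entries(root, me + 1),
    }


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 3:
        # Real use: python audit.py /path/to/accounts sftpplus-service-account
        for path, actual in misowned_entries(sys.argv[1], sys.argv[2]):
            print(f"{actual}\t{path}")
    else:
        result = self_check()
        print(f"sample tree {result['root']}: {len(result['as_owner'])} findings as owner, "
              f"{len(result['as_other'])} findings as another uid")
```

Run it as the service account or as root so every entry is readable; permission errors on unreadable subdirectories would otherwise hide exactly the entries the audit is looking for. A non-empty result is a lead, not proof of exploitation: it tells you which files to re-own or investigate, but the upload that created them is only visible in the server log for that period.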
Upgrading your version of SFTPPlus can be done with very minimal disruption to existing services or users. Please follow the upgrade procedures available in our Documentation.
In this release we have introduced support for FreeBSD 10 on Intel X86_64.
You can now store the server log in CSV format in order to get structured logging.
The following are some of the defect fixes targeted in this release:
- A transfer with a WebDAV source location will no longer fail at runtime if the WebDAV server is temporarily unavailable.
- A transfer with a WebDAV source location will no longer fail at runtime if the proxy server is temporarily unavailable.
- When closing the source or destination file of a transfer fails, the failure is no longer ignored and the transfer is reported as failed.
- The audit message emitted after an account is successfully authenticated now includes the correct information about the local path used by that account and whether the account is locked.
- When using the FTP LIST command with an explicit path, the member's name in the resulting listing will no longer include the parent path.
You can check the full release notes.