We are announcing the latest release of SFTPPlus version 4.11.0.

This is an incremental release which updates the security libraries together with various defect fixes and adding backward compatible new features.

It included an important change that fixes the display in Internet Explorer of the Authentications page.

Below are the complete changes for this release.

Security Fixes

  • Python has been patched with latest security patches from ActiveState. Fixes CVE-2020-27619, CVE-2020-26116, CVE-2019-20907, CVE-2020-8492. On Linux and macOS, CVE-2021-3177 has also been fixed. [#5600-2]
  • The OpenSSL libraries used for Python's cryptography on Windows, generic Linux, and macOS were updated to version 1.1.1k. Fixes CVE-2020-1971, CVE-2021-23840, CVE-2021-23841, CVE-2021-3449, and CVE-2021-3450. On generic Linux and macOS, same CVEs were fixed for Python's stdlib ssl module. [#5600]

New Features

  • The LDAP authentication method now supports IPv4 LDAP over TLS/SSL, also referred to as LDAPS. [server-side] [#2227]
  • It is now possible to configure the timeout delay for the external commands called during a transfer. In previous versions this was fixed to 15 seconds. [client-side] [#5549]
  • You can now configure the OS authentication method to associate the authenticated accounts to a specific SFTPPlus group or to a SFTPPlus group having the same name as the OS group name. In previous versions, the accounts were associated with the default SFTPPlus group. [server-side] [#5559]
  • The client-side WebDAV location is now configured using a URL. This allows for configuring the connection to WebDAV pages that are not located in the HTTP server's root path. [client-side][webdav] [#5602]
  • The file-dispatcher event handler now supports explicit globbing matching expressions to define a full destination path. In the previous version, when a globbing expression was used, the destination path was defining only the base directory and the file name was always appended to it. [#5604-1]
  • You can now explicitly define a globbing matching expression using the g/EXPRESSION/ format. [#5604]
  • Events with ID 60012 and 60017 emitted on a successful client-side transfer now contain the destination file path as part of the attached data. [client-side] [#5597]

Defect Fixes

  • In the Local Manager, in the list of accounts for a local file authentication method, you will now see the name of the associated group. In previous versions, the group was listed as UNKNOWN. [#2368]
  • The authentications page of the Local Manager web console was fixed to work with Internet Explorer. This was a defect introduced in version 4.10.0. [#5547]
  • Defining configuration options inside the Local Manager using text values containing new lines characters other than the default Unix or Windows characters no longer generates an invalid configuration file. [manager] [#5553]
  • The OS authentication manager will now show an error at startup when no group is configured for allowed users or administrators. In the previous versions, the OS authentication would start just fine and then deny any authentication request. [#5559]
  • On Linux and macOS the OpenPGP event handler now works when the main SFTPPlus process is started as root. [#5592]
  • For a file transfer configured to not transfer duplicated files via the transfer_memory_duration and ignore_duplicate_paths options, when the rename operation fails the full file transfer is retried as a transfer restart. In previous versions the file was not re-transferred after the failed rename operation. [client-side] [#5597]
  • The documentation for the file-dispatcher event handler was updated to include information about variables available when defining the destination path. [#5604]
  • The FTP idle_data_connection_timeout will now use the default value when set to zero or a negative number, as documented. In previous versions, the timeout was disabled when the value was zero. [server-side][ftp] [#5610]

Deprecations and Removals

  • For transfers executed using a temporary file name, the destination_path attribute of the events with ID 60012 now contains the temporary path. This is because, at the time the event is emitted, the file is not yet renamed to the final destination path. In previous versions, it was containing the final destination path. [client-side] [#5597]
  • Specific support for Amazon Linux 2 and Red Hat Enterprise Linux 7.x (including derivatives such as CentOS and Oracle Linux) has been removed due to OpenSSL 1.0.2 no longer being supported by the upstream cryptography project. Use the generic x64 Linux package instead. [#5600]
  • The address and port configuration options for the WebDAV client were removed and replaced with the url configuration. The configuration options are automatically migrated to the url option. [client-side][webdav] [#5602]
  • The default value for connection_retry_interval was increased from 60 seconds to 300 seconds (5 minutes). The default value for connection_retry_count was increased from 2 to 12. This will make a connection for a remote SFTP or FTP location to be retried for 1 hour before stopping the transfers. [client-side] [#5610]

You can check the full release notes here.