SFTPPlus Release 4.13.0

Mon 30 August 2021 | general release

We are happy to announce the latest release of SFTPPlus version 4.13.0.

A major update with this release is the addition of the SMB client-side protocol. This allows SFTPPlus to connect to any standard SMB/CIFS server like a Windows Share, Samba or Azure Files.

The Azure File REST API is now fully supported for both push and pull transfers.

This release includes an important defect fix for SharePoint Online Authentication. The Microsoft login service was updated at the end of August 2021, breaking any previously released SFTPPlus version.

Security Fixes

  • Python libraries were updated to fix CVE-2021-23336, addressing a web cache poisoning issue reported in urllib.parse.parse_qsl(). SFTPPlus is not using urllib.parse.parse_qsl() and was never vulnerable to this security issue. If you are explicitly calling urllib.parse.parse_qsl() as part of a custom SFTPPlus Python extension, update to this version to fix CVE-2021-23336. [#5682]
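For custom extensions, the check suggested above can be done in two parts: confirm that the running Python no longer treats `;` as a default field separator, and locate the calls that relied on it. This is an added example, not SFTPPlus code; it also flags `parse_qs`, which the same CVE covers, and the sample extension source is constructed and does not reflect the real SFTPPlus extension API.

```python
import ast
from urllib.parse import parse_qsl

# Functions whose default separator handling changed with the CVE-2021-23336 fix.
AFFECTED = {"parse_qsl", "parse_qs"}

# Constructed sample of a custom extension; handle() and event are hypothetical.
SAMPLE = '''
from urllib.parse import parse_qsl
import urllib.parse

def handle(event):
    pairs = parse_qsl(event["query"])
    strict = urllib.parse.parse_qsl(event["query"], separator="&")
    return pairs, strict
'''


def runtime_is_patched():
    """True when ';' is no longer a default field separator."""
    # A patched runtime splits on '&' only, so this query is a single pair.
    # An unpatched runtime returns [("a", "1"), ("b", "2")] instead.
    return parse_qsl("a=1;b=2") == [("a", "1;b=2")]


def find_calls(source, filename="<extension>"):
    """Return (line, function, has_explicit_separator) for each affected call."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Handles both parse_qsl(...) and urllib.parse.parse_qsl(...).
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name in AFFECTED:
            # separator= only exists on patched runtimes; older ones raise TypeError.
            explicit = any(kw.arg == "separator" for kw in node.keywords)
            hits.append((node.lineno, name, explicit))
    return sorted(hits)


if __name__ == "__main__":
    print("runtime patched:", runtime_is_patched())
    for line, name, explicit in find_calls(SAMPLE):
        print(f"line {line}: {name}() explicit separator={explicit}")
```

Calls reported without an explicit separator are the ones whose parsing result changes after the update, so any caller that expected `;`-separated fields needs review.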

New Features

  • You can now use Azure Files as a source location for a transfer. [client-side][http] [#5016]
  • You can now configure an SMB (Windows Share, Azure Files, Samba) location as the source and destination for a transfer. [client-side][smb] [#4701][#5685]
  • Azure Storage API was updated to use API version 2020-04-08. [#3010-1]
  • Azure Files locations can now list directories and get the attributes of items. [client-side][http] [#3010]
  • You can now configure a timeout for the HTTP authentication method. In the previous version, the HTTP authentication connection was closed after a fixed 120 seconds if the server didn't return a response. [server-side] [#5696]
  • The RADIUS authentication method now supports CHAP, MS-CHAP-V1 and MS-CHAP-V2. [server-side] [#5701]
  • The RADIUS authentication method can be configured with a custom NAS-Port number and now has a debug option. [server-side] [#5702]
  • The group_mapping configuration now does case insensitive matching for the attribute names. [server-side][ldap][radius] [#5706-1]
  • You can now configure the RADIUS authentication to continue validating the credentials even when the RADIUS server returned a successful response. This can be used to implement multi-factor authentication for legacy operating system accounts, by first sending the requests to an MFA-aware RADIUS server. [server-side] [#5706]
  • You can now configure a transfer using a temporary file name to an Azure Files location destination. [#5022]
  • AIX 7.1 and newer for IBM Power Systems is now a supported platform. AIX packages embed OpenSSL 1.0.2 libraries patched with the latest security fixes, up to and including CVE-2020-1971, CVE-2021-23840, CVE-2021-23841. [#5581]
  • Alpine Linux 3.14 on x86_64 is now supported. [#5682]
  • When failing to initialize the data connection the error message now indicates whether a passive or active connection was attempted. In previous versions both passive and active connections had the same error message. [server-side][ftp] [#5681]
  • The data associated with an event will now contain the file extension and the file base name without the extension. [#5686]
  • You can now configure the duration for which SFTPPlus will wait for the RADIUS server to provide a response. In previous versions, a fixed timeout of 10 seconds was used. [server-side][radius] [#5694]

Defect Fixes

  • The SharePoint Online authentication was updated to work with the latest Microsoft server changes. [client-side][webdav] [#5710]
  • HTTP and HTTPS file downloads now work with cURL. This was a regression introduced in version 4.12.0. [server-side][http][https] [#5693-1]
  • HTTP and HTTPS file transfer services now support resuming downloads. [server-side][http][https] [#5693]
  • The links and commands to start the Local Manager and documentation pages will now start much faster. [local-manager] [#5677]
  • An extra event with ID 20024 is no longer emitted when failing to initialize the FTP client passive connection. [client-side][ftp][ftps] [#5681-1]
  • An FTP transfer and location no longer fail when the remote directory can't be listed. The error is emitted and the directory listing is retried. [client-side][ftp][ftps] [#5681-2]

Deprecations and Removals

  • Alpine Linux 3.12 is no longer supported. We recommend using Alpine Linux 3.14 on x86_64 for your containerized SFTPPlus deployments. [#5682]
  • The default authentication method for RADIUS is now MS-CHAP-V2. In previous versions the default method was PAP. [server-side] [#5701]

You can check the full release notes here.