Articles from release category

SFTPPlus Release 4.13.0

Mon 30 August 2021 | general release

We are happy to announce the latest release of SFTPPlus version 4.13.0.

A major update with this release is the addition of the SMB client-side protocol. This allows SFTPPlus to connect to any standard SMB/CIFS server like a Windows Share, Samba or Azure Files.

The Azure File REST API is now fully supported for both push and pull transfers.

This release includes an important defect fix for SharePoint Online authentication. The Microsoft login service was updated at the end of August 2021, breaking any previously released SFTPPlus version.

Security Fixes

  • Python libraries were updated to fix CVE-2021-23336, addressing a web cache poisoning issue reported in urllib.parse.parse_qsl(). SFTPPlus is not using urllib.parse.parse_qsl() and was never vulnerable to this security issue. If you are explicitly calling urllib.parse.parse_qsl() as part of a custom SFTPPlus Python extension, update to this version to fix CVE-2021-23336. [#5682]

New Features

  • You can now use Azure Files as a source location for a transfer. [client-side][http] [#5016]
  • You can now configure an SMB (Windows Share, Azure Files, Samba) location as the source and destination for a transfer. [client-side][smb] [#4701][#5685]
  • Azure Storage API was updated to use API version 2020-04-08. [#3010-1]
  • Azure Files locations can now list directories and get the attributes of items. [client-side][http] [#3010]
  • You can now configure a timeout for the HTTP authentication method. In the previous version, the HTTP authentication connection was closed after a fixed 120 seconds if the server didn't return a response. [server-side] [#5696]
  • The RADIUS authentication method now supports CHAP, MS-CHAP-V1 and MS-CHAP-V2. [server-side] [#5701]
  • The RADIUS authentication method can be configured with a custom NAS-Port number and now has a debug option. [server-side] [#5702]
  • The group_mapping configuration now does case-insensitive matching for the attribute names. [server-side][ldap][radius] [#5706-1]
  • You can now configure the RADIUS authentication to continue validating the credentials even when the RADIUS server returned a successful response. This can be used to implement multi-factor authentication for legacy operating system accounts, by first sending the requests to an MFA-aware RADIUS server. [server-side] [#5706]
  • You can now configure a transfer using a temporary file name to an Azure Files location destination. [#5022]
  • AIX 7.1 and newer for IBM Power Systems is now a supported platform. AIX packages embed OpenSSL 1.0.2 libraries patched with the latest security fixes, up to and including CVE-2020-1971, CVE-2021-23840, CVE-2021-23841. [#5581]
  • Alpine Linux 3.14 on x86_64 is now supported. [#5682]
  • When failing to initialize the data connection the error message now indicates whether a passive or active connection was attempted. In previous versions both passive and active connections had the same error message. [server-side][ftp] [#5681]
  • The data associated with an event will now contain the file extension and the file base name without the extension. [#5686]
  • You can now configure the duration for which SFTPPlus will wait for the RADIUS server to provide a response. In previous versions, a fixed timeout of 10 seconds was used. [server-side][radius] [#5694]

Defect Fixes

  • The SharePoint Online authentication was updated to work with latest Microsoft server changes. [client-side][webdav] [#5710]
  • HTTP and HTTPS file downloads now work with cURL. This was a regression introduced in version 4.12.0. [server-side][http][https] [#5693-1]
  • HTTP and HTTPS file transfer services now support resuming downloads. [server-side][http][https] [#5693]
  • The links and commands to start the Local Manager and documentation pages will now start much faster. [local-manager] [#5677]
  • An extra event with ID 20024 is no longer emitted when failing to initialize the FTP client passive connection. [client-side][ftp][ftps] [#5681-1]
  • An FTP transfer and location no longer fails when the remote directory can't be listed. The error is emitted and the directory listing is retried. [client-side][ftp][ftps] [#5681-2]

Deprecations and Removals

  • Alpine Linux 3.12 is no longer supported. We recommend using Alpine Linux 3.14 on x86_64 for your containerized SFTPPlus deployments. [#5682]
  • The default authentication method for RADIUS is now MS-CHAP-V2. In previous versions the default method was PAP. [server-side] [#5701]

You can check the full release notes here.

• • •

SFTPPlus Release 4.12.0

Tue 06 July 2021 | general release

We are announcing the latest release of SFTPPlus version 4.12.0.

This is an incremental release which includes both minor defect fixes and new functionality. Below are the complete changes for this release.

New Features

  • The source_ip_filter configuration option now allows defining a range of allowed IP addresses using the Classless Inter-Domain Routing (CIDR) notation. [#1044]
  • When a new component is created using the Local Manager interface, the component is automatically started if "Launch at startup" is enabled. [local-manager] [#1917]
  • WebDAVS locations now support HTTP Basic Authentication. [client-side][webdavs][https] [#3913]
  • SFTPPlus can now be launched with a read-only configuration file and cache. [server-side] [#5591]
  • Azure Files Locations now support automatic directory creation. [client-side][http] [#5593]
  • The account configuration now contains the account creation time in ISO format. [server-side] [#5635]
  • TOTP multi-factor authentication for LDAP users is now possible even with standard LDAP servers not providing native TOTP support. [#5663]
  • The SFTPPlus download page now has specific entries for Amazon Linux and older Red Hat Enterprise Linux versions. These entries link to the generic Linux SFTPPlus package, which works with any glibc-based Linux distribution. [#5664]

Defect Fixes

  • The "Enabled at startup" configuration option was renamed as "Launch at startup". [local-manager] [#1917]
  • The last login report now only shows the IP address; the port number is no longer shown. This makes it easier to search based on IP only. [#5637]
  • The event with ID 60070, emitted when the destination location is connecting and not yet ready for a transfer, was updated from the failure group to the informational one. [#5643]

Deprecations and Removals

  • SUSE Linux Enterprise Server (SLES) 11 and 12 on x86_64 are no longer supported. Use the generic Linux package on SLES and contact us if you need specific support for SFTPPlus on any version of SUSE Linux Enterprise Server, including using OS-provided OpenSSL libraries instead of our generic ones. [#5664]

You can check the full release notes here.

• • •

SFTPPlus Release 4.11.0

Fri 07 May 2021 | general release

We are announcing the latest release of SFTPPlus version 4.11.0.

This is an incremental release which updates the security libraries, together with various defect fixes and new backward-compatible features.

It includes an important change that fixes the display of the Authentications page in Internet Explorer.

Below are the complete changes for this release.

Security Fixes

  • Python has been patched with the latest security patches from ActiveState. Fixes CVE-2020-27619, CVE-2020-26116, CVE-2019-20907, CVE-2020-8492. On Linux and macOS, CVE-2021-3177 has also been fixed. [#5600-2]
  • The OpenSSL libraries used for Python's cryptography on Windows, generic Linux, and macOS were updated to version 1.1.1k. Fixes CVE-2020-1971, CVE-2021-23840, CVE-2021-23841, CVE-2021-3449, and CVE-2021-3450. On generic Linux and macOS, the same CVEs were fixed for Python's stdlib ssl module. [#5600]

New Features

  • The LDAP authentication method now supports IPv4 LDAP over TLS/SSL, also referred to as LDAPS. [server-side] [#2227]
  • It is now possible to configure the timeout delay for the external commands called during a transfer. In previous versions this was fixed to 15 seconds. [client-side] [#5549]
  • You can now configure the OS authentication method to associate the authenticated accounts to a specific SFTPPlus group or to an SFTPPlus group having the same name as the OS group name. In previous versions, the accounts were associated with the default SFTPPlus group. [server-side] [#5559]
  • The client-side WebDAV location is now configured using a URL. This allows for configuring the connection to WebDAV pages that are not located in the HTTP server's root path. [client-side][webdav] [#5602]
  • The file-dispatcher event handler now supports explicit globbing matching expressions to define a full destination path. In the previous version, when a globbing expression was used, the destination path defined only the base directory and the file name was always appended to it. [#5604-1]
  • You can now explicitly define a globbing matching expression using the g/EXPRESSION/ format. [#5604]
  • Events with ID 60012 and 60017 emitted on a successful client-side transfer now contain the destination file path as part of the attached data. [client-side] [#5597]

Defect Fixes

  • In the Local Manager, in the list of accounts for a local file authentication method, you will now see the name of the associated group. In previous versions, the group was listed as UNKNOWN. [#2368]
  • The authentications page of the Local Manager web console was fixed to work with Internet Explorer. This was a defect introduced in version 4.10.0. [#5547]
  • Defining configuration options inside the Local Manager using text values containing newline characters other than the default Unix or Windows characters no longer generates an invalid configuration file. [manager] [#5553]
  • The OS authentication manager will now show an error at startup when no group is configured for allowed users or administrators. In the previous versions, the OS authentication would start just fine and then deny any authentication request. [#5559]
  • On Linux and macOS the OpenPGP event handler now works when the main SFTPPlus process is started as root. [#5592]
  • For a file transfer configured to not transfer duplicated files via the transfer_memory_duration and ignore_duplicate_paths options, when the rename operation fails the full file transfer is retried as a transfer restart. In previous versions the file was not re-transferred after the failed rename operation. [client-side] [#5597]
  • The documentation for the file-dispatcher event handler was updated to include information about variables available when defining the destination path. [#5604]
  • The FTP idle_data_connection_timeout will now use the default value when set to zero or a negative number, as documented. In previous versions, the timeout was disabled when the value was zero. [server-side][ftp] [#5610]

Deprecations and Removals

  • For transfers executed using a temporary file name, the destination_path attribute of the events with ID 60012 now contains the temporary path. This is because, at the time the event is emitted, the file is not yet renamed to the final destination path. In previous versions, it contained the final destination path. [client-side] [#5597]
  • Specific support for Amazon Linux 2 and Red Hat Enterprise Linux 7.x (including derivatives such as CentOS and Oracle Linux) has been removed due to OpenSSL 1.0.2 no longer being supported by the upstream cryptography project. Use the generic x64 Linux package instead. [#5600]
  • The address and port configuration options for the WebDAV client were removed and replaced with the url configuration. The configuration options are automatically migrated to the url option. [client-side][webdav] [#5602]
  • The default value for connection_retry_interval was increased from 60 seconds to 300 seconds (5 minutes). The default value for connection_retry_count was increased from 2 to 12. This causes a connection to a remote SFTP or FTP location to be retried for 1 hour before the transfers are stopped. [client-side] [#5610]

You can check the full release notes here.

• • •

SFTPPlus Release 4.10.0

Wed 17 March 2021 | general release

We are announcing the latest release of SFTPPlus version 4.10.0.

This contains a fix for an important defect preventing SFTPPlus from handling paths containing the single quote (') character.

New Features

  • You can now configure a recursive transfer to automatically delete the source parent directory of a successfully transferred file. [client-side] [#2594]
  • You can now configure a password history policy in SFTPPlus. [#5406]
  • A new event handler was added to allow publishing audit events to a RabbitMQ AMQP 0-9-1 server. [#5554]
  • SFTPPlus can now authenticate users using an external RADIUS server over the UDP protocol. [#5562]
  • You can now configure the authentication for an account to require both a valid password and a valid SSH key. [server-side][sftp][scp] [#5573]

Defect Fixes

  • Paths containing single quotes are now correctly handled. In previous versions, single quote characters were replaced with path separators, invalidating path requests. [#5585]
  • On Linux and macOS, the GPG external utility required by the OpenPGP event handler is now distributed together with SFTPPlus. [linux][macos] [#5584]

Deprecations and Removals

  • The Microsoft certificate revocation lists were removed from the ${MICROSOFT_IT_CRL} placeholder as they are no longer updated. [#5554]

You can check the full release notes here.

• • •

SFTPPlus Release 4.9.0

Fri 05 February 2021 | general release

We are announcing the latest release of SFTPPlus version 4.9.0.

New Features

  • The SSL Certificate Authority configuration now supports validating partial CA chains. This allows for authenticating remote HTTPS connections through self-signed and self-issued certificates. Using a pinned non-CA certificate is also allowed. [#2198-1]
  • The AS2 server can now respond to asynchronous AS2 MDNs. [server-side][as2] [#2198]
  • You can now configure an account to receive files over AS2 without requiring a password. Files received over AS2 still need to be validated for signature and encryption. [server-side][as2] [#5490]
  • HTTP connection requests to HTTPS services such as the Local Manager web administration interface or the HTTPS file transfer service are now automatically redirected to HTTPS. [server-side] [#5512]
  • You can now configure a client-side transfer to operate on files using a temporary prefix. Previous versions only supported a temporary suffix. [client-side] [#5514]
  • The SSH (SFTP/SCP) list of secure ciphers no longer contains CBC mode ciphers. They are no longer enabled by default, although still supported. You can still explicitly enable Cipher Block Chaining modes for aes256-cbc, aes192-cbc, and aes128-cbc using the ssh_cipher_list configuration. [sftp][scp] [#5529-1]
  • The SFTP/SCP file transfer services and locations now support ECDSA SSH keys. Supported SSH key types are ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, and ecdsa-sha2-nistp521. [sftp][server-side][client-side] [#5529]
  • The SFTP/SCP file transfer services and locations now support Ed25519 SSH keys for systems using OpenSSL version 1.1.1 or above. Supported SSH key type is ssh-ed25519. [sftp][server-side][client-side] [#5529]
  • SSH host keys for SFTP/SCP server-side services are now configured using a single configuration option named ssh_host_keys. [server-side][sftp] [#5533]

Defect Fixes

  • When transferring concurrent files through multiple transfers, the transfer queue is no longer stalled after the destination location is reconnected. [client-side] [#5519]
  • Components listed on the Local Manager general status page are now sorted in alphabetical order. [manager] [#5537]

Deprecations and Removals

  • The following SSH ciphers are no longer supported: cast128-ctr, blowfish-ctr, and 3des-ctr. The CBC mode for these ciphers is still supported. [sftp] [#5529]
  • The rsa_private_key and dsa_private_key configuration options were removed, being replaced by a single ssh_host_keys configuration option. For backward compatibility, the old configuration options are still supported. [server-side][sftp] [#5533]
  • The SSH (SFTP/SCP) list of secure ciphers no longer contains CBC mode ciphers. Cipher Block Chaining modes aes256-cbc, aes192-cbc, and aes128-cbc were removed due to potential security vulnerabilities. [sftp][scp] [#5529-1]

You can check the full release notes here.

• • •