Articles from release category

SFTPPlus Release 3.36.0

Thu 02 August 2018 | general release

We are pleased to announce the latest release of SFTPPlus version 3.36.0.

New Features

  • The Azure File Service of the Azure Storage Account is now available as a location for client-side transfers. [client-side][http] [#4988]
  • It is now possible to define a client-side file transfer that will wait for a signaling filename before it starts transferring the files. [client-side] [#4989]
  • It is now possible to configure transfers which will monitor the source recursively and will then transfer to the same non-recursive destination. [client-side] [#4998]
  • It is now possible to configure a transfer rule which will use a destination file name that is different to the source name. [client-side] [#5007]

Defect Fixes

  • The Windows installer is now signed. [#4794]
  • It is now possible to clear the data attributes and structured fields configuration for an event handler and the allowed groups for an OS authentication mode from the Local Manager. In previous versions saving these configuration changes was generating an error. [#5018]
  • When the local file event handler is rotating the files based on time, it now preserves the file extension. In previous versions the timestamp was used as the file extension. [#5036]

You can check the full release notes here.

• • •

SFTPPlus Release 3.35.0

Tue 03 July 2018 | general release

We are pleased to announce the latest release of SFTPPlus version 3.35.0.

New Features

  • The OpenSSL library used by SFTPPlus on Windows was updated to OpenSSL 1.1.0h. [#4579]
  • It is now possible to define virtual folders that are available to all accounts from a group. These virtual folders can point to directories outside an account's locked home folder. [server-side] [#4928]
  • It is now possible to allow authentication of operating-system accounts only for those belonging to a configured group. [server-side] [#4962]
  • Python version on all supported platforms except HP-UX was updated to 2.7.15. Consequently, the Expat libraries bundled with Python were updated to 2.2.4 on these platforms. [#4579]

Defect Fixes

  • An internal error is no longer raised when a SSH client sends a message for a method which is not supported by the SSH transport. Instead, the client receives a standard SSH not-implemented error. [server-side][sftp] [#4579]
  • The speed of the SSH handshake for the SFTP service has been improved. Previously, there was a noticeable difference for certain customers during the SSH handshake authentication process. [server-side][sftp][#4579]
  • pyOpenSSL was updated on AIX and Solaris to fix CVE-2013-4314. The X509Extension in pyOpenSSL before 0.13.1 does not properly handle a '0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted cert issued by a legitimate Certification Authority. The experimental packages for HP-UX are still vulnerable to this and will to be fixed in a future release.[server-side][#4579]
  • Once set, passwords for locations or email resources are no longer readable from Local Manager. A password can be read only before being set and applied. Afterwards, its value cannot be read, only updated. [security] [#4938]
  • Comma-separated configuration values may now contain comma characters, as long as they are enclosed in double quotation marks. [#4951]
  • The event generated when a peer's certificate validation fails during a TLS/SSL handshake now shows the detailed error message, not just the error code. [#4979]

You can check the full release notes here.

• • •

SFTPPlus Release 3.34.1

Fri 08 June 2018 | general release

We have recently deployed the latest release of SFTPPlus version 3.34.1 which fixes the following defects:

  • The files downloaded using the HTTP file transfer service now have explicit headers to disable caching. [security][http][https] [#4953]
  • The HTTP service no longer returns user input as part of the error messages. [security][http][https][server-side] [#4954]

You can check the full release notes here.

• • •

SFTPPlus Release 3.34.0

Mon 28 May 2018 | general release

We are pleased to announce the latest release of SFTPPlus version 3.34.0.

A number of changes have been made in regards to how permissions are set in SFTPPlus.

If you are planning to upgrade your existing installation and you have custom permissions for SFTPPlus accounts and / or groups, we encourage you to read the changes below as it may affect your configuration.

New Features

  • You can now set up an UNC path or a symbolic link to Windows Shares as home folder for an account. [#4635]
  • The HTTP/HTTPS file transfer service and the Local Manager service now provide the option to configure a set of headers which are sent for all responses. You can use this to set the Strict-Transport-Security header or the use a custom Server header in an attempt to conceal the identity of the server. [security] [#4784]
  • The LDAP authentication method can now connect to LDAP servers using IPv6 address literals. [server-side] [#4824-1]
  • It is now possible to dynamically associate LDAP accounts to SFTPPlus groups based on arbitrary LDAP entry attributes. This is designed to augment the LDAP configuration without requiring any updates to the LDAP database. [server-side] [#4824]
  • We now provide limited support for running SFTPPlus on legacy Windows 2003 Servers. For more details, check the known issues section in our documentation. [#4896]
  • Ubuntu 18.04 LTS on X86_64 is now a supported platform. [#4912]
  • A new permission, allow-traverse, was added to allow viewing only the folder structure without any files. In this way, accounts can traverse the folder hierarchy without seeing what files are already there. [#4931]
  • A new permission allow-list was added to allow configuration of only the folder/directory listing operations. This has no effect for the SCP protocol, as the protocol itself does not support the folder listing operation. [#4932]
  • A new permission allow-rename was added to allow configuration of only the rename operations available in the SFTP and FTP/FTPS file transfer servers. [#4933]
  • The Ban IP for a time interval authentication method is now enabled by default in new installations. [#4934]

Defect Fixes

  • The HTTP/HTTPS file transfer service and the Local Manager service now advertise a set of HTTP headers to mitigate CSRF and XSS attacks. [security] [#4930]
  • The low-level JSON-RPC used by the Local Manager service now explicitly informs the web browser not to cache its POST responses. In the previous version, only GET requests were instructing the web browser not to cache the response. [security] [#4937]
  • The LDAP authentication method no longer accepts credentials with empty passwords. [server-side][security] [#4939-1]
  • When receiving a request which is authenticated via SSH key or SSL/X.509 certificates, the LDAP authentication method now emits a message informing that only password credentials are supported. [server-side] [#4939]

Deprecations and Removals

  • The allow-read permission will no longer allow listing the content of a folder. If you want to allow folder listing, you will need to update the configuration and add the new explicit allow-list permission. [#4932-1]
  • The error message returned when denying a folder listing operation was changed to include allow-list instead of the previous allow-read details. [#4932]
  • The error message returned when denying a rename operation was changed to include allow-rename instead of the previous allow-full-control details. [#4933]

You can check the full release notes here.

• • •

SFTPPlus Release 3.33.0

Mon 23 April 2018 | general release

We are pleased to announce the latest release of SFTPPlus version 3.33.0.

This is a significant release in that it supports the Internet's next generation protocol, IPv6, for all server-side functionalities.

As we begin to hit the upper limit of IPv4 addresses, the current standard, what matters to us is to enable our customers and their businesses to set up their services on IPv6 with SFTPPlus.

In addition to IPv6 support, the following are new features and defect fixes associated with this release.

New Features

  • A new authentication method was added which allows the server to read application accounts from a separate file. [server-side] [#1056]
  • It is now possible to configure the supported ciphers for an SFTP location using the ssh_cipher_list configuration option. [#4619]
  • The FTP and FTPS file transfer services now support IPv6 as specified in RFC 2428. [server-side][ftp][ftps] [#4823-1]
  • The HTTP and HTTPS file transfer services now support IPv6. [server-side][http][https] [#4823]
  • The event with ID 30011 now contains details about the encryption used by the SFTP and SCP connections. [server-side][sftp][scp] [#4850]

Defect fixes

  • A defect was fixed in the SFTP service for the chmod operation. In previous versions, the chmod was ignored and always returned a success result. [server-side][sftp] [#4338]
  • The HTTP PUT method of the file transfer service now returns a correct code when the HTTP request contains Expect: 100-continue and the request fails to be authenticated. [server-side][http][https] [#4856]
  • When uploading files into an empty folder using a web browser which has Javascript enabled, you will now see the uploaded file in the folder listing. This issue was introduced in 3.31.0. This was not an issue for web browsers with Javascript disabled. [server-side][http][https] [#4865]
  • The HTTP file transfer service will now force any file to be downloaded by the browser. Previously, it was displaying HTML or images inside the browser without forcing a download. [server-side][http][https][security] [#4877-1]
  • The HTTP file transfer service and the Local Manager service were updated to prevent cross-site request forgery (CSRF / XSRF) attacks by validating the Origin and Referer headers against the Host header. [server-side][http][https][security] [#4877]
  • The HTTP file transfer service will now set the session cookie using the httpOnly and 'sameSite' options. [server-side][http][https][security] [#4881]
  • The error messages in the HTTP service were updated to prevent cross site scripting attacks (XSS). [server-side][http][https] [#4884]

You can check the full release notes here.

• • •