Articles from release category

SFTPPlus Release 3.34.1

Fri 08 June 2018 | general release Written by SFTPPlus

We have recently deployed the latest release of SFTPPlus version 3.34.1 which fixes the following defects:

  • The files downloaded using the HTTP file transfer service now have explicit headers to disable caching. [security][http][https] [#4953]
  • The HTTP service no longer returns user input as part of the error messages. [security][http][https][server-side] [#4954]

You can check the full release notes here.

• • •

SFTPPlus Release 3.34.0

Mon 28 May 2018 | general release Written by SFTPPlus

We are pleased to announce the latest release of SFTPPlus version 3.34.0.

A number of changes have been made in regards to how permissions are set in SFTPPlus.

If you are planning to upgrade your existing installation and you have custom permissions for SFTPPlus accounts and / or groups, we encourage you to read the changes below as it may affect your configuration.

New Features

  • You can now set up an UNC path or a symbolic link to Windows Shares as home folder for an account. [#4635]
  • The HTTP/HTTPS file transfer service and the Local Manager service now provide the option to configure a set of headers which are sent for all responses. You can use this to set the Strict-Transport-Security header or the use a custom Server header in an attempt to conceal the identity of the server. [security] [#4784]
  • The LDAP authentication method can now connect to LDAP servers using IPv6 address literals. [server-side] [#4824-1]
  • It is now possible to dynamically associate LDAP accounts to SFTPPlus groups based on arbitrary LDAP entry attributes. This is designed to augment the LDAP configuration without requiring any updates to the LDAP database. [server-side] [#4824]
  • We now provide limited support for running SFTPPlus on legacy Windows 2003 Servers. For more details, check the known issues section in our documentation. [#4896]
  • Ubuntu 18.04 LTS on X86_64 is now a supported platform. [#4912]
  • A new permission, allow-traverse, was added to allow viewing only the folder structure without any files. In this way, accounts can traverse the folder hierarchy without seeing what files are already there. [#4931]
  • A new permission allow-list was added to allow configuration of only the folder/directory listing operations. This has no effect for the SCP protocol, as the protocol itself does not support the folder listing operation. [#4932]
  • A new permission allow-rename was added to allow configuration of only the rename operations available in the SFTP and FTP/FTPS file transfer servers. [#4933]
  • The Ban IP for a time interval authentication method is now enabled by default in new installations. [#4934]

Defect Fixes

  • The HTTP/HTTPS file transfer service and the Local Manager service now advertise a set of HTTP headers to mitigate CSRF and XSS attacks. [security] [#4930]
  • The low-level JSON-RPC used by the Local Manager service now explicitly informs the web browser not to cache its POST responses. In the previous version, only GET requests were instructing the web browser not to cache the response. [security] [#4937]
  • The LDAP authentication method no longer accepts credentials with empty passwords. [server-side][security] [#4939-1]
  • When receiving a request which is authenticated via SSH key or SSL/X.509 certificates, the LDAP authentication method now emits a message informing that only password credentials are supported. [server-side] [#4939]

Deprecations and Removals

  • The allow-read permission will no longer allow listing the content of a folder. If you want to allow folder listing, you will need to update the configuration and add the new explicit allow-list permission. [#4932-1]
  • The error message returned when denying a folder listing operation was changed to include allow-list instead of the previous allow-read details. [#4932]
  • The error message returned when denying a rename operation was changed to include allow-rename instead of the previous allow-full-control details. [#4933]

You can check the full release notes here.

• • •

SFTPPlus Release 3.33.0

Mon 23 April 2018 | general release Written by SFTPPlus

We are pleased to announce the latest release of SFTPPlus version 3.33.0.

This is a significant release in that it supports the Internet's next generation protocol, IPv6, for all server-side functionalities.

As we begin to hit the upper limit of IPv4 addresses, the current standard, what matters to us is to enable our customers and their businesses to set up their services on IPv6 with SFTPPlus.

In addition to IPv6 support, the following are new features and defect fixes associated with this release.

New Features

  • A new authentication method was added which allows the server to read application accounts from a separate file. [server-side] [#1056]
  • It is now possible to configure the supported ciphers for an SFTP location using the ssh_cipher_list configuration option. [#4619]
  • The FTP and FTPS file transfer services now support IPv6 as specified in RFC 2428. [server-side][ftp][ftps] [#4823-1]
  • The HTTP and HTTPS file transfer services now support IPv6. [server-side][http][https] [#4823]
  • The event with ID 30011 now contains details about the encryption used by the SFTP and SCP connections. [server-side][sftp][scp] [#4850]

Defect fixes

  • A defect was fixed in the SFTP service for the chmod operation. In previous versions, the chmod was ignored and always returned a success result. [server-side][sftp] [#4338]
  • The HTTP PUT method of the file transfer service now returns a correct code when the HTTP request contains Expect: 100-continue and the request fails to be authenticated. [server-side][http][https] [#4856]
  • When uploading files into an empty folder using a web browser which has Javascript enabled, you will now see the uploaded file in the folder listing. This issue was introduced in 3.31.0. This was not an issue for web browsers with Javascript disabled. [server-side][http][https] [#4865]
  • The HTTP file transfer service will now force any file to be downloaded by the browser. Previously, it was displaying HTML or images inside the browser without forcing a download. [server-side][http][https][security] [#4877-1]
  • The HTTP file transfer service and the Local Manager service were updated to prevent cross-site request forgery (CSRF / XSRF) attacks by validating the Origin and Referer headers against the Host header. [server-side][http][https][security] [#4877]
  • The HTTP file transfer service will now set the session cookie using the httpOnly and 'sameSite' options. [server-side][http][https][security] [#4881]
  • The error messages in the HTTP service were updated to prevent cross site scripting attacks (XSS). [server-side][http][https] [#4884]

You can check the full release notes here.

• • •

SFTPPlus Release 3.32.0

Thu 05 April 2018 | general release Written by SFTPPlus

We are pleased to announce the latest release of SFTPPlus version 3.32.0.

New Features

  • SFTP and SCP file transfer services can now listen on IPv6 addresses and accept connections from IPv6 clients. [server-side][sftp][scp] [#1924]
  • The HTTP and HTTPS service now accepts creating new folders with the HTTP PUT and WebDAV MKCOL methods. [server-side][http][https] [#4828-1]
  • The HTTP and HTTPS service now accepts deleting folders and files with the HTTP DELETE method. [server-side][http][https] [#4828-2]
  • The HTTP and HTTPS service now accepts file uploads using the HTTP PUT method. [server-side][http][https] [#4828]

Defect fixes

  • FTP and FTPS client side transfer can now transfer files larger than a few bytes from a remote FTP/FTPS server and to the local filesystem. This issue was introduced in SFTPPlus version 3.20.0. This defect was not affecting uploading / pushing files to a remote FTP/FTPS server. [client-side][ftp][ftps] [#4754]
  • The Developer Documentation for the HTTP authentication method was updated to make it clear the expected repose codes for the authentication server. [server-side] [#4758]
  • The JavaScript UI for the HTTP and HTTPS file transfer services no longer limit the file size to 256MB. This defect was introduced in 3.31.0. [server-side][http][https] [#4815]

Deprecations and Removals

  • The default secure ssl_cipher_list configuration was updated to HIGH:!PSK:!RSP:!eNULL:!aNULL:!RC4:!MD5:!DES:!3DES:!aDH:!kDH:!DSS. The previous value was ALL:!RC4:!DES:!3DES:!MD5:!EXP. In this way, when updating the OpenSSL library you will automatically get an update in the list of secure ciphers, without the need to update SFTPPlus. [security][ftps][https][client-side][server-side] [#4748]
  • The event (ID 40025) that was emitted when an unknown error was generated by the HTTP service during a JSON API request was removed. It has been replaced with event ID 40003. [server-side][http][https] [#4828]

You can check the full release notes here.

• • •

SFTPPlus Release 3.31.0

Tue 20 February 2018 | general release Written by SFTPPlus

We are pleased to announce the latest release of SFTPPlus version 3.31.0.

New Features

  • The option to enforce unique names for uploaded files is now available for the HTTP and HTTPS file transfer services. [server-side] [#4465]
  • A SOCKS version 5 (SOCKS5) proxy without authentication can now be used to connect to remote SFTP and SCP servers. [client-side][sftp][scp] [#4546]
  • A new event handler option is added in order to send filtered events to standard output. This can be used when running SFTPPlus in Docker or with other process supervisors. [#4645]
  • The option to enforce unique names for uploaded files is now available for the FTP, Implicit FTPS and Explicit FTPS protocols. [server-side] [#4650]
  • The file-dispatcher event handler can now be configured to automatically create destination folders. [#4652]
  • The close event description for SFTP and SCP client-side and server-side connection now contains the encryption used to protect connection. [client-side][server-side][sftp][scp] [#4668]
  • The HTTP and HTTPS file transfer services now allow uploading multiple files and adding files via drag and drop. [server-side][http][https] [#4673]
  • Support for Red Hat Enterprise Linux versions 7.0 to 7.3 with OpenSSL 1.0.1 was readded alongside support for RHEL 7.4 and newer using OpenSSL 1.0.2. [#4691]
  • A new secure configuration value is available for the ssl_cipher_list and ssh_cipher_list as part of the FTPS, SFTP, SCP, and HTTPS file transfer services. [security][client-side][server-side] [#4727]

Defect fixes

  • The transfer for SFTP and SCP locations is no longer interrupted when the remote server is requesting a SSH re-key exchange. This was affecting client-side transfers of files bigger than 1GB, as this is the point where some servers are re-keying. This is when either side forces the other to run the key-exchange phase which changes the encryption and integrity keys for the session. [client-side] [#4302]
  • It is now possible to stop the client shell at any time by pressing the Ctrl+C key combination. In previous versions this was not available while an operation was in progress. [#4626]
  • The AIX 7.1 build of SFTPPlus was updated to work with older OpenSSL versions. Previous versions of SFTPPlus (from 3.27.0 to 3.30.0) on AIX 7.1 required OpenSSL 1.0.2k or newer. [#4696]
  • SFTP and SCP client and server side can now handle key exchange process even for peers which advertise their SSH version string with trailing spaces. This can happen for Bitvise SSHD Server when configured to omit its version. [client-side][server-side][sftp][scp] [#4718]
  • The documentation for expression matching was updated to explain that regular expression matching is done as a search operation. For an exact match, use the start and end regex anchors. [#4724]

Deprecations and Removals

  • Events with ID 40015 and 40016 were replaced by already existing event with ID 40022. Event 40022 is now the only one emitted when there are errors during an upload operation. [server-side][http] [#4465]
  • The default configuration for SFTP, SCP, FTPS, and HTTPS connections was updated to exclude the 3DES cipher in order to prevent SWEET32 attacks. To not break backward compatibility for existing installations, this change affects only new installations. Existing installations will need to be manually updated to exclude the 3DES based ciphers. [#4727]

You can check the full release notes.

• • •