We are pleased to announce the latest release of SFTPPlus, version 3.21.0.
This fixes a security issue related to the execution of the FTP LIST command for an OS account. This security issue was introduced in 3.17.0.
Users who are on SFTPPlus version 3.17.0 are encouraged to upgrade to the latest version containing the fix, 3.21.0.
Environments that use both OS and application accounts are affected.
Environments that only use SFTP, or that use exclusively application accounts or exclusively OS accounts, are not affected.
Overview of the fix.
When the FTP LIST command is executed for an OS account, SFTPPlus no longer puts the whole SFTPPlus process on hold, running under that OS account, while the LIST command executes.
As a result, if a file is uploaded by an application account while a LIST command is executing under an OS account, the upload is not put on hold and the uploaded file is owned by the application account.
Likewise, while a command (such as an FTP LIST command) is executed for one account, SFTPPlus remains responsive and can accept new connections and perform other operations. This holds even when a connection timeout is configured for the service: neither the data connection nor the command connection is closed while the command is being processed.
In addition, if a log rotation occurs while a LIST command is being processed, the rotated log is owned by the SFTPPlus process account and not by the OS account.
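The following is a constructed model of the defect described above, added here for illustration; it is not SFTPPlus code. It assumes a single server process, a service account named "sftpplus" that serves application (virtual) accounts, and constructed session names; the old behaviour switches a process-wide identity for the whole LIST, the fixed behaviour decides identity per operation.

```python
SERVICE_ACCOUNT = "sftpplus"  # assumed name of the account the SFTPPlus process runs under


class Session:
    """A client session; os_account is None for application (virtual) accounts."""

    def __init__(self, name, os_account=None):
        self.name = name
        self.os_account = os_account


class Server:
    """Single-process server; per_operation_identity=False models 3.17.0, True the fix."""

    def __init__(self, per_operation_identity):
        self.per_operation_identity = per_operation_identity
        self.process_identity = SERVICE_ACCOUNT
        self.files = {}  # path -> account that owns the created file

    def identity_for(self, session):
        if self.per_operation_identity:
            # Fixed: OS accounts act as themselves, application accounts are
            # served by the service account; no state is shared between sessions.
            return session.os_account or SERVICE_ACCOUNT
        return self.process_identity

    def begin_list(self, session):
        if not self.per_operation_identity and session.os_account:
            # Process-wide switch: every other session now acts as this OS account.
            self.process_identity = session.os_account
        return sorted(self.files)

    def end_list(self, session):
        if not self.per_operation_identity:
            self.process_identity = SERVICE_ACCOUNT

    def upload(self, session, path):
        self.files[path] = self.identity_for(session)
        return self.files[path]


def owner_after_interleaved_upload(per_operation_identity):
    """OS account starts a LIST, an application account uploads meanwhile,
    the LIST finishes. Returns the owner recorded for the uploaded file."""
    server = Server(per_operation_identity)
    os_session = Session("bob", os_account="bob")  # constructed OS account
    app_session = Session("partner-app")           # constructed application account
    server.begin_list(os_session)
    owner = server.upload(app_session, "/incoming/report.csv")
    server.end_list(os_session)
    return owner
```

With the old behaviour the file ends up owned by the OS account "bob"; with per-operation identity it is owned by the service account.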
Upgrading your version of SFTPPlus can be done with minimal disruption to existing services or users. Please follow the upgrade procedures available in our Documentation.
In this release we have introduced support for FreeBSD 10 on Intel X86_64.
You can now store the server log in CSV format in order to get structured logging.
The following are some of the defect fixes targeted in this release:
You can check the full release notes.