2016 Archive

SFTPPlus 3.18.0 Release

Thu 15 December 2016 | general release

We are pleased to announce the latest release of SFTPPlus, version 3.18.0.

It includes support for listening on ports below 1024 using Unix special capabilities and permissions.

The server-side home folder creation capabilities were improved to allow creating a set of directories and subdirectories after an account is successfully authenticated.

Here is the list of added minor improvements:

  • It is now possible for event handlers to filter an event based on the UUID of the component which has generated the event.
  • It is now possible to configure a template for generating the body of the email sent by the email-sender event handler.
  • The audit message for loading a CRL was updated to include the date and time at which the CRL will be reloaded together with information about the date and time advertised by the CRL for the next publish and next update.

This release also comes with a few defect fixes. Here are the most important defect fixes:

  • On Linux and Unix systems, when the SFTP server-side creates new files, their permissions are filtered against the configured umask. This was a regression introduced in version 2.8.0, in which the umask value was not used for the newly created files.
  • Monitoring/watching a location is no longer stopped when a file is quickly moved and then removed, moved and then another file is created with the same name, or moved and then modified.

You can check the full release notes.

• • •

SFTPPlus 3.17.0 Release

Tue 15 November 2016 | general release

We are pleased to announce the latest release of SFTPPlus, version 3.17.0.

It includes a fix for the FTPS connection not being successfully closed in the case in which the FTP client issues the QUIT command. This affects only the server-side functionality and only the implicit and explicit FTPS protocols. The FTP protocol is not affected.

The FTP and FTPS server-side protocol implementations were updated to no longer block when listing directories with many members.

This release adds support for configuring the LDAP attribute associated with the username when the BIND DN is created for the authentication request.

You can check the full release notes.

• • •

SFTPPlus 3.13.1 Release

Wed 02 November 2016 | general release

SFTPPlus version 3.13.1 was released as a bugfix release on top of 3.13.0.

It includes a security fix for an issue in which the transfer scripts were executed as root, even if the process was configured to run under a non-root account.

If possible we recommend upgrading to version 3.16.0 as the security fix is also included in that version, together with many other new functionalities and minor bug fixes.

You can check the full release notes.

• • •

SFTPPlus Client 1.5.64 Release

Fri 28 October 2016 | release client

SFTPPlus Team announces a new release of SFTPPlus Client, version 1.5.64.

In this version we fixed FTPS transfers for Linux/Unix operating systems.

A new transfer setting was added, maxfileage, which can be used in GET transfers to skip files on the remote server that are older than a specified amount in seconds.

For the Windows distribution we've updated the bundled cURL version to 7.50.1 and the PuTTY one to 0.67.

For more details, please see the full release notes.

• • •

SFTPPlus 3.11.1 Release

Thu 27 October 2016 | general release

SFTPPlus version 3.11.1 was released as a bugfix release on top of 3.11.0.

It includes a security fix for an issue in which the transfer scripts were executed as root, even if the process was configured to run under a non-root account.

If possible we recommend upgrading to version 3.16.0 as the security fix is also included in that version, together with many other new functionalities and minor bug fixes.

You can check the full release notes.

• • •

SFTPPlus 3.16.0 Release

Thu 27 October 2016 | general release

We are pleased to announce the latest release of SFTPPlus, version 3.16.0.

It includes a security fix for an issue in which the transfer scripts were executed as root, even if the process was configured to run under a non-root account. This affects only the client-side functionality. As long as only server-side functionality was used, you are not affected by this security issue.

This release adds support for the FTP REST, MFMT, and SITE UTIME commands, and allows setting the modified time using the MDTM command.

Here is the list of some other defect fixes included in this release:

  • Monitoring/watching a location is no longer stopped when a file is quickly moved to overwrite an existing file.
  • An internal error is no longer generated for STOR and APPE FTP commands when failing to open the requested file due to a generic error.

You can check the full release notes.

• • •

SFTPPlus 3.15.0 Release

Mon 24 October 2016 | general release

We are pleased to announce the latest release of SFTPPlus, version 3.15.0.

The release was done to address an intercompatibility issue of the SFTPPlus FTPS server-side when interacting with the WinSCP FTPS client.

Besides fixing the above-mentioned issue, starting with this release you can configure the FTP/FTPS services to not advertise the product name and version as part of the FTP banner / welcome message.

You can check the full release notes.

• • •

SFTPPlus 3.14.0 Release

Tue 18 October 2016 | general release

We are pleased to announce the latest release of SFTPPlus, version 3.14.0.

It adds support for the Next CRL Publish extension used to schedule the automatic refresh of a CRL.

You can check the full release notes.

• • •

SFTPPlus 3.13.0 Release

Wed 14 September 2016 | general release

We are pleased to announce the latest release of SFTPPlus, version 3.13.0.

This release adds support for authenticating accounts stored in LDAP.

Besides many other small improvements, in this release we have added support for FTPS client-side functionality, implicit and explicit. This is in a preview state and is not production ready. We are working on testing the client-side functionality with the major implementations to be production ready for the next release.

Here is the list of the most important defects fixed in this release:

  • The user account is now correctly registered in the Account Activity Report.
  • On Solaris 10 it is now possible to authenticate FTPS clients using an SSL/X.509 certificate generated by latest CAs and using UTF8STRING. In previous releases, Solaris 10 was expecting that UTF-8 values are stored in BMPSTRING fields.

You can also check the full release notes.

• • •

SFTPPlus 3.12.0 Release

Mon 01 August 2016 | general release

We are pleased to announce the latest release of SFTPPlus, version 3.12.0.

This release adds a couple of security related functionalities and security related defect fixes.

Here is the list with the main new features:

  • Support was added for validating certificate revocation lists (CRL) based on the distribution points extension advertised by the peer's certificate.
  • It is now possible to use the fips configuration value in the ssh_cipher_list configuration option to allow using only FIPS 140-2 compliant ciphers and algorithms for the SSH based services.
  • Accounts authenticated using the HTTP authentication method can now be configured to be associated with any group defined in SFTPPlus. In the previous implementation they were always associated with the default group.
  • You can now authenticate legacy SFTPPlus WebAdmin accounts as operating system accounts using the "User Alias" configuration option defined by the WebAdmin.

Here is the list of the most important defects fixed in this release:

  • Certificates signed by unknown certificate authorities are now rejected right away, without being first checked for revocation.
  • Home folder path configuration can no longer be defined with empty values. This prevents accidental configuration in which the account is given access to the application's installation folder.
  • Home folder path configuration is now enforced to absolute paths. This prevents accidental configuration in which the account is given access to the application's installation folder.
  • An internal server error is no longer generated when an invalid path is configured as a home folder.
  • An internal server error is no longer emitted when a response from the Local Manager is produced after the Local Manager page was closed or refreshed.
  • Transfers will no longer fail shortly after being started or resumed when the source location fails. The transfers enter the suspended state and will automatically resume once the source is available.
  • Rotating files based on size will now keep all rotated files when rotate_count is set to 0.
  • The HTTP/HTTPS service will now request the web browser to download files with unknown mime types (extensions) rather than trying to display them as HTML files.

You can also check the full release notes.

• • •

SFTPPlus Client 1.5.63 Release

Tue 28 June 2016 | release client

SFTPPlus Team announces a new release of SFTPPlus Client, version 1.5.63.

In this version we have fixed FTPS get/put transfers for Windows when the product is installed in a folder path containing spaces.

The configuration file (global.conf) is no longer overwritten on upgrades thus avoiding accidental configuration losses.

For more details, please see the full release notes.

• • •

SFTPPlus 3.11.0 Release

Fri 10 June 2016 | general release

We are pleased to announce the latest release of SFTPPlus, version 3.11.0.

This release adds SUSE Linux Enterprise Server (SLES) 10 to the list of supported SUSE versions.

The support for certificate revocation list was extended in this version to support loading CRLs over HTTP and supporting multiple CRLs for a single service.

Here is the list with the main new features:

  • It is now possible to configure a list of ciphers used by the SSH based services. You can now configure the accepted symmetric encryption, key exchange and MAC algorithms. [sftp][scp]
  • It is now possible to load CRLs from local filesystem in both PEM and DER format. Previously only the PEM format was supported.

Here is the list of the most important defects fixed in this release:

  • Database event handlers will now resume once the associated database becomes available again.
  • The state of a transfer is now correctly reported as stopped, when the transfer was stopped while in the stalled state.

You can also check the full release notes.

• • •

SFTPPlus 3.10.1 Release

Wed 11 May 2016 | general release

We are pleased to announce the latest release of SFTPPlus, version 3.10.1. This is a bug fix only release, no new features were added.

We continue to focus on improving the quality of SFTPPlus by fixing any defect which is known to us, big or small:

  • Account activity audit database is indexed for improved performance.
  • Fixed an internal server error encountered when stopping a location and/or transfer.
  • Files that are being kept open by other processes are skipped by transfers until they are closed by all other processes.

For more details, including the full list of changes, please see the full release notes.

• • •

SFTPPlus 3.10.0 Release

Tue 10 May 2016 | general release

We are pleased to announce the latest release of SFTPPlus, version 3.10.0.

In this release we have improved the FTP implementation to allow configuring the default data type used by FTP/FTPS transfers.

In SFTPPlus, the default data type is IMAGE/binary, but for compatibility with the FTP RFC, you can configure the ASCII/text data type as the default type.

You can also check the full release notes.

• • •

SFTPPlus Server release series 1.8.X reached end of life

Mon 09 May 2016 | general server

We are announcing that SFTPPlus Server version 1.8 has reached end of life.

As described in our Product Life Cycle page, SFTPPlus version 1.8 was released on 03/10/2012.

The end of life was reached on 08/04/2016, 3 years after version 2 was released.

Security and other features have been updated in later versions and new functionality added under our development programme. An upgrade is recommended in order to take advantage of all such updates and enhancements. The upgrade is free of charge and fully supported.

Customers can continue to use SFTPPlus Server version 1.8 as there is no limitation built into SFTPPlus which prevents using the product past its end of life.

Customers who require extended support for SFTPPlus Server version 1.8 can get in touch with us to arrange the extended support.

SFTPPlus Server version 2 continues to be supported until 17/09/2018.

No end of life is announced yet for SFTPPlus version 3, but it will be supported for at least another 3 years after an end of life date is announced.

• • •

SFTPPlus 3.9.0 Release

Fri 29 April 2016 | general release

We are pleased to announce the latest release of SFTPPlus, version 3.9.0.

In this release we improved the fault-tolerant capabilities for the client-side transfers.

Another important change is the usage of database indexes for the audit/log entries stored in a database. This results in fast navigation and search of log entries with a huge number of entries.

Here is the list of the important new functionalities:

  • Allow configuring rules for re-trying failed connections to a location. This will result in a fault-tolerant location.
  • Add configuration option to filter an event based on account names.
  • It is now possible to configure the FTP and FTPS services to pretend that ASCII data type is supported, while the actual data is transferred in IMAGE mode.

We continue to focus on improving the quality of SFTPPlus by fixing any defect which is known to us, big or small. Here is the list of the main defects fixed in this release:

  • Log entries stored in databases are indexed for improved performance.
  • Transfers for which the source location has failed are now entering the Stalled state and will be automatically resumed once the location is available.

These are just the highlights of this release. For more details, including the full list of changes, please see the full release notes.

• • •

SFTPPlus 3.8.0 Release

Fri 22 April 2016 | general release

We are pleased to announce the latest release of SFTPPlus, version 3.8.0.

In this release we expanded the list of supported Linux distributions to include Ubuntu 16.04 LTS on X86_64. We have also added an experimental Linux build for hardened distributions built with an OpenSSL without SSLv3.

Here is the list of the important new functionalities:

  • Event with ID 10042 is now emitted for all FTP command channels which are not closed in a clean way. [ftp][ftps]
  • Add support for Syslog over TCP as documented in RFC 6587. [syslog]

This release was focused on reducing the number of known defects and improving the quality of the product. Here is the list of the main defects fixed in this release:

  • Transfers that process multiple files in distinct batches are working now.
  • Syslog messages are now formatted according to RFC 3164 also known as syslog-bsd.
  • Fix new line delimiter conversion for server-side FTP downloads in ASCII mode.

These are just the highlights of this release. For more details, including the full list of changes, please see the full release notes.

• • •

SFTPPlus 3.7.0 Release

Tue 29 March 2016 | general release

We are pleased to announce the latest release of SFTPPlus, version 3.7.0.

Here is the list of the important new functionalities:

  • The OpenSSL version distributed in our Windows version was updated to OpenSSL 1.0.2g.
  • The SSH protocol was updated to support hmac-sha2-256, diffie-hellman-group14-sha1, and diffie-hellman-group-exchange-sha256.
  • SFTP and SCP server-side file close operations now emit dedicated event ids. In this way you can filter file upload or download operations based on a specific event ID. The previous event with ID 30017 is now used only when the file was not opened in read-only or write-only mode. [SFTP][SCP]
  • Allow simple negation of the regular expression used in source filter. In this way you don't need to use look-around zero-length assertion regex rules to exclude a certain pattern.

This release was focused on reducing the number of known defects and improving the quality of the product. Here is the list of the main defects fixed in this release:

  • The SCP server-side implementation now sends a response for successful SCP initialization, before starting to process the SCP transfer requests. This fixes a bug in which the Cisco SCP client (SSH-1.99-Cisco-1.25 implementation) hangs when SCP is initialized. For example when running copy start scp://10.0.2.1/some-file.
  • Allow using the file dispatcher with any event from the file-operation group. Previously only the FTP upload events were supported. [#3366]
  • Fix parsing the SCP arguments for clients sending command line arguments with leading spaces. This affects the integration with the SCP client available on Cisco ASA and ASAv systems.

These are just the highlights of this release. For more details, including the full list of changes, please see the full release notes.

• • •

SFTPPlus Client 1.5.61 Release

Wed 23 March 2016 | release client

SFTPPlus Team announces a new release of SFTPPlus Client, version 1.5.61.

In this version we have fixed a regression in which SFTP transfers using an absolute inbox path were failing.

In this release we have also added support for running the SFTPPlus client from an installation folder containing space characters.

For more details, please see the full release notes.

• • •

SFTPPlus 3.6.0 Release

Fri 18 March 2016 | release security

We are pleased to announce the latest release of SFTPPlus, version 3.6.0.

Here is the list of the important new functionalities:

  • The OpenSSL version used by SFTPPlus is advertised as part of the events generated when starting the SFTPPlus process, as well as in the Local Manager status page.
  • Now you can configure the source port used by the FTP and FTPS services to initiate active data connections. [ftp][ftps]
  • The matching rules for file dispatching are now applied to the full path, not only to the file name.

This release was focused on reducing the number of known defects and improving the quality of the product. Here is the list of the main defects fixed in this release:

  • When a transfer requires multiple files to be transferred, they are now queued so that the files are transferred sequentially, one at a time. [#3131]
  • When a location fails to start, it is no longer auto-started by a transfer. Now it needs to be manually started after the failure was investigated. All components/transfer trying to use a location which failed, will also have their operation failed. [#3176]
  • Locations are now auto-started in the correct state, emitting an event and not leaving them in a 'restart-required' state. [#3176]
  • The file transfer services secured by TLS/SSL and using a CRL will automatically stop/fail if the CRL can not be updated at runtime. In previous versions a warning was raised but the file transfer service continued to operate with a version of CRL which was previously loaded, resulting in an insecure operation. [security] [#3216]
  • The files already present on the source location for a transfer are now filtered based on the transfer configuration and processed only after they are stable. [#3223]
  • The file dispatcher event handler now no longer enters an infinite loop by handling its own events. [#3261]
  • No internal server error is now produced when failing to remove the remote file after the file was successfully transferred on the local machine. [client] [#3283]
  • Starting the Local Manager or the documentation pages from the Windows Start menu or using the command line using the admin-commands manager command, now successfully opens the default browser. [local-manager] [#3295]

These are just the highlights of this release. For more details, including the full list of changes, please see the full release notes.

• • •

The DROWN Attack and SFTPPlus

Thu 03 March 2016 | security

SFTPPlus Server versions 1.6 and newer are not vulnerable to the DROWN attack.

SFTPPlus versions 3 and newer are also not vulnerable to it.

The DROWN attack targets server-side products, thus SFTPPlus client is not vulnerable to it.

SFTPPlus relies on OpenSSL for the SSL and TLS protocols used in implementing the FTPS and HTTPS protocols. The Unix and Linux versions of SFTPPlus use the OpenSSL libraries provided by the operating system. The Windows versions of SFTPPlus use the included OpenSSL libraries.

However, support for SSL version 2 was never available in SFTPPlus, thus SFTPPlus users are not exposed to any vulnerability related to the use of SSL v2. More so, SSL and TLS security contexts are always configured with NO_SSLv2. So, even if you are using an OpenSSL version with support for SSL v2, version 2 is explicitly denied in SFTPPlus.

The SFTP protocol is based on the SSH protocol and is not affected by SSL or TLS bugs.

• • •

SFTPPlus 3.5.1 Release

Mon 08 February 2016 | general release

We have released version 3.5.1 of SFTPPlus, which is a release containing only defect fixes.

Here is the list of fixes:

  • Event with ID 20024 is now emitted for internal errors caused by unhandled runtime errors.
  • Include the sample Library_LaunchDaemons_sftpplus.plist file in the distributable archive.
  • Documentation was updated to document the filesystem permissions required for the service account.
  • Fix SCP protocol interoperability with latest versions of the OpenSSH scp command.

For more details, please see the full release notes.

• • •

SFTPPlus 3.5.0 Release

Thu 28 January 2016 | general release

We are pleased to announce the latest release of SFTPPlus, version 3.5.0.

In this version we added the functionality of dispatching files received by both server-side services and client-side transfers.

As an experimental feature we have added support for validating received files using the RSA Digital Signature Algorithm PKCS#1 v2.1.

For Windows, the OpenSSL version was upgraded to 1.0.2d, bringing support for the latest TLS versions.

These are just the highlights of this release. For more details, including the list of fixed defects, please see the full release notes.

• • •