Release Notes
Version 3.005.01
Feature Updates
- Support importing and migrating users with PBKDF2 HMAC SHA256 encoded passwords.
- Updates the strict KEX implementation so that the strict phase ends when the first SSH_MSG_NEWKEYS is received, rather than waiting until our own SSH_MSG_NEWKEYS has been sent.
- AWS Base image upgraded from Amazon Linux 2 to Amazon Linux 2023.
- Upgrade Google Cloud SQL Proxy to v2 to support connecting to the database over Private Service Connect (PSC).
- Remove network calls from instance boot to support starting instances in networks with no egress.
- Improve listing speed for Google Cloud Storage.
- Adds a boolean property that disables retrieval of folder metadata to improve listing speed. It defaults to:
features.file-system.ignore-folder-metadata=false
- Specify the minimum number of characters required from each character class in the password policy. The defaults are:
password.policy.required-upper-count=1
password.policy.required-digit-count=1
password.policy.required-lower-count=1
password.policy.required-special-count=1
password.policy.require-digit=false
password.policy.require-lower=false
password.policy.require-special=false
password.policy.require-upper=false
- Use IMDSv2 on AWS for instance metadata.
- Upgrade postgresql 13 to postgresql 15 on ubuntu-based images.
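The password-policy counts and the PBKDF2-HMAC-SHA256 import above are easier to reason about with code in hand. The following is an added example, not SFTP Gateway's code: it parses the property lines exactly as listed, checks a candidate password against them, and shows how a migrated PBKDF2-HMAC-SHA256 credential is verified without ever storing the password. Assumptions are marked in the comments: that a required-<class>-count only applies when the matching require-<class> is true, that ASCII punctuation is the "special" class, the 12-character minimum from the 3.005.00 notes, the iteration count, and the `pbkdf2-sha256$iterations$salt$key` string layout (the product's real import format is not described on this page).

```python
import hashlib
import hmac
import os
import string
from typing import Optional

# Character classes. Treating ASCII punctuation as "special" is an assumption;
# the release notes do not define the class.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

# The 3.005.01 defaults exactly as listed in the release notes.
DEFAULT_PROPERTIES = """
password.policy.required-upper-count=1
password.policy.required-digit-count=1
password.policy.required-lower-count=1
password.policy.required-special-count=1
password.policy.require-digit=false
password.policy.require-lower=false
password.policy.require-special=false
password.policy.require-upper=false
"""


def parse_properties(text: str) -> dict:
    """Parse key=value lines in application.properties style."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_password(password: str, props: dict, min_length: int = 12) -> list:
    """Return the list of policy violations; an empty list means the password passes.

    Assumption: required-<class>-count is enforced only when require-<class> is true,
    which is what makes the listed defaults (counts of 1, requirements off) consistent.
    min_length defaults to the 12 that 3.005.00 made the default.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name, chars in CLASSES.items():
        if props.get(f"password.policy.require-{name}", "false").lower() != "true":
            continue
        need = int(props.get(f"password.policy.required-{name}-count", "1"))
        have = sum(1 for c in password if c in chars)
        if have < need:
            problems.append(f"needs {need} {name} character(s), has {have}")
    return problems


# --- PBKDF2-HMAC-SHA256 credentials, as a migration source might supply them ---

# Assumed work factor; OWASP's password storage guidance suggests 600,000
# iterations for PBKDF2-HMAC-SHA256.
DEFAULT_ITERATIONS = 600_000


def pbkdf2_encode(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Encode as pbkdf2-sha256$<iterations>$<salt hex>$<key hex>.

    This string layout is an assumption for the example, not the product's import format.
    """
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, encoded: str) -> bool:
    """Recompute the key from the stored parameters and compare in constant time."""
    try:
        alg, iterations, salt_hex, dk_hex = encoded.split("$")
    except ValueError:
        return False
    if alg != "pbkdf2-sha256":
        return False
    expected = bytes.fromhex(dk_hex)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex),
                             int(iterations), dklen=len(expected))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    props = parse_properties(DEFAULT_PROPERTIES)
    print(check_password("correct horse battery", props))       # [] under the listed defaults
    strict = dict(props, **{"password.policy.require-digit": "true",
                            "password.policy.required-digit-count": "2"})
    print(check_password("correct horse battery 7", strict))    # ['needs 2 digit character(s), has 1']
    stored = pbkdf2_encode("correct horse battery", iterations=10_000)  # low count only for the demo
    print(pbkdf2_verify("correct horse battery", stored), pbkdf2_verify("wrong", stored))  # True False
```

Note that with the listed defaults every require-* flag is false, so the per-class counts are inert until an administrator turns a class on; the 12-character minimum and (per the 3.005.00 notes) the prohibited-word list are what actually constrain a new password out of the box.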
Bug Fixes
- Immediately disconnecting an SFTP client without closing the connection after a file upload no longer causes the uploaded file to be deleted.
- Uploading a file with an extension and then uploading a file with the same name without an extension is now allowed.
- Update the installation of certbot for Let's Encrypt.
- Fix logout when using Cognito OIDC so that the next login attempt requires credentials.
- Adjust application memory settings to give more memory to the OS to prevent swap thrashing under high load.
- Allow configuration of HNS enablement when using first-cloud-connection properties with Azure.
Version 3.005.00
Breaking API Changes
- The /token/revoke endpoint is replaced with /logout, which does not need the token as a parameter.
- The /login endpoint no longer needs to specify a 'scope' value.
- The /password endpoint is now at /3.0.0/password.
- The OIDC login process now delivers a single-use token to the front-end when OIDC login completes. The single-use token is posted to the /login endpoint as a code parameter with a grant_type of 'urn:ietf:params:oauth:grant-type:single-use-auth', which returns a usable hybrid token. This change was made so that a token value leaked through a query string parameter (browser history, Referer headers, proxy or access logs) does not give an attacker access to an account.
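To make the security property of the new flow concrete, here is an added example (not SFTP Gateway's code) of a minimal /login handler for the single-use grant described above. The grant_type value is the one the notes give; the in-memory store, the 60-second code lifetime, the use of a random bearer token in place of the undocumented "hybrid token" format, and the LoginService name are assumptions. The point it demonstrates is that a code that leaks via a query string is consumed on first redemption and expires if unused, so a replay by whoever read the log gets invalid_grant.

```python
import secrets
import time
from typing import Callable, Dict, Tuple

SINGLE_USE_GRANT = "urn:ietf:params:oauth:grant-type:single-use-auth"
CODE_TTL_SECONDS = 60  # assumption: the release notes do not state the code lifetime


class LoginService:
    """Minimal model of the /login endpoint's single-use grant (added example)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._pending: Dict[str, Tuple[str, float]] = {}  # code -> (subject, expires_at)

    def complete_oidc_login(self, subject: str) -> str:
        """Called on the OIDC callback. Returns the single-use code handed to the front-end.

        The code, not a session token, is what may end up in a query string, browser
        history, Referer header or proxy log.
        """
        code = secrets.token_urlsafe(32)
        self._pending[code] = (subject, self._clock() + CODE_TTL_SECONDS)
        return code

    def login(self, form: Dict[str, str]) -> Dict[str, str]:
        """Handle POST /login with grant_type=<single-use grant> and code=<code>."""
        if form.get("grant_type") != SINGLE_USE_GRANT:
            return {"error": "unsupported_grant_type"}
        # pop() removes the code on first use, so a replay of a leaked code fails.
        entry = self._pending.pop(form.get("code", ""), None)
        if entry is None:
            return {"error": "invalid_grant"}
        subject, expires_at = entry
        if self._clock() > expires_at:
            return {"error": "invalid_grant"}
        # The notes call the result a "hybrid token" without describing its format,
        # so a random bearer token stands in for it here (assumption).
        return {"token_type": "Bearer",
                "access_token": secrets.token_urlsafe(32),
                "subject": subject}

    def purge_expired(self) -> int:
        """Drop codes that were never redeemed; returns how many were removed."""
        now = self._clock()
        stale = [c for c, (_, exp) in self._pending.items() if now > exp]
        for c in stale:
            del self._pending[c]
        return len(stale)


if __name__ == "__main__":
    svc = LoginService()
    code = svc.complete_oidc_login("alice")                              # what the front-end receives
    first = svc.login({"grant_type": SINGLE_USE_GRANT, "code": code})   # legitimate redemption
    replay = svc.login({"grant_type": SINGLE_USE_GRANT, "code": code})  # attacker with the leaked code
    print("first redemption issued a token:", "access_token" in first)  # True
    print("replay:", replay)                                            # {'error': 'invalid_grant'}
```

The one-shot redemption is what the /token/revoke-to-/logout and scope-less /login changes in this list rely on: the front-end never holds a long-lived token in a URL, only a code it exchanges once over a POST body.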
Feature Updates
- Override which SFTP Encryption algorithms are available from the server in the Admin UI.
- Improve Admin UI by removing gutters and spanning the full-width of the browser.
- Upgrade user SSH key generation to produce ECDSA and ED25519 key pairs.
- Add Alibaba OSS as a Cloud Connection type.
- Pre-calculate user permissions and cloud connections to improve SFTP user connection speed.
- Add last login date to users table.
- Show Alibaba Logs in Diagnostics screen when running on Alibaba Cloud.
- Determine password strength while creating passwords using zxcvbn.
- Show password policy adherence while creating passwords.
- Require current admin’s password when changing the password for other admin users.
- Require current password when an admin is changing their own password.
- Add field to Azure Cloud Connections to configure if HNS is enabled or not.
- Increase max memory size for backend Java jar based on memory size of instance.
- AWS base image updated from Amazon Linux 2 to Amazon Linux 2023.
- AWS IMDSv2 now enabled, supported, and required.
- Improved Load Balancer support to get and act on actual Client IP behind a load balancer.
- Default password policy increased min length from 8 to 12.
- Default password policy no longer requires lower case, upper case, digit, and special characters.
- Default password policy uses a built-in word list of 100K prohibited passwords.
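The IMDSv2 items in this list (and "Use IMDSv2 on AWS for instance metadata" in 3.005.01) matter because an instance that still answers IMDSv1-style requests will hand its role credentials to any SSRF or misconfigured proxy that can issue a bare GET. The following is an added example, not SFTP Gateway's code: a constructed stand-in for the metadata service configured with HttpTokens=required, plus the two client patterns, so the difference is visible offline. The header names and the PUT-then-GET sequence are the real IMDSv2 ones; the stand-in, its port, and the sample instance ID are constructed for the example.

```python
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Tuple

TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
INSTANCE_ID = "i-0123456789abcdef0"  # constructed sample value


class FakeImds(BaseHTTPRequestHandler):
    """Stand-in for 169.254.169.254 with HttpTokens=required (constructed for the example).

    Implements only the two calls the client below needs.
    """
    issued = set()

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _send(self, status: int, body: bytes) -> None:
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        # Session start: a PUT carrying a TTL header, as IMDSv2 requires. A bare GET
        # forwarded through an SSRF hole or an open proxy cannot normally do this step.
        if self.path != TOKEN_PATH or TTL_HEADER not in self.headers:
            self._send(400, b"")
            return
        token = secrets.token_urlsafe(24)
        FakeImds.issued.add(token)
        self._send(200, token.encode())

    def do_GET(self):
        # HttpTokens=required: every metadata read must carry a valid session token.
        if self.headers.get(TOKEN_HEADER) not in FakeImds.issued:
            self._send(401, b"")
            return
        if self.path == "/latest/meta-data/instance-id":
            self._send(200, INSTANCE_ID.encode())
        else:
            self._send(404, b"")


def start_fake_imds() -> str:
    """Start the stand-in on a free loopback port and return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), FakeImds)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}"


def _fetch(req: urllib.request.Request) -> Tuple[int, str]:
    try:
        with urllib.request.urlopen(req, timeout=3) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def imds_v1_get(base: str, path: str) -> Tuple[int, str]:
    """The legacy pattern: a bare GET with no session token."""
    return _fetch(urllib.request.Request(base + path))


def imds_v2_get(base: str, path: str, ttl_seconds: int = 21600) -> Tuple[int, str]:
    """IMDSv2: PUT for a session token (max TTL 21600 s), then GET with the token header."""
    status, token = _fetch(urllib.request.Request(
        base + TOKEN_PATH, method="PUT", headers={TTL_HEADER: str(ttl_seconds)}))
    if status != 200:
        return status, ""
    return _fetch(urllib.request.Request(base + path, headers={TOKEN_HEADER: token}))


if __name__ == "__main__":
    base = start_fake_imds()
    print("v1:", imds_v1_get(base, "/latest/meta-data/instance-id"))  # (401, '')
    print("v2:", imds_v2_get(base, "/latest/meta-data/instance-id"))  # (200, 'i-0123456789abcdef0')
```

On a real instance the enforcing side is the instance's metadata options rather than the client: `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required` turns off the v1 path, and `--http-put-response-hop-limit 1` keeps the token PUT from being forwarded out of a container or a NAT hop. Verify with `aws ec2 describe-instances` that HttpTokens reads "required" after the 3.005.00 upgrade.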
Bug Fixes
- Fix issue with failing to upload files larger than 50GB to AWS.
- Limit OIDC “prompt” query string parameter to Google Identity Providers (fixes OIDC to providers like Ping that do not support that parameter).
- Correct encoding of slashes in the base prefix for the Resolved Cloud Path for Azure Cloud Connections.
- Fix issue when importing a backup file with a conflicting name to an existing Cloud Connection.
- Ensure no connection errors when uploading more than 500 simultaneous files.
- Fix issue where many simultaneous connections from the same user could result in a failure to connect due to an ObjectOptimisticLockingFailureException.
- Pre-calculate user permissions and cloud connections to address bug where having many cloud connections could result in a database timeout.
- Ensure SSH Key Names imported from a backup are retained rather than replaced by SFTP username.
- Disable password expiration after a year on Linux root account.
- Show and allow navigation to folders that have a blank name.
- Removes automatic determination of HNS enablement on Azure Storage Accounts because it failed when using a System Assigned Identity. HNS is now specified when creating/editing Azure Cloud Connection.
- Specifying “None” permission on a folder for a user now prevents that user from listing that directory and instead will receive a permission denied message.
- Importing a backup file now supports files with UTF-8 characters.
- Importing a backup file with unsupported characters will now show errors with the line numbers of the unsupported characters.
Other
- Update Java version from 11 to 17.
- Update Spring Security from 5 to 6.
- Update Spring Boot from 2 to 3.
- Update Python2 to Python3.
Version 3.004.06
Security
- Addresses the SSH protocol Terrapin attack (CVE-2023-48795) by providing the strict key exchange countermeasure through Maverick Synergy 3.0.22.
- Addresses bouncycastle-fips CVE-2022-45146 by upgrading the library to 1.0.2.4.
Bug Fixes
- Only send “prompt=select_account” extra parameter during identity provider login when identity provider starts with https://accounts.google.com to address compatibility with parameter on other OIDC providers.
Version 3.004.05
- Updated Maverick to 3.0.21 to address the Passive SSH Key Compromise issue.
Version 3.004.04
Security
- Address a deserialization vulnerability in the Admin API for OIDC that affects versions 3.004.01-3.004.03.
- Address snakeyaml CVE-2022-1471 by updating snakeyaml to 2.x.
- Address CVE-2023-34034 by updating Spring Security.
Features
- Handle disconnect during file upload by deleting the partial file from cloud storage.
- Improve performance when many folders are defined for a user.
- Remove “Flagging IP Address” message when default IP Ban feature is disabled.
- Update azure-storage-blob sdk to 12.23.1.
- Update google-cloud-storage sdk to 2.26.0.
- Update aws sdks to 2.20.127 and 1.12.530.
Bug Fixes
- On Azure, the swap partition did not persist on reboot. It is now persisted across reboot.
Version 3.004.03
- List all files (even if more than 1,000) in Google Cloud Storage Buckets.
- Support file and folder names with backslash characters.
Version 3.004.02
Features
- Include Banner Text in exported backup file.
- Work without the “s3:ListAllMyBuckets” permission.
- Update Spring Security to address CVE-2023-20862.
Bug Fixes
- Show admin option to change password in admin ui.
- Show import errors when there are conflicts during import of Identity Providers.
- Resolve issue with newer ssh clients where RSA keys are rejected with message: sign_and_send_pubkey: no mutual signature supported.
Version 3.004.01
Features
- Allow access to logs and other diagnostic information via the new Diagnostics tab.
- Enable all SFTP host keys regardless of security level.
- Admin can configure additional OpenID Connect (oidc) scopes on the Identity Provider forms.
Bug Fixes
- Fixed bug that prevented synchronization between HA servers on AWS in v3.4.0.
- Fixed compatibility issue with Azure Monitor Agent.
- Admins can now change the storage account/container on the Azure Cloud Connection form.
- Refreshes Identity providers list on settings screen after backup import.
- Other UI Improvements.
Version 3.004.00
- Adds OIDC login for Web Admin UI.
- Allows configuration of multiple External Identity Providers to allow OIDC login to Web Admin UI.
Version 3.003.06
- Display cloud connection resolved path for a user’s home directory when creating or editing a user.
- Fixed bug that prevented deletion of user with multiple SSH Keys or IPs Allowed.
- Fixed bug that prevented deletion of a directory on Azure when Hierarchical Namespace is enabled on the Storage Account.
- Updated Spring Framework version to 5.3.20 to avoid CVEs from previous versions.
- Updated Cloud Storage SDKs
- Updated AWS SDK to 2.18.28
- Updated Google cloud storage library to 2.15.1
- Updated Azure storage blob library to 12.20.1
Version 3.003.05
- Fixes issue when uploading files over 250 MB to AWS or Azure that pause at 100% and then report a failure. The problem was a timeout between the SFTP Gateway server and the cloud storage locations.
- Normalizes headers in the Admin UI for consistency.
Version 3.003.04
Features
- Improves performance of listing many files in Google Cloud Storage.
- Improves performance of uploading files in AWS S3.
- Adds a user-friendly Admin Landing Page on the http port.
- Adds warning message when Host Keys are not in imported backup file.
- Adds configuration and overrides of UID and GID for a user.
Bug Fixes
- Fixed a file creation bug that caused problems when using SSHFS.
- Fixed issue where the # symbol in filename cuts off the rest of the filename on Azure.
- Fixed issue where the pound sign # in the IP allow list label breaks the export/import process.
Version 3.003.03
Features
- Adds Integrated help system.
- Adds PROXY protocol support to receive client IP address behind a load-balancer.
- Migrate from Ubuntu 20 to Ubuntu 22 on Azure.
- Add Configuration of SFTP banner text to Admin UI.
- SFTP Users will not see existing files when viewing a folder with write-only permission. In previous versions, the users could list, but not download, files in write-only folders.
- SFTP Support for ed448 public and private keys.
- SFTP Support for PuTTY Version 3 Private Key format.
Bug Fixes
- Fixed disconnect issue when having multiple AWS regions configured for a user’s folders.
- Fix the configuration of the password policy so that requirements can be disabled. The following application properties disable each requirement:
password.policy.require-upper=false
password.policy.require-lower=false
password.policy.require-digit=false
password.policy.require-special=false
- Fixed VM Password support in Azure.
- Fixed issue with renaming folders on AWS where nested folders were not moved to the new name.
- Fixed SFTP v5 attribute flags being sent when using SFTP v4, which was breaking the listing of files in WinSCP in v3.3.2.
Version 3.003.02
- Solved bug where a user logging in at the same time as another user could result in the first user seeing the second user’s folders and files.
- Solved bug on Google Cloud where empty files failed to write.
- Removed errant project sshkey from Google Cloud vm image.
- Solved bug on Google Cloud Connection where empty files failed to write.
- Corrected the test of a Google Cloud Connection so it considers access to a bucket's metadata.
- Fixed issue with passwords imported from SFTPGWv2 not working after initial login.
- Correct bug where disabling automatic IP ban behavior did not work.
- Update local postgres service on Amazon Linux to use postgresql13 from official repository.
- Add support for version 3 of the PuTTY Private Key File Format.
- Add support for ED448 public/private keys.
Version 3.003.01
- Enables SCP support.
- Syncs server SSH host keys across HA instances, similar to the website key and SFTP host keys.
- Updates Spring and other dependencies to resolve possible CVEs.
- Displays the creation date (instead of 0) for folders created by the web admin portal.
- Improves Backup import service when merging Cloud Connection information.
- Adds Highly Available feature on Google Cloud Platform.
- Writes log messages to Google Cloud Platform's Logging service.
- Enables Instance Identity/Attached Service Account usage on Google Cloud Connections.
Version 3.003.00
- Fixes WinSCP issue with subdirectories backed by Folder objects (WinSCP: error decoding sftp packet).
- Fixes compatibility with SFTP client software Panic Transmit.
- Shows whether an SSH public key was generated or was user-provided.
- Shows that the IP filter is disabled when the IP Allow List is empty.
- Shows Folder search results as paths.
- Adds a Test Connection button to the Cloud Connection creation process.
- Adds configuration option to disable automatic IP banning.
Version 3.002.01
- Updated SFTP Subsystem Maverick Library from 3.0.5 to 3.0.7
- Fixed bug that did not allow updating Azure Connection String to a new storage account
- Updated log4j api dependency to 2.17.1
- Resolved minor UI issues for Cloud Connection settings screens
- Fixed bug preventing write on an unencrypted S3 Cloud Connection to an encrypted s3 bucket