2014 Archive

SFTPPlus Server 2.9.0 Release

Tue 09 December 2014 | general server

We are pleased to announce the latest release of SFTPPlus Server, version 2.9.0 which simplifies account's SSH key based authentication and provides a web based tool for generating new SSH keys and converting existing keys in OpenSSH, SSH.com or PuTTY format to be used in SFTP and SCP file transfer servers. The new SSH keys management tool replaces the external PuTTYgen tool.

To prevent creating huge log files, starting with this version the default configuration creates a log file which is automatically rotated at the end of the day.

The FTP and FTPS service was updated to work behind a NAT even with legacy FTP clients which don't support the EPSV (RFC 2428) command, by advertising an explicit IP address in PASV responses.

This release contains a fix for removing files which are marked as read-only in Windows

These are just the highlights of this release. For more details please see the full release notes.

• • •

SFTPPlus Client 1.5.51 Release

Fri 28 November 2014 | general client

SFTPPlus Team announce release of SFTPPlus Client, version 1.5.51 which fix sending recursive files over SFTP when remote folder structure already exists.

For more details please see the full release notes.

• • •

SFTPPlus Server 2.8.0 Release

Fri 24 October 2014 | general server

SFTPPlus Team is pleased to announce the latest release of SFTPPlus Server, version 2.8.0 which was released as a response to SSLv3 POODLE vulnerability.

Starting from this version SSLv3 is no longer enabled by default for FTPS (implicit and explicit), HTTPS and Local Manager protocols.

We have also updated the list of supported operating systems to include the Red Hat Enterprise Linux 7 and CentOS 7 on X86_64 together with Apple OS X 10.8 also on X86_64.

This version fixed a bug affecting the loading of Certificate Revocation Lists for FTPS, HTTPS and Local Manager protocols.

For more details please see the full release notes.

• • •

SFTPPlus Client 1.5.50 Release

Thu 23 October 2014 | general client

SFTPPlus Team is pleased to announce the latest release of SFTPPlus Client, version 1.5.50.

This version was released as a response to SSLv3 POODLE vulnerability.

In this release SSLv3 is disabled by default.

Support for SSLv3 can still be forced by using the useinsecuresslv3 configuration option.

For more details please see the full release notes.

• • •

SSLv3 POODLE vulnerability and SFTPPlus

Wed 22 October 2014 | security server client

Issue

In late September, a team at Google discovered a serious vulnerability in SSL 3.0, known as “POODLE”.

By exploiting this vulnerability, an attacker can gain access to data send over what is supposed to be a secured connection.

Affected protocols

SFTPPlus Server and Client are affected by SSLv3 POODLE vulnerability for FTPS, HTTPS protocols as well as for the HTTPS web based management tool.

SFTP and SCP protocols are not affected.

This is a design flaw within the SSLv3 protocol itself and is not related to SFTPPlus specific implementation or any other vendor’s implementation.

Solution for SFTPPlus Server

As a way to fix this you should disable SSLv3 protocol and only use TLSv1 for FTPS (explicit or implicit) and HTTPS protocols, including the Local Manager web based administration interface.

To disable SSLv3 in SFTPPlus Server this can be done using the ssl_allowed_methods = tlsv1 configuration options for all vulnerable protocols. For more details see ssl_allowed_methods documentation.

The default configuration options support both SSLv3 and TLSv1. SSLv2 was never enabled as the protocol was also proved vulnerable.

In case you still need to use SSLv3 you should disable the CBC based cipher suites. This means enabling only the RC4-SHA cipher as this is the only cipher not using CBC. To do this, set ssl_cipher_list = RC4-SHA . For more details see ssl_cipher_list documentation.

We will soon release a new version of SFTPPlus Server which will disable SSLv3 by default.

Solution for SFTPPlus Client

SFTPPlus Client can also be configured to only use RC4-SHA cipher using the ciphers = 'RC4-SHA' configuration. For more details see ciphers documentation.

We will soon release a new version of SFTPPlus Client which will disable SSLv3 by default.

• • •

SFTPPlus Server 2.7.0 Release

Thu 18 September 2014 | general server

SFTPPlus Team is pleased to announce the latest release of SFTPPlus Server, version 2.7.0.

This version improves the managed file transfer component of the server by adding support for calling external command for monitored paths.

The server now supports more FTP commands like SITE CHMOD. For backward compatibility we have introduced support for the obsolete FTP commands: XCUP, XCWD, XMKD, XPWD, XRMD

Ubuntu 14.04 LTS on X86_64 is now a supported platform.

For more details please see the full release notes.

• • •

New Website

Fri 08 August 2014 | general

We have launched a new website for supporting SFTPPlus products. It includes general product description and documentation as well as support and contact information.

• • •

SFTPPlus Server 2.6.0 Release

Fri 08 August 2014 | general server

SFTPPlus Team is pleased to announce the latest release of SFTPPlus Server, version 2.6.0.

This version adds support for monitoring paths on local file systems and record activity inside the audit trail and a report containing last login date for all accounts.

For more details please see the full release notes.

• • •

SFTPPlus Server 2.5.0 Release

Tue 03 June 2014 | server release

SFTPPlus Team is pleased to announce the latest release of SFTPPlus Server, version 2.5.0.

This version adds support for SCP file transfer protocol on top of SSH protocol. SCP protocol is available for SSH, together with SFTP protocol

For more details please see the full release notes.

• • •

SFTPPlus Server 1.8.10 Release

Fri 25 April 2014 | server release

SFTPPlus Team is pleased to announce the latest release of SFTPPlus Server, version 1.8.10, a maintenance release for server 1.8 release series.

Beside being a maintenance release, this version also adds the following features for FTP protocol:

  • Support for FTP APPE command.
  • Globbing for FTP NLST and LIST commands.

It includes many fixed in FTP/FTPS and SFTP file transfer protocols.

For more details please see the full release notes.

• • •

OpenSSL Heartbleed bug and SFTPPlus

Thu 17 April 2014 | security server

SFTPPlus uses OpenSSL only for FTPS protocol. SFTP protocol is not affected by this bug.

OpenSSL Heartbleed bug and SFTPPlus

On Unix and Linux, SFTPPlus software use the OpenSSL library provided by the operating system. Unix and Linux operating system supported by SFTPPlus (RHEL 4, RHEL5, RHEL6, SLES 11, AIX 5.3) are not affected by this bug as they all use older versions of OpenSSL.

If you use CentOS 6 instead of RHEL 6, you might be affected by this problem and you should update the CentOS 6 system, If you use Ubuntu 12.04 then you should also update the operating system. Security fixes are already available for both CentOS and Ubuntu.

For Windows, SFTPPlus software use OpenSSL version 0.9.8 which is not affected bu this bug.

• • •

SFTPPlus Server 2.4.0 Release

Mon 14 April 2014 | server release

SFTPPlus Team is pleased to announce the latest release of SFTPPlus Server, version 2.4.0.

This version adds support for uploading files with unlimited size over HTTP and HTTPS. This puts HTTP/HTTPS service capabilities in line with SFTP and FTP/FTPS services.

It also add support for symbolic links on Windows. On Unix/Linux symbolic link support was already available.

This release also include many minor bug fixed. For more details please see the full release notes.

• • •

SFTPPlus Server 2.3.0 Release

Mon 17 February 2014 | server release

SFTPPlus Team is pleased to announce the latest release of SFTPPlus Server, version 2.3.0.

This version adds support for HTTP and HTTPS as protocols for file transfer services. The HTTP/HTTPS/HTML implementation is compabitle with any web browser and transfer can be automated using command line clients like cURL or wget.

Starting from this version, the Windows installer will generate an installation log file.

For more details please see the full release notes.

• • •