Articles and news

SFTPPlus Server 2.2.0 Release

Tue 24 December 2013 | server release

SFTPPlus Team is pleased to announce the latest release of SFTPPlus Server, version 2.2.0.

This version adds support for the IBM AIX operating system, starting with version 5.3, OS level 6.

It also adds support for authenticating global accounts inside SFTPPlus WebAdmin using SSH keys.

For more details please see the full release notes.

• • •

SFTPPlus Server 2.1.0 Release

Tue 26 November 2013 | server release

SFTPPlus Team is pleased to announce the latest release of SFTPPlus Server, version 2.1.0.

Main new features are:

  • A graphical user interface for managing the SFTPPlus Server.
  • Support for FTP APPE command. For more details consult the IETF RFC 959.
  • Globbing for FTP NLST and LIST commands. Globbing support is limited to the Unix shell wildcards *, ?, [ and ].
  • Add the --generate-uuid command line option to generate UUIDs.
  • Add the --validate command line option to server-commands to validate the server configuration.
  • Add the --key-comment command line option to server-commands to allow specifying a comment for the generated SSH public key.
  • Allow sending log entries to remote HTTP server using HTTP Post requests.
  • Use a generic HTTP POST request for sending logs to legacy SFTPPlus WebAdmin.
  • Add support for storing server logs inside a database. MySQL and SQLite are supported.
  • Allow configuring an arbitrary number of log handlers, including multiple log handlers of the same type.

There is no cost for the upgrade, as the software is included with each customer's Support and Maintenance package. We will provide full support for each customer to migrate to the latest version and will explain the new features.

We would encourage you to plan a migration at the earliest opportunity.

While we have not placed an ‘end of life’ date for support on older versions we would like to plan for that as soon as practical and would like to work with you to plan the migration.

We suggest you might initially install the new version on a test/trial basis and we will be happy to assist with an online session for that as well.

The new documentation will explain and describe all new features, but we also welcome feedback from customers to improve the documentation so that we cover differing knowledge levels as well as differing requirements.

The roadmap includes further development and we welcome your input and feedback so that we can decide features, enhancements and functionality that may be included.

• • •

Security vulnerability for SSH keys authentication

Mon 22 April 2013 | server security

Monday, 22 April 2013 - we have discovered a security vulnerability affecting SFTPPlus Server versions 1.6, 1.7 and 1.8.

Due to an error in checking the SSH key signature, when SSH key authentication is used for an SFTP transfer, a user can obtain server access by using only the public part of the SSH key.

Access with only a public SSH key is still restricted to the specific account for which the public key is enabled. Full server access is not granted.

To exploit this security issue, a 3rd party needs to hold a copy of the public SSH key and use it together with a modified SFTP client which allows initiating an SFTP session without requiring a private SSH key.

This does not affect SFTP transfers for which SSH key authentication is not enabled.

This does not affect FTP or FTPS transfers.

This does not affect SFTPPlus Server version 1.5 and below.

This does not affect SFTPPlus Client at any version.
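
The advisory does not describe the exact defect, so the following is an added, simplified model of the class of check involved, not SFTPPlus code: a server that accepts a public key because it is on file for the account, next to one that also requires a signature over the session identifier made with the matching private key. The toy RSA key, the `alice` account and all function names are constructed for illustration.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes. Far too small for
# real use; it only lets the example run with the standard library.
P, Q, E = 2**107 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, known to the key owner only

AUTHORIZED = {"alice": (N, E)}      # hypothetical account -> authorized public key


def digest(session_id: bytes, user: str, pubkey: tuple) -> int:
    """Hash of what the client must sign: session id plus the request fields."""
    data = session_id + b"|" + user.encode() + b"|" + repr(pubkey).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % pubkey[0]


def sign(session_id: bytes, user: str, pubkey: tuple, d: int = D) -> int:
    """Client side: only possible with the private exponent."""
    return pow(digest(session_id, user, pubkey), d, pubkey[0])


def auth_lookup_only(user: str, pubkey: tuple, signature) -> bool:
    """Flawed model: the key is on file, so the request is accepted.
    The signature is never checked, so the public key alone is enough."""
    return AUTHORIZED.get(user) == pubkey


def auth_verified(session_id: bytes, user: str, pubkey: tuple, signature) -> bool:
    """Corrected model: the key must be on file AND the signature must verify
    against this session's identifier, which proves private key possession."""
    if AUTHORIZED.get(user) != pubkey or not isinstance(signature, int):
        return False
    n, e = pubkey
    return pow(signature, e, n) == digest(session_id, user, pubkey)
```

Binding the signature to the session identifier also means a signature captured from one session is rejected in another.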

Available fix

To fix this error we have released new versions of SFTPPlus Server for all supported release series.

Update for release series 1.8 together with documentation is available at:

http://www.sftpplus.com/documentation/server/v/1.8.6/

Update for release series 1.7 together with documentation is available at:

http://www.sftpplus.com/documentation/server/v/1.7.21/

Users of version 1.6 are asked to upgrade to the latest version, 1.8.6. Besides the latest security fix, upgrading to 1.8.6 will also provide other fixes and new features.

In case you are not able to upgrade to one of the latest supported versions, please let us know and we will work together in making sure this security error is fixed for your production servers.

We apologize for any inconvenience that may occur as a result of these changes!

• • •

OpenSSL DER certificate vulnerability and SFTPPlus

Thu 26 April 2012 | security

Last week a bug was discovered in all OpenSSL versions. This bug can cause various security issues.

More information about the original vulnerability report for OpenSSL can be found from the National Cyber Awareness System.

A fix was already provided by the OpenSSL team as of 24 April 2012.

Please note that the bug only affects products using OpenSSL for reading client or server certificates stored in DER format and which were generated by an untrusted Certificate Authority.

The vulnerability does not apply in the case of using certificates stored in PEM format.

The vulnerability only affects FTPS and HTTPS transfers from SFTPPlus products, since SFTPPlus Client and SFTPPlus Server read client and server certificates from various formats, including DER format. If the DER certificates were generated by a trustworthy Certificate Authority, there are no security vulnerabilities caused by this bug.

The vulnerability can be more easily exploited on Intel X86 and X86_64 CPU architectures, as the other CPU architectures have various security mechanisms to prevent this type of security vulnerability.

We found it appropriate to let you know about this security issue while we are working on including the fix in the latest SFTPPlus products.

New releases for latest versions of SFTPPlus products will be available in the near future and will include a fix for the security issue described above.

In case you are handling untrusted .DER certificates together with an older version of SFTPPlus products and cannot upgrade to the latest version, please let us know and we will provide a security update for the version used in your deployment.
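
To find out whether a deployment stores any DER-encoded files at all, the following added helper (not part of SFTPPlus) walks a directory and separates DER from PEM by content rather than by file extension. It recognises any DER-encoded ASN.1 SEQUENCE, so keys and CRLs are reported as well as certificates, and it cannot tell which Certificate Authority issued a file.

```python
import os


def der_total_length(data: bytes):
    """Total encoded size if data starts with a DER SEQUENCE header, else None."""
    if len(data) < 2 or data[0] != 0x30:          # 0x30 = SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                              # short form: length in one byte
        return 2 + first
    n = first & 0x7F                              # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:      # indefinite or oversized length
        return None
    length = int.from_bytes(data[2:2 + n], "big")
    if data[2] == 0 or length < 0x80:             # DER requires the minimal encoding
        return None
    return 2 + n + length


def classify(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'other' for the content of one file."""
    if b"-----BEGIN " in data[:4096]:
        return "PEM"
    if der_total_length(data) == len(data):       # header must account for every byte
        return "DER"
    return "other"


def scan(root: str) -> list:
    """Return sorted paths under root whose content is a DER structure."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)       # certificates are far below 1 MiB
            except OSError:
                continue                          # unreadable file: skip it
            if classify(data) == "DER":
                hits.append(path)
    return hits and sorted(hits)
```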

• • •

Expansion and focus on SFTPPlus

Sun 01 June 2008 | general

Following the success and increasing sales of SFTPPlus, Pro:Atria decides to focus entirely on SFTPPlus and cease distributing other products.

Distribution of other products ceases over the following 2 years as customers and suppliers are supported with migration to new distributors etc.

• • •