VShell(R) Server 4.5.4 (Official) -- September 1, 2020

Copyright (C) 1995-2020 VanDyke Software, Inc.
All rights reserved.

This file contains a VShell product history. It includes lists of new features, changes, and bug fixes sorted by release. For a product description, installation notes, registration, and contact information, please refer to readme.txt (downloaded with this package).

Changes in VShell 4.5.4 (Official) -- September 1, 2020
-------------------------------------------------------

Bug fixes:

- SSH2: In the unlikely event that upload or download triggers have not yet been processed and the SFTP channel closes unexpectedly, the server could crash.
- Windows, SSH2: Under rare circumstances, when authenticating to the server using RADIUS, the server could crash.
- Windows, SSH2: In the unusual case where a system issue prevents the server from impersonating the user when an SFTP connection is closed, the server could crash.

Changes in VShell 4.5.3 (Official) -- June 23, 2020
---------------------------------------------------

Bug fixes:

- HTTPS: If a connection from a non-browser file transfer client was idle, it would be disconnected after two minutes, regardless of the configured idle timeout period.
- Windows: In the VShell Control Panel, particularly with a large number of users, there could be a delay before the Access Control page or Virtual Roots Folder Options page was displayed.
- Windows: On Server 2019, attempts by clients to create new directories within a virtual root on a network share could fail.
- Linux/Mac: With port forwarding, when a connection was made but no service was listening on the remote port, CPU usage could increase and remain close to 100%.

Changes in VShell 4.5.2 (Official) -- January 28, 2020
------------------------------------------------------

Vulnerabilities addressed:

- HTTPS: Given a maliciously crafted URL, VShell was vulnerable to a directory traversal attack using HTTP requests, allowing potentially unauthorized access to the file system.

Bug fixes:

- Using a non-standard encoding of a file path, an authenticated user could have access to files and folders permitted by the underlying file system, but outside the user's Virtual Root.
- Windows: In the VShell Control Panel, changes to the Authentication timeout value were not honored.

Changes in VShell 4.5.1 (Official) -- December 17, 2019
-------------------------------------------------------

Changes:

- HTTPS: "Host" headers sent by the client are ignored.
- SSH2: The default length of newly created RSA host keys has been increased to 3072 bits.
- Windows, FTPS: If VShell is unable to look up the authentication package MICROSOFT_AUTHENTICATION_PACKAGE_V1_0, the "Error" topic is now used for the log message.

Bug fixes:

- Windows: In the VShell Control Panel, changes to the RADIUS authentication order option would not save correctly.

Changes in VShell 4.5 (Official) -- October 29, 2019
----------------------------------------------------

Changes:

- Mac OS installers are now notarized by Apple.

Changes in VShell 4.5 (Beta 4) -- October 15, 2019
--------------------------------------------------

Changes:

- When adding internal database users, if username includes the illegal character "@", an error is now displayed.
- HTTPS: Added a robots.txt file containing settings that tell web robots not to visit the site.
- HTTPS: In the VShell User Web Interface, minor adjustments were made to meet WCAG 2.0 success criteria.

Bug fixes:

- HTTPS: When using a logout trigger, the %I (IP address) and %G (source port) parameters could be set to "unknown".
- HTTPS: When the HTTP PUT command was used to upload a file that replaced a larger version of the same file, the uploaded file incorrectly retained the previous size.
- Windows: In the VShell Control Panel, using the LDAP User/Group Picker would trigger a minor memory leak.
- Windows 2019: When Logon access was allowed for a domain level group, members of the group could be denied Logon access when using publickey authentication.
- Linux/Mac: The FailedAuthCommand trigger was not executed when a user was prevented from logging in due to account restrictions.
- Linux/Mac: vuserdb commands could fail with an error mentioning ciphers, MACs, or key exchange methods specified in the vshelld_config file.
- HTTPS: In the VShell User Web Interface, if an invalid URL was entered, the error message could be displayed as XML.

Changes in VShell 4.5 (Beta 3) -- September 5, 2019
---------------------------------------------------

Changes:

- HTTPS: Secure headers Strict-Transport-Security, Content-Security-Policy, X-XSS-Protection, X-Frame-Options, X-Content-Type-Options, and Cache-Control are now sent.
- HTTPS: The "Server" header is no longer sent.
- HTTPS: In the VShell User Web Interface, colors of two components were changed to meet WCAG 2.0 success criteria.
- Linux/Mac SSH2: The Crypto++ library used by VShell was updated to version 8.2.
- Some AIX OpenSSH clients (versions 7.5p1 and later) were disconnected with error "Server received packet unknown userauth packet, which should never be sent by the client".

Bug fixes:

- HTTPS & FTPS: In the rare case that a client closed the connection immediately after renegotiating SSL parameters, CPU usage could increase and remain close to 100%.

Changes in VShell 4.5 (Beta 2) -- August 15, 2019
-------------------------------------------------

New features:

- SSH2: Added support for the diffie-hellman-group14-sha256, diffie-hellman-group16-sha512, and diffie-hellman-group18-sha512 key exchange algorithms.
- Windows: Added the ability to enable and disable use of specific TLS versions.

Bug fixes:

- Windows: The VShell Control Panel had three lists of options in which extra lines would appear when an item was selected.

Changes in VShell 4.5 (Beta 1) -- July 25, 2019
-----------------------------------------------

New features:

- HTTPS: Added support for the WebDAV protocol.
- HTTPS: In the VShell User Web Interface, the title text can now be customized.
- FTPS: Added support for the MDTM command described in RFC 3659, as well as the MFF and MFMT commands described in draft-somers-ftp-mfxx-04.
- Windows: Added support for a folder monitor that can detect creation or copy/move of new files to a specified folder and initiate actions such as automatic transfer to another SFTP server.
- Windows: Added a wizard for faster configuration of VShell to receive file uploads from Cisco Unified Communications Manager (CUCM) and similar applications that connect using SFTP.
- Linux/Mac: Added support for the HTTPS protocol.
- Linux/Mac: Added the ability to specify the maximum number of concurrent connections per user for SSH2 and FTPS connections.
- Linux/Mac: Added support for subconfigurations to limit the number of concurrent SSH2 or FTPS connections for a particular user or group.
- Linux/Mac: Added the ability to add VShell internal database users from a file.

Changes:

- VShell Workgroup Edition now allows 25 concurrent connections (previously 10).

Bug fixes:

- In the rare case that a trigger was configured with a timeout >= 215 seconds and a "run as" user, the trigger would not fire.
- When using subconfigurations for both users and groups that both specified a logging destination, a memory leak could occur.
- When a new log file was created for the day, it was possible for some of the lines to be written above the header.
- In the line logged to indicate the IP address and port on which a service was listening, the address and port were reversed.
- When LDAP authentications were performed, a memory leak occurred.
- Upon connection by a client that displays a single row in its console such as Remote Desktop Manager by Devolutions, VShell would produce an error and disconnect the client.
- HTTPS: In some cases, when VShell HTTPS received a PUT command to upload a 0-byte file, it could return a response with an invalid Content-Range header field.
- HTTPS: When a file transfer was interrupted, upload and download triggers did not set the %U (user) and %s (session) parameters.
- HTTPS: When the VShell server was configured to disable the HTTPS PUT command, an HTTPS client attempting to upload a file with PUT could hang.
- HTTPS: In the VShell User Web Interface, when downloading files the browser did not display its download indicator until the download completed.
- HTTPS: In the VShell User Web Interface, when multiple dialogs were displayed at the same time, closing one would close them all.
- HTTPS: In the VShell User Web Interface, when using a browser other than Edge or Internet Explorer, you could not download a file with non-ASCII (e.g., Russian) characters in the filename.
- FTPS: When FTPS and FTP file uploads are performed using SecureFX, timestamps are now preserved.
- FTPS and HTTPS: When a file upload was aborted due to loss of network connectivity, the client being killed or closed, or failure to write the file to disk, upload triggers returned success rather than the error code.
- Windows: In the rare case of multiple simultaneous authentication failures when the deny host option was enabled, it was possible for VShell to crash or incorrectly add one of the connecting IPs to the deny host list.
- Windows: For file operation triggers set up to fire conditionally for users having access to an SFTP virtual root, the email and command trigger actions did not work.
- Windows: On the VShell Control Panel, performing a certain sequence of actions on the Triggers page could incorrectly cause the Add, Edit, and Delete buttons to be enabled.
- Windows: When there were a large number of users, or when there was network latency between the domain controller and the VShell server, there could be a delay before displaying the Access Control list, the SFTP commands list, and the Virtual Roots list.
- Linux/Mac: When MaximumAuthenticationRetries was set to a value less than DenyHostAfterFailureCount, a host was not denied connection after DenyHostAfterFailureCount authentication failures.