VShell(R) Server 4.6.3 (Official) -- February 1, 2022

Copyright (C) 1995-2022 VanDyke Software, Inc.
All rights reserved.

This file contains a VShell product history.  It includes lists of new
features, changes, and bug fixes sorted by release.  For a product
description, installation notes, registration, and contact
information, please refer to readme.txt (downloaded with this
package).


Changes in VShell 4.6.3 (Official) -- February 1, 2022
------------------------------------------------------

Vulnerabilities addressed:

  - Windows: When a trigger action was configured to run a script
    that echoed specific parameters, a malicious user could have
    specified the parameters in such a way as to cause an arbitrary
    command to be launched on the VShell host machine.
  - Windows: With certain SFTP clients, an authenticated user could
    send a maliciously crafted path to VShell on Windows that would
    allow access to the file system outside the virtual root
    folder(s), causing folder access to be restricted only by NTFS
    permissions.

Bug fixes:

  - Windows: When using VShellConfig to export the configuration
    using the "virtual-roots" include directive and any virtual roots
    impersonate a user, credentials are no longer exported unless the
    "saved-credentials" option is specified.
  - Windows: When importing a configuration with an internal user
    database, any internal database users/groups were omitted from
    the imported ACLs.


Changes in VShell 4.6.2 (Official) -- July 27, 2021
---------------------------------------------------

Bug fixes:

  - If an SFTP client did not honor the negotiated maximum packet
    size, file transfers could fail with an "Invalid packet header"
    error.
  - In the unusual case that it fails to retrieve the socket address
    of an incoming connection, VShell could crash.
  - FTPS: If the server was shut down while there were incoming
    connections, in rare circumstances, VShell could crash.
  - Windows, HTTPS: When a virtual root had read access permissions
    disabled, the contents of the virtual root folder could not be
    listed.
  - Linux/Mac, HTTPS: When a user was restricted ("chrooted") to
    their home directory, uploads and folder creation were not
    allowed directly under the home folder when connected via the
    VShell User Web Interface.


Changes in VShell 4.6.1 (Official) -- May 11, 2021
--------------------------------------------------

Bug fixes:

  - If an incoming RSA public-key packet had the algorithm name set
    to something other than "ssh-rsa" (in violation of RFC 8332),
    VShell would fail to load the public key.
  - Windows: In the rare event that the listening socket for an
    incoming connection failed, VShell could crash.
  - Windows: If VShell was configured to use an RSA X.509 certificate
    as a host key, connections to the server could have failed.
  - Linux/Mac: During public-key authentication, if the public key
    failed to load due to an invalid public-key algorithm being
    specified by the client, VShell could crash.

Changes:

  - Restored the ability to use the SHA1-96 and MD5-96 MACs.


Changes in VShell 4.6 (Official) -- February 18, 2021
-----------------------------------------------------

No changes.


Changes in VShell 4.6 (Beta 4) -- February 9, 2021
--------------------------------------------------

Bug fixes:

  - Windows: On the VShell Control Panel Authentication page, some
    check boxes could not be reached via keyboard shortcuts.

Changes:

  - HTTPS: The jQuery Datatables plug-in was updated to 1.10.23.


Changes in VShell 4.6 (Beta 3) -- December 15, 2020
---------------------------------------------------

Bug fixes:

  - Windows: On a high-DPI monitor scaled at 125%, text was cut off
    in one of the dialogs in the VShell Control Panel.

Changes in VShell 4.6 (Beta 2) -- December 1, 2020
--------------------------------------------------

New features:

  - A new option to remove duplicate path separators provides
    compatibility with Cisco ISE, Cisco ACI, and other clients that
    prepend a "/" to paths.
  - Windows: Added an option to configure the size of the short
    thread pool.

Changes:

  - HTTPS: The jQuery Datatables plug-in was updated to 1.10.22.
  - HTTPS: The jQuery FileUpload plug-in was updated to 10.31.0.
  - Windows: When an SFTP Transfer trigger action is added, at least
    one authentication method is now required in order to prevent the
    trigger from failing.

Bug fixes:

  - Windows: In the VShell Control Panel, under rare circumstances,
    attempts to remove a key from the list of host keys may have
    appeared successful but did not remove the key.
  - Windows, SSH2: In the VShell Control Panel's Authentication
    Options category, one of the spin controls could become enabled
    unexpectedly.
  - Windows, HTTPS: When legacy Edge was used to display the VShell
    User Web Interface and the idle timeout warning was displayed,
    the next action would result in an error.


Changes in VShell 4.6 (Beta 1) -- November 5, 2020
--------------------------------------------------

New features:

  - Added new trigger variable for file renaming (Filename) for the
    filename without the path.
  - Added new trigger variable for file renaming (FilenameBase) for
    the filename without the path or the extension.
  - Added new trigger variable for file renaming (FilenameExtension)
    for the filename extension.
  - Added new Logout trigger variable (FilesDownloadedList) for the
    list of files downloaded during a session.
  - Added new Logout trigger variable (NumFilesDownloaded) for the
    number of files downloaded during a session.
  - Added new Logout trigger variable (FilesUploadedList) for the
    list of files uploaded during a session.
  - Added new Logout trigger variable (NumFilesUploaded) for the
    number of files uploaded during a session.
  - For host keys and public-key authentication, added support for
    RSA SHA-256 and SHA-512 algorithms as defined in RFC 8332.
  - Added an option to prevent clients from using specific characters
    in file and directory names when uploading, renaming, creating
    directories, and creating links.
  - SSH2: For clients that support extension negotiation as specified
    in RFC 8308, upon request VShell will now send the list of
    public-key algorithms that it will accept.
  - HTTPS: Added an option to specify the host to be used when HTTP
    connections are redirected to HTTPS.
  - Windows: In the VShell Control Panel, you can now specify the
    SSH2, FTPS, and HTTPS idle timeouts in both minutes and seconds.
  - Windows, HTTPS: Added native Windows Single Sign On (SSO)
    capability to VShell Enterprise Edition with HTTPS.
  - Linux: Added support for Ubuntu 20.04 LTS.
  - Linux: Added support for Red Hat Enterprise Server 8 (RHEL 8).

Changes:

  - When a trigger action changes a filename, the new filename is now
    logged.
  - Trigger actions now support multi-character alternatives to the
    single-character command substitution variable names.
  - SSH2: Removed support for weak ciphers (Blowfish and RC4) and
    MACs (SHA1-96 and MD5-96).
  - HTTPS: The jQuery library was updated to version 4.5.1.
  - HTTPS: Cookies set by VShell now have the "Secure" flag set.
  - HTTPS: Logs now include the reason why a session has been ended
    by the server.
  - Windows: In the VShell Control Panel, the Authentication Options
    now appear on the Common Server Options page.  The bandwidth
    limit option was moved to the Advanced page.
  - Windows: A VShellConfig commands file may now include comments.

Bug fixes:

  - When a folder monitor trigger action was configured to run as a
    different user, VShell could crash when the trigger fired.
  - Under rare circumstances, when VShell was checking the current
    user connection count during a new incoming connection, the
    server could crash.
  - When logging to a syslog server, single-digit days were
    incorrectly padded with a "0" instead of a space.
  - Email trigger actions using the %P parameter would return an
    incorrect value when the filename contained multibyte Unicode
    characters.
  - HTTPS: When a remote directory name contained a "#" character,
    attempting to open the directory using the VShell User Web
    Interface may have failed.
  - HTTPS: When the VShell User Web Interface was displayed using
    Firefox and the HTTPS server certificate was not trusted, the
    server could crash if the Refresh button was clicked repeatedly.
  - HTTPS: A failed authentication attempt, immediately followed by a
    successful authentication attempt, could have caused the
    connection to hang.
  - HTTPS: The file download trigger would fire whenever a folder
    listing was performed.
  - Windows: When the Windows Access Control List (ACL) size limit
    was exceeded, attempts to add additional users could fail and
    cause all list entries to be cleared, or VShellConfig could
    crash.
  - Windows: When an SFTP trigger action was configured and the
    user's password contained a quote character, authentication to
    the remote server would fail.
  - Windows: When an IP address was added to the deny hosts file
    using the VShell Control Panel interface, any user-specified
    comments on a line by themselves would be deleted.
  - Linux/Mac, SSH2: When an invalid cipher or MAC was specified in
    the vshelld_config file, the warning message's list of valid
    ciphers and MACs was truncated.
  - Linux/Mac, HTTPS: In the VShell User Web Interface, after
    authentication failure due to bad username, a browser restart was
    necessary for login to succeed.
  - Mac, SSH2: On certain systems, VShell may not have been able to
    load the system-provided GSSAPI library (e.g.,
    libgssapi_krb5.dylib), causing Kerberos authentication to be
    unavailable.