VShell(R) Server 4.9.2 (Official) -- February 27, 2024

Copyright (C) 1995-2024 VanDyke Software, Inc.
All rights reserved.

This file contains a VShell product history. It includes lists of new
features, changes, and bug fixes sorted by release. For a product
description, installation notes, registration, and contact information,
please refer to readme.txt (downloaded with this package).


Changes in VShell 4.9.2 (Official) -- February 27, 2024
-------------------------------------------------------

Vulnerability fix:

  - Mac: VShell now includes OpenSSL version 3.0.13, which addresses
    CVE-2023-5363, CVE-2023-5678, CVE-2023-6129, and CVE-2024-0727.

Bug fix:

  - When the AllowSHA-1AlgorithmsForRSAKeys option was enabled in a
    subconfiguration, RSA SHA-1 keys were not allowed for public-key
    authentication.


Changes in VShell 4.9.1 (Official) -- December 19, 2023
-------------------------------------------------------

Vulnerability fix:

  - SSH2: For some algorithms, an attacker can manipulate the packets
    sent during key exchange to cause some packets to be removed,
    which compromises channel integrity. A "Strict KEX" extension was
    implemented to address this vulnerability (CVE-2023-48795). In
    order to use the "Strict KEX" extension, the extension must be
    supported by both the client and the server.

New feature:

  - Windows: SFTP Virtual Roots can now be used to connect to an Azure
    Blob SFTP server.

Change:

  - Windows: the Short Thread Pool Size maximum value has been
    increased to 2048, and the default (minimum) value increased to
    the larger of 16 or 4 times the number of logical processors.

Bug fix:

  - Windows: When a user disconnects and that user's profile was not
    loaded during the initial connection, VShell will no longer
    attempt to enumerate network resources that may have been opened
    during profile loading, potentially causing a slowdown.


Changes in VShell 4.9 (Official) -- June 8, 2023
------------------------------------------------

No changes.

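Added example (not part of VanDyke's release notes or of VShell): the 4.9.1 entry above says Strict KEX only applies when both the client and the server support it, so this Python check reads the kex_algorithms list from each side's SSH_MSG_KEXINIT payload and reports which side is missing the marker. The marker names are taken from OpenSSH's strict KEX specification, and the sample payloads are constructed; neither comes from this file.

```python
import struct

SSH_MSG_KEXINIT = 20
# Marker names from the OpenSSH strict KEX specification (an assumption here:
# the release notes above do not quote them).
STRICT_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_SERVER = "kex-strict-s-v00@openssh.com"


def kex_algorithms(payload: bytes) -> list:
    """Return the kex_algorithms name-list from an SSH_MSG_KEXINIT payload."""
    if len(payload) < 21 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    # Layout (RFC 4253, section 7.1): type byte, 16-byte cookie, name-lists.
    (length,) = struct.unpack_from(">I", payload, 17)
    names = payload[21:21 + length]
    if len(names) != length:
        raise ValueError("truncated kex_algorithms name-list")
    return names.decode("ascii").split(",") if names else []


def strict_kex_status(client_kexinit: bytes, server_kexinit: bytes) -> str:
    """Classify a handshake by which side advertised the strict KEX marker."""
    client = STRICT_CLIENT in kex_algorithms(client_kexinit)
    server = STRICT_SERVER in kex_algorithms(server_kexinit)
    if client and server:
        return "strict-kex-active"
    if server:
        return "client-lacks-strict-kex"
    if client:
        return "server-lacks-strict-kex"
    return "neither-side-supports-strict-kex"


def build_kexinit(kex_names: list) -> bytes:
    """Construct a sample KEXINIT payload (test data only, zero cookie)."""
    def name_list(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    body = name_list(kex_names) + b"".join(name_list(["none"]) for _ in range(9))
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + body + b"\x00" + bytes(4)


# Constructed sample: one updated server, one old client, one updated client.
SERVER = build_kexinit(["curve25519-sha256", STRICT_SERVER])
OLD_CLIENT = build_kexinit(["curve25519-sha256"])
NEW_CLIENT = build_kexinit(["curve25519-sha256", STRICT_CLIENT])

if __name__ == "__main__":
    print(strict_kex_status(OLD_CLIENT, SERVER), strict_kex_status(NEW_CLIENT, SERVER))
```

The KEXINIT messages of the initial key exchange are sent unencrypted, so the payloads can be taken from a packet capture or from a client's debug output.
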
Changes in VShell 4.9 (Beta 3) -- May 2, 2023
---------------------------------------------

Bug fixes:

  - Windows: When VShell was configured to authenticate against an
    LDAP server and an incoming connection loaded a subconfiguration,
    VShell could crash.
  - Windows: HTTPS: If an unusually long error was displayed when a
    user attempted to log in, the login page elements may have become
    misaligned and possibly truncated.


Changes in VShell 4.9 (Beta 2) -- April 13, 2023
------------------------------------------------

Bug fix:

  - If the deny hosts feature was enabled and the deny hosts file was
    accessed from multiple threads simultaneously, VShell could crash.


Changes in VShell 4.9 (Beta 1) -- March 28, 2023
------------------------------------------------

New features:

  - Windows: SFTP Virtual Roots now support public-key authentication.
  - Windows: Added support for using x509v3-ecdsa-sha2* algorithms
    from RFC 6187 for keys stored in a .pfx or .p12 file.
  - Windows: A user's access to a virtual root folder can be tested
    using a button on the VShell Control Panel.
  - Windows: Internal user database system user credentials can now be
    tested using a button on the VShell Control Panel.
  - Windows: FTPS, HTTPS: improved support for TLS, including the
    enabling of TLS 1.3 on Windows Server 2022 and Windows 11.

Changes:

  - For public-key authentication attempts, the bit size of the key
    received from the client is now logged.
  - The version and serial number are now logged in an info message
    rather than a debug message.
  - SSH2: A new option lets the VShell administrator limit the number
    of channels allowed per SSH2 transport.
  - HTTPS: The jQuery UI plugin was updated to 1.13.2.
  - Windows: The VShell Control Panel is now resizable.
  - Windows: The VShell Monitor now "remembers" any changes made to
    its column widths and overall size.
  - Windows: When configuring public-key authentication for an SFTP
    file transfer trigger or an SFTP virtual root, the public-key
    fingerprint can now be displayed in several formats.
  - Windows: The VShell Control Panel now displays a warning when the
    system account for the user database or LDAP is given permissions
    for Access Control or Virtual Roots that may result in unintended
    behavior.
  - Windows: When logging is set to debug level 1,
    LsaApLogonTerminated messages are no longer logged.
  - Windows: SSH2: The VShell Control Panel now displays actual
    algorithm names for key exchanges, ciphers, and MACs in addition
    to the user-friendly names.
  - Windows: SSH2: The VShell Control Panel now displays the host key
    bit size.
  - Linux/Mac: Added an option to vshelld, vshell-ftpsd, and
    vshell-httpsd to display license information.
  - Mac: Support for BSM auditing was removed.

Bug fixes:

  - With a non-standard configuration, when the server was handling a
    large number of short-lived incoming connections, memory usage
    could grow.
  - When certain options were specified in a subconfiguration, VShell
    could exhibit a memory leak.
  - HTTPS: When using single sign on (SSO) for HTTPS authentication,
    server authentication errors may not have been displayed in the
    browser.
  - Windows: VShell could crash when a subconfiguration file specified
    an alternate log folder.
  - Windows: When generating a new host key that would overwrite an
    existing host key, the VShell Control Panel could crash.
  - Windows: When running the 32-bit version of VShell on a system
    with an AMD processor, VShell could crash.
  - Windows: When a Local/UNC virtual root was configured to
    impersonate another user, then changed to an SFTP virtual root,
    the user impersonation was unexpectedly maintained.
  - Windows: When removing an entry from a virtual root's user/group
    list, if the list contained any internal database or LDAP users or
    groups, the user or group actually removed may not have been the
    one selected for removal.
  - Windows: If the HTTPS server was not installed, some items on the
    VShell Control Panel's Event Logging Options page may have been
    misaligned.
  - Windows: Added missing Windows Properties settings to the
    vportcheck.exe file.
  - Windows: SSH2: When an SFTP client set permissions on a file, the
    modify date of the file would be changed incorrectly.
  - Windows: HTTPS: When a user was connected using Internet Explorer
    and Single Sign On authentication was enabled, disconnecting and
    reconnecting could result in a crash.
  - Linux/Mac: If there were a very large number of users specified in
    an access control list, a reload of the config would take an
    abnormally long time, during which connections would not be
    accepted.
  - Mac: When downloading a large number of files from VShell FTPS, a
    number of vshell-ftpsd processes could have been left running with
    their CPU usage at 100%.