Version 10.4.0


<html><body>


<h2><a target="_blank" href="http://www.crushftp.com/crush10wiki/Wiki.jsp?page=CrushFTP10New">What's New?</a></h2>
<br>
<h2>CrushFTP 10.4.0 has been released!</h2><br>Various improvements all around, security improvements, continual minor feature improvements (SSH key types) and additions, and library updates<br/>
<br/>
CrushFTP is not affected by cve-2021-44228 (Log4Shell) or the subsequent vulnerabilities after this.<br/>
<br/>
<b>New since CrushFTP 10.3.0 release:</b><br/>
<b>New:</b><br/>
_0:released<br/>
_0:updated SSH libraries to support PUTTy v3 key type and support for ED448 key types<br/>
_5:added active_jobs_shutdown_wait_secs parameter to allow CrushFTP to wait for jobs to finish before allowing a friendly service shutdown</br>
_20:automatically disabled multi-segmented downloading when memory is low</br>
_21:updated SFTP libraries to latest version<br/>
_21:fix for FTPES uploads to FZ servers because they complain bout TLS closure and disagree with how java does it<br/>
_23:re-wrote the HTTPClient multi-segmented download handling to be more memory safe<br/>
_25:updated sftp libraries to latest version<br/>
_26:updated SMB3 libraries which had various bug fixes (deadlocks and better connection handling)<br/>
_28:validates SQL connections from the pool before using them for looking up user info when using SQL mode<br/>
_29:added ability to reload keystores for internal and dmz by making a local file 'reload_ssl'<br/>
_29:fix for a DOS related to password encryption, credit to Matt Moreschi<br/>
_31:updated JNQ SMB3 library with minor fixes<br/>
_33:triggers GarbageCollection before triggering low_memory level 3 alert...just in case memory really isn't that low<br/>
_35:added VFS items at login log line to help track VFS config in archived logs<br/>
_36:changes default for sftp to not use sftp_transport_blocking to improve compatibility<br/>
_37:updated SMB3 library for minor bug fixes<br/>
_43:added advanced list management capabilities to UserVariable task in Jobs.  See wiki CrushTask Functions<br/>
_44:allow deletion of read-only flagged files on SMB3...the same as Windows SMB allows<br/>
_45:updated to final sftp library update<br/>
_46:updating users with updated expiration date/time is now asynchronous<br/>
_53:support for JKS sharing between cluster nodes with Let'sEncrypt plugin.<br/>
_58:faster directory listings<br/>
_59:additional logging for CrushTask debugging<br/>
_61:added flags for 'ssh_client_*' in prefs.XML to control allowed ciphers, kex, and macs<br/>
<br/>
<b>Fixes:</b><br/>
_1:new memory tracking algorithm for html transfers to better track and fix memory consumption issues<br/>
_2:fix for delete on overwrite with similar named directory paths<br/>
_3:fix for slow memory creep when using multi segmented transfers through DMZ and slow downloads<br/>
_4:fix for sftp rename bug</br>
_6:fix for memory usage not being freed immediately when a multi segmented download transfer fails.<br/>
_7:fix for failing sftp downloads<br/>
_8:fix for failing sftp downloads<br/>
_9:fix for FTPS/FTPES outbound connections potentially having a thread leak<br/>
_10:fix for SFTP not honoring the lack of delete directory permission in some scenarios<br/>
_11:fix for LDAP plugins not properly honoring group membership<br/>
_12:fix for thread leak when running CrushFTP as a SFTP proxy<br/>
_13:CrushTask multi-threading fixes for Delete task and error catching for zip/copy tasks<br/>
_14:fix for DMZ UI not loading preferences<br/>
_15:fix for dmz memory usage for multi-segmented transfer downloads<br/>
_16:fix for dmz memory usage for multi-segmented transfer downloads<br/>
_17:fix for memory not being cleared quickly when an error is encountered on file download<br/>
_18:fix for html5 memory usage on DMZ for slow downloads<br/>
_19:fix for failing dmz downloads created by build _17.<br/>
_21:fix for SCP doubling filename when renaming file<br/>
_22:rolled back SFTP libraries<br/>
_24:fix for non-serializable item getting into areas where it should not have been<br/>
_27:fix for split_prefs and dmz servers for server_list items<br/>
_30:re-implemented window space control for SFTP to allow buggy JSCH implementations to not crash<br/>
_32:fix for memory race condition when allowing multi-segmented chunks download<br/>
_34:fix for job task item URL's loosing their final character<br/>
_37:fix for DMZ quota lookups<br/>
_38:updated sftp libraries for a fix for the 'paramiko' SFTP client<br/>
_39:rolled back sftp libraries..still has fix for paramiko, but not working at high performance level for now<br/>
_40:rolled back sftp libraries to last known stable version...<br/>
_41:updated sftp libraries to a new stable version that protects against a memory issue, and compatibility issues<br/>
_42:fix for Jobs loosing the path to items after their first copy was performed<br/>
_44:fix for an admin bug causing deletion of all users, credit for Jean Calvin Mugabo of Trustwave SpiderLabs<br/>
_47:fix for sharepoint VFS client<br/>
_48:fix for ignoring errors during a Move task<br/>
_49:fix for uploads not showing speed on dashboard<br/>
_50:added additional full disk protection for job scheduler<br/>
_51:fix for potential socket getting stuck in DMZv5 mode and all other sockets stuck behind it.<br/>
_52:fix for limited admin and using @AutoHost on server ports<br/>
_54:honors the hidden flag on SMB/SMB3 servers now<br/>
_55:fixed bug with proxy protocol v1/v2 and SFTP server ports hanging sometimes<br/>
_56:fix for routing connections through DMZ<br/>
_57:fix for SFTP public key auth with disabled user manager users<br/>
_58:fix for @AutoDomain limited administrators in the UserManager<br/>
_60:bug fix for overlapping settings config in CrushTask scenarios<br/>
_62:fixed issue where ssh_client_* parameters not used for Job configs (was VFS only)<br/>
_63:fixed missing encrypted url support for SQL mode storage of user configurations<br/>
_64:fix for items being lost for events when zipping on the fly with nested folders<br/>
<br/>
<b>New since CrushFTP 10.2.0 release:</b><br/>
_0:released<br/>
_2:more efficient XML cache handling for user.XML loading<br/>
_3:more efficient FindTask execution by processing the filter while building the lists of items<br/>
_4:added support for SAML sub names<br/>
_6:added control for user manager to set 2nd factor requirement.<br/>
_12:CSP (Content Security Policy) improvements and fixes to give better scanning scores<br/>
_13:user session logs now capture session specific debug stack traces too<br/>
_14:SSH sessions track errors in user session logs now too<br/>
_15:support for zip on the fly MD5 calculations in logs<br/>
_17:added automated {heap_dump} capability and additional low memory alert types</br>
_20:DMZ will not start it server ports if the template user is missing or invalid<br/>
_20:updated faster-xml jackson libraries to latest<br/>
_21:DMZ template user is auto generated on first DMZ start</br>
_24:updated SSH libraries to support PUTTy v3 key type and support for ED448 key types<br/>
<br/>
<b>Fixes:</b><br/>
_1:fix for making servers slow if they happened to be missing inheritance.XML or groups.XML as it attempted to search for them<br/>
_3:fix for Find task duplicating items when it runs in a loop waiting for files to appear matching criteria<br/>
_7:fixes for special characters in filenames for azure<br/>
_8:added automatic fallback method for SMTP servers to fallback on TLS versions in case they don't support more modern versions<br/>
_9:fixed issues with saml_assertion_subname to allow differentiating SAML configurations<br/>
_10:fixes for WebInterface login page prepending a slash to usernames or not functioning at all<br/>
_11:Carlo Di Dato and Francesco Gnocchi for Deloitte Risk Advisory Italy discovered an XSS issue that has been fixed.<br/>
_12:fix for SMB3 and non existent file downloads<br/>
_14:fix for spaces in folder names when using certain admin controls<br/>
_16:fix for SFTP port counter growing when using proxy protocol v1/v2.<br/>
_16:fix for SAML not working when going through DMZ<br/>
_18:fix for scan_vfs_for_initial_listing flag causing problems for single file share items<br/>
_19:added fix for same userid opening second session and overwriting file that was in sue in the prior session<br/>
_20:fix for Azure password  char encoding issue<br/>
_22:fix for sockets getting stuck in some scenarios with proxy protocol v1<br/>
_23:fix for ascii PGP uploads getting a PGP trailer for size added on them<br/>
<br>
<b>New since CrushFTP 10.1.0 release:</b><br/>
_0:released<br/>
_0:<a href="https://www.crushftp.com/crush10wiki/Wiki.jsp?page=CrushFTP10New">CrushFTP v10 New Features</a><br/>
_1:added support for chacha20-poly1305@openssh.com cipher and curve25519-sha2@libssh.org for KEX in SFTP<br/>
_1:Updated SFTP libraries to latest<br/>
_2:changed SFTP client to default to doing a "ls" command with blank value instead of ".".  Controlled by pref: sftpclient_ls_dot<br/>
_4:partial white labeling support<br/>
_5:implemented newer SMB3 library version with some additional bug fixes for DFS<br/>
_8:log memory buffering improvements<br/>
_15:added new vfs bad config alert type<br/>
_16:added GROUPBY capability to CrushTask Jump<br/>
_22:added test keystore buttons for AS2 certificates and added SSH character encodings to SFTP sessions control<br/>
_24:changed replication to sue path from the URL and not the entire URL</br>
_25:updated SMB3 library to latest version<br/>
_33:added custom char encoding for outbound SFTP connections<br/>
_36:updated log4j library from 1.2.17 to v2.16 even though it was NOT vulnerable.  This is not a security patch, its just to appease security departments.<br/>
_37:better public key validation when two factor is enabled (more compatible with sftp clients)<br/>
_39:updated log4j libraries to 2.17 due to other issues which don't affect CrushFTP...<br/>
_40:updated jars across various areas to more current versions (letsencrypt,hadoop)<br/>
_41:added ecdsa and ed25519 server host key support for SFTP (defaults to enabled)<br/>
_43:automatically remove invalid or dead linked events when saving a user<br/>
_46:updated log4j to 2.17.1 libraries<br/>
_47:added change phone option and OTP valid for X days<br/>
_48:logging improvements for alerts<br/>
_49:added faster native md5sum calculations on file transfers<br/>
_50:changed update idle behavior to update DMZ first, then update main, and updated log4j to 2.17.1 to appease organizations that don't understand its usage in CrushFTP<br/>
_51:faster Windows UNC dir listings and added created time for listings on FILE:// locations in WebInterface<br/>
_52:end user ability to subscribe to <a href="https://www.crushftp.com/crush10wiki/Wiki.jsp?page=ReverseEvents">reverse event notifications.<a/></br>
_56:added ability to do dual banning mode for hammering passwords, first by username, then by IP.  Separate dual mode items with comma.<br/>
_58:added password blacklist file support<br/>
_59:added additional login frequency failure alert info<br/>
_62:updated PGP libraries for additional key compatibility<br/>
_65:new build of Let'sEncrypt plugin with improved handling of errors<br/>
_66:updated SMB3:// libraries with JNQ<br/>
_67:ldap cache now applies to users and groups<br/>
_70:added performance metrics checking for quotaWorker at startup to reduce server load<br/>
_71:improved thread dumps for HTML5Downlaod transfers<br/>
_73:added support for rename overwrite to HTTPClient to help with multi_journal<br/>
_75:fix for Citrix LoadBalancers not knowing how to properly do ProxyProtocolV1 so CrushFTP has to do magic to make the proxy header come through for SFTP<br/>
_77:speed improvements for Azure and storage class controls for S3<br/>
_79:memory usage throttling for segmented downloads improved</br>
_82:updated SMB3:// libraries to use the latest version.<br/>
<br/>
<b>Fixes:</b><br/>
_2:fixes for OneDrive VFS protocol<br/>
_3:fix for AzureClient<br/>
_6:fix for async quota using a lot of CPU<br/>
_7:fixes for async quota and parent quota dir configurations<br/>
_9:fix for incorrect s3 listings under simultaneous listings from multiple clients<br/>
_10:fix for restart bug on Windows where service did not auto restart (since build_4 roughly)<br/>
_11:fix for sending dmz logs to internal server sometimes stopping<br/>
_12:fix for SMB DFS, to keep it enabled if its ever toggled enabled<br/>
_13:SMB DFS defaults to enabled for "smb://" protocol now.<br/>
_14:fix for PGP encrypt job not detecting failures correctly and zip/unzip tasks not handling dfs_enabled flags.</br>
_16:XSS mitigation for user manager admin accounts<br/>
_17:fix for rename failures with SMB and PGP task, attempts a copy/delete source if encountered<br/>
_18:faster failures through DMZ for bad VFS configurations<br/>
_20:fixes for http errors being relayed to CrushClient<br/>
_21:fixes for async quota calculations and logging more information<br/>
_22:fixes for quota results through DMZ<br/>
_23:fix for AS2 incoming issues due to BouncyCastle jar updates<br/>
_24:fix for AS2 sends to HTTP URLs (only HTTPS) were allowed<br/>
_25:fixed VFS replication URLs to only look at the path of the URL and not compare entire URL<br/>
_26:fix for Radius not working due to missing old library from BouncyCastle<br/>
_27:fix for login failures<br/>
_28:fix for generating SSL keystores not working due to missing old library from BouncyCastle</br>
_29:fix for broken share by reference in certain scenarios<br/>
_30:fix for cached time stamps on newly uploaded files via SFTP<br/>
_31:fix for TEXT mode in SFTP v4 clients<br/>
_32:additional support for custom runtime system properties (proxy for updating, etc)<br/>
_34:fix for outbound ftp client connections in active mode</br>
_35:fix for thread leak in outbound ftp client connections<br/>
_38:fix for LetsEncrypt and log4j issues due to missing jars<br/>
_40:fix for out of sync md5 hashes for CrushClient uploads across multiple threads<br/>
_40:fix for viewing recent jobs on a server that has a different time zone than the browser<br/>
_42:fixed bug with UI not showing ecdsa and ed25519 keys were enabled when they were (enabled by default)</br>
_44:fix for MicrosoftMail being more restrictive on Content-Type headers<br/>
_45:fix for events being deleted when editing a user<br/>
_48:fix for alerts being triggered on hack usernames<br/>
_53:fix for FTP downloads with zip on the fly<br/>
_54:fix for download as zip when going through DMZ and using segmented downloads<br/>
_55:fix for subdir quotas with async_quota enabled<br/>
_57:fixes for variable replacements in alerts<br/>
_58:fix for OTP validation<br/>
_60:fixes for alerts on login frequency<br/>
_61:fix for update when idle for DMZ<br/>
_62:fix for AS2 jobs getting stuck<br/>
_63:fix for PGP private keys for decryption failing<br/>
_64:re-published fix for AS2 jobs getting stuck as build _62 did not publish correctly<br/>
_66:fix for SAML XML signing order of the Signature tag being before the Issuer tag<br/>
_67:fix for html5 transfer memory leak in specific scenarios<br/>
_68:fix for additional html5 download memory leak<br/>
_69:fixes for missing username in some alerts and missing failed port startup log entries<br/>
_72:updated SFTP libraries to fix compatibility with Azure SFTP server<br/>
_73:fixes for Azure client being too slow to handle quick uploads<br/>
_74:fix for case insensitive CSRF token<br/>
_76:fix for plugin based logins not functioning<br/>
_78:fix for proxy protocol v1/v2 with SSL ports<br/>
_80:fixes for Find task logging and logic for skipping 2nd listing, and fix for memory issues in segmented downloads through the DMZ<br/>
_81:fix for alerts triggered in DMZ and relayed through internal server<br/>
_82:fix for ed25519 keys getting auto enabled, and for tomorrow date variable being yesterday instead<br/>
_82:fix for replicated servers and multiple users writing group and inheritance changes at the same time.<br/>
<br>