Version 10.3.0

What's New?


CrushFTP 10.3.0 has been released!


Various improvements all around, security improvements, continual minor feature improvements (SSH key types) and additions, and library updates

CrushFTP is not affected by cve-2021-44228 (Log4Shell) or the subsequent vulnerabilities after this.

New since CrushFTP 10.2.0 release:
_0:released
_2:more efficient XML cache handling for user.XML loading
_3:more efficient FindTask execution by processing the filter while building the lists of items
_4:added support for SAML sub names
_6:added control for user manager to set 2nd factor requirement.
_12:CSP (Content Security Policy) improvements and fixes to give better scanning scores
_13:user session logs now capture session specific debug stack traces too
_14:SSH sessions track errors in user session logs now too
_15:support for zip on the fly MD5 calculations in logs
_17:added automated {heap_dump} capability and additional low memory alert types
_20:DMZ will not start it server ports if the template user is missing or invalid
_20:updated faster-xml jackson libraries to latest
_21:DMZ template user is auto generated on first DMZ start
_24:updated SSH libraries to support PUTTy v3 key type and support for ED448 key types

Fixes:
_1:fix for making servers slow if they happened to be missing inheritance.XML or groups.XML as it attempted to search for them
_3:fix for Find task duplicating items when it runs in a loop waiting for files to appear matching criteria
_7:fixes for special characters in filenames for azure
_8:added automatic fallback method for SMTP servers to fallback on TLS versions in case they don't support more modern versions
_9:fixed issues with saml_assertion_subname to allow differentiating SAML configurations
_10:fixes for WebInterface login page prepending a slash to usernames or not functioning at all
_11:Carlo Di Dato and Francesco Gnocchi for Deloitte Risk Advisory Italy discovered an XSS issue that has been fixed.
_12:fix for SMB3 and non existent file downloads
_14:fix for spaces in folder names when using certain admin controls
_16:fix for SFTP port counter growing when using proxy protocol v1/v2.
_16:fix for SAML not working when going through DMZ
_18:fix for scan_vfs_for_initial_listing flag causing problems for single file share items
_19:added fix for same userid opening second session and overwriting file that was in sue in the prior session
_20:fix for Azure password char encoding issue
_22:fix for sockets getting stuck in some scenarios with proxy protocol v1
_23:fix for ascii PGP uploads getting a PGP trailer for size added on them

New since CrushFTP 10.1.0 release:
_0:released
_0:CrushFTP v10 New Features
_1:added support for chacha20-poly1305@openssh.com cipher and curve25519-sha2@libssh.org for KEX in SFTP
_1:Updated SFTP libraries to latest
_2:changed SFTP client to default to doing a "ls" command with blank value instead of ".". Controlled by pref: sftpclient_ls_dot
_4:partial white labeling support
_5:implemented newer SMB3 library version with some additional bug fixes for DFS
_8:log memory buffering improvements
_15:added new vfs bad config alert type
_16:added GROUPBY capability to CrushTask Jump
_22:added test keystore buttons for AS2 certificates and added SSH character encodings to SFTP sessions control
_24:changed replication to sue path from the URL and not the entire URL
_25:updated SMB3 library to latest version
_33:added custom char encoding for outbound SFTP connections
_36:updated log4j library from 1.2.17 to v2.16 even though it was NOT vulnerable. This is not a security patch, its just to appease security departments.
_37:better public key validation when two factor is enabled (more compatible with sftp clients)
_39:updated log4j libraries to 2.17 due to other issues which don't affect CrushFTP...
_40:updated jars across various areas to more current versions (letsencrypt,hadoop)
_41:added ecdsa and ed25519 server host key support for SFTP (defaults to enabled)
_43:automatically remove invalid or dead linked events when saving a user
_46:updated log4j to 2.17.1 libraries
_47:added change phone option and OTP valid for X days
_48:logging improvements for alerts
_49:added faster native md5sum calculations on file transfers
_50:changed update idle behavior to update DMZ first, then update main, and updated log4j to 2.17.1 to appease organizations that don't understand its usage in CrushFTP
_51:faster Windows UNC dir listings and added created time for listings on FILE:// locations in WebInterface
_52:end user ability to subscribe to reverse event notifications.
_56:added ability to do dual banning mode for hammering passwords, first by username, then by IP. Separate dual mode items with comma.
_58:added password blacklist file support
_59:added additional login frequency failure alert info
_62:updated PGP libraries for additional key compatibility
_65:new build of Let'sEncrypt plugin with improved handling of errors
_66:updated SMB3:// libraries with JNQ
_67:ldap cache now applies to users and groups
_70:added performance metrics checking for quotaWorker at startup to reduce server load
_71:improved thread dumps for HTML5Downlaod transfers
_73:added support for rename overwrite to HTTPClient to help with multi_journal
_75:fix for Citrix LoadBalancers not knowing how to properly do ProxyProtocolV1 so CrushFTP has to do magic to make the proxy header come through for SFTP
_77:speed improvements for Azure and storage class controls for S3
_79:memory usage throttling for segmented downloads improved
_82:updated SMB3:// libraries to use the latest version.

Fixes:
_2:fixes for OneDrive VFS protocol
_3:fix for AzureClient
_6:fix for async quota using a lot of CPU
_7:fixes for async quota and parent quota dir configurations
_9:fix for incorrect s3 listings under simultaneous listings from multiple clients
_10:fix for restart bug on Windows where service did not auto restart (since build_4 roughly)
_11:fix for sending dmz logs to internal server sometimes stopping
_12:fix for SMB DFS, to keep it enabled if its ever toggled enabled
_13:SMB DFS defaults to enabled for "smb://" protocol now.
_14:fix for PGP encrypt job not detecting failures correctly and zip/unzip tasks not handling dfs_enabled flags.
_16:XSS mitigation for user manager admin accounts
_17:fix for rename failures with SMB and PGP task, attempts a copy/delete source if encountered
_18:faster failures through DMZ for bad VFS configurations
_20:fixes for http errors being relayed to CrushClient
_21:fixes for async quota calculations and logging more information
_22:fixes for quota results through DMZ
_23:fix for AS2 incoming issues due to BouncyCastle jar updates
_24:fix for AS2 sends to HTTP URLs (only HTTPS) were allowed
_25:fixed VFS replication URLs to only look at the path of the URL and not compare entire URL
_26:fix for Radius not working due to missing old library from BouncyCastle
_27:fix for login failures
_28:fix for generating SSL keystores not working due to missing old library from BouncyCastle
_29:fix for broken share by reference in certain scenarios
_30:fix for cached time stamps on newly uploaded files via SFTP
_31:fix for TEXT mode in SFTP v4 clients
_32:additional support for custom runtime system properties (proxy for updating, etc)
_34:fix for outbound ftp client connections in active mode
_35:fix for thread leak in outbound ftp client connections
_38:fix for LetsEncrypt and log4j issues due to missing jars
_40:fix for out of sync md5 hashes for CrushClient uploads across multiple threads
_40:fix for viewing recent jobs on a server that has a different time zone than the browser
_42:fixed bug with UI not showing ecdsa and ed25519 keys were enabled when they were (enabled by default)
_44:fix for MicrosoftMail being more restrictive on Content-Type headers
_45:fix for events being deleted when editing a user
_48:fix for alerts being triggered on hack usernames
_53:fix for FTP downloads with zip on the fly
_54:fix for download as zip when going through DMZ and using segmented downloads
_55:fix for subdir quotas with async_quota enabled
_57:fixes for variable replacements in alerts
_58:fix for OTP validation
_60:fixes for alerts on login frequency
_61:fix for update when idle for DMZ
_62:fix for AS2 jobs getting stuck
_63:fix for PGP private keys for decryption failing
_64:re-published fix for AS2 jobs getting stuck as build _62 did not publish correctly
_66:fix for SAML XML signing order of the Signature tag being before the Issuer tag
_67:fix for html5 transfer memory leak in specific scenarios
_68:fix for additional html5 download memory leak
_69:fixes for missing username in some alerts and missing failed port startup log entries
_72:updated SFTP libraries to fix compatibility with Azure SFTP server
_73:fixes for Azure client being too slow to handle quick uploads
_74:fix for case insensitive CSRF token
_76:fix for plugin based logins not functioning
_78:fix for proxy protocol v1/v2 with SSL ports
_80:fixes for Find task logging and logic for skipping 2nd listing, and fix for memory issues in segmented downloads through the DMZ
_81:fix for alerts triggered in DMZ and relayed through internal server
_82:fix for ed25519 keys getting auto enabled, and for tomorrow date variable being yesterday instead
_82:fix for replicated servers and multiple users writing group and inheritance changes at the same time.