Version 10.5.2
CrushFTP 10.5.2 has been released!
Various improvements all around, security improvements, continual minor feature improvements (SSH key types) and additions, and library updates
CRITICAL SECURITY BUG FIXED IN 10.5.1! Update immediately or you are at severe risk of exploitation!
Update Info
New since CrushFTP 10.4.0_0 release:
New:
_0:released
_0:updated SFTP, SMB3, PGP libraries
_4:updated BouncyCastle libraries to latest 1.72 (used for PGP)
_5:changed how PGP encrypt/decrypt task works in a job for S3 locations to avoid any rename situations and just output the actual file
_8:updated SFTP libraries to improve KEX compatibility
_9:AzureClient now attempts multiple retries in case there i a temporary server issue, and added {0group}, {1gorup}, {group0} variables for user info
_16:SMB3 library updated to latest with improved kerberos support
_19:finished support for SOCKS5 protocol support. user/pass auth, logging flag, and protocol control in user manager
_22:major improvements to job info caching and job monitoring, flag to disable job summary lookup on dashboard job_summary_on_dashboard
_24:removed some jars used for JMS, if you use JMS, you need to manually re-add some jars to keep JMS support. This was required due to prior vulnerabilities in the older JMS jars. See wiki.
_25:significantly sped up the Jobs viewer when dealing with thousands of Jobs. Both in editing and saving jobs and in viewing prior run jobs
_32:added ability to do multiple jobs in testJobSchedule and changeJobStatus
Fixes:
_0:new SMB3 library fixes issues with Amazon FSX servers
_1:fix for some Tectia SSH servers and outbound SFTP connections from CrushFTP
_2:fix for ip restrictions and public key auth with SFTP
_3:2nd fix for ip restrictions and public key auth with SFTP
_6:fix for CopyTask bug with S3 locations and SFTP client not liking null characters in folder names
_7:fix for CopyTask bug with S3 locations
_10:fix bug related to expire users inheriting from group user
_11:fix for jobs not running at their scheduled time when the system was too overloaded with job schedules to process
_12:fixed bugs related to Move task with folder structures and being on the same disk
_13:fixed bug with Move task when absolute paths had been used in Find task
_14:fixed bug with Move task related to certain event scenarios
_15:fix for merged VFS items now showing when out of sync with SMB/SMB3
_16:fix for multi-threaded Move task handling folder creations
_17:fix for move task leaving behind folders when the source was a FTP server location
_18:fix for WebInterface when using SQL user mode
_20:socks4/socks5 auth fixes
_21:fix for uploads failing with WebInterface
_22:fixes for search process with bad directories in the memCache
_23:fix for remote agentRegistration in a HA environment
_25:fix for broken java -jar CrushFTP.jar scenario due to a malformed manifest.mf file. java -jar plugins/lib/CrushFTPJarProxy.jar was unaffected and still worked fine
_26:fix for connection pooling in CrushTask/Jobs with Copy/move steps not always doing pooling
_27:fixes for change password email delays
_28:minor SMB3 library update with some bug fixes
_29:fix for merged VFS download all items failing in certain scenarios
_30:socket usage improvements for Azure client protocol
_31:connections fixes for azure client
_33:rolled back JNQ SMB3 Library to prior version due to some connectivity issues for a customers
_34:fixed merged VFS scenario where all VFS items had different root names and zip download failed
_35:fix for failing dir listings caused by _34
_36:updated PGP supporting libraries to fix a PGP zipexception error on decrypt
_37:fix for DMZ server not allowing uploads for local accounts (pass through to internal was fine.)
New since CrushFTP 10.3.0_0 release:
New:
_0:released
_0:updated SSH libraries to support PUTTy v3 key type and support for ED448 key types
_5:added active_jobs_shutdown_wait_secs parameter to allow CrushFTP to wait for jobs to finish before allowing a friendly service shutdown
_20:automatically disabled multi-segmented downloading when memory is low
_21:updated SFTP libraries to latest version
_21:fix for FTPES uploads to FZ servers because they complain bout TLS closure and disagree with how java does it
_23:re-wrote the HTTPClient multi-segmented download handling to be more memory safe
_25:updated sftp libraries to latest version
_26:updated SMB3 libraries which had various bug fixes (deadlocks and better connection handling)
_28:validates SQL connections from the pool before using them for looking up user info when using SQL mode
_29:added ability to reload keystores for internal and dmz by making a local file 'reload_ssl'
_29:fix for a DOS related to password encryption, credit to Matt Moreschi
_31:updated JNQ SMB3 library with minor fixes
_33:triggers GarbageCollection before triggering low_memory level 3 alert...just in case memory really isn't that low
_35:added VFS items at login log line to help track VFS config in archived logs
_36:changes default for sftp to not use sftp_transport_blocking to improve compatibility
_37:updated SMB3 library for minor bug fixes
_43:added advanced list management capabilities to UserVariable task in Jobs. See wiki CrushTask Functions
_44:allow deletion of read-only flagged files on SMB3...the same as Windows SMB allows
_45:updated to final sftp library update
_46:updating users with updated expiration date/time is now asynchronous
_53:support for JKS sharing between cluster nodes with Let'sEncrypt plugin.
_58:faster directory listings
_59:additional logging for CrushTask debugging
_61:added flags for 'ssh_client_*' in prefs.XML to control allowed ciphers, kex, and macs
Fixes:
_1:new memory tracking algorithm for html transfers to better track and fix memory consumption issues
_2:fix for delete on overwrite with similar named directory paths
_3:fix for slow memory creep when using multi segmented transfers through DMZ and slow downloads
_4:fix for sftp rename bug
_6:fix for memory usage not being freed immediately when a multi segmented download transfer fails.
_7:fix for failing sftp downloads
_8:fix for failing sftp downloads
_9:fix for FTPS/FTPES outbound connections potentially having a thread leak
_10:fix for SFTP not honoring the lack of delete directory permission in some scenarios
_11:fix for LDAP plugins not properly honoring group membership
_12:fix for thread leak when running CrushFTP as a SFTP proxy
_13:CrushTask multi-threading fixes for Delete task and error catching for zip/copy tasks
_14:fix for DMZ UI not loading preferences
_15:fix for dmz memory usage for multi-segmented transfer downloads
_16:fix for dmz memory usage for multi-segmented transfer downloads
_17:fix for memory not being cleared quickly when an error is encountered on file download
_18:fix for html5 memory usage on DMZ for slow downloads
_19:fix for failing dmz downloads created by build _17.
_21:fix for SCP doubling filename when renaming file
_22:rolled back SFTP libraries
_24:fix for non-serializable item getting into areas where it should not have been
_27:fix for split_prefs and dmz servers for server_list items
_30:re-implemented window space control for SFTP to allow buggy JSCH implementations to not crash
_32:fix for memory race condition when allowing multi-segmented chunks download
_34:fix for job task item URL's loosing their final character
_37:fix for DMZ quota lookups
_38:updated sftp libraries for a fix for the 'paramiko' SFTP client
_39:rolled back sftp libraries..still has fix for paramiko, but not working at high performance level for now
_40:rolled back sftp libraries to last known stable version...
_41:updated sftp libraries to a new stable version that protects against a memory issue, and compatibility issues
_42:fix for Jobs loosing the path to items after their first copy was performed
_44:fix for an admin bug causing deletion of all users, credit for Jean Calvin Mugabo of Trustwave SpiderLabs
_47:fix for sharepoint VFS client
_48:fix for ignoring errors during a Move task
_49:fix for uploads not showing speed on dashboard
_50:added additional full disk protection for job scheduler
_51:fix for potential socket getting stuck in DMZv5 mode and all other sockets stuck behind it.
_52:fix for limited admin and using @AutoHost on server ports
_54:honors the hidden flag on SMB/SMB3 servers now
_55:fixed bug with proxy protocol v1/v2 and SFTP server ports hanging sometimes
_56:fix for routing connections through DMZ
_57:fix for SFTP public key auth with disabled user manager users
_58:fix for @AutoDomain limited administrators in the UserManager
_60:bug fix for overlapping settings config in CrushTask scenarios
_62:fixed issue where ssh_client_* parameters not used for Job configs (was VFS only)
_63:fixed missing encrypted url support for SQL mode storage of user configurations
_64:fix for items being lost for events when zipping on the fly with nested folders
New since CrushFTP 10.2.0_0 release:
_0:released
_2:more efficient XML cache handling for user.XML loading
_3:more efficient FindTask execution by processing the filter while building the lists of items
_4:added support for SAML sub names
_6:added control for user manager to set 2nd factor requirement.
_12:CSP (Content Security Policy) improvements and fixes to give better scanning scores
_13:user session logs now capture session specific debug stack traces too
_14:SSH sessions track errors in user session logs now too
_15:support for zip on the fly MD5 calculations in logs
_17:added automated {heap_dump} capability and additional low memory alert types
_20:DMZ will not start it server ports if the template user is missing or invalid
_20:updated faster-xml jackson libraries to latest
_21:DMZ template user is auto generated on first DMZ start
_24:updated SSH libraries to support PUTTy v3 key type and support for ED448 key types
Fixes:
_1:fix for making servers slow if they happened to be missing inheritance.XML or groups.XML as it attempted to search for them
_3:fix for Find task duplicating items when it runs in a loop waiting for files to appear matching criteria
_7:fixes for special characters in filenames for azure
_8:added automatic fallback method for SMTP servers to fallback on TLS versions in case they don't support more modern versions
_9:fixed issues with saml_assertion_subname to allow differentiating SAML configurations
_10:fixes for WebInterface login page prepending a slash to usernames or not functioning at all
_11:Carlo Di Dato and Francesco Gnocchi for Deloitte Risk Advisory Italy discovered an XSS issue that has been fixed.
_12:fix for SMB3 and non existent file downloads
_14:fix for spaces in folder names when using certain admin controls
_16:fix for SFTP port counter growing when using proxy protocol v1/v2.
_16:fix for SAML not working when going through DMZ
_18:fix for scan_vfs_for_initial_listing flag causing problems for single file share items
_19:added fix for same userid opening second session and overwriting file that was in sue in the prior session
_20:fix for Azure password char encoding issue
_22:fix for sockets getting stuck in some scenarios with proxy protocol v1
_23:fix for ascii PGP uploads getting a PGP trailer for size added on them
New since CrushFTP 10.1.0 release:
_0:released
_0:CrushFTP v10 New Features
_1:added support for chacha20-poly1305@openssh.com cipher and curve25519-sha2@libssh.org for KEX in SFTP
_1:Updated SFTP libraries to latest
_2:changed SFTP client to default to doing a "ls" command with blank value instead of ".". Controlled by pref: sftpclient_ls_dot
_4:partial white labeling support
_5:implemented newer SMB3 library version with some additional bug fixes for DFS
_8:log memory buffering improvements
_15:added new vfs bad config alert type
_16:added GROUPBY capability to CrushTask Jump
_22:added test keystore buttons for AS2 certificates and added SSH character encodings to SFTP sessions control
_24:changed replication to sue path from the URL and not the entire URL
_25:updated SMB3 library to latest version
_33:added custom char encoding for outbound SFTP connections
_36:updated log4j library from 1.2.17 to v2.16 even though it was NOT vulnerable. This is not a security patch, its just to appease security departments.
_37:better public key validation when two factor is enabled (more compatible with sftp clients)
_39:updated log4j libraries to 2.17 due to other issues which don't affect CrushFTP...
_40:updated jars across various areas to more current versions (letsencrypt,hadoop)
_41:added ecdsa and ed25519 server host key support for SFTP (defaults to enabled)
_43:automatically remove invalid or dead linked events when saving a user
_46:updated log4j to 2.17.1 libraries
_47:added change phone option and OTP valid for X days
_48:logging improvements for alerts
_49:added faster native md5sum calculations on file transfers
_50:changed update idle behavior to update DMZ first, then update main, and updated log4j to 2.17.1 to appease organizations that don't understand its usage in CrushFTP
_51:faster Windows UNC dir listings and added created time for listings on FILE:// locations in WebInterface
_52:end user ability to subscribe to reverse event notifications.
_56:added ability to do dual banning mode for hammering passwords, first by username, then by IP. Separate dual mode items with comma.
_58:added password blacklist file support
_59:added additional login frequency failure alert info
_62:updated PGP libraries for additional key compatibility
_65:new build of Let'sEncrypt plugin with improved handling of errors
_66:updated SMB3:// libraries with JNQ
_67:ldap cache now applies to users and groups
_70:added performance metrics checking for quotaWorker at startup to reduce server load
_71:improved thread dumps for HTML5Downlaod transfers
_73:added support for rename overwrite to HTTPClient to help with multi_journal
_75:fix for Citrix LoadBalancers not knowing how to properly do ProxyProtocolV1 so CrushFTP has to do magic to make the proxy header come through for SFTP
_77:speed improvements for Azure and storage class controls for S3
_79:memory usage throttling for segmented downloads improved
_82:updated SMB3:// libraries to use the latest version.
Fixes:
_2:fixes for OneDrive VFS protocol
_3:fix for AzureClient
_6:fix for async quota using a lot of CPU
_7:fixes for async quota and parent quota dir configurations
_9:fix for incorrect s3 listings under simultaneous listings from multiple clients
_10:fix for restart bug on Windows where service did not auto restart (since build_4 roughly)
_11:fix for sending dmz logs to internal server sometimes stopping
_12:fix for SMB DFS, to keep it enabled if its ever toggled enabled
_13:SMB DFS defaults to enabled for "smb://" protocol now.
_14:fix for PGP encrypt job not detecting failures correctly and zip/unzip tasks not handling dfs_enabled flags.
_16:XSS mitigation for user manager admin accounts
_17:fix for rename failures with SMB and PGP task, attempts a copy/delete source if encountered
_18:faster failures through DMZ for bad VFS configurations
_20:fixes for http errors being relayed to CrushClient
_21:fixes for async quota calculations and logging more information
_22:fixes for quota results through DMZ
_23:fix for AS2 incoming issues due to BouncyCastle jar updates
_24:fix for AS2 sends to HTTP URLs (only HTTPS) were allowed
_25:fixed VFS replication URLs to only look at the path of the URL and not compare entire URL
_26:fix for Radius not working due to missing old library from BouncyCastle
_27:fix for login failures
_28:fix for generating SSL keystores not working due to missing old library from BouncyCastle
_29:fix for broken share by reference in certain scenarios
_30:fix for cached time stamps on newly uploaded files via SFTP
_31:fix for TEXT mode in SFTP v4 clients
_32:additional support for custom runtime system properties (proxy for updating, etc)
_34:fix for outbound ftp client connections in active mode
_35:fix for thread leak in outbound ftp client connections
_38:fix for LetsEncrypt and log4j issues due to missing jars
_40:fix for out of sync md5 hashes for CrushClient uploads across multiple threads
_40:fix for viewing recent jobs on a server that has a different time zone than the browser
_42:fixed bug with UI not showing ecdsa and ed25519 keys were enabled when they were (enabled by default)
_44:fix for MicrosoftMail being more restrictive on Content-Type headers
_45:fix for events being deleted when editing a user
_48:fix for alerts being triggered on hack usernames
_53:fix for FTP downloads with zip on the fly
_54:fix for download as zip when going through DMZ and using segmented downloads
_55:fix for subdir quotas with async_quota enabled
_57:fixes for variable replacements in alerts
_58:fix for OTP validation
_60:fixes for alerts on login frequency
_61:fix for update when idle for DMZ
_62:fix for AS2 jobs getting stuck
_63:fix for PGP private keys for decryption failing
_64:re-published fix for AS2 jobs getting stuck as build _62 did not publish correctly
_66:fix for SAML XML signing order of the Signature tag being before the Issuer tag
_67:fix for html5 transfer memory leak in specific scenarios
_68:fix for additional html5 download memory leak
_69:fixes for missing username in some alerts and missing failed port startup log entries
_72:updated SFTP libraries to fix compatibility with Azure SFTP server
_73:fixes for Azure client being too slow to handle quick uploads
_74:fix for case insensitive CSRF token
_76:fix for plugin based logins not functioning
_78:fix for proxy protocol v1/v2 with SSL ports
_80:fixes for Find task logging and logic for skipping 2nd listing, and fix for memory issues in segmented downloads through the DMZ
_81:fix for alerts triggered in DMZ and relayed through internal server
_82:fix for ed25519 keys getting auto enabled, and for tomorrow date variable being yesterday instead
_82:fix for replicated servers and multiple users writing group and inheritance changes at the same time.