Version 11.4.2

<html>
  <body>
    <h2>
      <a
        target="_blank"
        href="https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CrushFTP11New"
        >What's New?</a
      >
    </h2>
    <br />
    <h2>11.4.2 has UI fixes, and bug fixes.  XML streaming changes.  Protocol changes to ServerBeat, DMZ, Replication, CrushSync.  NOT backwards compatible to versions below 11.4.2.  Update your DMZ *first* before your internal server!</h2>
    <br />
    <h2>Sign up for new version / critical patch notifications on our <a href="https://www.crushftp.com/support.html">Support</a> page.</h2>
    <br />

<h2>CrushFTP 11.4.2 been released!</h2><br>
<br/>
11.4.2<br/>
_0:released.  UI fixes, and bug fixes.  XML streaming changes.  Protocol changes to ServerBeat, DMZ, Replication, CrushSync.  NOT backwards compatible to versions below 11.4.2.  Update your DMZ *first*!<br/>
_0:replication configurations with more then 2 servers may require manually entering in a key for all servers so they can communicate.  for 2x servers, its automatic<br/>
_0:ServerBeat configurations with more then 2 servers may require manually entering in a key for all servers so they can communicate.  for 2x servers, its automatic<br/>
<br/>
11.4.1<br/>
_29:SAML logic improvements and preparing for XML parser changes...disabled for now<br/>
_28:fixed for man in the middle potential scenarios for CrushSync and Managed Agent (via CrushClient) and fixed LetsEncrypt cert generation and login apge UI issues<br/>
_27:fix auto update time checking algorithm<br/>
_26:fixed serverbeat port validation check<br/>
_25:changing binding for JobBroker to make it more secure<br/>
_24:fix for grouping of events across multiple sessions when going through a DMZ<br/>
_23:fix SAML for alternate name formats finding specific keys and redirections without using HTTP-POST<br/>
_22:added serverbeat key to prevent crossover on incorrect serverbeats causing conflicts with others: serverbeat_auth_token<br/>
_21:added replication key to ensure servers doing replication with each other belong together and not some accidental server overwriting settings<br/>
_20:updated log4j libraries further, even though we don't actually use it to stop scanners from detecting potential issues (there were no real issues.)
_19:added workaround flag for bad pop email addresses: mail_mime_address_strict<br/>
_18:connection profiles sanitation fixes<br/>
_17:added flags to control allowance of EPSV and EPRT<br/>
_16:fixed update check for DMZ<br/>
_15:OIDC logging fixes<br/>
_14:unsafe filename character improvements<br/>
_13:improved Agent communication speed for running external jobs, and PGP test fix, and blocked usernames UI on dashboard<br/>
_12:fixes for SHA256 checksums on S3 buckets.  will work with future AWS mistakes<br/>
_11:increased buffer size to especially benefit SMB3 conenction types<br/>
_10:fixed for chmod/chgrp/chown POSIX when config is blank or using non standard syntax<br/>
_9:fixes for PGP replication on keystore changes, and SAMl plugin fixes when the DMZ is using an alternate sub name.<br/>
_8:fixed upload UI issue with web browser when the user doens't have makedir permissions<br/><br/>
_7:fixed issues with speed calculations for download/upload speed limits and improved chmod, chown,chgrp to use Java NIO instead of native commands<br/>
_6:faster user rejection by DMZ, fixed bug with internal share permissions in UI, and fixed bug with linked VFS merging with SQL users<br/> 
_5:fix for DNS resolution in SMB3 connections<br/>
11.4.0<br/>
_4:fix for pgp public key deletion without a private key from our keystore<br/>
_3:workaround for SMB3 DNS resolving bug<br/>
_2:added flag to enable DFS for SMB3 connections<br/>
_1:added controls for update time and day of week allowed for auto updates<br/>
_0:released<br/>
<br/>
11.3.7<br/>
_75:fix for loosing some log messages potentially under high load...may take manual update to CrushFTPJarProxy.jar in plugins/lib folder on Windows machines<br/>
_74:fix for null jobs_summary-cache preventing updates to the cache<br/>
_73:added retry mechanism for logging to disk in the event of issues pushing log data to the disk<br/>
_72:fixed a caching bug on servers with very high load of connections (hundreds to thousands per second)<br/>
_71:changed max_html5_pending_upload_chunks to be global for all sessions, and added max_html5_pending_upload_chunks_ram_mb also for all sessions<br/>
_70:fixes for sharing from tasks in jobs not providing info those tasks may need, and removed a timeout for unknown host lookups when starting the jobs engine<br/>
_69:introducing task templates when adding a new task you can pick from an existing template<br/>
_68:fixed the dashboard to show job transfer speeds on it as well<br/>
_67:fix error with saving user in the User Manager if you didn't include an email.<br/>
_66:added flag "last_user_cache" to allow the server to cache prior usernames and avoid blocking during login if we already know the user profile<br/>
_65:fixed bug with SAML in build _64<br/>
_64:JMS Stomp support in task<br/>
_63:improved WebSocket based uploads and downloads<br/>
_62:fix protocol info on copy task not always beign rpeserved correctly<br/>
_61:added old_update_backup_count config to control number of old updates that are kept in the backup folder.<br/>
_60:improved reliability of server to job engine communication<br/>
_59:more detailed logging during automatic updates<br/>
_58:more detailed logging during automatic updates<br/>
_57:login URL fix and session kicking fix, and a minor HTMLi for reports: CVE-2025-63420<br/>
_56:new DNS safe lookup method for outbound connections from CrushFTP that will timeout if the DNS is not responding correctly<br/>
_55:reverted _54 fix for DNS issues.<br/>
_54:fix to prevent unnecessary DNS lookups are various times which could cause issues if DNS was struggling...<br/>
_53:after you are running _53, there is better validation of CrushTunnel.jar during updates to ensure a complete file is downloaded.<br/>
_52:improvements for websocket uploading with very large files<br/>
_51:improvements to the MicrosoftGraph handling<br/>
_51:improvements to Kafka logging<br/>
_51:improvements to WebSocket based uploads when dealing with very large files<br/>
_51:improvements to Sharepoint/OneDrive with newer API and support for share link<br/>
_51:internal changes to improve dealing with tokens all over<br/>
_50:fix for WebInterface uploads failing on 2nd+ items<br/>
11.3.6<br/>
_49:fix for websockets and reverseProxy<br/>
_48:fix http_token_replication_lookup_allowed to use the replicated hostname instead of the system hostname.<br/>
_47:updated SSH libraries to latest bug fixes<br/>
11.3.5<br/>
_46:better display of pending bytes not yet flushed to disk during uploads<br/>
_45:fix for auto update running even if disabled sometimes, and added test buttons for ServerVariable alerts<br/>
_44:added experimental support for automatic token transfer between servers via http_token_replication_lookup_allowed parameter<br/>
_43:more robust TLS version fallback and defaults<br/>
_42:rolled back change for tls_version defaults<br/>
_41:added "as2_check_compressed_first" parameter to help avoid AS2 issues where a message may appear to not be compressed when in fact it is<br/>
_40:fix a memory leak related to CPU usage and jobs engine for certain scenarios and long running servers<br/>
_40:SAML can now load SSL keystores from remote locations.<br/>
_39:removes old UI files form v11 WebInterface folder<br/>
_38:better handling of file completion closure scenarios in the HTTP WebInterface uploading scenario.<br/>
_37:fix for invalid day of week check breaking logins<br/>
_36:fixed SAML login button which was blocked with newer CSP enhancements<br/>
_35:removes the need for CSP unsafe-inline<br/>
_34:fixed bug with folder names in uploads<br/>
_33:fix for s3 scenarios in a copy task having a trailing slash<br/>
_32:changes to how S3 URLs are resolved to help with scenarios when S3 scenarios don't allow listing the bucket<br/>
_31:fix ipstack API lookup when going through DMZ.<br/>
_30:additional logging for login failures, and a fix for special bad passwords in SMB3.<br/>
_29:fix for pgp cloud cache of file sizes being missing in some scenarios and blocking internal sharing<br/>
_28:defaults TLS DH key sizes to 2048<br/>
_27:simplifies version numbering to know you are patched for CVE-2025-54309<br/>
_27:additional username filtering to theoretically avoid future similar exploit attacks (no current exploit, just future proofing)<br/>
11.3.4<br/>
_20:WebInterface UI fix for jobs not allowing batch updates, SSO login page updates to allow hiding the login form when using SSO methods<br/>
11.3.3<br/>
_19:added cache_pgp_decrypted_size_cloud_storage which handles Azure locations to keep a cache of file sizes when using PGP encrypt/decrypt on the fly<br/>
_18:fix in CrushTask decompression leaking a connection item from the source after every decompress completed.<br/>
_17:additional log messages and attempts to recover in bad ServerBeat networking scenarios<br/>
_16:updated PGP libraries to fix a PGP inspection routine that wasn't detecting all PGP files were in fact PGP data<br/>
_15:supports the usage of /.well-known/security.txt for notifications.  Just place a file, security.txt in your WebInterface folder.<br/>
_14:now supports a newer class loader to make AS2/PGP/Mail actions faster to avoid bugs with Jakarta Mail and its slow classloaders.  Need to manually update CrushFTPJarProxy.jar in plugins/lib/ to get this benefit.<br/>
_13:fix for startup bug with classloader<br/>
_12:fix for bug related to chunked encoding and parsing AS2 messages getting cut off, with more robust fall back method also<br/>
_11:one more PGP library revert<br/>
_10:reverted another PGP library<br/>
_9:reverted PGP library change<br/>
_8:updated SSH libraries for minor fixes<br/>
_7:fixed missing jar file that didn't get published<br/>
_6:released with newer libraries for BouncyCastle, and Jakarta mail<br/>
11.3.2<br/>
_5:fixed bug with loading user profiles<br/>
_4:sftp client enhancements to limits the allowed KEX/MAC/Cipher and not just configure the preferred one<br/>
_3:Indexes for Derby based DB forced on by default.  Reports will run much faster now, and its a one time delay to add them, and usually very quick<br/>
_2:ServerBeat will now fallback to using 'ip' instead of 'ifconfig' if your OS doens't have it.<br/>
_1:fix for dashboard when viewing DMZ stats and graphs not showing<br/>
_0:Updated JNQ library for improved Amazon FsX compatibility<br/>
11.3.1<br/>
_32:fix for ServerBeat getting out of sync when server clocks are off by more then 5 seconds<br/>
_31:TOTP has enhancements to allow for SHA256 instead of SHA1...if you use an authenticator app that uses SHA256 (totp_hash_algorithm in prefs.XML)<br/> 
_30:fix for auto update for all daily builds being ignored<br/>
_29:better error displays for WebSocket upload info, faster canceling of uploads, faster cancel and re-upload of same files in WebInterface, updated jar libraries<br/>
_28:fix for AS2 MDN responses coming through DMZ<br/>
_27:fix for WebSocket downloads that are overwhelming a client browser...now uses dedicated socket for acking chunks<br/>
_26:fix for clearing out all old job engine history after applying an update, faster job engine communication, and WebSocket upload/download stability improvements<br/>
_25:improvements to job engine communication, clearing old objects, and webdav improvements<br/>
_24:fix for ConenctionProfiles and limited admin not understanding an item is a connections profile<br/>
_23:fix for purging expired users and replication...race condition could break groups.XML or inheritance.XML<br/>
_22:fix for single ServerBeat server without any functional pair servers...it will still become master<br/>
_21:fix timeouts on sockets for replication, DMZ, and ServerBeat  not correctly honoring the expected timeout for a failed connection<br/>
_20:fix for uploads not allowing re-upload of the same filename in the same session<br/>
_19:fix for OIDC and OAUTH buttons on login screen not working<br/>
_18:fix for TempAccounts and VFS permissions when using MFA via DMZ<br/>
_17:added ability to do a mass hashing of passwords on users<br/>
_16:increased logging on all cloud protocols and improved error handling on cloud protocols.  (S3,OneDrive,Box,etc)<br/>
_15:improved feedback for slow azure uploads via WebInterface and improved JobEngine connections and closures<br/>
_14:improved job caching to save and reload local cache info avoiding need to re-cache on any restart<br/>
_13:improved job handling by utilizing cached job listing instead of making a new request every time<br/>
_12:fixed how various reports show user information across multiple User Connection Groups<br/>
_11:updated SMB libraries to fix issue with FSX servers and other special cases<br/>
_10:fix for blocking uploads for certain filename patterns that didn't match what we expected<br/>
_9:added support for un-archiving .tar and .tar.gz using the Unzip task<br/> 
_9:added support for .tar, tar.gz, .7z archive creation using the Zip task<br/>
_8:updated Let'sEncrypt HTP connection handling<br/>
_7:added user created date filter for the User Usage report<br/>
_6:authentication fix (Credit:Outpost24) and event path trigger handling fixes<br/>
11.3.0<br/>
_5:updated SFTP library for some minor bug fixes<br/>
_4:s3 engine improvements and kms server side encryption fixes for amazon<br/>
_3:added ability to check encrypted sizes on SMB3:// locations for PGP downloads and reporting accurate size info.  smb3_check_encrypted_header flag<br/>
_2:update thread name with current job info for better debugging<br/>
_1:added file extensions for WebInterface download blocking<br/>
_0:released<br/>
11.2.3<br/>
_27:updated SMB library to latest with many bug fixes and resolves MFA issues with SFTP through DMZ<br/>
_26:removed outdated UniSSO plugin<br/>
_25:fixes for MFA and expired passwords, download restrictions with zips, and limited admin directory navigation when multiple levels deep<br/>
_24:fix for upcoming share expiration notices<br/>
_23:fix for folder listings<br/>
_22:fixed expired passwords for SFTP not allowing client to change password<br/>
_21:fixes issue with double results of items in emails from events (not CrushTask)<br/>
_20:fixes logging bug created in build _19<br/>
_19:added flag daily_check_and_auto_update_on_idle to prefs.XML to allow for automated daily updating<br/>
_18:fixed bug with PGP keys not being loaded from the keystore correctly for the PGP task in jobs<br/>
_17:certificate export now correctly creates a zip of the der and pem encoded files<br/>
_16:supports limited admin utilizing connection profiles for remote VFS items<br/>
_15:better usage of our own hostname for ServerBeat and replicated servers (ignores our own hostname)<br/>
_14:fix for unzip logic and its retries in jobs<br/>
_13:updated apache commons jars to help with compression algorithm updates<br/>
_12:performance fix for webdav connections<br/>
_11:fix for geoip country banning<br/>
_10:various fixes and enhancements for PGP key management (rename, permanent delete, restore, hide deleted, change keystore password)<br/>
_9:added global geoip blocking options for the server<br/>
_8:Initial OIDC support added<br/>
_7:fixes for LinkTask when running on other servers<br/>
_6:fix for allowing jobs to run on the DMZ via a link task from the internal server Job Scheduler<br/>
_5:fix for paste actions in the WebInterface reporting an error<br/>
_4:fix for DMZ not tracking archived dashboard history snapshots<br/>
_3:share reporting fixes<br/>
_2:possible fix for cloudflare HTTP requests that CF destroys the chunked handling on<br/>
_1:improved job engine communication when working with large jobs, much more CPU and memory friendly<br/>
_0:released.  password reset link vulnerability fix (CVE-2024-53552 - credit Stratascale Cyber Research Unit (CRU) team) and (CVE-2024-11986 - credit European Commission, Application Security Testing Services) 11/11/2024<br/>
11.2.2<br/>
_13:fixed bug with job scheduler not always enforcing one job running at a time.
_12:fixed bug related to cookie being tied to source IP<br/>
_11:added ability to re-route socket to another port based on IP banning rules<br/>
_10:attempting to fix version update cache issues with the WebInterface...browsers should stop having issues.<br/>
_9:fix for radius using PAP not giving a proper timeout message when bad credentials are used<br/>
_9:fix for MFA/OTP tokens with SFTP logins<br/>
_8:added sign and digest method to SAML plugin<br/>
_7:fixed automated update system to not leave behind tmp files on windows<br/>
_6:added flag for making SMB3 use old DNS resolution config (smb3_old_resolve_settings)<br/>
_6:added flag for all http connections to sue proxy (use_proxy_setings_for_all_http_call)<br/>
_5:added signing method to SAML plugin, default is still SHA1<br/>
_4:added config for SAML on Canonicalization Method and fixes bug with WinSCP and .filepart extensions for job flows<br/>
_3:fix for MFA tokens when going through DMZ<br/>
_2:improved update system to handle routing through DMZ or Internal server if one side is blocked and simplified the update mechanism<br/>
_1:remote job engines now use SSL for communication<br/>
_0:new version of SMB3 libraries to address slowness in DNS/reverse DNS resolution for shares<br/>
<br/>
11.2.1<br/>
_23:bug with server engine not passing responses to things back to jobs engine<br/>
_22:fixed bug with logging for jobs<br/>
_21:fixed invalid references to {path} variable in events</br>
_20:More improvements to Jobs engines running remotely<br/>
_19:Jobs engine has support for a pool of job servers now, no change for existing users by default, wiki articles coming soon.<br/>
_18:fixed an issue with memory leak of log data not being cleared in jobs engine<br/>
_17:converted update system to use our own HTTPClient mechanism to better support HTTP proxies for outbound connections<br/>
_16:fix for not getting login page but instead getting access denied page when you have a bad cookie<br/>
_15:efficiency improvements to jobs engine communication with server engine<br/>
_14:fixes for HTML emails and Link tasks with async job trigger<br/>
_13:fix for ServerBeat and shutdown process not always releasing the IP<br/>
_12:improvements to job engine to use less CPU when running events and scheduled jobs<br/>
_11:improvements to job engine communication to speed things up and prevent overloading issues<br/>
_10:SMB3 fixes for long delays on login/logoff, reading from zip files, and setting modified time of files<br/>
11.2.0<br/>
_9:fix for # characters in URLs<br/>
_8:added separate prefs controls for s3 uploaded_by and s3 md5<br/>
_7:fix same update popup notifications when there is no update, fix for url encoding of # character<br/>
_6:fix for never ban username not working<br/>
_5:added error checking for checking for updates to notify you if the server can't be reached<br/>
_4:updated SMB3 library with minor bug fixes<br/>
_3:fixes for share customizations and UI display issues<br/>
_2:fix for double url encoding on DMZ listings causing failures<br/>
_1:fix for javascript files not always downloading correctly<br/>
_0:Vulnerability patches for two different XSS exploits.  DMZ users are not affected by one of them.  CVE details will come later<br/>
_0:One XSS was related to a stored XSS vulnerability where an admin may trigger javascript at a later time, resulting in hidden changes being done from admin session<br/>
_0:2nd XSS was related to having a user click a specially crafted link...and if they were an admin, then hidden changes could be done from the admin session<br/>
_0:Updated SMB3 libraries for additional compatibility and bug fixes<br/>
<br/>
11.1.0<br/>
_0:VULNERABILITY PATCH FOR AUTHENTICATED SESSIONS.  DMZ users unaffected for now, but still should update immediately!<br/>
_1:fixed bug with admin actions being blocked<br/>
_2:fix bug with saving some jobs<br/>
_3:improved update status messages<br/>
_4:fixed Radius plugin so it works again<br/>
_5:many UI fixes for WebInterface shares and other minor UI tweaks.<br/>
_6:bug fix for HomeDirectory plugin in v11 not handling the user VFS config, and memory leak fix for Jobs engine<br/>
_7:improvements to Radius logging, and fix for replication allowing many threads to be opened when a replication server is not responding quickly<br/>
_8:fix for Radius based logins<br/>
_9:fix for MFA/OTP codes not displaying for entry on the WebInterface<br/>
_10:added logging for jobs engine communication object sizes<br/>
_11:fix for using DMZ for outbound connections in jobs and WebDAV fixes (reverted recent WebDAV changes)<br/>
_12:fix for using DMZ for outbound connections in jobs<br/>
_13:fix for jobs engine not honoring logging debug level<br/>
_14:fixed bug with S3Crush segmented downloads missing their last segment and downloads hanging<br/>
_15:fix issue with WebInterface not loading in _14<br/>
_16:fixes for URLs with special characters in the password due to changes starting with Java21 and WebInterface old code cleanup<br/>
_17:fix for IPs not always being tracked correctly in HTTP session<br/>
_18:rolled back password fixes for Java 21 that were causing problems for DMZ server connections<br/>
_19:rolled back IP changes for cookies, re-implemented password fixes for Java21<br/>
_20:fixed on remote job runs in managed agent, fix for sharepoint cache, rename retries for cut/paste, posix fix on VFS permissions, and renaming job fix for running jobs<br/>
_21:updated SFTP libraries to fix compatibility for some clients, fix for attaching files from remote locations in jobs, and fix for SMB3:// not being able to set modified time on files<br/>
<br/>
11.0.1<br/>
<b>Changes:</b><br/>
_11:jar file cleanup files<br/>
_12:updated javamail to latest, streamlined how SAML plugin operates to not need custom JVM flags<br/>
_13:updated all BouncyCastle jar files<br/>
_14:updated jQuery 1.12.1 to 1.13.2<br/>
_15:cleaned up old BouncyCastle jar files left over.<br/>
_17:cleanup of old beta code<br/>
_18:added some conditional Job logic capabilities<br/>
_19:re-written ServerBeat logic to handle more complex scenarios, as many priorities as needed, and as many servers as needed.<br/>
_20:updated BouncyCastle jars and SFTP libraries<br/>
_22:removed offending "bcprov-ext-jdk18on-1.78.jar" for being unsigned and causing all encryption activities to fail (Let'sEncrypt, SFTP, PGP, AS2, etc)<br/>
_23:improved Replication to avoid blocks when a server is offline<br/>
_25:the temporary acceptance of v10 codes in Crush v11 is no longer allowed, you must have an upgraded v11 code, not v10 code.<br/>
_26:architectural changes for the Replication with multiple servers and performance improvements for Jobs engine to server communication<br/>
<br/>
<b>Fixes:</b><br/>
_1:fixed recursive deletes on certain SMB3 servers<br/>
_2:fixed issues with WebSocket based transfers<br/>
_3:better logged in active session preservations across updates<br/>
_4:fixes for WebSocket based multiplexed downloads<br/>
_5:many fixes for WebSocket based transfers, and for Jobs engine running on Windows<br/>
_6:fix for pgp passwords stored in an old format<br/>
_7:fixes for WebSocket advanced upload/download and multi-threaded s3 downloads<br/>
_8:updated SFTP libraries to fix some StrictKex compatibility issues<br/>
_9:fixed problem where JOB_BROKER was stealing the update process...prior to _9 you may need to do a full restart</br>
_10:fixed I forgot my Password link not working.  There have also been fixes related to the ad-hoc sharing panel.<br/>
_13:fixed stop/pause/resume button not working on jobs<br/>
_16:fixed bug with email based PGP keys that were imported and had invalid names<br/>
_18:fixed proxy_protocol_ftp_pasv code that was not ported forward from v10<br/>
_21:changed how BouncyCastle is globally loaded<br/>
_24:fixed jobs to preserve sftp private key between find/copy steps<br/>
_27:fixes bug where user variables were not present in events they triggered<br/>
_28:fixes for jobs not running<br/>
_29:fixed some memory leaks related to replication and jobs engine<br/>
_30:fixed the restore user menu in the UserManager for difference User Connection Groups scenarios<br/> 
<br/>
<br/>

  </body>
</html>