Version 10.8.0

What's New?

CrushFTP 10.8.0 has been released!

Various improvements all around: security fixes, continual minor feature improvements (SSH key types) and additions, and library updates.
10.8.0 patches XSS vulnerabilities that could be used to perform hidden actions with an authenticated admin's session.

_0:Vulnerability patches for two different XSS exploits. DMZ users are not affected by one of them. CVE details will come later.
_0:The first was a stored XSS vulnerability: an admin could trigger the injected JavaScript at a later time, resulting in hidden changes being made from the admin session.
_0:The second XSS required a user to click a specially crafted link; if that user was an admin, hidden changes could be made from the admin session.
_0:Updated SMB3 libraries for additional compatibility and bug fixes

10.6.1 / 10.7.1:
_0:released with important security updates for SSH
_0:CBC and chacha20poly1305 ciphers are disabled by default; they can be re-enabled via the prefs.XML flags sftp_allow_cbc_ciphers and sftp_allow_chacha_ciphers.
_0:updated SSH libraries; removed chacha20poly1305 and CBC ciphers for outbound SFTP connections.
_5:changed the default QR code generator to a local implementation instead of the Google API, as Google's is being deprecated
_7:added Let'sEncrypt support for handling proxy protocol on the HTTPS port and HTTP-to-HTTPS redirect port issues; also allows ignoring HTTP header errors
_13:added support for experimental distributed jobs engine
_15:updated SFTP library to final version
_16:added prefer_ipv6 prefs flag to make CrushFTP prefer IPv6 over IPv4 when resolving DNS names
_25:jar file cleanup; updated javamail and SMB3 libraries to latest; streamlined the SAML plugin so it no longer requires custom JVM flags
_29:re-written ServerBeat logic to handle more complex scenarios, as many priorities as needed, and as many servers as needed.
_32:updated BouncyCastle jars and SFTP libraries
_33:removed offending "bcprov-ext-jdk18on-1.78.jar" jar causing encryption to fail (LetsEncrypt, PGP, SFTP, AS2, etc.)
_34:VULNERABILITY PATCH FOR UNAUTHENTICATED SESSIONS. DMZ users unaffected for now, but still should update immediately!
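As an added example (not CrushFTP code), a Python audit that parses an SSH server's KEXINIT and reports whether it still offers the chacha20-poly1305 or CBC-with-ETM combinations that CVE-2023-48795 (Terrapin) depends on, and whether it advertises the strict KEX countermeasure; the embedded KEXINIT packets are constructed, and audit_server is the live-host variant of the same check.

```python
import io
import socket
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
CHACHA = "chacha20-poly1305@openssh.com"
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def _name_list(buf, off):
    # RFC 4251 name-list: uint32 length followed by comma-separated names
    n = struct.unpack_from(">I", buf, off)[0]
    off += 4
    names = buf[off:off + n].decode("ascii")
    return [s for s in names.split(",") if s], off + n


def parse_kexinit(payload):
    """Parse an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) into its name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 1 + 16  # message id + 16-byte random cookie
    out = {}
    for field in FIELDS:
        out[field], off = _name_list(payload, off)
    return out


def terrapin_exposure(kexinit):
    """Report which Terrapin preconditions a server advertises."""
    ciphers = set(kexinit["enc_c2s"]) | set(kexinit["enc_s2c"])
    macs = set(kexinit["mac_c2s"]) | set(kexinit["mac_s2c"])
    cbc = sorted(c for c in ciphers if c.endswith("-cbc"))
    etm = sorted(m for m in macs if m.endswith("-etm@openssh.com"))
    chacha = CHACHA in ciphers
    strict = STRICT_KEX_SERVER in kexinit["kex"]
    # Exposed combinations: chacha20-poly1305, or a CBC cipher with an ETM MAC,
    # and only when the server does not offer strict KEX.
    return {
        "chacha20_offered": chacha,
        "cbc_ciphers": cbc,
        "cbc_etm_combo": bool(cbc and etm),
        "strict_kex": strict,
        "vulnerable": (chacha or bool(cbc and etm)) and not strict,
    }


def read_kexinit_payload(stream):
    """Read one unencrypted binary packet (RFC 4253 section 6) and return its payload."""
    hdr = stream.read(5)
    length, pad = struct.unpack(">I", hdr[:4])[0], hdr[4]
    body = stream.read(length - 1)
    return body[: length - 1 - pad]


def audit_framed(packet):
    """Audit a captured, framed KEXINIT packet held in memory."""
    return terrapin_exposure(parse_kexinit(read_kexinit_payload(io.BytesIO(packet))))


def audit_server(host, port=22, timeout=5):
    """Connect, exchange version banners, and audit the server's KEXINIT (live use)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        banner = f.readline()  # assumes the first line is the SSH-2.0 banner
        sock.sendall(b"SSH-2.0-KexAudit\r\n")
        payload = read_kexinit_payload(f)
    return banner.decode("ascii", "replace").strip(), terrapin_exposure(parse_kexinit(payload))


# --- constructed sample data (not real server output) -------------------------

def build_kexinit(kex, hostkey, enc, mac):
    """Build a KEXINIT payload; used only to construct sample input for this example."""
    def nl(items):
        s = ",".join(items).encode("ascii")
        return struct.pack(">I", len(s)) + s
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for lst in (kex, hostkey, enc, enc, mac, mac, ["none"], ["none"], [], []):
        body += nl(lst)
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def frame_packet(payload, pad=8):
    """Wrap a payload in the unencrypted binary-packet framing."""
    return struct.pack(">IB", len(payload) + 1 + pad, pad) + payload + b"\x00" * pad


BEFORE = frame_packet(build_kexinit(["curve25519-sha256"], ["ssh-ed25519"],
                                    ["aes128-cbc", CHACHA, "aes256-ctr"],
                                    ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]))
AFTER = frame_packet(build_kexinit(["curve25519-sha256", STRICT_KEX_SERVER], ["ssh-ed25519"],
                                   ["aes256-ctr", "aes256-gcm@openssh.com"], ["hmac-sha2-256"]))

if __name__ == "__main__":
    print("before:", audit_framed(BEFORE))
    print("after: ", audit_framed(AFTER))
```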

_0:KEX and cipher changes to mitigate CVE-2023-48795, plus support for the new strict KEX protocol
_0:LDAP references to home folders that utilize the login password are ignored during SFTP SSH public key lookups now
_1:fix for very slow memory leak with DMZ communication channel
_2:workaround for reset password being blocked for some scenarios
_3:updated SMB3 library with some auth fixes
_4:fix for dir listing bug in WebInterface
_6:fix for proxy_protocol_ftp_pasv and ssl
_7:fix for XSS vulnerability in a specially crafted link for an already authenticated user. Credit: Code Guardian
_8:fix for OTP working through DMZ scenario
_9:fix for ssl port and proxy_protocol_ftp_pasv
_10:updated SSH libraries with a fix for StrictKEX and some old server implementations (terrapin regression fix)
_11:rolled back sftp libraries due to StrictKex issues
_12:updated SFTP libraries again to fix the terrapin StrictKex compatibility issue on the server
_14:fixes for Azure double encoding issues for special characters
_17:fixed bugs related to S3Client headers
_18:fixed bug with LDAPS not finding a required class
_19:fixed bug with StatsDB, SyncDB, SQLUsers...all not finding their JDBC driver class
_20:fix for s3 not properly tracking new folders and allowing access to new folders
_21:fix for share links having invalid encrypted URLs
_22:fixed recursive deletes on folders on certain SMB3 servers
_23:fix for pgp passwords stored in an old format
_24:updated SFTP libraries to fix some StrictKex compatibility issues and case sensitive username issue
_26:fix for Let'sEncrypt log errors filling up the logs (regardless of whether you use it)
_27:removed old google charts API for QR codes
_28:cleanup of old beta code
_30:fix for ServerBeat bug in _29 preventing jobs from running
_31:fix for no serverbeat configured blocking jobs/letsencrypt
_34:fixed the restore user menu in the UserManager for different User Connection Group scenarios
_35:fix for some admin areas not allowing saves
_36:fix for some jobs not allowing saves
_37:fixed Radius plugin so it works again
_38:fixed bug with SSL not loading due to a typo in the BouncyCastle library names
_39:changed how Radius plugin loads to prevent conflicts with LetsEncrypt and PGP
_40:fix for Radius based logins
_41:fix for share window on web browser not being able to submit the share due to a javascript bug
_42:fixed bug with S3Crush segmented downloads missing their last segment and downloads hanging
_43:fix issue with WebInterface not loading in _42
_44:rolled back password fixes for Java 21 that were causing problems for DMZ server connections
_45:fix for IPs not always being tracked correctly in HTTP session
_46:rolled back IP cookie changes
_47:fixes for remote job runs in a managed agent, the SharePoint cache, rename retries for cut/paste, POSIX VFS permissions, and renaming a job while it is running
_48:updated SFTP libraries to fix compatibility for some clients, fix for attaching files from remote locations in jobs, and fix for SMB3:// not being able to set modified time on files

Update Info
New since CrushFTP 10.5.0_0 release:
_0:released with important fixes for SMB3 library compatibility
_14:improvements to hack username checks for immediate bans
_15:enhancements to the OneDrive protocol to improve upload speeds
_16:DB drivers can no longer be dynamically loaded and must be part of your plugins/lib folder (change for upcoming CVE)
_23:more efficient multithreaded asynchronous quota workers
_24:10.5.3:updated SFTP libraries for client and server components. Updated SMB3 libraries to latest.
_33:async quota workers now share their work between replicated servers
_36:added flag to force proxy protocol on FTP pasv ports too
_37:added config control for "max_ftp_auth_secs" and default changed from 120 to 20
_44:10.5.6 has updated SSH libraries to patch an SSH vulnerability (in the library, not CrushFTP itself, but the same effect in the end)
_49:SFTP session logs are now tied to each user's session individually, making debugging much easier, in addition to the global log for tracking issues

_1:fixed missing thread names on PGP encrypt/decrypt streams
_2:fix for blocked thread on replication of prefs/users/jobs/reports/etc preventing future updates
_3:new pgp library to fix speed issues with pgp ascii armor
_4:fix for starting up job schedules when there are lots of jobs scheduled for the same minute
_5:fix for a rare scenario where a FILE item gets treated as a folder during a Copy task
_6:fix for job scheduler possibly skipping a minute when under extremely super high load
_7:fix for security issue awaiting disclosure. 10.5.0 and 10.5.1 are the same, just a version bump for notifications. Credit Ryan Emmons
_8:performance improvement for many jobs running at the same time
_9:job scheduling fix for daily/weekly/monthly jobs skipping a day/month/week potentially
_10:updated SFTP libraries to fix private key loading issue for very old key formats using sshtools
_11:another fix for weekly job runs to calculate the correct next run time on new saves of a job
_12:fix for multi-segmented transfers and PGP instream changes
_13:fix for Azure connections that don't get cleaned up until the client logs out, which uses memory when a client uploads lots of small files
_17:fix for connecting to statisticsDB when not using Derby (builtin)
_18:fix for zipstream uploads not extracting correctly with corrupted files
_19:fix for when SFTP clients open many channels on one connection and logout before all file transfers are finished
_20:fixes for share button in WebInterface not showing, and additional log details for CrushTasks of protocol errors
_21:fix for SMB3 not using the correct ModifiedTime on files and causing issues for Find tasks in jobs
_22:fix for replication on a new server that doesn't have a groups.XML or an inheritance.XML file
_24:fixes for kerberos and NTLM auth issues related to SMB3 servers
_25:fixed 1st bug with memory leak on async quota and remote VFS items
_26:fixed 2nd bug with memory leak on async quota and remote VFS items
_27:fixed bug with memory leak with bad S3 VFS items
_28:10.5.4 fixes a bug related to alerts where a server admin could execute a local process in an unexpected way (there are other allowed ways, so this isn't a vulnerability)
_29:fix for WebInterface index.html cache and slow DMZ login page loading for some people, and possible memory leak for SFTP connections
_30:fix for SAML bug where the plugin's logging was disabled
_31:possible memory leak fix for certain sftp scenarios
_32:same as _31, different approach
_34:fix for dmz not responding with failed login response when the internal server wouldn't even honor the request for bad logins (fake admin)
_35:fix for File VFS items instead of folder VFS items in the User Manager
_37:10.5.5 release with three critical vulnerability fixes: Credit to: The UK's National Cyber Security Centre (NCSC). Details will follow soon.
_40:fixed some missing variables in FTP responses
_41:fix for SFTP logins timing out
_42:implemented fix for multiple SFTP ports and race conditions for logins being tied to the wrong server port
_43:fix for password encryption breaking the save button in the Jobs area
_44:fixes DMZ user issues
_45:updated SSH libraries to fix a library compatibility issue causing RSA keys not to work for some people
_46:fix for password lookups with multiple User Connection Groups configured
_47:potential fix for AS2 MDN async responses
_48:removed SSH session timeouts as it's already handled by the user idle timeout of the User Manager (and this fixes bad SFTP clients)

New since CrushFTP 10.4.0_0 release:
_0:updated SFTP, SMB3, PGP libraries
_4:updated BouncyCastle libraries to latest 1.72 (used for PGP)
_5:changed how PGP encrypt/decrypt task works in a job for S3 locations to avoid any rename situations and just output the actual file
_8:updated SFTP libraries to improve KEX compatibility
_9:AzureClient now attempts multiple retries in case there is a temporary server issue, and added {0group}, {1gorup}, {group0} variables for user info
_16:SMB3 library updated to latest with improved kerberos support
_19:finished SOCKS5 protocol support: user/pass auth, logging flag, and protocol control in the User Manager
_22:major improvements to job info caching and job monitoring, flag to disable job summary lookup on dashboard job_summary_on_dashboard
_24:removed some jars used for JMS, if you use JMS, you need to manually re-add some jars to keep JMS support. This was required due to prior vulnerabilities in the older JMS jars. See wiki.
_25:significantly sped up the Jobs viewer when dealing with thousands of Jobs. Both in editing and saving jobs and in viewing prior run jobs
_32:added ability to do multiple jobs in testJobSchedule and changeJobStatus

_0:new SMB3 library fixes issues with Amazon FSX servers
_1:fix for some Tectia SSH servers and outbound SFTP connections from CrushFTP
_2:fix for ip restrictions and public key auth with SFTP
_3:2nd fix for ip restrictions and public key auth with SFTP
_6:fix for CopyTask bug with S3 locations and SFTP client not liking null characters in folder names
_7:fix for CopyTask bug with S3 locations
_10:fix bug related to expire users inheriting from group user
_11:fix for jobs not running at their scheduled time when the system was too overloaded with job schedules to process
_12:fixed bugs related to Move task with folder structures and being on the same disk
_13:fixed bug with Move task when absolute paths had been used in Find task
_14:fixed bug with Move task related to certain event scenarios
_15:fix for merged VFS items not showing when out of sync with SMB/SMB3
_16:fix for multi-threaded Move task handling folder creations
_17:fix for Move task leaving behind folders when the source was an FTP server location
_18:fix for WebInterface when using SQL user mode
_20:socks4/socks5 auth fixes
_21:fix for uploads failing with WebInterface
_22:fixes for search process with bad directories in the memCache
_23:fix for remote agentRegistration in a HA environment
_25:fix for broken java -jar CrushFTP.jar scenario due to a malformed file. java -jar plugins/lib/CrushFTPJarProxy.jar was unaffected and still worked fine
_26:fix for connection pooling in CrushTask/Jobs with Copy/move steps not always doing pooling
_27:fixes for change password email delays
_28:minor SMB3 library update with some bug fixes
_29:fix for merged VFS download all items failing in certain scenarios
_30:socket usage improvements for Azure client protocol
_31:connections fixes for azure client
_33:rolled back JNQ SMB3 library to the prior version due to connectivity issues for a customer
_34:fixed merged VFS scenario where all VFS items had different root names and zip download failed
_35:fix for failing dir listings caused by _34
_36:updated PGP supporting libraries to fix a PGP zipexception error on decrypt
_37:fix for DMZ server not allowing uploads for local accounts (pass through to internal was fine.)

New since CrushFTP 10.3.0_0 release:
_0:updated SSH libraries to support the PuTTY v3 key type and ED448 key types
_5:added active_jobs_shutdown_wait_secs parameter to allow CrushFTP to wait for jobs to finish before allowing a friendly service shutdown
_20:automatically disabled multi-segmented downloading when memory is low
_21:updated SFTP libraries to latest version
_21:fix for FTPES uploads to FileZilla servers, which complain about TLS closure and disagree with how Java does it
_23:re-wrote the HTTPClient multi-segmented download handling to be more memory safe
_25:updated sftp libraries to latest version
_26:updated SMB3 libraries which had various bug fixes (deadlocks and better connection handling)
_28:validates SQL connections from the pool before using them for looking up user info when using SQL mode
_29:added ability to reload keystores for internal and dmz by making a local file 'reload_ssl'
_29:fix for a DoS related to password encryption, credit to Matt Moreschi
_31:updated JNQ SMB3 library with minor fixes
_33:triggers GarbageCollection before triggering low_memory level 3 alert...just in case memory really isn't that low
_35:added VFS items at login log line to help track VFS config in archived logs
_36:changed the default for SFTP to not use sftp_transport_blocking, to improve compatibility
_37:updated SMB3 library for minor bug fixes
_43:added advanced list management capabilities to UserVariable task in Jobs. See wiki CrushTask Functions
_44:allow deletion of read-only flagged files on SMB3...the same as Windows SMB allows
_45:updated to final sftp library update
_46:updating users with updated expiration date/time is now asynchronous
_53:support for JKS sharing between cluster nodes with Let'sEncrypt plugin.
_58:faster directory listings
_59:additional logging for CrushTask debugging
_61:added flags for 'ssh_client_*' in prefs.XML to control allowed ciphers, kex, and macs

_1:new memory tracking algorithm for html transfers to better track and fix memory consumption issues
_2:fix for delete on overwrite with similar named directory paths
_3:fix for slow memory creep when using multi segmented transfers through DMZ and slow downloads
_4:fix for sftp rename bug
_6:fix for memory usage not being freed immediately when a multi segmented download transfer fails.
_7:fix for failing sftp downloads
_8:fix for failing sftp downloads
_9:fix for FTPS/FTPES outbound connections potentially having a thread leak
_10:fix for SFTP not honoring the lack of delete directory permission in some scenarios
_11:fix for LDAP plugins not properly honoring group membership
_12:fix for thread leak when running CrushFTP as a SFTP proxy
_13:CrushTask multi-threading fixes for Delete task and error catching for zip/copy tasks
_14:fix for DMZ UI not loading preferences
_15:fix for dmz memory usage for multi-segmented transfer downloads
_16:fix for dmz memory usage for multi-segmented transfer downloads
_17:fix for memory not being cleared quickly when an error is encountered on file download
_18:fix for html5 memory usage on DMZ for slow downloads
_19:fix for failing dmz downloads created by build _17.
_21:fix for SCP doubling filename when renaming file
_22:rolled back SFTP libraries
_24:fix for non-serializable item getting into areas where it should not have been
_27:fix for split_prefs and dmz servers for server_list items
_30:re-implemented window space control for SFTP to allow buggy JSCH implementations to not crash
_32:fix for memory race condition when allowing multi-segmented chunks download
_34:fix for job task item URLs losing their final character
_37:fix for DMZ quota lookups
_38:updated sftp libraries for a fix for the 'paramiko' SFTP client
_39:rolled back SFTP libraries; still has the paramiko fix, but not working at a high performance level for now
_40:rolled back SFTP libraries to the last known stable version
_41:updated sftp libraries to a new stable version that protects against a memory issue, and compatibility issues
_42:fix for Jobs losing the path to items after their first copy was performed
_44:fix for an admin bug causing deletion of all users, credit to Jean Calvin Mugabo of Trustwave SpiderLabs
_47:fix for sharepoint VFS client
_48:fix for ignoring errors during a Move task
_49:fix for uploads not showing speed on dashboard
_50:added additional full disk protection for job scheduler
_51:fix for potential socket getting stuck in DMZv5 mode and all other sockets stuck behind it.
_52:fix for limited admin and using @AutoHost on server ports
_54:honors the hidden flag on SMB/SMB3 servers now
_55:fixed bug with proxy protocol v1/v2 and SFTP server ports hanging sometimes
_56:fix for routing connections through DMZ
_57:fix for SFTP public key auth with disabled user manager users
_58:fix for @AutoDomain limited administrators in the UserManager
_60:bug fix for overlapping settings config in CrushTask scenarios
_62:fixed issue where ssh_client_* parameters not used for Job configs (was VFS only)
_63:fixed missing encrypted url support for SQL mode storage of user configurations
_64:fix for items being lost for events when zipping on the fly with nested folders

New since CrushFTP 10.2.0_0 release:
_2:more efficient XML cache handling for user.XML loading
_3:more efficient FindTask execution by processing the filter while building the lists of items
_4:added support for SAML sub names
_6:added control for user manager to set 2nd factor requirement.
_12:CSP (Content Security Policy) improvements and fixes to give better scanning scores
_13:user session logs now capture session specific debug stack traces too
_14:SSH sessions track errors in user session logs now too
_15:support for zip on the fly MD5 calculations in logs
_17:added automated {heap_dump} capability and additional low memory alert types
_20:DMZ will not start its server ports if the template user is missing or invalid
_20:updated faster-xml jackson libraries to latest
_21:DMZ template user is auto generated on first DMZ start
_24:updated SSH libraries to support the PuTTY v3 key type and ED448 key types

_1:fix for making servers slow if they happened to be missing inheritance.XML or groups.XML as it attempted to search for them
_3:fix for Find task duplicating items when it runs in a loop waiting for files to appear matching criteria
_7:fixes for special characters in filenames for azure
_8:added automatic fallback to older TLS versions for SMTP servers that don't support more modern versions
_9:fixed issues with saml_assertion_subname to allow differentiating SAML configurations
_10:fixes for WebInterface login page prepending a slash to usernames or not functioning at all
_11:fixed an XSS issue discovered by Carlo Di Dato and Francesco Gnocchi of Deloitte Risk Advisory Italy
_12:fix for SMB3 and non existent file downloads
_14:fix for spaces in folder names when using certain admin controls
_16:fix for SFTP port counter growing when using proxy protocol v1/v2.
_16:fix for SAML not working when going through DMZ
_18:fix for scan_vfs_for_initial_listing flag causing problems for single file share items
_19:added fix for the same userid opening a second session and overwriting a file that was in use in the prior session
_20:fix for Azure password char encoding issue
_22:fix for sockets getting stuck in some scenarios with proxy protocol v1
_23:fix for ascii PGP uploads getting a PGP trailer for size added on them

New since CrushFTP 10.1.0 release:
_0:CrushFTP v10 New Features
_1:added support for cipher and for KEX in SFTP
_1:Updated SFTP libraries to latest
_2:changed SFTP client to default to doing a "ls" command with blank value instead of ".". Controlled by pref: sftpclient_ls_dot
_4:partial white labeling support
_5:implemented newer SMB3 library version with some additional bug fixes for DFS
_8:log memory buffering improvements
_15:added new vfs bad config alert type
_16:added GROUPBY capability to CrushTask Jump
_22:added test keystore buttons for AS2 certificates and added SSH character encodings to SFTP sessions control
_24:changed replication to use the path from the URL and not the entire URL
_25:updated SMB3 library to latest version
_33:added custom char encoding for outbound SFTP connections
_36:updated log4j library from 1.2.17 to v2.16 even though it was NOT vulnerable. This is not a security patch, it's just to appease security departments.
_37:better public key validation when two factor is enabled (more compatible with sftp clients)
_39:updated log4j libraries to 2.17 due to other issues which don't affect CrushFTP...
_40:updated jars across various areas to more current versions (letsencrypt,hadoop)
_41:added ecdsa and ed25519 server host key support for SFTP (defaults to enabled)
_43:automatically remove invalid or dead linked events when saving a user
_46:updated log4j to 2.17.1 libraries
_47:added change phone option and OTP valid for X days
_48:logging improvements for alerts
_49:added faster native md5sum calculations on file transfers
_50:changed update idle behavior to update DMZ first, then update main, and updated log4j to 2.17.1 to appease organizations that don't understand its usage in CrushFTP
_51:faster Windows UNC dir listings and added created time for listings on FILE:// locations in WebInterface
_52:end user ability to subscribe to reverse event notifications.
_56:added ability to do dual banning mode for hammering passwords, first by username, then by IP. Separate dual mode items with comma.
_58:added password blacklist file support
_59:added additional login frequency failure alert info
_62:updated PGP libraries for additional key compatibility
_65:new build of Let'sEncrypt plugin with improved handling of errors
_66:updated SMB3:// libraries with JNQ
_67:ldap cache now applies to users and groups
_70:added performance metrics checking for quotaWorker at startup to reduce server load
_71:improved thread dumps for HTML5Download transfers
_73:added support for rename overwrite to HTTPClient to help with multi_journal
_75:fix for Citrix LoadBalancers not knowing how to properly do ProxyProtocolV1 so CrushFTP has to do magic to make the proxy header come through for SFTP
_77:speed improvements for Azure and storage class controls for S3
_79:memory usage throttling for segmented downloads improved
_82:updated SMB3:// libraries to use the latest version.

_2:fixes for OneDrive VFS protocol
_3:fix for AzureClient
_6:fix for async quota using a lot of CPU
_7:fixes for async quota and parent quota dir configurations
_9:fix for incorrect s3 listings under simultaneous listings from multiple clients
_10:fix for restart bug on Windows where service did not auto restart (since build_4 roughly)
_11:fix for sending dmz logs to internal server sometimes stopping
_12:fix for SMB DFS, to keep it enabled if it's ever toggled enabled
_13:SMB DFS defaults to enabled for "smb://" protocol now.
_14:fix for PGP encrypt job not detecting failures correctly and zip/unzip tasks not handling dfs_enabled flags.
_16:XSS mitigation for user manager admin accounts
_17:fix for rename failures with SMB and PGP task, attempts a copy/delete source if encountered
_18:faster failures through DMZ for bad VFS configurations
_20:fixes for http errors being relayed to CrushClient
_21:fixes for async quota calculations and logging more information
_22:fixes for quota results through DMZ
_23:fix for AS2 incoming issues due to BouncyCastle jar updates
_24:fix for AS2 sends to HTTP URLs (only HTTPS was allowed)
_25:fixed VFS replication URLs to only look at the path of the URL and not compare entire URL
_26:fix for Radius not working due to missing old library from BouncyCastle
_27:fix for login failures
_28:fix for generating SSL keystores not working due to missing old library from BouncyCastle
_29:fix for broken share by reference in certain scenarios
_30:fix for cached time stamps on newly uploaded files via SFTP
_31:fix for TEXT mode in SFTP v4 clients
_32:additional support for custom runtime system properties (proxy for updating, etc)
_34:fix for outbound ftp client connections in active mode
_35:fix for thread leak in outbound ftp client connections
_38:fix for LetsEncrypt and log4j issues due to missing jars
_40:fix for out of sync md5 hashes for CrushClient uploads across multiple threads
_40:fix for viewing recent jobs on a server that has a different time zone than the browser
_42:fixed bug with UI not showing ecdsa and ed25519 keys were enabled when they were (enabled by default)
_44:fix for MicrosoftMail being more restrictive on Content-Type headers
_45:fix for events being deleted when editing a user
_48:fix for alerts being triggered on hack usernames
_53:fix for FTP downloads with zip on the fly
_54:fix for download as zip when going through DMZ and using segmented downloads
_55:fix for subdir quotas with async_quota enabled
_57:fixes for variable replacements in alerts
_58:fix for OTP validation
_60:fixes for alerts on login frequency
_61:fix for update when idle for DMZ
_62:fix for AS2 jobs getting stuck
_63:fix for PGP private keys for decryption failing
_64:re-published fix for AS2 jobs getting stuck as build _62 did not publish correctly
_66:fix for SAML XML signing order of the Signature tag being before the Issuer tag
_67:fix for html5 transfer memory leak in specific scenarios
_68:fix for additional html5 download memory leak
_69:fixes for missing username in some alerts and missing failed port startup log entries
_72:updated SFTP libraries to fix compatibility with Azure SFTP server
_73:fixes for Azure client being too slow to handle quick uploads
_74:fix for case insensitive CSRF token
_76:fix for plugin based logins not functioning
_78:fix for proxy protocol v1/v2 with SSL ports
_80:fixes for Find task logging and logic for skipping 2nd listing, and fix for memory issues in segmented downloads through the DMZ
_81:fix for alerts triggered in DMZ and relayed through internal server
_82:fix for ed25519 keys getting auto enabled, and for tomorrow date variable being yesterday instead
_82:fix for replicated servers and multiple users writing group and inheritance changes at the same time.