Version 10.7.1
CrushFTP 10.6.1 has been released!
Various improvements all around, security improvements, continual
minor feature improvements (SSH key types) and additions, and library
updates
CRITICAL SECURITY BUG FIXED IN 10.7, 10.5.1, 10.5.5! Update immediately or you
are at severe risk of exploitation!
CrushFTP had vulnerabilities in earlier versions, as did SSH in general
Updates and regular patching is a requirement!
Update Info
New since CrushFTP 10.5.0_0 release:
_0:released with important fixes for SMB3 library compatibility
_14:improvements to hack username checks for immediate bans
_15:enhancements to the OneDrive protocol to improve upload speeds
_16:DB drivers can no longer be dynamically loaded and must be part of your
plugins/lib folder (change for upcoming CVE)
_23:more efficient multithreaded asynchronous quota workers
_24:10.5.3:updated SFTP libraries for client and server components. Updated
SMB3 libraries to latest.
_33:async quota workers share between replicated servers their work
_36:added flag to force proxy protocol on FTP pasv ports too
_37:added config control for "max_ftp_auth_secs" and default changed from
120 to 20
_44:10.5.6 has updated SSH libraries to patch an SSH vulnerability. (not
Crush, but same effect in the end.) https://eprint.iacr.org/2023/1711.pdf
_49:sftp session logs now get tied to the user's session individually making
debugging issues much much easier..as well as the global log for tracking
issues
Fixes:
_1:fixed missing thread names on PGP encrypt/decrypt streams
_2:fix for blocked thread on replication of prefs/users/jobs/reports/etc
preventing future updates
_3:new pgp library to fix speed issues with pgp ascii armor
_4:fix for starting up job schedules when there are lots of jobs scheduled
for the same minute
_5:fix for a rare scenario where a FILE item gets treated as a folder during
a Copy task
_6:fix for job scheduler possibly skipping a minute when under extremely
super high load
_7:fix for security issue awaiting disclosure.10.5.0 and 10.5.1 are the
same, just version bump for notifications. Credit Ryan Emmons
_8:performance improvement for many jobs running at the same time
_9:job scheduling fix for daily/weekly/monthly jobs skipping a
day/month/week potentially
_10:updated SFTP libraries to fix private key loading issue for very old key
formats using sshtools
_11:another fix for weekly job runs to calculate the correct next run time
on new saves of a job
_12:fix for multi-segmented transfers and PGP instream changes
_13:fix for Azure connections that don't get cleaned up until logout of a
client which uses memory when they uploads lots of little files
_17:fix for connecting to statisticsDB when not using Derby (builtin)
_18:fix for zipstream uploads not extracting correctly with corrupted
files
_19:fix for when SFTP clients open many channels on one connection and
logout before all file transfers are finished
_20:fixes for share button in WebInterface not showing, and additional log
details for CrushTasks of protocol errors
_21:fix for SMB3 not using the correct ModifiedTime on files and causing
issues for Find tasks in jobs
_22:fix for replication on a new server that doens't have a groups.XML or a
inheritance.XML file
_24:fixes for kerberos and NTLM auth issues related to SMB3 servers
_25:fixed 1st bug with memory leak on async quota and remote VFS items
_26:fixed 2nd bug with memory leak on async quota and remote VFS items
_27:fixed bug with memory leak with bad S3 VFS items
_28:10.5.4 fixes a bug related to alerts where a server admin could execute
a local process in an unexpected way (there are other allowed ways, so this
isn't a vulnerability)
_29:fix for WebInterface index.html cache and slow DMZ login page loading
for some people, and possible memory leak for SFTP connections
_30:fix for SAML bug where the plugin's logging was disabled
_31:possible memory leak fix for certain sftp scenarios
_32:same as #31, different approach
_34:fix for dmz not responding with failed login response when the internal
server wouldn't even honor the request for bad logins (fake admin)
_35:fix for File VFS items instead of folder VFS items in the User
Manager
_37:10.5.5 release with three critical vulnerability fixes: Credit to: The
UK's National Cyber Security Centre (NCSC). Details will follow soon.
_40:fixed some missing variables in FTP responses
_41:fix for SFTP logins timing out
_42:implemented fix for multiple SFTP ports and race conditions for logins
being tied to the wrong server port
_43:fix for password encryption breaking the save button in the Jobs area
_44:fixes DMZ user issues
_45:updated SSH libraries to fix a library compatibility issue causing RSA
keys not to work for some people
_46:fix for password lookups with multiple User COnnection Groups
configured
_47:potential fix for AS2 MDN async responses
_48:removed SSH session timeouts as its already handled by the user idle
timeout of the User Manager (and this fixes bad SFTP clients)
New since CrushFTP 10.4.0_0 release:
New:
_0:released
_0:updated SFTP, SMB3, PGP libraries
_4:updated BouncyCastle libraries to latest 1.72 (used for PGP)
_5:changed how PGP encrypt/decrypt task works in a job for S3 locations to
avoid any rename situations and just output the actual file
_8:updated SFTP libraries to improve KEX compatibility
_9:AzureClient now attempts multiple retries in case there i a temporary
server issue, and added {0group}, {1gorup}, {group0} variables for user
info
_16:SMB3 library updated to latest with improved kerberos support
_19:finished support for SOCKS5 protocol support. user/pass auth, logging
flag, and protocol control in user manager
_22:major improvements to job info caching and job monitoring, flag to
disable job summary lookup on dashboard job_summary_on_dashboard
_24:removed some jars used for JMS, if you use JMS, you need to manually
re-add some jars to keep JMS support. This was required due to prior
vulnerabilities in the older JMS jars. See wiki.
_25:significantly sped up the Jobs viewer when dealing with thousands of
Jobs. Both in editing and saving jobs and in viewing prior run jobs
_32:added ability to do multiple jobs in testJobSchedule and
changeJobStatus
Fixes:
_0:new SMB3 library fixes issues with Amazon FSX servers
_1:fix for some Tectia SSH servers and outbound SFTP connections from
CrushFTP
_2:fix for ip restrictions and public key auth with SFTP
_3:2nd fix for ip restrictions and public key auth with SFTP
_6:fix for CopyTask bug with S3 locations and SFTP client not liking null
characters in folder names
_7:fix for CopyTask bug with S3 locations
_10:fix bug related to expire users inheriting from group user
_11:fix for jobs not running at their scheduled time when the system was too
overloaded with job schedules to process
_12:fixed bugs related to Move task with folder structures and being on the
same disk
_13:fixed bug with Move task when absolute paths had been used in Find
task
_14:fixed bug with Move task related to certain event scenarios
_15:fix for merged VFS items now showing when out of sync with SMB/SMB3
_16:fix for multi-threaded Move task handling folder creations
_17:fix for move task leaving behind folders when the source was a FTP
server location
_18:fix for WebInterface when using SQL user mode
_20:socks4/socks5 auth fixes
_21:fix for uploads failing with WebInterface
_22:fixes for search process with bad directories in the memCache
_23:fix for remote agentRegistration in a HA environment
_25:fix for broken java -jar CrushFTP.jar scenario due to a malformed
manifest.mf file. java -jar plugins/lib/CrushFTPJarProxy.jar was unaffected
and still worked fine
_26:fix for connection pooling in CrushTask/Jobs with Copy/move steps not
always doing pooling
_27:fixes for change password email delays
_28:minor SMB3 library update with some bug fixes
_29:fix for merged VFS download all items failing in certain scenarios
_30:socket usage improvements for Azure client protocol
_31:connections fixes for azure client
_33:rolled back JNQ SMB3 Library to prior version due to some connectivity
issues for a customers
_34:fixed merged VFS scenario where all VFS items had different root names
and zip download failed
_35:fix for failing dir listings caused by _34
_36:updated PGP supporting libraries to fix a PGP zipexception error on
decrypt
_37:fix for DMZ server not allowing uploads for local accounts (pass through
to internal was fine.)
New since CrushFTP 10.3.0_0 release:
New:
_0:released
_0:updated SSH libraries to support PUTTy v3 key type and support for ED448
key types
_5:added active_jobs_shutdown_wait_secs parameter to allow CrushFTP to wait
for jobs to finish before allowing a friendly service shutdown
_20:automatically disabled multi-segmented downloading when memory is low
_21:updated SFTP libraries to latest version
_21:fix for FTPES uploads to FZ servers because they complain bout TLS
closure and disagree with how java does it
_23:re-wrote the HTTPClient multi-segmented download handling to be more
memory safe
_25:updated sftp libraries to latest version
_26:updated SMB3 libraries which had various bug fixes (deadlocks and better
connection handling)
_28:validates SQL connections from the pool before using them for looking up
user info when using SQL mode
_29:added ability to reload keystores for internal and dmz by making a local
file 'reload_ssl'
_29:fix for a DOS related to password encryption, credit to Matt Moreschi
_31:updated JNQ SMB3 library with minor fixes
_33:triggers GarbageCollection before triggering low_memory level 3
alert...just in case memory really isn't that low
_35:added VFS items at login log line to help track VFS config in archived
logs
_36:changes default for sftp to not use sftp_transport_blocking to improve
compatibility
_37:updated SMB3 library for minor bug fixes
_43:added advanced list management capabilities to UserVariable task in
Jobs. See wiki CrushTask Functions
_44:allow deletion of read-only flagged files on SMB3...the same as Windows
SMB allows
_45:updated to final sftp library update
_46:updating users with updated expiration date/time is now asynchronous
_53:support for JKS sharing between cluster nodes with Let'sEncrypt
plugin.
_58:faster directory listings
_59:additional logging for CrushTask debugging
_61:added flags for 'ssh_client_*' in prefs.XML to control allowed ciphers,
kex, and macs
Fixes:
_1:new memory tracking algorithm for html transfers to better track and fix
memory consumption issues
_2:fix for delete on overwrite with similar named directory paths
_3:fix for slow memory creep when using multi segmented transfers through
DMZ and slow downloads
_4:fix for sftp rename bug
_6:fix for memory usage not being freed immediately when a multi segmented
download transfer fails.
_7:fix for failing sftp downloads
_8:fix for failing sftp downloads
_9:fix for FTPS/FTPES outbound connections potentially having a thread
leak
_10:fix for SFTP not honoring the lack of delete directory permission in
some scenarios
_11:fix for LDAP plugins not properly honoring group membership
_12:fix for thread leak when running CrushFTP as a SFTP proxy
_13:CrushTask multi-threading fixes for Delete task and error catching for
zip/copy tasks
_14:fix for DMZ UI not loading preferences
_15:fix for dmz memory usage for multi-segmented transfer downloads
_16:fix for dmz memory usage for multi-segmented transfer downloads
_17:fix for memory not being cleared quickly when an error is encountered on
file download
_18:fix for html5 memory usage on DMZ for slow downloads
_19:fix for failing dmz downloads created by build _17.
_21:fix for SCP doubling filename when renaming file
_22:rolled back SFTP libraries
_24:fix for non-serializable item getting into areas where it should not
have been
_27:fix for split_prefs and dmz servers for server_list items
_30:re-implemented window space control for SFTP to allow buggy JSCH
implementations to not crash
_32:fix for memory race condition when allowing multi-segmented chunks
download
_34:fix for job task item URL's loosing their final character
_37:fix for DMZ quota lookups
_38:updated sftp libraries for a fix for the 'paramiko' SFTP client
_39:rolled back sftp libraries..still has fix for paramiko, but not working
at high performance level for now
_40:rolled back sftp libraries to last known stable version...
_41:updated sftp libraries to a new stable version that protects against a
memory issue, and compatibility issues
_42:fix for Jobs loosing the path to items after their first copy was
performed
_44:fix for an admin bug causing deletion of all users, credit for Jean
Calvin Mugabo of Trustwave SpiderLabs
_47:fix for sharepoint VFS client
_48:fix for ignoring errors during a Move task
_49:fix for uploads not showing speed on dashboard
_50:added additional full disk protection for job scheduler
_51:fix for potential socket getting stuck in DMZv5 mode and all other
sockets stuck behind it.
_52:fix for limited admin and using @AutoHost on server ports
_54:honors the hidden flag on SMB/SMB3 servers now
_55:fixed bug with proxy protocol v1/v2 and SFTP server ports hanging
sometimes
_56:fix for routing connections through DMZ
_57:fix for SFTP public key auth with disabled user manager users
_58:fix for @AutoDomain limited administrators in the UserManager
_60:bug fix for overlapping settings config in CrushTask scenarios
_62:fixed issue where ssh_client_* parameters not used for Job configs (was
VFS only)
_63:fixed missing encrypted url support for SQL mode storage of user
configurations
_64:fix for items being lost for events when zipping on the fly with nested
folders
New since CrushFTP 10.2.0_0 release:
_0:released
_2:more efficient XML cache handling for user.XML loading
_3:more efficient FindTask execution by processing the filter while building
the lists of items
_4:added support for SAML sub names
_6:added control for user manager to set 2nd factor requirement.
_12:CSP (Content Security Policy) improvements and fixes to give better
scanning scores
_13:user session logs now capture session specific debug stack traces too
_14:SSH sessions track errors in user session logs now too
_15:support for zip on the fly MD5 calculations in logs
_17:added automated {heap_dump} capability and additional low memory alert
types
_20:DMZ will not start it server ports if the template user is missing or
invalid
_20:updated faster-xml jackson libraries to latest
_21:DMZ template user is auto generated on first DMZ start
_24:updated SSH libraries to support PUTTy v3 key type and support for ED448
key types
Fixes:
_1:fix for making servers slow if they happened to be missing
inheritance.XML or groups.XML as it attempted to search for them
_3:fix for Find task duplicating items when it runs in a loop waiting for
files to appear matching criteria
_7:fixes for special characters in filenames for azure
_8:added automatic fallback method for SMTP servers to fallback on TLS
versions in case they don't support more modern versions
_9:fixed issues with saml_assertion_subname to allow differentiating SAML
configurations
_10:fixes for WebInterface login page prepending a slash to usernames or not
functioning at all
_11:Carlo Di Dato and Francesco Gnocchi for Deloitte Risk Advisory Italy
discovered an XSS issue that has been fixed.
_12:fix for SMB3 and non existent file downloads
_14:fix for spaces in folder names when using certain admin controls
_16:fix for SFTP port counter growing when using proxy protocol v1/v2.
_16:fix for SAML not working when going through DMZ
_18:fix for scan_vfs_for_initial_listing flag causing problems for single
file share items
_19:added fix for same userid opening second session and overwriting file
that was in sue in the prior session
_20:fix for Azure password char encoding issue
_22:fix for sockets getting stuck in some scenarios with proxy protocol
v1
_23:fix for ascii PGP uploads getting a PGP trailer for size added on
them
New since CrushFTP 10.1.0 release:
_0:released
_0:CrushFTP v10 New Features
_1:added support for chacha20-poly1305@openssh.com cipher and
curve25519-sha2@libssh.org for KEX in SFTP
_1:Updated SFTP libraries to latest
_2:changed SFTP client to default to doing a "ls" command with blank value
instead of ".". Controlled by pref: sftpclient_ls_dot
_4:partial white labeling support
_5:implemented newer SMB3 library version with some additional bug fixes for
DFS
_8:log memory buffering improvements
_15:added new vfs bad config alert type
_16:added GROUPBY capability to CrushTask Jump
_22:added test keystore buttons for AS2 certificates and added SSH character
encodings to SFTP sessions control
_24:changed replication to sue path from the URL and not the entire URL
_25:updated SMB3 library to latest version
_33:added custom char encoding for outbound SFTP connections
_36:updated log4j library from 1.2.17 to v2.16 even though it was NOT
vulnerable. This is not a security patch, its just to appease security
departments.
_37:better public key validation when two factor is enabled (more compatible
with sftp clients)
_39:updated log4j libraries to 2.17 due to other issues which don't affect
CrushFTP...
_40:updated jars across various areas to more current versions
(letsencrypt,hadoop)
_41:added ecdsa and ed25519 server host key support for SFTP (defaults to
enabled)
_43:automatically remove invalid or dead linked events when saving a user
_46:updated log4j to 2.17.1 libraries
_47:added change phone option and OTP valid for X days
_48:logging improvements for alerts
_49:added faster native md5sum calculations on file transfers
_50:changed update idle behavior to update DMZ first, then update main, and
updated log4j to 2.17.1 to appease organizations that don't understand its
usage in CrushFTP
_51:faster Windows UNC dir listings and added created time for listings on
FILE:// locations in WebInterface
_52:end user ability to subscribe to
reverse event notifications.
_56:added ability to do dual banning mode for hammering passwords, first by
username, then by IP. Separate dual mode items with comma.
_58:added password blacklist file support
_59:added additional login frequency failure alert info
_62:updated PGP libraries for additional key compatibility
_65:new build of Let'sEncrypt plugin with improved handling of errors
_66:updated SMB3:// libraries with JNQ
_67:ldap cache now applies to users and groups
_70:added performance metrics checking for quotaWorker at startup to reduce
server load
_71:improved thread dumps for HTML5Downlaod transfers
_73:added support for rename overwrite to HTTPClient to help with
multi_journal
_75:fix for Citrix LoadBalancers not knowing how to properly do
ProxyProtocolV1 so CrushFTP has to do magic to make the proxy header come
through for SFTP
_77:speed improvements for Azure and storage class controls for S3
_79:memory usage throttling for segmented downloads improved
_82:updated SMB3:// libraries to use the latest version.
Fixes:
_2:fixes for OneDrive VFS protocol
_3:fix for AzureClient
_6:fix for async quota using a lot of CPU
_7:fixes for async quota and parent quota dir configurations
_9:fix for incorrect s3 listings under simultaneous listings from multiple
clients
_10:fix for restart bug on Windows where service did not auto restart (since
build_4 roughly)
_11:fix for sending dmz logs to internal server sometimes stopping
_12:fix for SMB DFS, to keep it enabled if its ever toggled enabled
_13:SMB DFS defaults to enabled for "smb://" protocol now.
_14:fix for PGP encrypt job not detecting failures correctly and zip/unzip
tasks not handling dfs_enabled flags.
_16:XSS mitigation for user manager admin accounts
_17:fix for rename failures with SMB and PGP task, attempts a copy/delete
source if encountered
_18:faster failures through DMZ for bad VFS configurations
_20:fixes for http errors being relayed to CrushClient
_21:fixes for async quota calculations and logging more information
_22:fixes for quota results through DMZ
_23:fix for AS2 incoming issues due to BouncyCastle jar updates
_24:fix for AS2 sends to HTTP URLs (only HTTPS) were allowed
_25:fixed VFS replication URLs to only look at the path of the URL and not
compare entire URL
_26:fix for Radius not working due to missing old library from
BouncyCastle
_27:fix for login failures
_28:fix for generating SSL keystores not working due to missing old library
from BouncyCastle
_29:fix for broken share by reference in certain scenarios
_30:fix for cached time stamps on newly uploaded files via SFTP
_31:fix for TEXT mode in SFTP v4 clients
_32:additional support for custom runtime system properties (proxy for
updating, etc)
_34:fix for outbound ftp client connections in active mode
_35:fix for thread leak in outbound ftp client connections
_38:fix for LetsEncrypt and log4j issues due to missing jars
_40:fix for out of sync md5 hashes for CrushClient uploads across multiple
threads
_40:fix for viewing recent jobs on a server that has a different time zone
than the browser
_42:fixed bug with UI not showing ecdsa and ed25519 keys were enabled when
they were (enabled by default)
_44:fix for MicrosoftMail being more restrictive on Content-Type headers
_45:fix for events being deleted when editing a user
_48:fix for alerts being triggered on hack usernames
_53:fix for FTP downloads with zip on the fly
_54:fix for download as zip when going through DMZ and using segmented
downloads
_55:fix for subdir quotas with async_quota enabled
_57:fixes for variable replacements in alerts
_58:fix for OTP validation
_60:fixes for alerts on login frequency
_61:fix for update when idle for DMZ
_62:fix for AS2 jobs getting stuck
_63:fix for PGP private keys for decryption failing
_64:re-published fix for AS2 jobs getting stuck as build _62 did not publish
correctly
_66:fix for SAML XML signing order of the Signature tag being before the
Issuer tag
_67:fix for html5 transfer memory leak in specific scenarios
_68:fix for additional html5 download memory leak
_69:fixes for missing username in some alerts and missing failed port
startup log entries
_72:updated SFTP libraries to fix compatibility with Azure SFTP server
_73:fixes for Azure client being too slow to handle quick uploads
_74:fix for case insensitive CSRF token
_76:fix for plugin based logins not functioning
_78:fix for proxy protocol v1/v2 with SSL ports
_80:fixes for Find task logging and logic for skipping 2nd listing, and fix
for memory issues in segmented downloads through the DMZ
_81:fix for alerts triggered in DMZ and relayed through internal server
_82:fix for ed25519 keys getting auto enabled, and for tomorrow date
variable being yesterday instead
_82:fix for replicated servers and multiple users writing group and
inheritance changes at the same time.