RELEASE_NOTES
1.3.9 Release Notes
------------------------

  This file contains a description of the major changes to ProFTPD for the
  1.3.9 release cycle, from the 1.3.9rc1 release to the 1.3.9 maintenance
  releases. More information on these changes can be found in the NEWS and
  ChangeLog files.

1.3.9rc3
---------

  + Clear the daemon process's supplemental groups, leaving only the primary
    GID (Issue #1836)

  + New Directives

      SFTPAuthPublicKeys (Issue #1806)

  + Changed Directives

      SFTPExtensions limits (Issue #1798)

1.3.9rc2
---------

  + Implemented SSH mitigations for the "Terrapin" SSH attack (CVE-2023-48795).

  + Fixed compiling of 3rd party modules whose names match very specific
    regular expression patterns.

  + Changed Directives

      SFTPOptions NoStrictKex
        By default, mod_sftp uses a "strict KEX" mode as a mitigation for the
        "Terrapin" SSH attack (CVE-2023-48795). Use of this strict mode
        may unexpectedly cause interoperability issues; this new SFTPOption
        can be used to disable this mode if necessary. See
        doc/contrib/mod_sftp.html#SFTPOptions for more.
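Because NoStrictKex silently turns the Terrapin mitigation off, it is worth being able to verify from the outside whether a server is still running in strict mode. The following probe is an added example, not ProFTPD or mod_sftp code: it performs only the cleartext SSH identification exchange, reads the server's SSH_MSG_KEXINIT, and reports whether the kex_algorithms list carries the OpenSSH strict-KEX marker `kex-strict-s-v00@openssh.com` (the marker name is OpenSSH's; that mod_sftp signals strict mode the same way is an assumption made here so that OpenSSH clients can interoperate). The host and port in the `__main__` section are placeholders, and `sample_kexinit` builds constructed sample payloads so the parser can be exercised offline.

```python
"""Report whether an SSH/SFTP server advertises strict key exchange.

Added example, not ProFTPD code. Speaks only the cleartext SSH prelude
(RFC 4253): identification strings and the server's SSH_MSG_KEXINIT.
"""
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20
# OpenSSH strict-KEX marker a *server* lists in kex_algorithms (the
# Terrapin, CVE-2023-48795, mitigation); clients use the -c- variant.
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
# The ten KEXINIT name-lists, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s",
                  "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def parse_name_list(buf, off):
    """Decode one SSH name-list: uint32 length, then comma-separated ASCII."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return (raw.decode("ascii").split(",") if n else []), off + n


def parse_kexinit(payload):
    """Parse byte 20, 16-byte cookie, ten name-lists, first_kex_packet_follows."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 1 + 16, {}
    for field in KEXINIT_FIELDS:
        out[field], off = parse_name_list(payload, off)
    out["first_kex_packet_follows"] = bool(payload[off])
    return out


def build_kexinit(lists, cookie=bytes(16)):
    """Encode a KEXINIT payload from ten name-lists (for constructed samples)."""
    if len(lists) != len(KEXINIT_FIELDS):
        raise ValueError("KEXINIT needs exactly ten name-lists")
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in lists:
        raw = ",".join(names).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + struct.pack(">I", 0)


def sample_kexinit(kex_algs):
    """Constructed server KEXINIT carrying the given kex_algorithms (sample data)."""
    return build_kexinit([kex_algs, ["ssh-ed25519", "rsa-sha2-256"],
                          ["aes256-ctr"], ["aes256-ctr"], ["hmac-sha2-256"],
                          ["hmac-sha2-256"], ["none"], ["none"], [], []])


def strict_kex_advertised(kexinit):
    """True when the parsed server KEXINIT carries the strict-KEX marker."""
    return STRICT_KEX_SERVER in kexinit["kex"]


def recv_exact(sock, n):
    """Read exactly n bytes from the socket or raise."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed by peer")
        buf += chunk
    return buf


def read_line(sock):
    """Read one LF-terminated line byte by byte, so nothing past it is consumed."""
    line = b""
    while not line.endswith(b"\n"):
        line += recv_exact(sock, 1)
    return line


def read_packet(sock):
    """Return the payload of one unencrypted binary packet (RFC 4253 section 6)."""
    (packet_len,) = struct.unpack(">I", recv_exact(sock, 4))
    body = recv_exact(sock, packet_len)  # padding_length, payload, padding
    return body[1:packet_len - body[0]]


def check_server(host, port=22, timeout=5.0):
    """Connect, exchange identification strings, return the parsed server KEXINIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        line = read_line(sock)
        while not line.startswith(b"SSH-"):  # servers may send banner lines first
            line = read_line(sock)
        sock.sendall(b"SSH-2.0-kexinit_probe_0.1\r\n")
        for _ in range(3):  # tolerate a stray packet ahead of KEXINIT
            payload = read_packet(sock)
            if payload and payload[0] == SSH_MSG_KEXINIT:
                info = parse_kexinit(payload)
                info["server_id"] = line.strip().decode("ascii", "replace")
                return info
    raise ValueError("server did not send SSH_MSG_KEXINIT")


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "sftp.example.test"  # placeholder
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 2222  # placeholder
    info = check_server(host, port)
    print(info["server_id"], "strict KEX advertised:", strict_kex_advertised(info))
```

Run it against a mod_sftp listener after any SFTPOptions change; a server reporting `strict KEX advertised: False` is either configured with NoStrictKex or predates the rc2 mitigation, and either way should be treated as exposed to the downgrade the mitigation exists to prevent.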
1.3.9rc1
---------

  + Clients are disconnected if there is an error adding them to the
    ScoreboardFile. Previously, such errors were logged, but the session
    was allowed to continue.

  + Implemented the "[email protected]" SSH cipher algorithm.

  + Implemented support for OpenSSH FIDO security keys in mod_sftp.

  + The mod_auth_otp module now requires per-user entries in its tables
    by default. This is a change from previous versions, in which such
    per-user entries were optional.

  + New Directives

      IfSessionOptions PerUnauthenticatedUser
        The mod_ifsession module only applies its user/group-specific
        configurations after the client has authenticated itself. Some
        sites, however, may wish for user-specific configurations to be
        applied based on the unauthenticated username supplied by the client,
        such as in cases where the conditional configuration in question will
        affect the authentication process. The new PerUnauthenticatedUser
        IfSessionOption can be used to achieve this; see
        doc/contrib/mod_ifsession.html#IfSessionOptions for more.

      ScoreboardOptions AllowMissingEntry
        Clients are now disconnected if they cannot be added to the
        ScoreboardFile. Some sites may require the previous behavior; use
        this new AllowMissingEntry ScoreboardOption to do so. See
        doc/modules/mod_core.html#ScoreboardOptions for more information.

  + Changed Directives

      AuthOTPOptions OptionalTableEntry
        Now that the mod_auth_otp module requires an entry for each user,
        sites may need to re-enable the previous opt-in behavior. Use the
        OptionalTableEntry AuthOTPOption for this. Read
        doc/contrib/mod_auth_otp.html#AuthOTPOptions for details.

      DelayOnEvent Connect
        The DelayOnEvent directive can now be used to inject randomized
        delays, "jitter", at the start of a session. This can be used to
        spread out the processing of a large number of connections that
        occur at the same time, such as on a schedule/cron. See
        doc/modules/mod_delay.html#DelayOnEvent for details.

      ExtendedLog SEC class
        SSH key exchange requests are now classified as "security" related
        messages, and thus are logged in ExtendedLog configurations that use
        the SEC logging class.

      LDAPDefaultGID, LDAPDefaultUID Auto
        Retrieving the UID, GID to use for users configured in Active Directory
        domains, based on the default/expected attributes, is not always
        possible. In such cases, the new "Auto" value for the default UID,
        GID to use by mod_ldap allows for retrieving the actual UID, GID
        by system user lookup, which is handled for AD domains by the special
        `sssd` program, for example.

      LogFormat %{transfer-speed}
        The LogFormat directive now supports a variable, %{transfer-speed},
        for logging the average data transfer speed.

      SFTPCiphers [email protected]
        The mod_sftp module now implements OpenSSH's
        "[email protected]" algorithm.

      SFTPExtensions userGroupNames
        The mod_sftp module supports the custom OpenSSH
        "users-groups-by-id@openssh.com" SFTP extension, used to retrieve
        the textual user/group names for given lists of UIDs, GIDs.

      SFTPOptions FIDOTouchRequired FIDOVerifyRequired
        OpenSSH FIDO security keys, such as YubiKeys, are now supported
        for SSH authentication by the mod_sftp module. These keys allow
        for policies such as proof of user presence, and/or proof of user
        verification. These new SFTPOptions can be used to configure your
        site policies for such keys; see doc/contrib/mod_sftp.html#SFTPOptions
        for more information.

  + Developer Notes

      Removed the unused `pr_ctrls_parse_msg` Controls API function.