VShell(R) Server 4.8.1 (Official) -- February 7, 2023 Copyright (C) 1995-2023 VanDyke Software, Inc. All rights reserved. This file contains a VShell product history. It includes lists of new features, changes, and bug fixes sorted by release. For a product description, installation notes, registration, and contact information, please refer to readme.txt (downloaded with this package). Changes in VShell 4.8.1 (Official) -- February 7, 2023 ------------------------------------------------------ Bug fixes: - Under certain scenarios, when VShell was running with a license that included a "Features" field and a user subconfiguration was configured, VShell could crash when a user connected to the server. - When VShell was configured to load a subconfiguration and the server was processing a large number of parallel connections, VShell could crash. - HTTPS: The server could leak memory when performing directory listings. - Windows: When RADIUS authentication was used and there was latency between the VShell host and the RADIUS server, a crash could occur. - Windows: VShell could crash when it failed to do a user lookup while responding to a WMI processing request. Changes in VShell 4.8 (Official) -- November 3, 2022 ---------------------------------------------------- Vulnerabilities addressed: - Windows: Using a brute-force attack, it may be possible to crack sensitive data such as passwords stored in the VShell configuration in a relatively short amount of time. Direct access to the configuration by a user with Administrator privileges is required in order to exploit this vulnerability. Bug fixes: - Windows: On certain systems, when Windows is configured with additional protection for the Local Security Authority (LSA) process using the RunAsPPL option, public-key authentication via the LSA module could fail. Changes in VShell 4.8 (Beta 5) -- October 25, 2022 -------------------------------------------------- Changes: - HTTPS: Cookies now have the "SameSite" attribute set to "strict". - Windows: Allow the use of ssh-rsa and ssh-dss algorithms for signature verification when FIPS mode is enabled. Bug fixes: - Command-line tools: If the host key algorithm preference list was specified on the command line, the algorithm order would not always be honored. - Windows: When exporting the VShell configuration, the operation could take an abnormally long amount of time. - Windows: If the server's host key was configured to use both an X.509 certificate and a public/private-key pair for the equivalent algorithm (e.g., RSA certificate and RSA key pair), and the X.509 certificate was loaded first, the public/private-key pair would not be loaded. - Windows: When starting the VShell Control Panel after installing on a new system, a prompt to migrate an existing configuration may have been displayed. - Mac: When the arm64 *.pkg installers were used on a macOS M1 native system, they would incorrectly prompt to install Rosetta on the system. Changes in VShell 4.8 (Beta 4) -- September 29, 2022 ---------------------------------------------------- Bug fixes: - Windows: In some cases, if a STAT operation failed on a file within a remote SFTP Virtual Root, VShell could crash. - Windows: The "Environment variable filters" list would be reset to the default value when the VShell Control Panel was started. Changes in VShell 4.8 (Beta 3) -- August 16, 2022 ------------------------------------------------- Bug fixes: - Windows: The Help search tab did not work. Changes in VShell 4.8 (Beta 2) -- July 19, 2022 ----------------------------------------------- Changes: - Windows: Enabled Microsoft's Control Flow Guard option. - Linux/Mac: Changed hostname resolution to be non-blocking. Bug fixes: - Windows, HTTPS: When connected to the VShell User Web Interface, refreshing the file listing may have resulted in a JavaScript error displayed in the web browser's console view. Changes in VShell 4.8 (Beta 1) -- June 28, 2022 ----------------------------------------------- New features: - Added a new trigger type that fires when a user fails to connect either because no virtual roots are specified or no virtual root paths are available. - Added support for a new trigger variable that returns the short (not fully qualified) username. - SSH2: Added support for using the x509v3-rsa2048-sha256 algorithm for authentication (RFC 6187). - Windows: A new option on the VShell Control Panel allows the debug logging level to be set when Debug logging is enabled. - Windows: A new button on the VShell Control Panel opens a File Explorer window to the log file folder. - Windows: Dialogs for triggers now include a button that opens a help page with examples of trigger substitution variable usage. - Windows, SSH2: Added support for using x509v3-ecdsa-sha2* algorithms from RFC 6187 for keys in the CAPI store and as raw SSH2 keys. - Windows, SSH2: Added support for using rsa-sha2-256 and rsa-sha2-512 public-key algorithms as raw keys for CAPI certificates (RFC 8332). Changes: - FTPS, HTTPS: Disabled weak TLS cipher suites DES, 3DES, IDEA, and RC2. - FTPS, HTTPS: Updated the message that is logged reporting the available Cipher and MAC algorithms. - Windows: On Add/Edit Trigger dialogs, text showing substitution variables can now be copied and pasted. - Windows, SSH2: The "Use Kerberos protocol transition" option is now enabled by default. - Windows, SSH2: During public-key authentication, if Kerberos Protocol Transition (KPT) fails because the user does not have a UPN formatted name configured, subsequent authentication attempts for that user will not use KPT until VShell has been restarted. - Windows, SSH2: When in debug mode, lines are now logged to indicate the server's available SSH2 algorithms. - Linux: On Ubuntu, VShell now uses systemd for daemon start/stop actions. Bug fixes: - Windows: If a "File added to folder" trigger was configured, it may not have fired if a file was added to the watched folder at the same time that a configuration change was made. - Windows: If a "File added to folder" trigger was in use and the watched folder became unavailable, the VShell service/daemon had to be restarted afrer the folder became available again in order to re-establish the watch. - Windows: When VShellConfig was supplied with an empty filename, it would go into interactive mode rather than displaying an error. - Windows, SSH2: When multiple VShell services were started on the same server, some of the services may have failed to load the primes file. - Linux/Mac: When the Public-Key Assistant was used to upload a key to VShell, the target directory was created as the user running the VShell daemon. - Linux: When installing VShell on Ubuntu, several update-rc.d warnings would be reported.