VShell(R) Server 4.8.1 (Official) -- February 7, 2023
Copyright (C) 1995-2023 VanDyke Software, Inc.
All rights reserved.
This file contains a VShell product history. It includes lists
of new features, changes, and bug fixes sorted by release. For a
product description, installation notes, registration, and contact
information, please refer to readme.txt (downloaded with this
package).
Changes in VShell 4.8.1 (Official) -- February 7, 2023
------------------------------------------------------
Bug fixes:
- Under certain scenarios, when VShell was running with a license
that included a "Features" field and a user subconfiguration was
configured, VShell could crash when a user connected to the server.
- When VShell was configured to load a subconfiguration and the
server was processing a large number of parallel connections,
VShell could crash.
- HTTPS: The server could leak memory when performing directory
listings.
- Windows: When RADIUS authentication was used and there was latency
between the VShell host and the RADIUS server, a crash could occur.
- Windows: VShell could crash when it failed to do a user lookup
while responding to a WMI processing request.
Changes in VShell 4.8 (Official) -- November 3, 2022
----------------------------------------------------
Vulnerabilities addressed:
- Windows: Using a brute-force attack, it may be possible to crack
sensitive data such as passwords stored in the VShell configuration
in a relatively short amount of time. Direct access to the
configuration by a user with Administrator privileges is required
in order to exploit this vulnerability.
Bug fixes:
- Windows: On certain systems, when Windows is configured with
additional protection for the Local Security Authority (LSA)
process using the RunAsPPL option, public-key authentication via
the LSA module could fail.
Changes in VShell 4.8 (Beta 5) -- October 25, 2022
--------------------------------------------------
Changes:
- HTTPS: Cookies now have the "SameSite" attribute set to "strict".
- Windows: Allow the use of ssh-rsa and ssh-dss algorithms for
signature verification when FIPS mode is enabled.
Bug fixes:
- Command-line tools: If the host key algorithm preference list was
specified on the command line, the algorithm order would not always
be honored.
- Windows: When exporting the VShell configuration, the operation
could take an abnormally long amount of time.
- Windows: If the server's host key was configured to use both an
X.509 certificate and a public/private-key pair for the equivalent
algorithm (e.g., RSA certificate and RSA key pair), and the X.509
certificate was loaded first, the public/private-key pair would not
be loaded.
- Windows: When starting the VShell Control Panel after installing on
a new system, a prompt to migrate an existing configuration may have
been displayed.
- Mac: When the arm64 *.pkg installers were used on a macOS M1 native
system, they would incorrectly prompt to install Rosetta on the
system.
Changes in VShell 4.8 (Beta 4) -- September 29, 2022
----------------------------------------------------
Bug fixes:
- Windows: In some cases, if a STAT operation failed on a file
within a remote SFTP Virtual Root, VShell could crash.
- Windows: The "Environment variable filters" list would be reset
to the default value when the VShell Control Panel was started.
Changes in VShell 4.8 (Beta 3) -- August 16, 2022
-------------------------------------------------
Bug fixes:
- Windows: The Help search tab did not work.
Changes in VShell 4.8 (Beta 2) -- July 19, 2022
-----------------------------------------------
Changes:
- Windows: Enabled Microsoft's Control Flow Guard option.
- Linux/Mac: Changed hostname resolution to be non-blocking.
Bug fixes:
- Windows, HTTPS: When connected to the VShell User Web Interface,
refreshing the file listing may have resulted in a JavaScript
error displayed in the web browser's console view.
Changes in VShell 4.8 (Beta 1) -- June 28, 2022
-----------------------------------------------
New features:
- Added a new trigger type that fires when a user fails to connect
either because no virtual roots are specified or no virtual root
paths are available.
- Added support for a new trigger variable that returns the short
(not fully qualified) username.
- SSH2: Added support for using the x509v3-rsa2048-sha256 algorithm
for authentication (RFC 6187).
- Windows: A new option on the VShell Control Panel allows the debug
logging level to be set when Debug logging is enabled.
- Windows: A new button on the VShell Control Panel opens a File
Explorer window to the log file folder.
- Windows: Dialogs for triggers now include a button that opens a
help page with examples of trigger substitution variable usage.
- Windows, SSH2: Added support for using x509v3-ecdsa-sha2*
algorithms from RFC 6187 for keys in the CAPI store and as raw
SSH2 keys.
- Windows, SSH2: Added support for using rsa-sha2-256 and rsa-sha2-512
public-key algorithms as raw keys for CAPI certificates (RFC 8332).
Changes:
- FTPS, HTTPS: Disabled weak TLS cipher suites DES, 3DES, IDEA, and
RC2.
- FTPS, HTTPS: Updated the message that is logged reporting the
available Cipher and MAC algorithms.
- Windows: On Add/Edit Trigger dialogs, text showing substitution
variables can now be copied and pasted.
- Windows, SSH2: The "Use Kerberos protocol transition" option is
now enabled by default.
- Windows, SSH2: During public-key authentication, if Kerberos
Protocol Transition (KPT) fails because the user does not have a
UPN formatted name configured, subsequent authentication attempts
for that user will not use KPT until VShell has been restarted.
- Windows, SSH2: When in debug mode, lines are now logged to
indicate the server's available SSH2 algorithms.
- Linux: On Ubuntu, VShell now uses systemd for daemon start/stop
actions.
Bug fixes:
- Windows: If a "File added to folder" trigger was configured, it
may not have fired if a file was added to the watched folder at
the same time that a configuration change was made.
- Windows: If a "File added to folder" trigger was in use and the
watched folder became unavailable, the VShell service/daemon had
to be restarted afrer the folder became available again in order
to re-establish the watch.
- Windows: When VShellConfig was supplied with an empty filename, it
would go into interactive mode rather than displaying an error.
- Windows, SSH2: When multiple VShell services were started on the
same server, some of the services may have failed to load the
primes file.
- Linux/Mac: When the Public-Key Assistant was used to upload a key to
VShell, the target directory was created as the user running the
VShell daemon.
- Linux: When installing VShell on Ubuntu, several update-rc.d
warnings would be reported.
