VanDyke Software

VShell Server History

      VShell(R) Server 4.8.1 (Official) -- February 7, 2023

         Copyright (C) 1995-2023 VanDyke Software, Inc.
                    All rights reserved.

This file contains a VShell product history.  It includes lists
of new features, changes, and bug fixes sorted by release.  For a
product description, installation notes, registration, and contact
information, please refer to readme.txt (downloaded with this

Changes in VShell 4.8.1 (Official) -- February 7, 2023

Bug fixes:

  - Under certain scenarios, when VShell was running with a license 
    that included a "Features" field and a user subconfiguration was 
    configured, VShell could crash when a user connected to the server.

  - When VShell was configured to load a subconfiguration and the 
    server was processing a large number of parallel connections, 
    VShell could crash.

  - HTTPS: The server could leak memory when performing directory 

  - Windows: When RADIUS authentication was used and there was latency 
    between the VShell host and the RADIUS server, a crash could occur.

  - Windows: VShell could crash when it failed to do a user lookup 
    while responding to a WMI processing request.

Changes in VShell 4.8 (Official) -- November 3, 2022

Vulnerabilities addressed:

  - Windows: Using a brute-force attack, it may be possible to crack
    sensitive data such as passwords stored in the VShell configuration
    in a relatively short amount of time.  Direct access to the
    configuration by a user with Administrator privileges is required
    in order to exploit this vulnerability.

Bug fixes:

  - Windows: On certain systems, when Windows is configured with 
    additional protection for the Local Security Authority (LSA) 
    process using the RunAsPPL option, public-key authentication via 
    the LSA module could fail.

Changes in VShell 4.8 (Beta 5) -- October 25, 2022


  - HTTPS: Cookies now have the "SameSite" attribute set to "strict".

  - Windows: Allow the use of ssh-rsa and ssh-dss algorithms for
    signature verification when FIPS mode is enabled.

Bug fixes:

  - Command-line tools: If the host key algorithm preference list was 
    specified on the command line, the algorithm order would not always 
    be honored.

  - Windows: When exporting the VShell configuration, the operation 
    could take an abnormally long amount of time.

  - Windows: If the server's host key was configured to use both an 
    X.509 certificate and a public/private-key pair for the equivalent 
    algorithm (e.g., RSA certificate and RSA key pair), and the X.509 
    certificate was loaded first, the public/private-key pair would not 
    be loaded.

  - Windows: When starting the VShell Control Panel after installing on 
    a new system, a prompt to migrate an existing configuration may have 
    been displayed.

  - Mac: When the arm64 *.pkg installers were used on a macOS M1 native
    system, they would incorrectly prompt to install Rosetta on the 

Changes in VShell 4.8 (Beta 4) -- September 29, 2022

Bug fixes:

  - Windows: In some cases, if a STAT operation failed on a file 
    within a remote SFTP Virtual Root, VShell could crash.

  - Windows: The "Environment variable filters" list would be reset 
    to the default value when the VShell Control Panel was started.

Changes in VShell 4.8 (Beta 3) -- August 16, 2022

Bug fixes:

  - Windows: The Help search tab did not work.

Changes in VShell 4.8 (Beta 2) -- July 19, 2022


  - Windows: Enabled Microsoft's Control Flow Guard option.

  - Linux/Mac: Changed hostname resolution to be non-blocking.

Bug fixes:

  - Windows, HTTPS: When connected to the VShell User Web Interface, 
    refreshing the file listing may have resulted in a JavaScript 
    error displayed in the web browser's console view.

Changes in VShell 4.8 (Beta 1) -- June 28, 2022

New features:

  - Added a new trigger type that fires when a user fails to connect 
    either because no virtual roots are specified or no virtual root 
    paths are available.

  - Added support for a new trigger variable that returns the short
    (not fully qualified) username.

  - SSH2: Added support for using the x509v3-rsa2048-sha256 algorithm 
    for authentication (RFC 6187).

  - Windows: A new option on the VShell Control Panel allows the debug 
    logging level to be set when Debug logging is enabled.

  - Windows: A new button on the VShell Control Panel opens a File 
    Explorer window to the log file folder.

  - Windows: Dialogs for triggers now include a button that opens a
    help page with examples of trigger substitution variable usage.

  - Windows, SSH2: Added support for using x509v3-ecdsa-sha2* 
    algorithms from RFC 6187 for keys in the CAPI store and as raw 
    SSH2 keys.

  - Windows, SSH2: Added support for using rsa-sha2-256 and rsa-sha2-512 
    public-key algorithms as raw keys for CAPI certificates (RFC 8332).


  - FTPS, HTTPS: Disabled weak TLS cipher suites DES, 3DES, IDEA, and 

  - FTPS, HTTPS: Updated the message that is logged reporting the 
    available Cipher and MAC algorithms.

  - Windows: On Add/Edit Trigger dialogs, text showing substitution 
    variables can now be copied and pasted.

  - Windows, SSH2: The "Use Kerberos protocol transition" option is
    now enabled by default.

  - Windows, SSH2: During public-key authentication, if Kerberos 
    Protocol Transition (KPT) fails because the user does not have a 
    UPN formatted name configured, subsequent authentication attempts
    for that user will not use KPT until VShell has been restarted.

  - Windows, SSH2: When in debug mode, lines are now logged to
    indicate the server's available SSH2 algorithms.

  - Linux: On Ubuntu, VShell now uses systemd for daemon start/stop

Bug fixes:

  - Windows: If a "File added to folder" trigger was configured, it
    may not have fired if a file was added to the watched folder at 
    the same time that a configuration change was made. 

  - Windows: If a "File added to folder" trigger was in use and the
    watched folder became unavailable, the VShell service/daemon had
    to be restarted afrer the folder became available again in order 
    to re-establish the watch.

  - Windows: When VShellConfig was supplied with an empty filename, it 
    would go into interactive mode rather than displaying an error.

  - Windows, SSH2: When multiple VShell services were started on the 
    same server, some of the services may have failed to load the 
    primes file.

  - Linux/Mac: When the Public-Key Assistant was used to upload a key to 
    VShell, the target directory was created as the user running the 
    VShell daemon.

  - Linux: When installing VShell on Ubuntu, several update-rc.d 
    warnings would be reported.