VShell(R) Server 4.9.6 (Official) -- December 11, 2025
Copyright (C) 1995-2025 VanDyke Software, Inc.
All rights reserved.
This file contains a VShell product history. It includes lists
of new features, changes, and bug fixes sorted by release. For a
product description, installation notes, registration, and contact
information, please refer to readme.txt (downloaded with this
package).
Changes in VShell 4.9.6 (Official) -- December 11, 2025
-------------------------------------------------------
Bug fixes:
- In rare cases, in environments with heavy traffic and either
a large number of triggers or multiple VanDyke servers running,
trigger logging could be delayed and the servers could hang
during shutdown.
- Windows: When there were a large number of virtual roots,
adding/removing a user or group to/from a root could cause the
VShell Control Panel to temporarily stop responding.
Changes in VShell 4.9.5 (Official) -- April 8, 2025
----------------------------------------------------
New feature:
- Added support for Windows Server 2025.
Change:
- The "Session Channel Maximum Packet" option can now be set
to a maximum of 256K. This allows clients to use a larger
packet size than the 32K default, which may result in improved
transfer speeds.
Changes in VShell 4.9.4 (Official) -- December 5, 2024
------------------------------------------------------
Bug fixes:
- FTPS, HTTPS: Under rare circumstances, when requesting a buffer
for new data, the length of the buffer could have been calculated
incorrectly, resulting in a crash.
- Windows: If a client specified a UPN-formatted username (i.e.,
user@domain) that could not be translated on the remote system,
VShell would use an empty username for logging and authentication.
- Windows: If Kerberos (gssapi-keyex) was used for the key-exchange
method and an invalid username was specified in UPN format (i.e.,
user@host), the username derived from the GSSAPI credentials would
be used for authentication.
Changes in VShell 4.9.3 (Official) -- September 17, 2024
--------------------------------------------------------
Change:
- HTTPS: Download speeds were improved by increasing the read
buffer size.
Bug fix:
- SSH2: When the "Strict KEX" key-exchange extension was negotiated,
if a SSH_MSG_IGNORE or SSH_MSG_DEBUG message was received during
key re-exchange, VShell would mistakenly disconnect the client.
Changes in VShell 4.9.2 (Official) -- February 27, 2024
-------------------------------------------------------
Vulnerability fix:
- Mac: VShell now includes OpenSSL version 3.0.13, which addresses
CVE-2023-5363, CVE-2023-5678, CVE-2023-6129, and CVE-2024-0727.
Bug fix:
- When the AllowSHA-1AlgorithmsForRSAKeys option was enabled in a
subconfiguration, RSA SHA-1 keys were not allowed for public-key
authentication.
Changes in VShell 4.9.1 (Official) -- December 19, 2023
-------------------------------------------------------
Vulnerability fix:
- SSH2: For some algorithms, an attacker can manipulate the packets
sent during key exchange to cause some packets to be removed, which
compromises channel integrity. A "Strict KEX" extension was
implemented to address this vulnerability (CVE-2023-48795).
In order to use the "Strict KEX" extension, the extension must be
supported by both the client and the server.
New feature:
- Windows: SFTP Virtual Roots can now be used to connect to an
Azure Blob SFTP server.
Change:
- Windows: The Short Thread Pool Size maximum value has been
increased to 2048, and the default (minimum) value increased to
the larger of 16 or 4 times the number of logical processors.
Bug fix:
- Windows: When a user disconnects and that user's profile was not
loaded during the initial connection, VShell will no longer
attempt to enumerate network resources that may have been opened
during profile loading, potentially causing a slowdown.
Changes in VShell 4.9 (Official) -- June 8, 2023
------------------------------------------------
No changes.
Changes in VShell 4.9 (Beta 3) -- May 2, 2023
---------------------------------------------
Bug fixes:
- Windows: When VShell was configured to authenticate against an
LDAP server and an incoming connection loaded a subconfiguration,
VShell could crash.
- Windows: HTTPS: If an unusually long error was displayed when a
user attempted to log in, the login page elements may have become
misaligned and possibly truncated.
Changes in VShell 4.9 (Beta 2) -- April 13, 2023
------------------------------------------------
Bug fix:
- If the deny hosts feature was enabled and the deny hosts file
was accessed from multiple threads simultaneously, VShell could
crash.
Changes in VShell 4.9 (Beta 1) -- March 28, 2023
------------------------------------------------
New features:
- Windows: SFTP Virtual Roots now support public-key authentication.
- Windows: Added support for using x509v3-ecdsa-sha2* algorithms
from RFC 6187 for keys stored in a .pfx or .p12 file.
- Windows: A user's access to a virtual root folder can be tested
using a button on the VShell Control Panel.
- Windows: Internal user database system user credentials can now
be tested using a button on the VShell Control Panel.
- Windows: FTPS, HTTPS: Improved support for TLS, including
the enabling of TLS 1.3 on Windows Server 2022 and Windows 11.
Changes:
- For public-key authentication attempts, the bit size of the key
received from the client is now logged.
- The version and serial number are now logged in an info message
rather than a debug message.
- SSH2: A new option lets the VShell administrator limit the number
of channels allowed per SSH2 transport.
- HTTPS: The jQuery UI plugin was updated to 1.13.2.
- Windows: The VShell Control Panel is now resizable.
- Windows: The VShell Monitor now "remembers" any changes made to
its column widths and overall size.
- Windows: When configuring public-key authentication for an SFTP
file transfer trigger or an SFTP virtual root, the public-key
fingerprint can now be displayed in several formats.
- Windows: The VShell Control Panel now displays a warning when the
system account for the user database or LDAP is given permissions
for Access Control or Virtual Roots that may result in unintended
behavior.
- Windows: When logging is set to debug level 1,
LsaApLogonTerminated messages are no longer logged.
- Windows: SSH2: The VShell Control Panel now displays actual
algorithm names for key exchanges, ciphers, and MACs in addition
to the user-friendly names.
- Windows: SSH2: The VShell Control Panel now displays the host key
bit size.
- Linux/Mac: Added an option to vshelld, vshell-ftpsd, and
vshell-httpsd to display license information.
- Mac: Support for BSM auditing was removed.
Bug fixes:
- With a non-standard configuration, when the server was handling
a large number of short-lived incoming connections, memory usage
could grow.
- When certain options were specified in a subconfiguration, VShell
could exhibit a memory leak.
- HTTPS: When using Single Sign On (SSO) for HTTPS authentication,
server authentication errors may not have been displayed in the
browser.
- Windows: VShell could crash when a subconfiguration file
specified an alternate log folder.
- Windows: When generating a new host key that would overwrite an
existing host key, the VShell Control Panel could crash.
- Windows: When running the 32-bit version of VShell on a system
with an AMD processor, VShell could crash.
- Windows: When a Local/UNC virtual root was configured to
impersonate another user, then changed to an SFTP virtual root,
the user impersonation was unexpectedly maintained.
- Windows: When removing an entry from a virtual root's user/group
list, if the list contained any internal database or LDAP users
or groups, the user or group actually removed may not have been
the one selected for removal.
- Windows: If the HTTPS server was not installed, some items on the
VShell Control Panel's Event Logging Options page may have been
misaligned.
- Windows: Added missing Windows Properties settings to the
vportcheck.exe file.
- Windows: SSH2: When an SFTP client set permissions on a file, the
modify date of the file would be changed incorrectly.
- Windows: HTTPS: When a user was connected using Internet Explorer
and Single Sign On authentication was enabled, disconnecting and
reconnecting could result in a crash.
- Linux/Mac: If there were a very large number of users specified
in an access control list, a reload of the config would take an
abnormally long time, during which connections would not be
accepted.
- Mac: When downloading a large number of files from VShell FTPS, a
number of vshell-ftpsd processes could have been left running with
their CPU usage at 100%.
