VanDyke Software

VShell Server History

      VShell(R) Server 4.5.4 (Official) -- September 1, 2020

         Copyright (C) 1995-2020 VanDyke Software, Inc.
                    All rights reserved.

This file contains a VShell product history.  It includes lists
of new features, changes, and bug fixes sorted by release.  For a
product description, installation notes, registration, and contact
information, please refer to readme.txt (downloaded with this

Changes in VShell 4.5.4 (Official) -- September 1, 2020

Bug fixes:

   - SSH2: In the unlikely event that upload or download triggers 
     have not yet been processed and the SFTP channel closes
     unexpectedly, the server could crash.

   - Windows, SSH2: Under rare circumstances, when authenticating 
     to the server using RADIUS, the server could crash.

   - Windows, SSH2: In the unusual case where a system issue prevents
     the server from impersonating the user when an SFTP connection
     is closed, the server could crash.

Changes in VShell 4.5.3 (Official) -- June 23, 2020

Bug fixes:

   - HTTPS: If a connection from a non-browser file transfer client
     was idle, it would be disconnected after two minutes, regardless
     of the configured idle timeout period.

   - Windows: In the VShell Control Panel, particularly with a large 
     number of users, there could be a delay before the Access Control 
     page or Virtual Roots Folder Options page was displayed.

   - Windows: On Server 2019, attempts by clients to create new 
     directories within a virtual root on a network share could fail. 

   - Linux/Mac: With port forwarding, when a connection was made but 
     no service was listening on the remote port, CPU usage could 
     increase and remain close to 100%.

Changes in VShell 4.5.2 (Official) -- January 28, 2020

Vulnerabilities addressed:

   - HTTPS: Given a maliciously crafted URL, VShell was vulnerable
     to a directory traversal attack using HTTP requests, allowing 
     potentially unauthorized access to the file system.

Bug fixes:

   - Using a non-standard encoding of a file path, an authenticated 
     user could have access to files and folders permitted by the 
     underlying file system, but outside the user's Virtual Root.

   - Windows: In the VShell Control Panel, changes to the 
     Authentication timeout value were not honored.

Changes in VShell 4.5.1 (Official) -- December 17, 2019

Changes:

   - HTTPS: "Host" headers sent by the client are ignored.

   - SSH2: The default length of newly created RSA host keys has been
     increased to 3072 bits.    

   - Windows, FTPS: If VShell is unable to look up the authentication 
     package MICROSOFT_AUTHENTICATION_PACKAGE_V1_0, the "Error" topic
     is now used for the log message. 

Bug fixes:

   - Windows: In the VShell Control Panel, changes to the RADIUS 
     authentication order option would not save correctly.

Changes in VShell 4.5 (Official) -- October 29, 2019

Changes:

   - Mac OS installers are now notarized by Apple.  

Changes in VShell 4.5 (Beta 4) -- October 15, 2019

Changes:

   - When adding internal database users, if the username includes
     the illegal character "@", an error is now displayed.

   - HTTPS: Added a robots.txt file containing settings that tell 
     web robots not to visit the site.

   - HTTPS: In the VShell User Web Interface, minor adjustments
     were made to meet WCAG 2.0 success criteria.

Bug fixes:

   - HTTPS: When using a logout trigger, the %I (IP address) and 
     %G (source port) parameters could be set to "unknown". 

   - HTTPS: When the HTTP PUT command was used to upload a file 
     that replaced a larger version of the same file, the uploaded
     file incorrectly retained the previous size.

   - Windows: In the VShell Control Panel, using the LDAP
     User/Group Picker would trigger a minor memory leak.

   - Windows 2019: When Logon access was allowed for a domain 
     level group, members of the group could be denied Logon 
     access when using publickey authentication. 

   - Linux/Mac: The FailedAuthCommand trigger was not executed when 
     a user was prevented from logging in due to account restrictions.

   - Linux/Mac: vuserdb commands could fail with an error mentioning 
     ciphers, MACs, or key exchange methods specified in the 
     vshelld_config file.

   - HTTPS: In the VShell User Web Interface, if an invalid URL 
     was entered, the error message could be displayed as XML.

Changes in VShell 4.5 (Beta 3) -- September 5, 2019

Changes:

   - HTTPS: Secure headers Strict-Transport-Security, Content-
     Security-Policy, X-XSS-Protection, X-Frame-Options, X-Content-
     Type-Options, and Cache-Control are now sent.

   - HTTPS: The "Server" header is no longer sent.

   - HTTPS: In the VShell User Web Interface, colors of two 
     components were changed to meet WCAG 2.0 success criteria.

   - Linux/Mac SSH2: The Crypto++ library used by VShell was 
     updated to version 8.2.

   - Some AIX OpenSSH clients (versions 7.5p1 and later) were 
     disconnected with error "Server received packet unknown 
     userauth packet, which should never be sent by the client".

Bug fixes:

   - HTTPS & FTPS: In the rare case that a client closed the 
     connection immediately after renegotiating SSL parameters, 
     CPU usage could increase and remain close to 100%.

Changes in VShell 4.5 (Beta 2) -- August 15, 2019

New features:

  - SSH2: Added support for the diffie-hellman-group14-sha256,
    diffie-hellman-group16-sha512, and diffie-hellman-group18-
    sha512 key exchange algorithms.

  - Windows: Added the ability to enable and disable use of 
    specific TLS versions.

Bug fixes:

  - Windows: The VShell Control Panel had three lists of options
    in which extra lines would appear when an item was selected.

Changes in VShell 4.5 (Beta 1) -- July 25, 2019

New features:

  - HTTPS: Added support for the WebDAV protocol.

  - HTTPS: In the VShell User Web Interface, the title text can now 
    be customized.

  - FTPS: Added support for the MDTM command described in RFC 3659,  
    as well as the MFF and MFMT commands described in draft-somers-

  - Windows: Added support for a folder monitor that can detect
    creation or copy/move of new files to a specified folder and 
    initiate actions such as automatic transfer to another SFTP 

  - Windows: Added a wizard for faster configuration of VShell to 
    receive file uploads from Cisco Unified Communications Manager  
    (CUCM) and similar applications that connect using SFTP.

  - Linux/Mac: Added support for the HTTPS protocol.

  - Linux/Mac: Added the ability to specify the maximum number of 
    concurrent connections per user for SSH2 and FTPS connections.

  - Linux/Mac: Added support for subconfigurations to limit the 
    number of concurrent SSH2 or FTPS connections for a particular 
    user or group.

  - Linux/Mac: Added the ability to add VShell internal database 
    users from a file.

Changes:

   - VShell Workgroup Edition now allows 25 concurrent connections 
     (previously 10).

Bug fixes:

  - In the rare case that a trigger was configured with a timeout 
    >= 215 seconds and a "run as" user, the trigger would not fire.

  - When using subconfigurations for both users and groups that
    both specified a logging destination, a memory leak could occur.

  - When a new log file was created for the day, it was possible for 
    some of the lines to be written above the header.

  - In the line logged to indicate the IP address and port on which 
    a service was listening, the address and port were reversed.

  - When LDAP authentications were performed, a memory leak occurred.

  - Upon connection by a client that displays a single row in its 
    console such as Remote Desktop Manager by Devolutions, VShell 
    would produce an error and disconnect the client.

  - HTTPS: In some cases, when VShell HTTPS received a PUT command to 
    upload a 0-byte file, it could return a response with an invalid 
    Content-Range header field.

  - HTTPS: When a file transfer was interrupted, upload and download 
    triggers did not set the %U (user) and %s (session) parameters.

  - HTTPS: When the VShell server was configured to disable the HTTPS 
    PUT command, an HTTPS client attempting to upload a file with PUT 
    could hang.

  - HTTPS: In the VShell User Web Interface, when downloading files
    the browser did not display its download indicator until the 
    download completed.

  - HTTPS: In the VShell User Web Interface, when multiple dialogs were 
    displayed at the same time, closing one would close them all.

  - HTTPS: In the VShell User Web Interface, when using a browser other 
    than Edge or Internet Explorer, you could not download a file with 
    non-ASCII (e.g., Russian) characters in the filename.

  - FTPS: When FTPS and FTP file uploads are performed using SecureFX, 
    timestamps are now preserved.  

  - FTPS and HTTPS: When a file upload was aborted due to loss of
    network connectivity, the client being killed or closed, or
    failure to write the file to disk, upload triggers returned
    success rather than the error code.

  - Windows: In the rare case of multiple simultaneous authentication 
    failures when the deny host option was enabled, it was possible for
    VShell to crash or incorrectly add one of the connecting IPs to the 
    deny host list.

  - Windows: For file operation triggers set up to fire conditionally 
    for users having access to an SFTP virtual root, the email and
    command trigger actions did not work. 

  - Windows: On the VShell Control Panel, performing a certain 
    sequence of actions on the Triggers page could incorrectly cause 
    the Add, Edit, and Delete buttons to be enabled.

  - Windows: When there were a large number of users, or when there 
    was network latency between the domain controller and the VShell 
    server, there could be a delay before displaying the Access Control 
    list, the SFTP commands list, and the Virtual Roots list. 

  - Linux/Mac: When MaximumAuthenticationRetries was set to a value 
    less than DenyHostAfterFailureCount, a host was not denied 
    connection after DenyHostAfterFailureCount authentication