SecureFX(R) 9.5.1 (Official) -- February 27, 2024 Copyright (C) 1995-2024 VanDyke Software, Inc. All rights reserved. This file contains the SecureFX product history. It includes lists of new features, changes, and bug fixes sorted by release. For a product description, installation notes, registration information, and contact information, please refer to SecureFX_README.txt (downloaded with this installation). Changes in SecureFX 9.5.1 (Official) -- February 27, 2024 --------------------------------------------------------- Vulnerability Fix: - Windows/Mac: SecureFX now includes OpenSSL version 3.1.5, which addresses CVE-2023-5363, CVE-2023-5678, CVE-2023-6129, and CVE-2024-0727. Bug Fix: - Windows: When focus was in the Connect Bar and the Enter key was pressed without entering a hostname or session, a connection was attempted using the "" hint text as the hostname. Changes in SecureFX 9.5 (Official) -- January 16, 2024 ------------------------------------------------------ No changes. Changes in SecureFX 9.5 (Beta 3) -- December 19, 2023 ----------------------------------------------------- Vulnerability Fix: - SSH2: For some algorithms, an attacker can manipulate the packets sent during key exchange to cause some packets to be removed, which compromises channel integrity. A "Strict KEX" extension was implemented to address this vulnerability (CVE-2023-48795). In order to use the "Strict KEX" extension, the extension must be supported by both the client and the server. Change: - Mac/Linux: When using a .LIC file to license the product, it can now be placed in a location that is common to all users. Bug Fixes: - If SecureFX was launched with an invalid command line, a crash could have occurred. - When transferring a file to a Cisco system, if the main transport was disconnected due to an idle timeout, the transport created for the file transfer would have also been disconnected, causing the transfer to fail. - When parallel transfers were enabled, moving a directory structure from a remote system may have failed. - When connecting to a session and tabbed mode was disabled, the remote session window may have appeared in an unexpected location. - Windows: When the application was ran on a new system and a license was applied for the current user, the license data may have failed to be written to the registry. - Mac: When session passwords were saved to the system Keychain, attempting to modify the saved password from within SecureFX resulted in the password saved in the Keychain being cleared. - Mac: On Sonoma, when opening the application help, the help window may have been blank. Changes in SecureFX 9.5 (Beta 2) -- November 21, 2023 ----------------------------------------------------- Change: - Information about a session disconnecting immediately when SFTP subsystem is unavailable is now logged. Bug Fixes: - When transferring multiple files in parallel, the transfer window may not have shown an accurate count of the files transferred. - Mac: When opening the font selection dialog, the bold font weight was selected by default. - Mac/Linux: If a public-key upload was cancelled before the operation completed, a crash could have occurred. Changes in SecureFX 9.5 (Beta 1) -- November 2, 2023 ---------------------------------------------------- New Features: - For FTPS and HTTPS sessions, added TLS certificate validation options "Revocation checking enabled" and "Revocation checking only uses cache". - Added a compatibility mode for Azure Blob SFTP servers, which automatically disables SFTP extensions. - Passwords for saved credentials can be updated more easily via the Tools menu. Changes: - Hostnames containing multiple "@" characters are now supported, which allows jump hosts (e.g., CyberArk) to be specified in the hostname. - For failed SCP connections, the log message was changed from "The remote execute operation has been aborted." to "The operation was aborted because the channel closed." - Log messages for HTTPS connections no longer show the protocol as being HTTP. - When standalone SecureFX is installed, the button to launch SecureCRT is not shown on the toolbar. - SFXCL: When logging to a file, if authentication failed, the actual cause of the authentication failure would not have been logged to the file. - SFXCL: When a move is executed and /tracelevel is set to 2 (or higher), the log includes the attempt to delete the file and whether or not it succeeded. - Windows: When opening the Session Manager, performance may have been impacted due to the protocol-specific session icons. A "Use Old Session Manager Icons" global INI-only option has been added to allow the use of the old generic icons. - Windows: The USERNAME environment variable can be embedded within a string in the Username field (e.g., %USERNAME%.admin). Bug Fixes: - If a malformed key file was specified as the global public key, opening the Global Options dialog resulted in a crash. - The "Accept and Save" button was not available when connecting to a session with multiple host keys for the same host, which resulted in the prompt to accept the host key being displayed every time the session connected. - When an open session was disconnected and reconnected, the directory listing for the current directory was not refreshed. - When a cross-platform substitution variable (e.g., VDS_CONFIG_PATH) was used as part of the path to a key to load into agent at startup, the variable was replaced with the actual path. - If SecureFX was opened from the command line with the /Firewall option and an instance of SecureFX was already running, the specified firewall was not used. - When the configuration path was specified on the command line via the "/F " option, SecureFX did not honor the option. - When opening a SecureCRT session from SecureFX, the "Open in a tab" option was not honored. - If a session was configured to authenticate with a certificate from CAPI or a smartcard and authentication failed, the dialog to select a public-key file was displayed instead of the dialog to select a certificate. - When creating a folder in the Session Manager, if the folder was renamed as part of the addition, a secondary folder with the original "New Folder" name was also added. - When debug logging level 9 was enabled and the Cisco SCP shell enable password was entered, the password was not obscured in the log output. - With a new configuration, both the Quick Connect dialog and the Session Manager could have be shown at startup. - When SecureCRT and SecureFX were installed integrated and the terminal protocol for a session was changed to "Local Shell" then back to SSH2, the SSH2 session options page could have appeared twice. - Windows: When SecureFX was running within SecureCRT's process, the applications could have crashed after waking the computer from sleep. - Windows: If the evaluation period ended and a license was applied from the expired license dialog, the application did not start automatically when the license wizard was dismissed. - Windows: When using SFXCL to connect to an FTPS or HTTPS host, if the connection resulted in a certificate validation prompt, the save certificate option was unexpectedly allowed. - Windows: If the session database contained a very large number of sessions and the Session Manager filter field was used to filter the session list, a long delay may have occurred. - Windows: When focus was within the Session Manager session view or filter field, pressing the Tab key unexpectedly moved focus to the local window. - Windows: When the Session Manager and Command Manager were docked within the same window as tabs, selecting the tab that did not have focus may have caused the tabs to switch position. - Mac: If a session password saved in the keychain became invalid, attempting to save an updated password failed. - Mac: On certain open file dialogs (e.g., Select Identity Filename, Receive ASCII, etc.), the file type filter was not displayed as expected.