We are happy to announce the latest release of SFTPPlus version 4.14.0.
One important new functionality of this release is the availability of the file transfer webpage in Spanish and German. More languages will be added in the following releases. Let us know if you would like to have SFTPPlus translated in a certain language.
Starting with this release, when running behind an HTTP load balancer or proxy, SFTPPlus can extract the connection source IP address from the HTTP header forwarded by the proxy.
Below are the most important changes. You can check the full release notes here.
Security Fixes
- SFTPPlus now blocks client TLS renegotiation requests over TLS 1.1/1.2. This issue does not affect TLS 1.3 connections, as key exchange parameters are no longer negotiated between client and server. [server-side][security] [#3267]
- The OpenSSL 1.0.2 libraries used on AIX for Python's cryptography and the stdlib ssl module were patched for CVE-2021-3712. OpenSSL version 1.0.2 is not affected by CVE-2021-3711. [#5728-2]
- The OpenSSL 1.1.1 libraries used for Python's cryptography on Windows, generic Linux, and macOS were updated to version 1.1.1l to fix CVE-2021-3711 and CVE-2021-3712. On generic Linux and macOS, the same CVEs were fixed for Python's stdlib ssl module. [#5728]
New Features
- When SFTPPlus operates behind an HTTP reverse proxy, it can be configured via the client_forwarded_header option to extract the source address of a connection by parsing a header such as X-Forwarded-For, Forwarded, etc. [server-side][http][https] [#1555]
- You can now configure a list of allowed source IP addresses for authenticating an administrator. [manager] [#2908]
Defect Fixes
- When a location fails while a transfer is using that location as the source, the event with ID 60040 is emitted to inform that the transfer is no longer monitoring the source. In previous versions, the event 60040 was delayed until the source location was reconnected. [client-side] [#3960-1]
- File changes at the source location are now observed even if the connection is disconnected between checks. In previous versions, the list of changes was reset on disconnect, and no files were being transferred. [client-side] [#3960]
- The utility used by SFTPPlus to manage its Windows service was updated to prevent antivirus false-positives. [windows] [#4644]