proftpd-1.3.9

[Bruce Dubbs]

New point version.

[thomas]

Changelog: ​http://www.proftpd.org/docs/RELEASE_NOTES-1.3.9

1.3.9 Release Notes

------------------------

This file contains a description of the major changes to ProFTPD for the 1.3.9 release cycle, from the 1.3.9rc1 release to the 1.3.9 maintenance releases. More information on these changes can be found in the NEWS and ChangeLog files.

1.3.9

---

+ Fixed memory usage issue with SFTP channels.

+ Added Polish translation.

+ Updated bundled libtool.m4 for better MacOSX support.

1.3.9rc3

---

+ When started with root privileges, ProFTPD now drops all supplemental

group memberships, retaining only the UID/GID of the configured User/Group.

+ Properly use all configured ECDSA SSH hostkeys, not just the first

configured ECSA SSH hostkey.

+ Fixed issue with RADIUS authentication when using mod_radius and newer

FreeRADIUS, due to BlastRadius mitigation.

+ New Directives

SFTPAuthPublicKeys

This directive can be used to enable support for only the specified list of public key algorithms, as for key-based user authentication. See doc/contrib/mod_sftp.html#SFTPAuthPublicKeys for more.

+ Changed Directives

SFTPExtensions +limits

The mod_sftp module now implements the "limits@…" custom SFTP extension, used by newer OpenSSH limitations for discovering server-side limits, such as larger SFTP READ/WRITE buffer lengths. See doc/contrib/mod_sftp.html#SFTPExtensions.

1.3.9rc2

---

+ Implemented SSH mitigations for the "Terrapin" SSH attack (CVE-2023-48795).

+ Fixed compiling of 3rd party modules whose names match very specific

regular expression patterns.

+ Changed Directives

SFTPOptions NoStrictKex

By default, mod_sftp uses a "strict KEX" mode as a mitigation for the "Terrapin" SSH attack (CVE-2023-48795). Use of this strict mode may unexpectedly cause interoperability issues; this new SFTPOption can be used to disable this mode if necessary. See doc/contrib/mod_sftp.html#SFTPOptions for more.

1.3.9rc1

---

+ Clients are disconnected if there is an error adding them to the

ScoreboardFile. Previously, such errors were logged, but the session allowed to continue.

+ Implemented the "chacha20-poly1305@…" SSH cipher algorithm.

+ Implemented support for OpenSSH FIDO security keys in mod_sftp.

+ The mod_auth_otp module now requires per-user entries in its tables

by default. This is a change from previous versions, when such per-user entries were optional.

+ New Directives

IfSessionOptions PerUnauthenticatedUser

The mod_ifsession module only applies its user/group-specific configurations after the client has authenticated itself. Some sites, however, may wish for user-specific configurations to be applied based on the unauthenticated username supplied by the client, such as in cases where the conditional configuration in question will affect the authentication process. The new PerUnauthenticatedUser IfSessionOption can be used to achieve this; see doc/contrib/mod_ifsession.html#IfSessionOptions for more.

ScoreboardOptions AllowMissingEntry

Clients are now disconnected if they cannot be added to the ScoreboardFile. Some sites may require the previous behavior; use this new AllowMissingEntry ScoreboardOption to do so. See doc/modules/mod_core.html#ScoreboardOptions for more information.

+ Changed Directives

AuthOTPOptions OptionalTableEntry

Now that the mod_auth_otp module requires an entry for each user, sites may need to re-enable the previous opt-in behavior. Use the OptionalTableEntry AuthOTPOption for this. Read doc/contrib/mod_auth_otp.html#AuthOTPOptions for details.

DelayOnEvent Connect

The DelayOnEvent directive can now be used to inject randomized delays, "jitter", at the start of a session. This can be used to spread out the processing of a large number of connections that occur at the same time, such as on a schedule/cron. See doc/modules/mod_delay.html#DelayOnEvent for details.

ExtendedLog SEC class

SSH key exchange requests are now classified as "security" related messages, and thus are logged in ExtendedLog configurations that use the SEC logging class.

LDAPDefaultGID, LDAPDefaultUID Auto

Retrieving the UID, GID to use for users configured in ActiveDirectory domains, based on the default/expected attributes, is not always possible. In such cases, the new "Auto" value for the default UID, GID to use by mod_ldap allows for retrieving the actual UID, GID by system user lookup, which is handled for AD domains by the special sssd program, for example.

LogFormat %{transfer-speed}

The LogFormat directive now supports a variable, %{transfer-speed}, for logging the average data transfer speed.

SFTPCiphers chacha20-poly1305@…

The mod_sftp module now implements OpenSSH's "chacha20-poly1305@…" algorithm.

SFTPExtensions userGroupNames

The mod_sftp module supports the custom OpenSSH "users-groups-by-id@…" SFTP extension, used to retrieve the textual user/group names for given lists of UIDs, GIDs.

SFTPOptions FIDOTouchRequired FIDOVerifyRequired

OpenSSH FIDO security keys, such as Yubikeys, are now supported for SSH authentication by the mod_sftp module. These keys allow for policies such as proof of user presence, and/or proof of user verification. These new SFTPOptions can be used to configure your site policies for such keys; see doc/contrib/mod_sftp.html#SFTPOptions for more information.

+ Developer Notes

Removed the unused pr_ctrls_parse_msg Controls API function.

[thomas]

Fixed in [4080d4289d]