
Update to OpenSSL 1.0.1g to address CVE-2014-0160.
Through the RMD command it was possible to delete aliases.
Clarified wording and offered additional help when setting up aliases.
Security fix: Update to OpenSSL 1.0.1h to address CVE-2014-0224.
Fix stalling or improperly terminated connections when using FTP over TLS.
FTP over TLS: Disallow insecure and weak cipher suites. Algorithms no longer supported include 3DES, RC4, MD5.
Fixed selection in user list sort dropdown behind the corresponding toolbar button.
Fix timestamps in LIST output being off up to 7 minutes in extreme cases.
Fix sporadic crashes when using FTP over TLS.
The administration protocol now allows up to 16 million users and groups.
Increased maximum IP filter size for users and groups by 50%.
Interface settings (as opposed to server settings) are now stored in %APPDATA%/FileZilla Server.
Self-signed certificates created with FileZilla Server are now signed using SHA-256.
Updated OpenSSL libraries and fixed memory leaks when unloading OpenSSL.
Minidumps are now automatically written in the installation directory in the unfortunate case of a server crash.
EPSV and EPRT support are now advertised in the response to the FEAT command.
Allow use of the OPTS command prior to login.
Fix display of welcome message and FEAT reply in log.
Changing admin interface IP bindings did not recreate the listening socket on ::1.
Fixed crash if updating permissions under load.
Updated OpenSSL library to due to several security vulnerabilities in OpenSSL.
Fixed default network buffer size to match its description.
Updated to OpenSSL 1.0.2a due to several security vulnerabilities in OpenSSL.
The security settings, passive mode settings and TLS settings pages have received the most cleanup.
The settings dialog layout had a spring cleaning.
Added diagnostic message to the administration interface if no passive mode IP has been configured and the server appears to be behind a NAT router.
Added diagnostic message to the administration interface if FTP over TLS is disabled and if the configured certificate is expired or otherwise invalid.
FileZilla Server now randomizes the port used for passive mode transfers to mitigate data connection stealing when using plain FTP.
Added option to force TLS session resumption on the data connection to prevent data connection stealing.
Vulnerability discovered and reported by Amit Klein.
The code that checks that the peer's data connection IP address matches the control connection IP had been nonfunctional.
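
The three data connection protections listed above (randomized passive port, peer address check, forced TLS session resumption) can be sketched as server-side checks. This is an added example, not FileZilla Server's code; the port range, function names and the session_resumed flag are assumptions made for illustration.

```python
import ipaddress
import secrets

# Assumed passive port range (hypothetical values, not from FileZilla Server).
PASV_PORT_MIN = 50000
PASV_PORT_MAX = 50999


def pick_passive_port(in_use, lo=PASV_PORT_MIN, hi=PASV_PORT_MAX):
    """Pick an unpredictable free port from [lo, hi] using the OS CSPRNG."""
    free = [p for p in range(lo, hi + 1) if p not in in_use]
    if not free:
        raise RuntimeError("passive port range exhausted")
    return secrets.choice(free)


def _canonical(addr):
    """Parse an address, dropping any zone id and unwrapping ::ffff:a.b.c.d."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def data_peer_allowed(control_peer, data_peer):
    """True only if the data connection comes from the control connection's IP."""
    try:
        return _canonical(control_peer) == _canonical(data_peer)
    except ValueError:
        # Fail closed: an unparsable address never matches.
        return False


def accept_data_connection(control_peer, data_peer, session_resumed,
                           require_resumption):
    """Decide whether to accept a data connection. Returns (ok, reason).

    session_resumed is assumed to come from the TLS layer and to mean the
    data connection resumed the control connection's TLS session.
    """
    if not data_peer_allowed(control_peer, data_peer):
        return False, "peer address mismatch"
    if require_resumption and not session_resumed:
        return False, "TLS session not resumed"
    return True, "ok"
```

The address check alone cannot tell apart two clients behind the same NAT address, which is the case the session resumption requirement covers.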