1.3.3 Release Notes
------------------------
This file contains a description of the major changes to ProFTPD for the
1.3.3 release cycle, from the 1.3.3rc1 release to the 1.3.3 maintenance
releases. More information on these changes can be found in the NEWS and
ChangeLog files.
1.3.3c
---------
+ Fixed Telnet IAC stack overflow vulnerability (ZDI-CAN-925)
+ Fixed directory traversal bug in mod_site_misc
+ Fixed SQLite authentications using "SQLAuthType Backend"
1.3.3b
---------
+ Fixed SFTP directory listing bug
+ Avoid corrupting utmpx databases on FreeBSD
+ Avoid null pointer dereferences during data transfers
+ Fixed "AuthAliasOnly on" anonymous logins
1.3.3a
---------
+ Added Japanese translation
+ Many mod_sftp bugfixes
+ Fixed SSL_shutdown() errors caused by OpenSSL 0.9.8m and later
+ Fixed handling of utmp/utmpx format changes on FreeBSD
1.3.3
---------
+ Fixed mod_ban whitelisting using mod_ifsession.
+ Fixed per-user/group/class "HideFiles none" configurations.
1.3.3rc4
---------
+ Fixed mod_tls compilation using OpenSSL installations older than 0.9.7.
+ Fixed mod_sftp compilation on AIX.
+ Fixed RADIUS authentication on 64-bit platforms
+ Fixed memory leak in SCP downloads.
+ New configuration directives
SQLPasswordUserSalt
The SQLPasswordUserSalt directive can be used to configure per-user
salt data to be added to the encrypted password for a user. The salt
can be the user name, or it can be the result of a SQL query. More
information can be found in
doc/contrib/mod_sql_passwd.html#SQLPasswordUserSalt.
1.3.3rc3
---------
+ Added Taiwan translation.
+ Added support in mod_sftp for the following SFTP extensions:
check-file
copy-file
vendor-id
version-select
posix-rename@openssh.com
fstatvfs@openssh.com
statvfs@openssh.com
+ Added a workaround in mod_tls to deal with the vulnerability found in
SSL/TLS protocol during renegotiation (CVE-2009-3555). Good
descriptions of this vulnerability can be found here:
http://extendedsubset.com/?p=8
http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html
The workaround implemented in mod_tls (Bug#3324) is one of the suggested
mitigation approaches: the server now refuses all client-initiated
SSL/TLS session renegotiations.
+ Updated to the bundled libtool to 2.2.4 (plus patch) to deal with a
libtool vulnerability (CVE-2009-3736).
+ Added support for SHA256 and SHA512 passwords to the mod_sql_passwd
module.
+ New configuration directives
SFTPExtensions
The SFTPExtensions directive can be used to selectively enable/disable
mod_sftp's support for specific SFTP extensions. See
doc/contrib/mod_sftp.html#SFTPExtensions for more details.
+ Changed configuration directives
CapabilitiesSet
The CAP_FOWNER capability can now be explicitly requested when
using the mod_cap module:
CapabilitiesSet +CAP_FOWNER
For operations allowed on files, this capability overrides the
restriction that the file owner ID must match the process user ID.
1.3.3rc2
---------
+ When handling .ftpaccess files, proftpd was merging them into the
main configuration such that the .ftpaccess files configurations would
override the main configuration. This was never the intended behavior,
and has been fixed (Bug#3279).
However, this does mean that sites which use .ftpaccess files may see
a change in the behavior of their proftpd.
+ Changed scoreboard format (Bug#3286), need for "ServerType inetd"
server to manually delete their old ScoreboardFiles. Otherwise they
will see "error opening scoreboard: bad version (too old)" errors.
+ Changed SQL connection policy (Bug#3290). Important for clients which
connect but don't authenticate (e.g. mod_ban, mod_dnsbl, mod_wrap2_sql,
etc which will reject connected clients prior to authentication); saves
on unnecessary database connections in such cases. For sites which
require the old behavior, there is a new "PERCONNECTION" connection
policy.
NOTE: If you are using mod_sql for logging purposes only, e.g. you have
the following in your mod_sql config:
SQLEngine log
then this connection policy change may affect you. If the database
connection is opened after a chroot has occurred (via DefaultRoot or
login), the database connection may fail. And since now
the connection is delayed until first use, and the first use for logging
may occur after the chroot, the logging may fail. For such sites, then,
you will need to use the "PERCONNECTION" connection policy explicitly.
+ Support for "implicit" FTPS. To enable this, use:
TLSOptions UseImplicitSSL
WARNING: Using this setting will cause mod_tls to handle ALL connections
to the vhost as implicit FTPS connections. It is NOT possible to support
both plain FTP (or explicit FTPS) clients AND implicit FTPS clients on the
same address/port. Therefore this setting should ONLY ever be used in
order to support braindead/broken FTPS clients, and then only for as long
as it takes to fix/replace those broken clients.
Note that "implicit" FTPS was explicitly DROPPED from the RFC which
defines FTP over SSL/TLS; the only clients which use this feature are
outdated clients based on older, now-invalidated versions of the
specification. Please update your FTPS clients to one which uses
explicit FTPS as soon as possible.
+ Re-enable turning off the Nagle algorithm; this drastically helps speed
up transfers of multiple small files.
+ New modules
mod_sql_passwd
This module supports MD5 and SHA1 passwords, encoding using base64 or
hex, from SQL tables. See doc/contrib/mod_sql_passwd.html for details.
+ New configuration directives
AuthUnixOptions
In Bug#1896, support for checking some AIX-specific functions for
whether a login should be accepted was added; this happens only on AIX
server, of course.
However, some AIX admins like to configure "rlogin=false", yet still
want to allow FTP logins. To enable this specific behavior, a new
AuthUnixOptions directive was added, with a setting which is only
honored on AIX:
AuthUnixOptions aixNoRLogin
If this setting is used on any other server, it is silently ignored.
Bug#3300 has the full details.
+ Changed configuration directives
ExtendedLog
You can now disable logging in an section to an ExtendedLog
which was opened outside of the section, i.e.:
ExtendedLog /path/to/ext.log ALL
...
ExtendedLog /path/to/anon-ext.log ALL
# Disable the logging to the higher-level ExtendedLog by
# configuring again here, but changing the command class to 'NONE'
ExtendedLog /path/to/ext.log NONE
...
HiddenStores
The HiddenStores directive can now be used to customize and change
the prefix which is prepended to the HiddenStore files. The default
prefix is ".in.", but if you wish to use a different prefix for any
reason, you can use something like:
HiddenStores foo
This will cause the prefix to be ".foo.".
SQLOptions
When the connection to the database is lost, mod_sql now will try
only once to automatically reconnect (if such reconnect functionality
is supported by the database, e.g. MySQL or Postgres). To disable this
reconnect behavior, there is a new "noReconnect" SQLOptions setting:
SQLOptions noReconnect
See Bug#3270 for the full details of this behavior change. It should
be transparent for most sites.
1.3.3rc1
---------
+ Added French, Bulgarian, Korean translations.
+ RPM 4.2 or later is required by the proftpd.spec file provided in the
distribution.
+ If the --localstatedir configure option is used, proftpd's build system
used to automatically append "/proftpd" to the configured path. This
behavior has been fixed; proftpd's build system will now use the
configured --localstatedir path as is.
Note that this may cause issues if you have an existing build script
for compling proftpd; the expected locations of files under the
--localstatedir path will change.
+ New command-line options:
The -S, --serveraddr command-line option has been added. This option
can be used to specify the IP address of the host machine. By
default, proftpd attempts to resolve the host IP address by using DNS
resolution of the hostname. However, in cases where DNS is not
configured for the host machine, this approach does not work.
To specify the desired IP address, use -S when starting proftpd, e.g.:
/usr/local/sbin/proftpd -S 1.2.3.4 ...
And if you want proftpd to listen on all interfaces, you can specify
a wildcard socket using an IP address of 0.0.0.0:
/usr/local/sbin/proftpd -S 0.0.0.0 ...
+ New modules:
mod_exec
This module enables execution of external scripts based on actions/events
during a session. See doc/contrib/mod_exec.html for details.
mod_sftp
This module implements the SSH2, SFTP, and SCP protocols. See
doc/contrib/mod_sftp.html for more information.
mod_sftp_pam
This module uses PAM to provide a 'keyboard-interactive' SSH2
authentication method for mod_sftp. More information can be found in
the documentation for mod_sftp_pam, in doc/contrib/mod_sftp_pam.html.
mod_sftp_sql
This module uses SQL (via mod_sql) for looking up authorized SSH2
public keys for user and hostbased authentication. More information
is available in doc/contrib/mod_sftp_sql.html.
mod_shaper
This module can be used to provide data transfer rate "shaping"
across the entire server. See the documentation at
doc/contrib/mod_shaper.html.
mod_tls_shmcache
This module provides an external SSL session cache using shared
memory; see the TLSSessionCache configuration directive. More
information on this module can be found in
doc/contrib/mod_tls_shmcache.html.
+ New configuration directives:
RewriteHome
The RewriteHome directive can be used to support rewriting the
home directory for a user, based on regular expression rules.
One such use case is where some portion of the home directory is
retrieved e.g. from an LDAP directory, but you need to apply some
custom prefix to the LDAP attribute.
To enable this feature, first you need to add the following to your
proftpd.conf:
RewriteHome on
Next, you need to configure the mod_rewrite rules for rewriting your home
directory; this feature depends on mod_rewrite for the rewriting.
The pseudo-command used by mod_rewrite for rewriting home directories is
"REWRITE_HOME". Thus would you use:
RewriteEngine on
RewrlteLog /path/to/rewrite.log
RewriteCondition %m REWRITE_HOME
RewriteRule (.*) /my/new/prefix$1
ScoreboardScrub
The ScoreboardScrub directive can be used to turn on/off proftpd's
periodic "scrubbing" of its ScoreboardFile, where the ScoreboardFile
is scanned for entries of dead sessions:
ScoreboardScrub on|off|secs
Note that if scoreboard scrubbing is turned off, the ScoreboardFile
can still be scrubbed on demand, either by using mod_ctrls_admin's
"ftpdctl scoreboard scrub" action, or by using the new ftpscrub
command-line utility.
TLSControlsACLs
With the addition of support for external session caches, the
mod_tls module now supports some ftpdctl actions for interacting
with those session caches. The TLSControlsACLs directive can be
used to configure ACLs for the ftpdctl actions supported by mod_tls,
and is analogous to other ACLs directives for other modules which
support ftpdctl actions.
TLSPKCS12File
The TLSPKCS12File directive of the mod_tls module is used to
configure mod_tls to use the certificate and private key contained
in the indicated PKCS#12 file. Some sites already use PKCS#12 files
for containing their other certificates, and thus find it useful to
have PKCS#12 support in mod_tls.
TLSSessionCache
The TLSSessionCache directive configures an external SSL session
cache, which can be used for storing and shared SSL sessions across
multiple processes. An external SSL session cache is an optional
facility which speeds up parallel FTPS session connections.
See doc/contrib/mod_tls.html#TLSSessionCache for more information.
+ Changed configuration directives:
AllowOverride
This directive no longer supports the optional user/group/class
parameters. If you wish to have per-user/group/class conditional
use of the AllowOverride directive, you will need to use the
mod_ifsession module. For example, instead of:
AllowOverride off user !admin
you will need to use:
AllowOverride on
AllowOverride off
Note that the "!admin" section is necessary. If you set
"AllowOverride off" unconditionally, then use a mod_ifsession context,
you would end up with two AllowOverride settings, and the code might not
be able to distinguish properly which setting to use. Thus you need to
make both the "on" and "off" cases conditional, and mutually exclusive.
Configurations which use the user/group/class conditional parameters
to AllowOverride will now generate configuration errors.
BanOnEvent
The BanOnEvent directive of the mod_ban module now supports
TimeoutLogin events.
You can now specify an IP address of "0.0.0.0" in a
definition.
IdentLookups
The default IdentLookups value is now 'off'. The RFC1413 IDENT lookup
adds latency to the login process, so much so that it is a FAQ to
configure "IdentLookups off". In addition, the IDENT protocol is not
secure; it can easily be spoofed using man-in-the-middle attacks. Sites
that require IDENT lookups must now explicitly configure
"IdentLookups on".
Note that in order to use IdentLookups, you must compile proftpd with
the mod_ident module. If you use the --disable-ident configure
option, then proftpd will not recognize the IdentLookups directive.
Thus in your proftpd.conf, you should use something like:
IdentLookups on
if you want to use RFC1413 lookups.
LogFormat, SQLNamedQuery
There is a new variable, %{protocol}, which describes the protocol
that the client is using. This variable can have values of "ftp",
"ftps", "ssh2", "sftp", and "scp".
Note that for SSH2 connections, the value will be "ssh2" until SFTP or
SCP channels are opened; this means that during login, the %{protocol}
value will be "ssh2".
There is also a new %w variable which is only valid for RNTO commands.
The %w value will be the original name of the file being renamed
(mnemonic: "whence" a renamed file comes).
RewriteCondition, RewriteRule
Use of environment variables in mod_rewrite rules is now supported
via the "%{ENV:var}" syntax.
SQLGroupInfo
The SQLGroupInfo now supports custom queries for retrieve group
information. Note that instead of a single custom query, several
different queries are needed; different lookups are called for
depending on the situation and configuration of mod_sql (e.g.
using the 'groupset' or 'groupsetfast' SQLAuthenticate parameters).
See doc/contrib/mod_sql.html#SQLGroupInfo and
doc/howto/SQL.html#SQLUsersetfast for more details.
SQLUserInfo
The support for custom SQLUserInfo queries has been extended to
support custom queries to be used when the 'userset' or 'usersetfast'
SQLAuthenticate parameters are used.
For more information, see doc/contrib/mod_sql.html#SQLUserInfo and
doc/howto/SQL.html#SQLUsersetfast.
TLSOptions
The NoSessionReuseRequired option has been added. As of
ProFTPD 1.3.3rc1, mod_tls only accepts SSL/TLS data connections
that reuse the SSL session of the control connection, as a security
measure. Unfortunately, there are some clients (e.g. curl) which
do not reuse SSL sessions.
To relax the requirement that the SSL session from the control
connection be reused for data connections, use the following in the
proftpd.conf:
...
TLSOptions NoSessionReuseRequired
...
TLSRequired
The TLSRequired directive can now be used in sections and
in .ftpaccess files. When used in these configuration contexts, only
the TLSRequired values that require SSL/TLS protection on data transfers
are honored. With this, it is now possible to mark specific files or
directories as requiring SSL/TLS protection to be accessed via data
transfer.
TransferLog
The "service-name" field of the TransferLog usually contains just
"ftp". In order to support TransferLogs for SFTP and SCP transfers,
the service-name field of the TransferLog format may now show
"sftp" or "scp". It may also show "ftps" instead of "ftp", if the
data transfer occurred while the client is using FTP over SSL/TLS.
NOTE: This change, while correct, may cause issues for log parsers.
+ Deprecated configuration directives:
AnonymousGroup
Support for this directive has been removed.
+ Developer Notes
If you are a module developer, then you will want to know of the following
API/internals changes:
* The original USER value sent by the client is no longer stored in
the config tree. That is, the following no longer works:
user = get_param_ptr(main_server->conf, C_USER, FALSE);
Instead, the original USER value is stashes in the session.notes
table. Thus the above line of code can be replaced with:
user = pr_table_get(session.notes, "mod_auth.orig-user", NULL);
A similar change occurred for the anonymous "password" sent, but
this will probably not apply to most modules.
Last Updated: $Date$