Version history

This page lists the version history of FileZilla Server releases. Have a look at the changelog for a detailed list of all changes committed to the source code repository.

1.4.1 (2022-05-06)

Bugfixes and minor changes:

  • Admin UI: Fixed a crash on the listener page
  • Admin UI: Improved workflow for changing user passwords
  • MSW: Fixed an issue with the converter for configurations from FileZilla Server 0.9.x

1.4.0 (2022-04-29)

Bugfixes and minor changes:

  • Debian: by default the service is now configured to exclude headers from log lines, since journald outputs its own headers already.
  • Mac: fixed regression that made the installed service not startable
  • Admin UI: changed wording in the logging settings
  • Admin UI: made default connection values correct, in case the settings file is missing.
  • MSW: fixed various bugs in the ExecDos plugin that could cause the admin password not to be set properly.
  • MSW: non-ASCII admin passwords can now be properly used.
  • MSW: fixed a bug in libfilezilla that caused an unexpected failure when creating directories with restricted access. It had effects on the ACME account creation.

1.4.0-rc1 (2022-04-20)

Fixed vulnerabilities:

  • MSW: the installer doesn't rely on the PATH environment variable to find the tools it needs, but refers to them by absolute path, to avoid hijacking.

New features:

  • The TCP buffer sizes on the sockets used for data transfers can now be specified
  • Configuration files are now tagged with a "flavour" and a version number. The server will refuse to load configuration files with a different flavour than its own or with a version higher than its own. The server's option --config-version-check can be used to control this functionality: if specified, the server checks the versioning, performs the required action and then exits, unless its action is 'ignore'. If the action is 'error', it just checks whether the versions are ok. If the action is 'backup', then a backup of the files is made if the versions are not ok. The parameter --config-version-check-result-file is used to specify a file in which the result of the version check is written. If the file contains 'ok', then everything went fine. If the file contains 'error', then there was an error. If the file contains 'backup', then a backup was made. The installer makes use of this functionality.
  • Admin UI: the selected log entries can now be copied to the clipboard, in CSV, HTML and plaintext formats through the context menu
  • Admin UI: the settings dialog layout has been changed to accommodate future settings for other protocols, factoring out the settings that are common to all protocols.
  • Admin UI: adjusted borders and spacing to look better on HiDPI displays.
  • Admin UI: preserve the fingerprints of the previously connected servers. The connection dialog gives hints when inputting the host and port.
  • Log files can optionally be rotated daily instead of by size
  • Added option to specify a default user to impersonate if a user logs in with an account that does not use impersonation

Bugfixes and minor changes:

  • MSW: The installer now detects and rejects 32bit Windows
  • MSW, Admin UI: No more double error message when a validation error occurs
  • Admin UI: Solved a crash and fixed other bugs related to minimizing the main window to the notification area
  • Server: --write-config option now also updates the users and groups configuration files
  • Server: the log contains more detailed info about which configuration files have been saved
  • Admin UI: the controller used for editing numbers now correctly accepts negative integers
  • The network config wizard's text has been updated to be more explanatory and intuitive
  • Self signed certificates don't require a 2nd level domain anymore
  • Admin UI: the system user is now always at the top
  • Admin UI: more meaningful message if the password is empty
  • Admin UI: message dialogs now always have a reference to the top window
  • FTP: QUIT needs to respond with 221, not 200
  • Bug fixes to the internal HTTP library
  • MSW: the installer now correctly displays the progress bar in all cases
  • Fixed a confusing error message in some situations if trying to list non-existing directories

1.3.0 (2022-02-14)

New features:

  • Configuration wizard to setup passive mode
  • Linux: Warn if sysctl knob kernel.yama.ptrace_scope is 0
  • Linux: Refuse to run if sysctl knob fs.protected_hardlinks is 0

Bugfixes and minor changes:

  • Admin UI: Rejecting a certificate fingerprint prompt no longer triggers automatic reconnects

1.3.0-rc1 (2022-02-03)

Fixed vulnerabilities:

  • The internal tool filezilla-server-crypt now accepts the password from stdin instead of as a parameter, to avoid leaking the password.
  • Mountpoints are now impossible to rename or delete.

New features:

  • The configuration files can now be reloaded without shutting down the service first. To make it work, send the SIGHUP signal to the service process on *nix, or send the paramchange control message to the service on Windows (i.e. 'sc control filezilla-server paramchange').
  • The UI now automatically attempts to reconnect to the server if the connection is lost
  • MSW: users are now case-insensitive
  • Mac: created an installer
  • Display the administration TLS certificate fingerprints at installation time, so that they can be taken note of.
  • Negotiate custom ALPN with FileZilla Client, this allows saving a few round-trips during connection establishment

Bugfixes and minor changes:

  • Warn if no administration password has been given during installation.
  • In TVFS, fixed implicit root "/" not being accessible, trac #12617.
  • In TVFS, an implicit mountpoint whose parent is non-recursive is now able to be listed and cwd'd into.
  • Solved off-by-one bug in path normalization.
  • Reported filesystem errors are permanent, hence use 5yz error codes rather than 4yz error codes in command replies.
  • Permissions are now correctly updated in the UI when the current selected user changes.
  • Fixed regressions in the UI related to the TLS certificates generation.
  • MSW: the installer now correctly supports the /D parameter, used to define a different default installation directory from the command line.
  • Debian: the installer now asks for an administration password.
  • Errors during ACME certificates generation are now properly displayed in the UI.

1.2.0 (2021-12-25)

Bugfixes and minor changes:

  • Small usability changes to setting up Let's Encrypt certificates

1.2.0-rc1 (2021-12-17)

New features:

  • Created Debian and macOS packages
  • Introduced more fine-grained access controls for the mountpoints

Bugfixes and minor changes:

  • MSW: Disallow files and directories ending on space or dot
  • If a user gets disabled, corresponding sessions are now kicked
  • Let's Encrypt certificates are now only renewed if in use.
  • The UI now lets you edit users info even if they're disabled.
  • Fixed support for UNC pathnames on Windows
  • Fixed a few regressions
  • Autoban now shares state across login sessions, which makes it work as intended.
  • The UI now clearly shows in the log whenever it has connected with the FileZilla FTP server.

1.1.0 (2021-10-29)

Fixed vulnerabilities:

  • MSW: Fixed directory traversal vulnerability, all users of 1.x must update

Bugfixes and minor changes:

  • MSW: Fixed installer getting stuck if not installing all components
  • MSW: Installer enables minidump for executables
  • Fixed CIDR parsing
  • Fixed potential crash if a transfer gets aborted

1.1.0-beta1 (2021-10-19)

New features:

  • User impersonation: FileZilla Server can now optionally let users log in using the credentials of system accounts and use their filesystem permissions
  • Added description field to users and groups
  • Added enable checkbox to users
  • Status bar in administration UI now shows connection status

Bugfixes and minor changes:

  • Logging fixes
  • Fixes to auto-ban logic
  • Fixed crash if changing users during ongoing directory listings

1.0.1 (2021-09-20)

New features:

  • Log messages in the administration interface are now colored using the same scheme as FileZilla client's and automatically scroll down unless the user decides otherwise.

Bugfixes and minor changes:

  • The Windows installer no longer disrupts logging settings from previous installations
  • Fixed a bug that would cause failed transfers in certain conditions
  • Fixed display of vowels with umlauts and other non-ASCII characters in the groups selection for users in the administration interface
  • Fixed assorted crashes
  • Fixed possible race conditions

1.0.0 (2021-09-14)

New features:

  • Support for Let's Encrypt and other certificate providers using ACME
  • Improved display of log messages in the administration interface

Bugfixes and minor changes:

  • Changed session ticket/PSK generation when using TLS 1.3, new tickets are now only sent on the control connection
  • Changes to settings such as passive mode ports now affect connected sessions
  • Deleting a user now affects connected sessions logged in as that user
  • Fixed assorted crashes

1.0.0-rc5 (2021-07-28)

Bugfixes and minor changes:

  • Fixed passive mode port settings
  • Minimum allowed TLS version is now 1.2, added configuration option to restrict it further to 1.3
  • Fixed progress display during uploads to the server

1.0.0-rc4 (2021-07-19)

New features:

  • Admin UI: Added checkbox to connect dialog to automatically connect at start
  • Admin UI: Added menu item to start interface minimized
  • Fixed data from a failed download being prepended to a subsequent download

Bugfixes and minor changes:

  • Admin UI: Display additional certificate information such as SANs and subject DN.
  • Admin UI: Simplified selection of log levels
  • Onboarding: After first installing the server, it listens on port 21 by default

1.0.0-rc3 (2021-07-12)

Bugfixes and minor changes:

  • Changed permissions of created settings and log files and directories, they now also grant Windows' built-in Administrators group full access. Does not change existing files from previous versions.

1.0.0-rc2 (2021-07-05)

Bugfixes and minor changes:

  • Fixed a crash in the converter for old configurations

0.9.60.2 (2017-02-08)

Bugfixes and minor changes:

  • Signed binaries, no functional changes over 0.60.0

0.9.60 (2017-02-06)

Bugfixes and minor changes:

  • TLS certificates generated by FileZilla Server now use a random serial number
  • Global speed limits now fluctuate less, unused quota during each timeslice is now carried over instead of discarded
  • Shared directories for groups with the auto-create flag are now created before the user's home directory is accessed
  • Updated OpenSSL to 1.0.2k
  • Building FileZilla Server now requires libfilezilla 0.9.0 or greater

0.9.59 (2016-09-22)

Bugfixes and minor changes:

  • Updated OpenSSL to 1.0.2i due to several security vulnerabilities in OpenSSL
  • Fixed getting list of connected users when connecting with the admin interface
  • Fixed crash if the administration connection is closed while an administrative command is being processed

0.9.58 (2016-08-11)

New features:

  • TCP send buffer auto-tuning
  • Performance improvements to reduce CPU usage under high load
  • Disabled IDEA and SEED ciphers for FTP over TLS

Bugfixes and minor changes:

  • Fixed potential crash if closing connections with pending socket messages
  • A missing home directory is no longer treated like an empty directory

0.9.57 (2016-05-03)

New features:

  • Rearranged "Connect to Server" dialog and added some helpful labels

Bugfixes and minor changes:

  • Updated OpenSSL to 1.0.2h
  • FileZilla Server no longer fails to read or write its settings if installed in a directory containing characters not expressible in the system's default multibyte character set.

0.9.56.1 (2016-03-16)

Fixed vulnerabilities:

  • Updated installer to NSIS 3.0b3 to prevent DLL hijacking

0.9.56 (2016-03-01)

Bugfixes and minor changes:

  • Improve compatibility with broken clients that always try anonymous logins even if the user has explicitly specified a username.
  • Updated OpenSSL to 1.0.2g

0.9.55 (2016-01-28)

New features:

  • The maximum number of reconnect attempts for the administration interface can be configured in its settings file

Bugfixes and minor changes:

  • The administration interface no longer starts if it cannot load the TLS libraries
  • Small fixes to the Copy user functionality
  • Updated OpenSSL to 1.0.2f

0.9.54 (2015-11-30)

New features:

  • Newly set account passwords are now stored in form of salted SHA512 hashes
  • The undocumented 8+3 filename feature has been removed

Bugfixes and minor changes:

  • Waiting for transfers to finish when taking the server offline now correctly closes the sockets
  • Clarified a few error messages related to FTP over TLS
  • Updated OpenSSL to 1.0.2d

0.9.53 (2015-06-12)

Bugfixes and minor changes:

  • Updated OpenSSL to 1.0.2b due to several security vulnerabilities in OpenSSL

0.9.52.1 (2015-06-01)

New features:

  • Add support for TLS ciphers using DHE and ECDHE to allow perfect forward secrecy
  • In the settings file, "Minimum TLS version" can be used to further increase the minimum required TLS version a client needs to speak in order to connect

Bugfixes and minor changes:

  • Allow 0.0.0.0/0 CIDR notation in IP filters.

0.9.51 (2015-05-06)

Fixed vulnerabilities:

  • The code that checks that the peer's data connection IP address matches the control connection IP had been nonfunctional. Vulnerability discovered and reported by Amit Klein.
  • Added option to force TLS session resumption on the data connection to prevent data connection stealing
  • FileZilla Server now randomizes the port used for passive mode transfers to mitigate data connection stealing when using plain FTP

New features:

  • Added diagnostic message to the administration interface if FTP over TLS is disabled and if the configured certificate is expired or otherwise invalid
  • Added diagnostic message to the administration interface if no passive mode IP has been configured and the server appears to be behind a NAT router
  • The settings dialog layout had a spring cleaning. The security settings, passive mode settings and TLS settings pages have received the most cleanup.

0.9.50 (2015-03-19)

Bugfixes and minor changes:

  • Updated to OpenSSL 1.0.2a due to several security vulnerabilities in OpenSSL
  • Fixed default network buffer size to match its description
  • Fixed silent uninstallation

0.9.49 (2015-01-09)

Bugfixes and minor changes:

  • Updated OpenSSL library due to several security vulnerabilities in OpenSSL
  • Fixed crash if updating permissions under load
  • Changing admin interface IP bindings did not recreate the listening socket on ::1
  • Fix display of welcome message and FEAT reply in log

0.9.48 (2014-10-30)

New features:

  • Allow use of the OPTS command prior to login
  • EPSV and EPRT support are now advertised in the response to the FEAT command
  • Minidumps are now automatically written in the installation directory in the unfortunate case of a server crash

Bugfixes and minor changes:

  • Updated OpenSSL libraries and fixed memory leaks when unloading OpenSSL

0.9.47 (2014-09-19)

New features:

  • Self-signed certificates created with FileZilla Server are now signed using SHA-256
  • Interface settings (as opposed to server settings) are now stored in %APPDATA%/FileZilla Server
  • Increased maximum IP filter size for users and groups by 50%
  • The administration protocol now allows up to 16 million users and groups

Bugfixes and minor changes:

  • Fix sporadic crashes when using FTP over TLS
  • Fix timestamps in LIST output being off up to 7 minutes in extreme cases
  • Speed up querying file attributes
  • Autoban did not work over IPv6
  • Fixed selection in user list sort dropdown behind the corresponding toolbar button

0.9.46 (2014-08-03)

New features:

  • FTP over TLS: Disallow insecure and weak cipher suites. Algorithms no longer supported include 3DES, RC4, MD5
  • Small performance improvements

Bugfixes and minor changes:

  • Fix stalling or improperly terminated connections when using FTP over TLS
  • Fix crash with enabled speed limits

0.9.45 (2014-06-07)

Fixed vulnerabilities:

  • Security fix: Update to OpenSSL 1.0.1h to address CVE-2014-0224

New features:

  • Clarified wording and offer additional help when setting up aliases

Bugfixes and minor changes:

  • Through the RMD command it was possible to delete aliases

0.9.44 (2014-04-08)

Fixed vulnerabilities:

  • Update to OpenSSL 1.0.1g to address CVE-2014-0160

New features:

  • Improve alias description and guide user towards alias creation if multiple unrelated directories are being shared. Support for the old non-virtual alias configuration has been removed.
  • Display additional information if a certificate or key file cannot be loaded

0.9.43 (2014-01-02)

Fixed vulnerabilities:

  • Security fix: Disallow renaming and deleting of aliases through FTP commands

New features:

  • Removed outdated and untested Kerberos GSSAPI support
  • Removed support for the nonstandard OPTS UTF8 OFF command which is not part of the FTP specifications
  • Added TLS 1.2 support
  • Minimum RSA key size for generated certificates is now 1280 bit
  • Build system: Modernized and cleaned up workspace files for Visual Studio 2013
  • Build system: Removed all non-Unicode configurations

Bugfixes and minor changes:

  • Fix handling of leading/trailing whitespace in filenames
  • Fix display of file name at the end of a transfer
  • The 8+3 account setting is now stored in the correct XML element
  • Increase number of tries searching for a free port after the PASV/EPSV command
  • Fix text clipping on the miscellaneous page in the settings dialog
  • Fixed memory leaks when changing settings
  • The numbers to the PORT command are now always treated as decimal numbers as per the FTP specifications even if they have leading zeroes

0.9.42 (2013-12-16)

New features:

  • Last version ever to support Windows XP
  • More verbose replies to the transfer commands

Bugfixes and minor changes:

  • Fix an endless loop if a client closes a connection using the QUIT command while a speed limit was in effect on a low-latency connection
  • Fixed a rare memory leak
  • Correct handling of 0.0.0.0/0 in IP address filters
  • Use UTF8 in the distinguished names of created certificates

0.9.41 (2012-02-26)

Bugfixes and minor changes:

  • Fix parsing of IP address filters ending with :0 or equivalent substrings.
  • Allow speed limits larger than 64 MiB/s.
  • Show more verbose error messages if transfer connection cannot be established.

0.9.40 (2011-10-23)

Bugfixes and minor changes:

  • The service no longer crashes if connecting with the administration interface when there are clients connected over IPv6
  • Close the connection if there is additional data in the input buffers when processing the AUTH command.
  • Display correct connection state item in administration interface when getting initial list of connected clients

0.9.39 (2011-06-07)

Bugfixes and minor changes:

  • Do not attempt to display a message box if creating an administration interface binding fails. This freezes the service on some machines.
  • On FTP over TLS connections, the socket address family was not initialized from the underlying socket
  • Fix a bug in IPv4 address filters and increase their performance

0.9.38 (2011-06-05)

New features:

  • IPv6 support
  • Range, wildcard, regular expression and dot-decimal notation subnet IP address filters have been removed. These filter rules need to be recreated using CIDR notation.

Bugfixes and minor changes:

  • Upon /reload-config, notify all running instances, not just the first found.
  • Report correct physical path of aliases in administration interface
  • Fix reply code on permanent bans, not of 5yz type
  • Increased default size of socket buffers
  • Fix a crash when entering invalid IP filters
  • Fixed a crash when a connection closes
  • Updated to most recent OpenSSL version

0.9.37 (2010-10-17)

Bugfixes and minor changes:

  • Advertise support for PBSZ and PROT in FEAT reply
  • Allow PROT after PORT/PASV/EPRT/EPSV but before transfer command
  • Use correct replies for RNTO, EPRT and MKD command
  • Reply with correct error code in response to transfer commands if PROT P is required but not set
  • Fix display of non-ASCII characters in log
  • Ignore read-only attribute on DELE

0.9.36 (2010-07-19)

Bugfixes and minor changes:

  • Fix welcome message

0.9.35 (2010-07-04)

New features:

  • Administration interface is now Unicode enabled.

Bugfixes and minor changes:

  • Fix saving of speed-limit rules

0.9.34 (2009-12-31)

New features:

  • Show address of server in title bar of administration interface (patch submitted by eyebex)

Bugfixes and minor changes:

  • Disable some weak TLS/SSL ciphers such as DES-CBC-SHA which shouldn't be used anymore
  • Work around some obscure error reported by OpenSSL, fixes spurious transfer failures
  • Use case-insensitive comparison instead of always converting to lowercase in permissions handling. Fixes problems with sharing case-sensitive network resources.
  • Settings with empty data were not loaded from settings file correctly and reverted back to default values (patch submitted by eyebex)
  • Improve performance of (re-)loading settings

0.9.33 (2009-09-06)

New features:

  • Add /servicename and /servicedisplayname options to change the (display) name of the server service.

Bugfixes and minor changes:

  • Fix potential double-delete in admin connection code, could be used for remote denial of service if using remote administration (not enabled by default).
  • Increase minimum value for maximum allowed login attempts before autoban to 10.

0.9.32 (2009-06-21)

New features:

  • Use thousands separator in output of large numbers.

Bugfixes and minor changes:

  • Disallow weak SSLv2.
  • Slightly reword FTP over TLS/SSL settings page
  • Adjust width of user and group lists on permissions dialogs.

0.9.31 (2009-03-03)

Bugfixes and minor changes:

  • Fix buffer overflow in SSL code leading to a potential security vulnerability

0.9.30 (2009-01-30)

Bugfixes and minor changes:

  • Fix a rare case in which SSL shutdown notifications were created but not actually sent.

0.9.29 (2008-11-10)

Bugfixes and minor changes:

  • Executable path did not get quoted properly in service creation leading to a local privilege escalation vulnerability.

0.9.28 (2008-11-03)

Bugfixes and minor changes:

  • Directly reject PROT C if PROT P is required instead of complaining after a transfer command
  • Fix race in transfer connection initialization leading to timeouts
  • No-transfer timeouts could not be disabled in 0.9.27
  • Server startup options in installer had no effect

0.9.27 (2008-07-30)

Bugfixes and minor changes:

  • An orderly SSL/TLS shutdown was not performed in all cases
  • Disallow no-transfer timeouts smaller than 600 seconds

0.9.26 (2008-07-13)

Bugfixes and minor changes:

  • Downloading empty files over TLS connections no longer closes the connection prematurely
  • Updated to latest OpenSSL version