Version history
This page lists the version history of FileZilla Server releases. Have a look at the changelog for a detailed list of all changes committed to the source code repository.
1.9.4 (2024-11-11)
Bugfixes and minor changes:
- Fixed a regression causing the setting 'do not require authentication' to get lost when restarting the server. Note: To see the effect of this fix, administrators must manually reapply the 'do not require authentication' setting for affected users. After this adjustment, the setting will persist as expected.
- MSW: Added NETWORK_SERVICE as an allowed user for the config dir ownership.
1.9.3 (2024-10-17)
Bugfixes and minor changes:
- Fixed a regression causing the automatic renewal of the Let's Encrypt® certificates to not work properly.
- UI: fixed regression causing the Administration Interface port of the last successful connection to not be properly restored.
- UI: fixed a bug where the TLS key appeared to be lost in the interface if certificate generation failed, even though the key was still retained on the server.
1.9.2 (2024-09-30)
Bugfixes and minor changes:
- Fixed an issue with the update mechanism
1.9.1 (2024-09-09)
Bugfixes and minor changes:
- Fixed a regression introduced in 1.9.0: the "public IP or hostname" field on the passive mode page was not restored when opening the settings dialog
1.9.0 (2024-09-06)
Fixed vulnerabilities:
- MSW: Warn if installing the server outside of Program Files due to custom directories having too lax permissions
Bugfixes and minor changes:
- Fixed a race condition resulting in stalled connections
- *nix: Fixed a potential crash if SIGINT is sent to the server while it is shutting down
- Fixes to the update check mechanism
- Fixed a regression in the converter for old 0.9.x configurations dealing with placeholders in native paths
1.9.0-rc1 (2024-08-08)
New features:
- Private keys used for TLS can now be stored on a PKCS#11-compatible token device; the UI has been updated accordingly.
- UI: added button to retrieve the current FileZilla Server's public IP address, useful to configure the PASV mode.
- UI: added an FTP connection test, that can be reached directly from the Server menu item or executed at the end of the FTP Network Configuration Wizard.
- Made default values more secure, among which: require TLS on new FTP listeners, require a password for new users and warn if the administration password doesn't meet more stringent security requirements.
- Fixed bug causing the most recent log file, rather than the oldest, to be deleted upon rotation, when using dates as suffixes.
- MSW: fixed regression causing socket listener conflicts due to recent libfilezilla changes.
- Added WebUI: an HTTP server providing a REST API and a web app for seamless web access to stored files. WebUI is not included in the default build and must be enabled with the --enable-webui parameter during compilation. This feature is experimental; feedback and bug reports are welcome.
Bugfixes and minor changes:
- UI: the certificate fingerprint verification dialog is now sized to display the full fingerprint at once.
- UI: fixed bug causing the focus to be lost during user editing.
- UI: fixed bug causing the tray icon to display unexpectedly in certain cases.
- UI: improved error handling in case of server disconnection.
- UI: improved handling of Settings window size on ultra wide screens.
- FTP: the MKD command now returns an error if the directory already exists.
- FTP: Improved login timeout handling to exclude internal server processing time.
- Fixed heap corruption in the Administrator Interface.
- Fixed regression in the path handling routines.
1.8.2 (2024-04-26)
Fixed vulnerabilities:
- FileZilla Server now requires that the configuration directory is owned either by the operating system user account the server runs under, or by a more privileged user (SYSTEM, Administrators, TrustedInstaller on Windows, root elsewhere)
- MSW: Mount points are now case-insensitive so that restrictions on sub mounts cannot be bypassed by a change of character case
Bugfixes and minor changes:
- Fixed a potential deadlock during transfers
- FTP: Fixed potential crash if the session gets closed
1.8.1 (2024-01-25)
New features:
- Limits to the number of active sessions defined for the groups now apply to the group as a whole, not just to the individual users belonging to those groups.
- Fixed bug that led to timeouts not being set at startup, but only when changing the configuration.
Bugfixes and minor changes:
- FTP Server: NLST would report file names with a leading ./ path in certain cases, which confused some clients. Fixed.
- UI: Fixed bug that caused the Administration Interface to misinterpret native paths in the mount lists when the server was running on a machine with different path semantics than the machine running the Administration Interface.
- UI: fixed regression that led to some message dialogs not being displayed.
- Fixed regression that caused disabled mount points with empty native paths to be discarded.
- Fixed conversion to UTF-8 of virtual paths, which was misinterpreting some native encodings.
- In case of login failure, the login timeout resumes counting down for the remaining time.
1.8.0 (2023-12-11)
Bugfixes and minor changes:
- The autoban feature no longer bans clients with correct credentials that cannot log in due to exceeded connection limits
- Report correct timestamps of mount points in directory listings
- Fixed regression introduced in 1.8.0 resulting in "Do not require authentication" not working
1.8.0-rc2 (2023-11-16)
Fixed vulnerabilities:
- Fixed regression related to path handling
- Fixed off-by-one buffer overflow in handling of IPv6 addresses.
New features:
- Admin UI: sessions IPs and user names can now be independently copied into the clipboard.
- Added option to disable the automatic renewal of Let's Encrypt certificates.
Bugfixes and minor changes:
- Fixed bug in the updater that caused it to report new beta releases even if explicitly told not to.
- User-provided certificates are now tested before being applied, so that the server always stays in a functioning state
- Fixed potential issues in the impersonator process
1.7.3 (2023-09-11)
Fixed vulnerabilities:
- Fixed a security vulnerability introduced in 1.7.0-rc1, update urgently recommended.
1.7.2 (2023-06-07)
Bugfixes and minor changes:
- Fixed handling of the "processing" order status when creating Let's Encrypt certificates
- Fixed an issue with sessions getting kicked if settings were applied
1.7.1 (2023-05-26)
Bugfixes and minor changes:
- UI: Fixed session list rendering issues on Windows
- Banning an IP now also automatically kicks sessions with that IP
1.7.0 (2023-05-10)
Bugfixes and minor changes:
- Additional updater improvements
- Validate passive mode port ranges; it is now an error if the range overlaps any of the regular listeners
1.7.0-rc2 (2023-04-28)
Bugfixes and minor changes:
- Small updater improvements
- Print error message in log if hostname lookup fails while preparing data connection for passive mode
- Fixes for login request throttler
1.7.0-rc1 (2023-04-24)
New features:
- Implemented automatic checking of the availability of new releases, configurable via Configuration dialog in the Administration Interface.
Bugfixes and minor changes:
- The log file now contains the flavour and version number at the top
- UI: the listeners are now easier to edit and navigate through.
1.6.7 (2023-02-20)
Bugfixes and minor changes:
- Fixed logging level in the Administration Interface settings dialog initially always showing Debug
- Fixed a crash due to missing synchronization when adding authentication workers
- Updated to GnuTLS 3.8.0
1.6.6 (2023-02-01)
Bugfixes and minor changes:
- Fixed crash if throttled authentications were cancelled
1.6.5 (2023-01-22)
Bugfixes and minor changes:
- Fixed a regression with the RNFR command
1.6.4 (2023-01-18)
Bugfixes and minor changes:
- Fixed a deadlock if sessions destroyed during ongoing authentication
- Fixed issues with the ABOR command
- Fixed a crash in the converter for old 0.9.x configurations
1.6.1 (2022-12-07)
Bugfixes and minor changes:
- MSW: Fixed an installation issue due to a service handle not being closed
1.6.0 (2022-12-06)
New features:
- UI: it is now possible to upload TLS certificates to the server directly from the UI, using a specific selector in the Security page of the protocols configuration.
- UI: the maximum number of characters in all text controls has been limited to a sensible number, so as to avoid potential crashes or stalls in corner cases.
Bugfixes and minor changes:
- Fixed potential issues with locking of mutexes in the administration protocol
- MSW: the installer now works properly also if the uninstaller from a previous installation has been deleted.
- Fixed an issue in the networking code when dealing with TLS close_notify alerts.
1.6.0-rc1 (2022-11-28)
New features:
- MSW: the installer now offers to keep the existing service configuration of a previously installed FileZilla Server whose release must be above or equal to 1.6.0.
- UI: the main window position and size is now remembered across different runs.
- UI: the server configuration can now be exported to a file and imported into another server. It is possible to select the specific parts of the configuration that are to be exported or imported.
- UI: double-clicking on an item in the session list will pop up a dialog with security information about the session. The functionality can also be accessed via the context menu.
- UI: file dialogs now remember the last used folder
Bugfixes and minor changes:
- UI: users' group names are now sorted, with the active ones up in the list
- UI: Clearly show when a session transfer is stalled
- UI: it is now possible to cut/copy/paste numbers in the specific controls.
- UI: Fixed various inconsistencies in the state of the interface
- UI: it is no longer possible to have the administration listeners conflict with the file transfer protocols servers listeners. In case of pre-existing conflicts in the configuration file, the administration listeners take precedence, so that it is still possible to change the FileZilla Server's configuration.
- UI: in some corner cases concurrently opening dialogs could cause instabilities. These dialogs are now queued up and opened sequentially.
- *nix: fixed dependencies in the Debian installer
- *nix: fixed installation directory of the icons
- Fixed a crash on network errors while renewing Let's Encrypt certificates
- MSW: Communication with the impersonator child process no longer stalls or fails under heavy load
- User-specific impersonation is now working again
1.5.1 (2022-07-29)
Bugfixes and minor changes:
- Fixed a crash if a session is closed and the data connection receives a connection error at the same time
- MSW: The notification area icon now displays again in all display scale factors
- Admin UI: Fixed switching from "Use system credentials to log in" to "Require a password to log in" not applying
1.5.0 (2022-07-20)
Bugfixes and minor changes:
- Admin UI: Connection dialog did not remember the last used port if there are multiple saved entries for the same hostname with different ports
1.5.0-rc1 (2022-07-12)
New features:
- Server: Implemented throttling of login attempts in case of too many failed attempts.
- Server: The version number in the welcome message can now be manually suppressed by setting the "has_version" attribute of the message field in the configuration file to "false".
- MSW: If the service is running under the SYSTEM account, configuration files are now placed under %PROGRAMDATA%\filezilla-server. This is to work around the issue that when doing a Windows Update the settings could be wiped out. Settings still residing under %LOCALAPPDATA%\filezilla-server are automatically migrated.
- Communication with the impersonator child process is now asynchronous
- Admin UI: The password fields in the configuration dialog now show a hint to inform the user about how to keep the existing password
Bugfixes and minor changes:
- Admin UI: Fixed a crash in listener editor
- Admin UI (macOS): Implemented workarounds for some wxWidgets glitches and malfunctions.
- Admin UI: The system_user's name cannot be edited anymore (rightly so)
- Configuration data that cannot be serialized now prevents an incomplete output file from being written to disk
- Sudden deaths of the impersonator process no longer cause unintended behavior
- Fixed server crashes due to unexpected socket events in some corner cases
- MSW: Due to a toolchain issue, programs making use of thread-local variables would crash on exit. Implemented a workaround, until it gets addressed by future MinGW toolchains
- The number of possible worker threads has been reduced to a maximum of 256
- FTP Server: The NLST command now reports paths compliant with RFC 1123
- When using the command line parameter --config-version-check ignore, the expected version is now written to the settings files if a mismatch is detected
- *nix: Logo icons are no longer embedded in the executables, they are instead installed to the proper system paths
- *nix: Added a filezilla-server-gui.desktop file, so that the Admin UI can easily be opened by desktop environments
- Maximum number of log file rotations has been reduced to a more sensible amount and the rotation algorithm has been changed to be more efficient
1.4.1 (2022-05-06)
Bugfixes and minor changes:
- Admin UI: Fixed a crash on the listener page
- Admin UI: Improved workflow for changing user passwords
- MSW: Fixed an issue with the converter for configurations from FileZilla Server 0.9.x
1.4.0 (2022-04-29)
Bugfixes and minor changes:
- Debian: by default the service is now configured to exclude headers from log lines, since journald outputs its own headers already.
- Mac: fixed regression that made the installed service not startable
- Admin UI: changed wording in the logging settings
- Admin UI: made default connection values correct, in case the settings file is missing.
- MSW: fixed various bugs in the ExecDos plugin that could cause the admin password not to be set properly.
- MSW: non-ASCII admin passwords can now be properly used.
- MSW: fixed a bug in libfilezilla that caused an unexpected failure when creating directories with restricted access. It had effects on the ACME account creation.
1.4.0-rc1 (2022-04-20)
Fixed vulnerabilities:
- MSW: the installer doesn't rely on the PATH environment variable to find the tools it needs, but refers to them by absolute path, to avoid hijacking.
New features:
- The size of the TCP buffer sizes on the sockets used for data transfers can now be specified
- Configuration files are now tagged with a "flavour" and a version number. The Server will refuse to load configuration files with a different flavour than its own or with a version higher than its own. The server's option --config-version-check can be used to control this functionality: if specified, the server checks the versioning, performs the required action and then exits, unless its action is 'ignore'. If the action is 'error', it just checks whether the versions are ok. If the action is 'backup', then a backup of the files is made if the versions are not ok. The parameter --config-version-check-result-file is used to specify a file in which the result of the version check is written. If the file contains 'ok', then everything went fine. If the file contains 'error', then there was an error. If the file contains 'backup', then a backup was made. The installer makes use of this functionality.
- Admin UI: the selected log entries can now be copied to the clipboard, in CSV, HTML and plaintext formats through the context menu
- Admin UI: the settings dialog layout has been changed to accommodate future settings for other protocols, factoring out the settings that are common to all protocols.
- Admin UI: adjusted borders and spacing to look better on HiDPI displays.
- Admin UI: preserve the fingerprints of the previously connected servers. The connection dialog gives hints when inputting the host and port.
- Log files can optionally be rotated daily instead of by size
- Added option to specify a default user to impersonate if a user logs in with an account that does not use impersonation
Bugfixes and minor changes:
- MSW: The installer now detects and rejects 32bit Windows
- MSW, Admin UI: No more double error message when a validation error occurs
- Admin UI: Solved a crash and fixed other bugs related to minimizing the main window to the notification area
- Server: --write-config option now also updates the users and groups configuration files
- Server: the log contains more detailed info about which configuration files have been saved
- Admin UI: the controller used for editing numbers now correctly accepts negative integers
- The network config wizard's text has been updated to be more explanatory and intuitive
- Self signed certificates don't require a 2nd level domain anymore
- Admin UI: the system user is now always at the top
- Admin UI: more meaningful message if the password is empty
- Admin UI: message dialogs now always have a reference to the top window
- FTP: QUIT needs to respond with 221, not 200
- Bug fixes to the internal HTTP library
- MSW: the installer now correctly displays the progress bar in all cases
- Fixed a confusing error message in some situations if trying to list non-existing directories
1.3.0 (2022-02-14)
New features:
- Configuration wizard to setup passive mode
- Linux: Warn if sysctl knob kernel.yama.ptrace_scope is 0
- Linux: Refuse to run if sysctl knob fs.protected_hardlinks is 0
Bugfixes and minor changes:
- Admin UI: Rejecting a certificate fingerprint prompt no longer triggers automatic reconnects
1.3.0-rc1 (2022-02-03)
Fixed vulnerabilities:
- The internal tool filezilla-server-crypt now accepts the password from stdin instead of as a parameter, to avoid leaking the password.
- Mountpoints are now impossible to rename or delete.
New features:
- The configuration files can now be reloaded without shutting down the service first. To make it work, send the SIGHUP signal to the service process on *nix, or send the paramchange control message to the service on Windows (i.e. 'sc control filezilla-server paramchange').
- The UI now automatically attempts to reconnect to the server if the connection is lost
- MSW: users are now case-insensitive
- Mac: created an installer
- Display the administration TLS certificate fingerprints at installation time, so that they can be taken note of.
- Negotiate custom ALPN with FileZilla Client, this allows saving a few round-trips during connection establishment
Bugfixes and minor changes:
- Warn if no administration password has been given during installation.
- In TVFS, fixed implicit root "/" not being accessible, trac #12617.
- In TVFS, an implicit mountpoint whose parent is non-recursive is now able to be listed and cwd'd into.
- Solved off-by-one bug in path normalization.
- Reported filesystem errors are permanent, hence use 5yz error codes rather than 4yz error codes in command replies.
- Permissions are now correctly updated in the UI when the current selected user changes.
- Fixed regressions in the UI related to the TLS certificates generation.
- MSW: the installer now correctly supports the /D parameter, used to define a different default installation directory from the command line.
- Debian: the installer now asks for an administration password.
- Errors during ACME certificates generation are now properly displayed in the UI.
1.2.0 (2021-12-25)
Bugfixes and minor changes:
- Small usability changes to setting up Let's Encrypt certificates
1.2.0-rc1 (2021-12-17)
New features:
- Created Debian and macOS packages
- Introduced more fine-grained access controls for the mountpoints
Bugfixes and minor changes:
- MSW: Disallow files and directories ending on space or dot
- If a user gets disabled, corresponding sessions are now kicked
- Let's Encrypt certificates are now only renewed if in use.
- The UI now lets you edit users info even if they're disabled.
- Fixed support for UNC pathnames on Windows
- Fixed a few regressions
- Autoban now shares state across login sessions, which makes it work as intended.
- The UI now clearly shows in the log whenever it has connected with the FileZilla FTP server.
1.1.0 (2021-10-29)
Fixed vulnerabilities:
- MSW: Fixed directory traversal vulnerability, all users of 1.x must update
Bugfixes and minor changes:
- MSW: Fixed installer getting stuck if not installing all components
- MSW: Installer enables minidump for executables
- Fixed CIDR parsing
- Fixed potential crash if a transfer gets aborted
1.1.0-beta1 (2021-10-19)
New features:
- User impersonation, FileZilla Server can now optionally let users log in using the credentials of system accounts and use their filesystem permissions
- Added description field to users and groups
- Added enable checkbox to users
- Status bar in administration UI now shows connection status
Bugfixes and minor changes:
- Logging fixes
- Fixes to auto-ban logic
- Fixed crash if changing users during ongoing directory listings
1.0.1 (2021-09-20)
New features:
- Log messages in the administration interface are now colored using the same scheme as FileZilla client's and automatically scroll down unless the user decides otherwise.
Bugfixes and minor changes:
- The Windows installer no longer disrupts logging settings from previous installations
- Fixed a bug that would cause failed transfers in certain conditions
- Fixed display of vowels with umlauts and other non-ASCII characters in the groups selection for users in the administration interface
- Fixed assorted crashes
- Fixed possible race conditions
1.0.0 (2021-09-14)
New features:
- Support for Let's Encrypt and other certificate providers using ACME
- Improved display of log messages in the administration interface
Bugfixes and minor changes:
- Changed session ticket/PSK generation when using TLS 1.3, new tickets are now only sent on the control connection
- Changes to settings such as passive mode ports now affect connected sessions
- Deleting a user now affects connected sessions logged in as that user
- Fixed assorted crashes
1.0.0-rc5 (2021-07-28)
Bugfixes and minor changes:
- Fixed passive mode port settings
- Minimum allowed TLS version is now 1.2, added configuration option to restrict it further to 1.3
- Fixed progress display during uploads to the server
1.0.0-rc4 (2021-07-19)
New features:
- Admin UI: Added checkbox to connect dialog to automatically connect at start
- Admin UI: Added menu item to start interface minimized
- Fixed data from a failed download being prepended to a subsequent download
Bugfixes and minor changes:
- Admin UI: Display additional certificate information such as SANs and subject DN.
- Admin UI: Simplified selection of log levels
- Onboarding: After first installing the server, it listens on port 21 by default
1.0.0-rc3 (2021-07-12)
Bugfixes and minor changes:
- Changed permissions of created settings and log files and directories, they now also grant Windows' built-in Administrators group full access. Does not change existing files from previous versions.
1.0.0-rc2 (2021-07-05)
Bugfixes and minor changes:
- Fixed a crash in the converter for old configurations
0.9.60.2 (2017-02-08)
Bugfixes and minor changes:
- Signed binaries, no functional changes over 0.60.0
0.9.60 (2017-02-06)
Bugfixes and minor changes:
- TLS certificates generated by FileZilla Server now use a random serial number
- Global speed limits now fluctuate less, unused quota during each timeslice is now carried over instead of discarded
- Shared directories for groups with the auto-create flag are now created before the user's home directory is accessed
- Updated OpenSSL to 1.0.2k
- Building FileZilla Server now requires libfilezilla 0.9.0 or greater
0.9.59 (2016-09-22)
Bugfixes and minor changes:
- Updated OpenSSL to 1.0.2i due to several security vulnerabilities in OpenSSL
- Fixed getting list of connected users when connecting with the admin interface
- Fixed crash if the administration connection is closed while an administrative command is being processed
0.9.58 (2016-08-11)
New features:
- TCP send buffer auto-tuning
- Performance improvements to reduce CPU usage under high load
- Disabled IDEA and SEED ciphers for FTP over TLS
Bugfixes and minor changes:
- Fixed potential crash if closing connections with pending socket messages
- A missing home directory is no longer treated like an empty directory
0.9.57 (2016-05-03)
New features:
- Rearranged "Connect to Server" dialog and added some helpful labels
Bugfixes and minor changes:
- Updated OpenSSL to 1.0.2h
- FileZilla Server no longer fails to read or write its settings if installed in a directory containing characters not expressible in the system's default multibyte character set.
0.9.56.1 (2016-03-16)
Fixed vulnerabilities:
- Updated installer to NSIS 3.0b3 to prevent DLL hijacking
0.9.56 (2016-03-01)
Bugfixes and minor changes:
- Improve compatibility with broken clients that always try anonymous logins even if the user has explicitly specified a username.
- Updated OpenSSL to 1.0.2g
0.9.55 (2016-01-28)
New features:
- The maximum number of reconnect attempts for the administration interface can be configured in its settings file
Bugfixes and minor changes:
- The administration interface no longer starts if it cannot load the TLS libraries
- Small fixes to the Copy user functionality
- Updated OpenSSL to 1.0.2f
0.9.54 (2015-11-30)
New features:
- Newly set account passwords are now stored in form of salted SHA512 hashes
- The undocumented 8+3 filename feature has been removed
Bugfixes and minor changes:
- Waiting for transfers to finish when taking the server offline now correctly closes the sockets
- Clarified a few error messages related to FTP over TLS
- Updated OpenSSL to 1.0.2d
0.9.53 (2015-06-12)
Bugfixes and minor changes:
- Updated OpenSSL to 1.0.2b due to several security vulnerabilities in OpenSSL
0.9.52.1 (2015-06-01)
New features:
- Add support for TLS ciphers using DHE and ECDHE to allow perfect forward secrecy
- In the settings file, "Minimum TLS version" can be used to further increase the minimum required TLS version a client needs to speak in order to connect
Bugfixes and minor changes:
- Allow 0.0.0.0/0 CIDR notation in IP filters.
0.9.51 (2015-05-06)
Fixed vulnerabilities:
- The code that checks that the peer's data connection IP address matches the control connection IP had been nonfunctional. Vulnerability discovered and reported by Amit Klein.
- Added option to force TLS session resumption on the data connection to prevent data connection stealing
- FileZilla Server now randomizes the port used for passive mode transfers to mitigate data connection stealing when using plain FTP
New features:
- Added diagnostic message to the administration interface if FTP over TLS is disabled and if the configured certificate is expired or otherwise invalid
- Added diagnostic message to the administration interface if no passive mode IP has been configured and the server appears to be behind a NAT router
- The settings dialog layout had a spring cleaning. The security settings, passive mode settings and TLS settings pages have received the most cleanup.
0.9.50 (2015-03-19)
Bugfixes and minor changes:
- Updated to OpenSSL 1.0.2a due to several security vulnerabilities in OpenSSL
- Fixed default network buffer size to match its description
- Fixed silent uninstallation
0.9.49 (2015-01-09)
Bugfixes and minor changes:
- Updated OpenSSL library due to several security vulnerabilities in OpenSSL
- Fixed crash if updating permissions under load
- Changing admin interface IP bindings did not recreate the listening socket on ::1
- Fix display of welcome message and FEAT reply in log
0.9.48 (2014-10-30)
New features:
- Allow use of the OPTS command prior to login
- EPSV and EPRT support are now advertised in the response to the FEAT command
- Minidumps are now automatically written in the installation directory in the unfortunate case of a server crash
Bugfixes and minor changes:
- Updated OpenSSL libraries and fixed memory leaks when unloading OpenSSL
0.9.47 (2014-09-19)
New features:
- Self-signed certificates created with FileZilla Server are now signed using SHA-256
- Interface settings (as opposed to server settings) are now stored in %APPDATA%/FileZilla Server
- Increased maximum IP filter size for users and groups by 50%
- The administration protocol now allows up to 16 million users and groups
Bugfixes and minor changes:
- Fix sporadic crashes when using FTP over TLS
- Fix timestamps in LIST output being off up to 7 minutes in extreme cases
- Speed up querying file attributes
- Autoban did not work over IPv6
- Fixed selection in user list sort dropdown behind the corresponding toolbar button
0.9.46 (2014-08-03)
New features:
- FTP over TLS: Disallow insecure and weak cipher suites. Algorithms no longer supported include 3DES, RC4, MD5
- Small performance improvements
Bugfixes and minor changes:
- Fix stalling or improperly terminated connections when using FTP over TLS
- Fix crash with enabled speed limits
0.9.45 (2014-06-07)
Fixed vulnerabilities:
- Security fix: Update to OpenSSL 1.0.1h to address CVE-2014-0224
New features:
- Clarified wording and offer additional help when setting up aliases
Bugfixes and minor changes:
- Through the RMD command it was possible to delete aliases
0.9.44 (2014-04-08)
Fixed vulnerabilities:
- Update to OpenSSL 1.0.1g to address CVE-2014-0160
New features:
- Improve alias description and guide user towards alias creation if multiple unrelated directories are being shared. Support for the old non-virtual alias configuration has been removed.
- Display additional information if a certificate or key file cannot be loaded
0.9.43 (2014-01-02)
Fixed vulnerabilities:
- Security fix: Disallow renaming and deleting of aliases through FTP commands
New features:
- Removed outdated and untested Kerberos GSSAPI support
- Removed support for the nonstandard OPTS UTF8 OFF command which is not part of the FTP specifications
- Added TLS 1.2 support
- Minimum RSA key size for generated certificates is now 1280 bit
- Build system: Modernized and cleaned up workspace files for Visual Studio 2013
- Build system: Removed all non-Unicode configurations
Bugfixes and minor changes:
- Fix handling of leading/trailing whitespace in filenames
- Fix display of file name at the end of a transfer
- The 8+3 account setting is now stored in the correct XML element
- Increase number of tries searching for a free port after the PASV/EPSV command
- Fix text clipping on the miscellaneous page in the settings dialog
- Fixed memory leaks when changing settings
- The numbers to the PORT command are now always treated as decimal numbers as per the FTP specifications even if they have leading zeroes
0.9.42 (2013-12-16)
New features:
- Last version ever to support Windows XP
- More verbose replies to the transfer commands
Bugfixes and minor changes:
- Fix an endless loop if a client closes a connection using the QUIT command while a speed limit was in effect on a low-latency connection
- Fixed a rare memory leak
- Correct handling of 0.0.0.0/0 in IP address filters
- Use UTF8 in the distinguished names of created certificates
0.9.41 (2012-02-26)
Bugfixes and minor changes:
- Fix parsing of IP address filters ending with :0 or equivalent substrings.
- Allow speed limits larger than 64 MiB/s.
- Show more verbose error messages if transfer connection cannot be established.
0.9.40 (2011-10-23)
Bugfixes and minor changes:
- The service no longer crashes if connecting with the administration interface when there are clients connected over IPv6
- Close the connection if there is additional data in the input buffers when processing the AUTH command.
- Display correct connection state item in administration interface when getting initial list of connected clients
0.9.39 (2011-06-07)
Bugfixes and minor changes:
- Do not attempt to display a message box if creating an administration interface binding fails. This freezes the service on some machines.
- On FTP over TLS connections, the socket address family was not initialized from the underlying socket
- Fix a bug in IPv4 address filters and increase their performance
0.9.38 (2011-06-05)
New features:
- IPv6 support
- Range, wildcard, regular expression and dot-decimal notation subnet IP address filters have been removed. These filter rules need to be recreated using CIDR notation.
Bugfixes and minor changes:
- Upon /reload-config, notify all running instances, not just the first found.
- Report correct physical path of aliases in administration interface
- Fix reply code on permanent bans, not of 5yz type
- Increased default size of socket buffers
- Fix a crash when entering invalid IP filters
- Fixed a crash when a connection closes
- Updated to most recent OpenSSL version
0.9.37 (2010-10-17)
Bugfixes and minor changes:
- Advertise support for PBSZ and PROT in FEAT reply
- Allow PROT after PORT/PASV/EPRT/EPSV but before transfer command
- Use correct replies for RNTO, EPRT and MKD command
- Reply with correct error code in response to transfer commands if PROT P is required but not set
- Fix display of non-ASCII characters in log
- Ignore read-only attribute on DELE
0.9.36 (2010-07-19)
Bugfixes and minor changes:
- Fix welcome message
0.9.35 (2010-07-04)
New features:
- Administration interface is now Unicode enabled.
Bugfixes and minor changes:
- Fix saving of speed-limit rules
0.9.34 (2009-12-31)
New features:
- Show address of server in title bar of administration interface (patch submitted by eyebex)
Bugfixes and minor changes:
- Disable some weak TLS/SSL ciphers such as DES-CBC-SHA which shouldn't be used anymore
- Work around some obscure error reported by OpenSSL, fixes spurious transfer failures
- Use case-insensitive comparison instead of always converting to lowercase in permissions handling. Fixes problems with sharing case-sensitive network resources.
- Settings with empty data were not loaded from settings file correctly and reverted back to default values (patch submitted by eyebex)
- Improve performance of (re-)loading settings
0.9.33 (2009-09-06)
New features:
- Add /servicename and /servicedisplayname options to change the (display) name of the server service.
Bugfixes and minor changes:
- Fix potential double-delete in admin connection code, could be used for remote denial of service if using remote administration (not enabled by default).
- Increase minimum value for maximum allowed login attempts before autoban to 10.
0.9.32 (2009-06-21)
New features:
- Use thousands separator in output of large numbers.
Bugfixes and minor changes:
- Disallow weak SSLv2.
- Slightly reword FTP over TLS/SSL settings page
- Adjust width of user and group lists on permissions dialogs.
0.9.31 (2009-03-03)
Bugfixes and minor changes:
- Fix buffer overflow in SSL code leading to a potential security vulnerability
0.9.30 (2009-01-30)
Bugfixes and minor changes:
- Fix a rare case in which SSL shutdown notifications were created but not actually sent.
0.9.29 (2008-11-10)
Bugfixes and minor changes:
- Executable path did not get quoted properly in service creation leading to a local privilege escalation vulnerability.
0.9.28 (2008-11-03)
Bugfixes and minor changes:
- Directly reject PROT C if PROT P is required instead of complaining after a transfer command
- Fix race in transfer connection initialization leading to timeouts
- No-transfer timeouts could not be disabled in 0.9.27
- Server startup options in installer had no effect
0.9.27 (2008-07-30)
Bugfixes and minor changes:
- An orderly SSL/TLS shutdown was not performed in all cases
- Disallow no-transfer timeouts smaller than 600 seconds
0.9.26 (2008-07-13)
Bugfixes and minor changes:
- Downloading empty files over TLS connections no longer closes the connection prematurely
- Updated to latest OpenSSL version