MessageWay FTP Perimeter Server Maintenance Release

Maintenance Release Name: mwftp-6.1.0-mr08-linux
Release date: January 5, 2021
Prerequisites: MessageWay FTP Perimeter Server 6.1.0 and MessageWay 6.1.0 mr09
Obsoletes Maintenance Releases (formerly called Hotfixes): All previous MessageWay FTP Server 6.1.0 Hotfixes

Files:
This Maintenance Release contains the files listed below.

Files changed in this Maintenance Release mwftp-6.1.0-mr08-linux:
mwftpd | MessageWay FTP Perimeter Server version 6.1.0.17
libcrypto.so.1.0.0 | OpenSSL crypto library
mwftp-6.1.0-mr08-linux_readme.html | This Readme file

Files changed in previous Hotfixes and rolled into this Maintenance Release:
install.sh | FTP Installer
mwftpd.conf.samp | Sample Configuration File

Installing the MessageWay FTP Server Maintenance Release:
1) Download the Maintenance Release install package sent by Progress and unzip.
2) Log on to the perimeter server as "root".
3) Locate the Maintenance Release tarball (mwftp-6.1.0-mr08-linux.tgz) in the Maintenance Release install package (...\servers_mrs\linux\) and copy to the perimeter server.
4) Untar the Maintenance Release tarball:
   tar -xzvf mwftp-6.1.0-mr08-linux.tgz
5) Step 4 will automatically create a new subdirectory named mwftp-6.1.0-mr08-linux.
6) Stop the MessageWay FTP Server.
7) cd to the newly created mwftp-6.1.0-mr08-linux subdirectory.
8) Install the Maintenance Release by running the install script:
   ./install.sh
9) Answer the prompts as they appear.
10) Start the MessageWay FTP Server.

The Maintenance Release is now installed on the server. A backup copy of every replaced object was saved in the /opt/messageway/ftp/backups subdirectory.

To verify that the Maintenance Release installed properly, view the /opt/messageway/ftp/MWFTPInstall.log file. Additionally, this Maintenance Release Readme file is saved in the subdirectory created in step 4 above for future reference.

Regarding any sample config files that may be part of this Maintenance Release, in-use config files should always be compared against newly installed sample config files in order to make any necessary modifications, as well as to incorporate new parameters and updated comments.
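
The comparison described above can be scripted. The following is an added example, not part of the Progress readme or install package; it assumes mwftpd.conf uses Name=Value lines with '#' comments (the readme shows only individual settings such as CipherList=... and AppeInsertCRLF=True), and the function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Progress code. Assumes mwftpd.conf holds Name=Value lines
# and '#' comments; the readme does not show the file syntax.

# Names of the parameters set (uncommented) in config file $1, sorted.
conf_params() {
    sed -n 's/^[[:space:]]*\([A-Za-z][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' "$1" | sort -u
}

# Parameters set in the sample ($1) that the in-use file ($2) never sets.
missing_params() {
    inuse_names=$(mktemp)
    conf_params "$2" > "$inuse_names"
    conf_params "$1" | comm -23 - "$inuse_names"
    rm -f "$inuse_names"
}

# CipherList lines in $1 that lack the !3DES exclusion from Issue 4312.
weak_cipherlists() {
    awk '/^[ \t]*CipherList[ \t]*=/ {
        v = $0; sub(/^[^=]*=/, "", v); gsub(/[ \t\r]/, "", v)
        if (index(":" v ":", ":!3DES:") == 0) print NR ": " $0
    }' "$1"
}

# Report: $1 = newly installed sample, $2 = in-use configuration.
audit_mwftpd_conf() {
    missing_params "$1" "$2" | sed 's/^/Parameter not set in in-use file: /'
    weak_cipherlists "$2" | sed 's/^/3DES not excluded at line /'
}

# Constructed stand-in files so the script runs without a MessageWay install.
write_demo_files() {
    cat > "$1/mwftpd.conf.samp" <<'EOF'
# constructed sample file
CipherList=ALL:!LOW:!EXP:!ADH:!IDEA:!3DES:@STRENGTH
Tls12Only=False
AppeInsertCRLF=False
FilenameSort=False
EOF
    cat > "$1/mwftpd.conf" <<'EOF'
# constructed in-use file
CipherList=ALL:!LOW:!EXP:!ADH:@STRENGTH
FilenameSort=True
EOF
}

if [ "$#" -eq 2 ]; then
    audit_mwftpd_conf "$1" "$2"
else
    demo_dir=$(mktemp -d)
    write_demo_files "$demo_dir"
    audit_mwftpd_conf "$demo_dir/mwftpd.conf.samp" "$demo_dir/mwftpd.conf"
    rm -rf "$demo_dir"
fi
```

The cipher check looks only for the literal !3DES token from the updated sample; a CipherList that excludes 3DES some other way still needs a manual review.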

( January 5, 2021 ) Issues closed in mwftp-6.1.0-mr08-linux

IMPORTANT NOTE about Security Updates for this release:
MessageWay now includes the OpenSSL 1.0.2u and FIPS 2.0.16 releases. They address many vulnerabilities that can be found in the release notes on the OpenSSL.org site.
Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html
Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.16.pdf

MessageWay FTP Perimeter Server - Issue #984 (Program changed: mwftpd - version 6.1.0.17)
Issue 984: APPEND issue with concurrent connections to same file/message causing data to be overwritten or lost.
Changes: This problem has been fixed.

MessageWay FTP Perimeter Server - Issue #950 (Program changed: libcrypto.so.1.0.0)
Issue 950: See Important Note about Security Updates for this release above.

( December 21, 2018 ) Issues closed in mwftp-6.1.0-mr07-linux

IMPORTANT NOTE about Security Updates for this release:
MessageWay now includes the OpenSSL 1.0.2p and FIPS 2.0.16 releases. They address many vulnerabilities that can be found in the release notes on the OpenSSL.org site.
Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html
Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.16.pdf

MessageWay FTP Perimeter Server - Issue #4312, 4359 (Program changed: mwftpd - version 6.1.0.16)
Issue 4312: A PCI scan against MWFTPD Server indicates vulnerability CVE-2016-2183 (Birthday attacks against TLS ciphers with 64-bit block size), also known as Sweet32.
Changes: This problem has been fixed by removing the 3DES cipher from mwftpd.conf.samp. Customers will need to merge this change into their in-use mwftpd.conf file. The updated cipher list is:
CipherList=ALL:!LOW:!EXP:!ADH:!IDEA:!3DES:@STRENGTH
Issue 4359: The FTP "Appe" command does not append correctly if transfer mode is ASCII and the file being appended to does not have CRLF at the end of the last line.
Changes: AppeInsertCRLF has been added to mwftpd.conf.samp. Customers will need to merge this change into their in-use mwftpd.conf file. When AppeInsertCRLF=True, CRLF is inserted at the beginning of the data stream of the file being appended from.

MessageWay FTP Perimeter Server - Issue #4312, 4359 (Program changed: mwftpd.conf.samp)
Issue 4312: A PCI scan against MWFTPD Server indicates vulnerability CVE-2016-2183 (Birthday attacks against TLS ciphers with 64-bit block size), also known as Sweet32.
Changes: This problem has been fixed by removing the 3DES cipher from mwftpd.conf.samp. Customers will need to merge this change into their in-use mwftpd.conf file. The updated cipher list is:
CipherList=ALL:!LOW:!EXP:!ADH:!IDEA:!3DES:@STRENGTH
Issue 4359: The FTP "Appe" command does not append correctly if transfer mode is ASCII and the file being appended to does not have CRLF at the end of the last line.
Changes: AppeInsertCRLF has been added to mwftpd.conf.samp. Customers will need to merge this change into their in-use mwftpd.conf file. When AppeInsertCRLF=True, CRLF is inserted at the beginning of the data stream of the file being appended from.

MessageWay FTP Perimeter Server - Issue #4416 (Program changed: install.sh)
Issue 4416: Enhance the installation script to install systemctl service files for starting, stopping and obtaining status of MessageWay FTP server.
Changes: A systemctl service file named mwftpd.service is now installed in /usr/lib/systemd/system if it does not already exist.

MessageWay FTP Perimeter Server - Issue #4118 (Program changed: libcrypto.so.1.0.0)
Issue 4118: See Important Note about Security Updates for this release above.

( March 31, 2018 ) Issues closed in mwftp-6.1.0-mr06-linux

IMPORTANT NOTE about Security Updates for this release:
MessageWay now includes the OpenSSL 1.0.2n and FIPS 2.0.16 releases. They address many vulnerabilities that can be found in the release notes on the OpenSSL.org site.
Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html
Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.16.pdf

MessageWay FTP Perimeter Server - Issue #4345 (Program changed: mwftpd - version 6.1.0.15)
Issue 4345: MessageWay FTP Server allows creation of directories containing invalid characters, which results in file system corruption.
Changes: The MessageWay FTP Server has been changed to reject an MKD/MKDIR command with error 550 if invalid characters are used.
Invalid characters include ":*?\/\\\"<>|!@&&()`';"

MessageWay FTP Perimeter Server - Issue #4118 (Program changed: libcrypto.so.1.0.0)
Issue 4118: See Important Note about Security Updates for this release above.

( May 26, 2017 ) Issues closed in mwftp-6.1.0-mr05-linux

IMPORTANT NOTE about Security Updates for this release:
MessageWay now includes the OpenSSL 1.0.2j and FIPS 2.0.12 releases. They address many vulnerabilities that can be found in the release notes on the OpenSSL.org site.
Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html
Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.12.pdf

MessageWay FTP Perimeter Server - Issue #4244, 4262, 4271, 4276, 4279, 4288 (Program changed: mwftpd - version 6.1.0.14)
Issue 4244: Allow restriction of TLS protocol to TLS 1.2 only.
Changes: The MessageWay FTP Server has been changed to allow restriction of TLS protocol to TLS 1.2 only. The MessageWay FTP Server configuration file can be modified to include a param 'Tls12Only' which when set to 'True' limits the SSL protocol to TLS 1.2 only. The default is 'False'. Please refer to the new parameter in the sample configuration file mwftpd.conf.samp. Copy and paste the description from the comments section and the parameter into your configuration file, and set the parameter to suit your needs. Don't forget to restart your MWFTPD server to make any changes to your configuration file take effect.
Issue 4262: Force IP Address returned by a PASV response to be used for the data channel connection from the FTP Adapter to the proxy portion of FTP Server.
Changes: FTP Server has been enhanced to support this.
Issue 4271: MessageNameFormat=1 (list by message id) in FTP Server configuration file causes 'mget' to not retrieve any files, even when there are files to retrieve.
Changes: This problem has been fixed.
Issue 4276: Need to improve message download performance in MWFTPD perimeter server when message to download is the result of a distribution list.
Changes: Unnecessary database interactions were removed to service this type of download request.
Issue 4279: Need to improve message transfer performance in perimeter servers.
Changes: We identified updates that occurred against the database more frequently than required, such as Last Activity Time on the Session entry and Size on the Message Header entry. We feel we have maintained the functionality provided by the updates while being more selective of how often these updates are done. We also identified socket option changes that improved TCP connection throughput.
Issue 4288: MDTM (modtime) command not implemented.
Changes: This problem has been fixed.

MessageWay FTP Perimeter Server - Issue #4246 (Program changed: libcrypto.so.1.0.0)
Issue 4246: See Important Note about Security Updates for this release above.

( August 19, 2016 ) Issues closed in mwftp-6.1.0-mr04-linux

IMPORTANT NOTE about Security Updates for this release:
MessageWay now includes the OpenSSL 1.0.2h and FIPS 2.0.12 releases. They address many vulnerabilities that can be found in the release notes on the OpenSSL.org site.
Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html
Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.12.pdf

( April 13, 2016 ) Issues closed in mwftp-6.1.0-mr03-linux

IMPORTANT NOTE about Security Updates for this release (Issue-4025, 4144):
MessageWay now includes the OpenSSL 1.0.1r and FIPS 2.0.11 releases. They address many vulnerabilities that can be found in the release notes on the OpenSSL.org site.
Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.1-notes.html
Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.11.pdf

MessageWay FTP Perimeter Server - Issue #4025, 4112, 4144 (Program changed: mwftpd - version 6.1.0.9)
Issue 4025, 4144: See Important Note about Security Updates for this issue above.
Issue 4112: Verify that FTP Server will work correctly with SHA2 signed certificates.
Changes: FTP Server supports SHA2 signed certificates.

MessageWay FTP Perimeter Server - Issue #4025, 4144 (Program changed: libcrypto.so.1.0.0)
Issue 4025, 4144: See Important Note about Security Updates for this issue above.

( May 15, 2015 ) Issues closed in mwftp-6.1.0-mr02

IMPORTANT NOTE about Security Updates for this release (Issue-3975):
MessageWay now includes the OpenSSL 0.9.8ze and FIPS 1.2.2 releases. They address the following higher profile vulnerabilities and many others that can be found in the release notes on the OpenSSL.org site.
CVE-2014-0160, Heartbleed vulnerability: the OpenSSL 0.9.8.ze is not vulnerable to the issue outlined in this CVE report.
CVE-2014-0224, SSL/TLS MITM vulnerability: the OpenSSL 0.9.8.ze version contains the updates to address this vulnerability.
CVE-2014-3566, POODLE vulnerability: MessageWay no longer supports the SSLv3 protocol for secure sessions.
CVE-2015-0204, FREAK vulnerability: the OpenSSL 0.9.8.ze version contains the updates to address this vulnerability.

MessageWay FTP Perimeter Server - Issue #3917, 3942, 3947, 3948, 3960, 3975, 3992, 4002, 4050, 4051 (Program changed: mwftpd - version 6.1.0.8)
Issue 3917: If a user's default location is set to a mailbox in the file system hierarchy and a LIST is attempted while connected to the FTP Perimeter Server, it returns an A in the Owner/Group attributes for all of the files returned in the results. For some FTP clients such as WinSCP this causes it to interpret the LIST results incorrectly, making them completely unreadable. Also, the LIST and NLST commands do not support the -a, -la or -al options.
Changes: This problem has been fixed.
Issue 3942: The FTP SSL Perimeter Server did not address all possible command injection vulnerabilities.
Changes: FTP SSL Perimeter Server has been enhanced to remove the possibility of plaintext command injection while negotiating an encrypted communications channel.
Issue 3947: If a valid user tries to access an FTP Perimeter Server listener that they are restricted from based on Access Class, the user's profile gets locked out in MessageWay.
Changes: This problem has been fixed. The user will still not be able to access the listener, but their user profile in MessageWay will not be locked out.
Issue 3948: A session trace using the 'ftp' option writes passwords in the clear into the output trace file.
Changes: This problem has been fixed.
Issue 3960: A remote client using the file system hierarchy is not rooted to their home directory properly, allowing them to see the parent directory(s) of the remote client's home directory.
Changes: Added ability to chroot users by adding new parameter ChrootSet to the Listener Configurations section of mwftpd.conf. Valid values are true or false, with false being the default.
Issue 3975: See Important Note about Security Updates for this issue above.
Issue 3992: When attempting to upload a message into the file system hierarchy (HMS) using FTP Perimeter Server, and the upload fails, the message is left in a Receive Error status and is not available to be canceled. Prior to HMS, this was acceptable behavior, but in HMS, because filenames can be duplicated, this issue prevents a message with the same filename from being uploaded.
Changes: The Manager has been changed to allow a message in Receive Error to be Canceled and the FTP Perimeter Server has been changed to recognize this Receive Error scenario and auto Cancel the message if no restart is attempted.
Issue 4002: The ssl-poodle vulnerability has created the need to disable SSLv3 as a valid SSL protocol.
Changes: SSLv3 is no longer available in MessageWay and now only TLS is used. All MessageWay configuration files have been updated to reflect this change going forward, but existing configuration files will still work as is because the SSL option will simply be ignored.
Issue 4050: In proxy mode, the server should pass both the command and its argument to the remote FTP server, even for commands not supported by our FTP Perimeter Server. Instead, arguments of commands not supported by our FTP Perimeter Server are not being sent to remote FTP server.
Changes: This problem has been fixed.
Issue 4051: If the FTP SSL Perimeter Server receives a connection abort, the server will stop listening for any additional connections. The server process will still appear to be running, but will not accept any new requests from external clients, and will log the following error: 'fail: 7011: FTP Client Connection Rejected: Accept failure: 130, Accept error 1, Software caused connection abort'.
Changes: This problem has been fixed.

MessageWay FTP Perimeter Server - Issue #3975 (Program changed: libcrypto.so.0.9.8)
Issue 3975: See Important Note about Security Updates for this issue above.

( October 24, 2013 ) Issues closed in mwftp-6.1.0-hf01

MessageWay FTP Perimeter Server - Issue #3579, 3763 (Program changed: mwftpd - version 6.1.0.3)
Issue 3579: When an ftp client attempts to log on with a bad password, mwftpd then makes nine attempts to log on with the same user ID and password. If user security policies are configured to lock out a user after fewer than 10 logon attempts, the remote client's user ID is locked out after only one logon attempt.
Changes: This problem has been fixed.
Issue 3763: Standard FTP server directory listings are sorted alphabetically by file name. The MessageWay FTP Perimeter Server displays lists with newest file first. There is no option that would allow users to control dir listing sort format.
Changes: A new parameter has been added to the Listener Configurations section of the mwftpd.conf file. Users can set the parameter FilenameSort=True to sort directory lists by file name, overriding the default sort order by date and time. Please refer to the new parameter in the sample configuration file mwftpd.conf.samp. Copy and paste the description from the comments section and the parameter into your configuration file, and set the parameter to suit your needs. Don't forget to restart your FTP server to make any changes to your configuration file take effect.