Progress Software Corp.
www.progress.com
1-678-287-0700


MessageWay SFTP Perimeter Server Maintenance Release

Maintenance Release Name:     mwsftp-6.1.0-mr08-linux

Release date:    January 5, 2021

Prerequisite:     MessageWay SFTP Perimeter Server 6.1.0 and MessageWay 6.1.0 mr09

Obsoletes Maintenance Releases (formerly called Hotfixes): All previous MessageWay SFTP Server 6.1.0 Hotfixes

Files:
This Maintenance Release contains the files listed below:

  Files changed in this Maintenance Release mwsftp-6.1.0-mr08-linux:

    libcrypto.so.1.0.0 OpenSSL crypto library
    mwsftpd MessageWay SSH Server version 6.1.0.10
    mwsftpd_config.samp  Sample Configuration File
    mwsftp-6.1.0-mr08-linux_readme.html This Readme file

  Files changed in previous Hotfixes and rolled into this Maintenance Release:

    install.sh  SFTP Installer
    mwsftp-server  MessageWay SFTP Server
    mwsftpd.conf.samp  Sample SFTP Configuration File
    moduli OpenSSH_6.6p1 moduli file

Installing the MessageWay SFTP Server Maintenance Release:

1) Download the Maintenance Release install package sent by Progress and unzip.
2) Log on to the perimeter server as "root".
3) Locate the Maintenance Release tarball (mwsftp-6.1.0-mr08-linux.tgz) in the Maintenance Release install package (...\servers_mrs\linux\) and copy to the perimeter server.
4) Untar the Maintenance Release tarball: tar -xzvf mwsftp-6.1.0-mr08-linux.tgz
5) Step 4 will automatically create a new subdirectory named mwsftp-6.1.0-mr08-linux.
6) Stop the MessageWay SFTP Server.
7) cd to the newly created mwsftp-6.1.0-mr08-linux subdirectory.
8) Install the Maintenance Release by running the install script: ./install.sh
9) Answer the prompts as they appear.
10) To ensure that SFTP Server starts properly, make the following manual edits to /etc/messageway/mwsftpd_config:
    - comment out (#) the following line: 'HostKey <config-path>/keys/ssh_host_key'
    - comment out (#) the following line: 'RSAAuthentication no'
    Refer to mwsftpd_config.samp in the subdirectory created in step 4 above for an example of the required changes.
11) To configure the desired KexAlgorithms, refer to mwsftpd.conf.samp in the subdirectory created in step 4 above and update /etc/messageway/mwsftpd.conf accordingly. See the comment section for information and recommendations related to the KexAlgorithms parameter settings.
12) Start the MessageWay SFTP Server.
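
Step 10 as a repeatable script (an added example, not part of the Progress install package). The backup suffix .pre-mr08 and the sample paths are assumptions made for illustration; only the two directives themselves come from step 10.

```sh
#!/bin/sh
# Added example, not part of the Progress install package.
# Run it after step 9, while the SFTP server is still stopped.

# comment_out_legacy FILE
# Comments out the two directives named in step 10, keeps a copy of the
# original in FILE.pre-mr08 (hypothetical suffix) and prints how many lines
# were changed. Lines that are already commented out are left alone.
comment_out_legacy() {
    cfg=$1
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    # Only the legacy key file is matched, not ssh_host_ed25519_key and others.
    hostkey='^[[:space:]]*HostKey[[:space:]].*/keys/ssh_host_key[[:space:]]*$'
    rsaauth='^[[:space:]]*RSAAuthentication[[:space:]]+no[[:space:]]*$'
    hits=$(grep -E -c -e "$hostkey" -e "$rsaauth" "$cfg" || true)
    if [ "$hits" -gt 0 ]; then
        cp -p "$cfg" "$cfg.pre-mr08" || return 1
        tmp=$(mktemp) || return 1
        sed -E -e "\\,$hostkey,s,^,#," -e "\\,$rsaauth,s,^,#," "$cfg" > "$tmp" \
            && cat "$tmp" > "$cfg"   # overwrite in place: owner and mode are kept
        rm -f "$tmp"
    fi
    echo "$hits"
}

# Constructed sample config for a dry run; paths and values are illustrative.
write_sample_config() {
    printf '%s\n' \
        'Port 22' \
        'HostKey /etc/messageway/keys/ssh_host_key' \
        'HostKey /etc/messageway/keys/ssh_host_ed25519_key' \
        'RSAAuthentication no' \
        'PubkeyAcceptedKeyTypes ssh-ed25519,ssh-rsa' > "$1"
}

# Usage on the perimeter server:
#   comment_out_legacy /etc/messageway/mwsftpd_config
```

Running it a second time changes nothing and leaves the first backup untouched.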

The Maintenance Release is now installed on the server. A backup copy of every replaced object was saved in the /opt/messageway/sftp/backups subdirectory.

To verify that the Maintenance Release installed properly, view the /opt/messageway/sftp/MWSFTPInstall.log file. Additionally, this Maintenance Release Readme file is saved in the subdirectory created in step 4 above for future reference.

Regarding any sample config files that may be part of this Maintenance Release, in-use config files should always be compared against newly installed sample config files in order to make any necessary modifications, as well as to incorporate new parameters and updated comments.

( January 5, 2021 ) Issues closed in mwsftp-6.1.0-mr08-linux

IMPORTANT NOTE about Security Updates for this release:
MessageWay now includes the OpenSSL 1.0.2u and FIPS 2.0.16 releases.

They address many vulnerabilities that can be found in the release notes on the OpenSSL.org site.

Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html

Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.16.pdf

MessageWay SFTP Perimeter Server - Issue #982 (Program changed: mwsftpd - version 6.1.0.10)

Issue 982: A user's password is displayed in the clear in the event log when loglevel is set to DEBUG1 in mwsftpd.conf.  Changes: This problem has been fixed.

MessageWay SFTP Perimeter Server - Issue #954 (Program changed: mwsftpd_config.samp)

Issue 954:
ssh-ed25519 is missing from the PubkeyAcceptedKeyTypes example in mwsftpd_config.samp.  Changes: This problem has been fixed.

MessageWay SFTP Perimeter Server - Issue #950 (Program changed: libcrypto.so.1.0.0)

Issue 950:
See Important Note about Security Updates for this release above.

( December 21, 2018 ) Issues closed in mwsftp-6.1.0-mr07-linux

IMPORTANT NOTE about Security Updates for this release:
MessageWay now includes the OpenSSL 1.0.2p and FIPS 2.0.16 releases.

They address many vulnerabilities that can be found in the release notes on the OpenSSL.org site.

Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html

Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.16.pdf

MessageWay SFTP Perimeter Server - Issue #4312, 4408 (Program changed: mwsftpd - version 6.1.0.9)

Issue 4312: A PCI scan against MWSFTPD server indicates vulnerability CVE-2016-2183 (Birthday attacks against TLS ciphers with 64-bit block size), also known as Sweet32.  Changes: This problem has been fixed by removing 3DES ciphers from mwsftpd.conf.samp.  Customers will need to merge this change into their in-use mwsftpd.conf file.

Issue 4408: The df command performed against the MWSFTPD server will display the disk usage statistics of the file system where the MWSFTPD server resides.  Changes: This problem has been fixed.

MessageWay SFTP Perimeter Server - Issue #4312, 4366 (Program changed: mwsftpd.conf.samp)

Issue 4312:
A PCI scan against MWSFTPD server indicates vulnerability CVE-2016-2183 (Birthday attacks against TLS ciphers with 64-bit block size), also known as Sweet32.  Changes: This problem has been fixed by removing 3DES ciphers from mwsftpd.conf.samp.  Customers will need to merge this change into their in-use mwsftpd.conf file.

Issue 4366: Enable Public Key Authentication in MWSFTPD config file.  Changes: AuthenticationMethods=publickey,password has been added to mwsftpd.conf.samp.  Customers will need to merge this change into their in-use mwsftpd.conf file, as well as uncomment the "secure connection to MWSI" section.

MessageWay SFTP Perimeter Server - Issue #4364 (Program changed: mwsftpd_config.samp)

Issue 4364:
Update mwsftpd_config.samp to enable the use of DSS public keys if desired.  Changes: This problem has been fixed by adding a DSS public key parameter to mwsftpd_config.samp.  Customers will need to merge this change into their in-use mwsftpd_config file.  The added parameter is: PubkeyAcceptedKeyTypes ssh-dss,ssh-rsa

MessageWay SFTP Perimeter Server - Issue #4416 (Program changed: install.sh)

Issue 4416: Enhance the installation script to install systemctl service files for starting, stopping and obtaining status of MessageWay SFTP server.  Changes: A systemctl service file named mwsftpd.service is now installed in /usr/lib/systemd/system if it does not already exist.

MessageWay SFTP Perimeter Server - Issue #4118 (Program changed: libcrypto.so.1.0.0)

Issue 4118:
See Important Note about Security Updates for this release above.

( March 31, 2018 ) Issues closed in mwsftp-6.1.0-mr06-linux

IMPORTANT NOTE about Security Updates for this release:
MessageWay now includes the OpenSSL 1.0.2n and FIPS 2.0.16 releases.

They address many vulnerabilities that can be found in the release notes on the OpenSSL.org site.

Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html

Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.16.pdf

MessageWay SFTP Perimeter Server - Issue #4321 (Programs changed: mwsftp-server, mwsftpd - version 6.1.0.8)

Issue 4321: Regression, can't specify port number that MessageWay SFTP Server listens on.  Changes: This problem has been fixed.

MessageWay SFTP Perimeter Server - Issue #4293, 4314 (Program changed: mwsftpd.conf.samp)

Issue 4293:
Older SFTP Clients no longer work with OpenSSH version 7.4 that was released with MWSFTPD Server version 6.1 MR06.  Changes: A wider array of KexAlgorithms was added to the mwsftpd.conf.samp file to support both older SFTP Clients and newer SFTP Clients.  The trade-off is security versus supporting older SFTP Clients.  Refer to the comments in mwsftpd.conf.samp to help you determine the correct choice of KexAlgorithms for your installation.

Issue 4314: Typo in mwsftpd.conf.samp regarding KexAlgorithms causes SFTP Server to abort at startup when new KexAlgorithm is used.  Changes: The following incorrect KexAlgorithm ecdh-sha2-nistp512 has been corrected to ecdh-sha2-nistp521.
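
A check of an in-use mwsftpd.conf for settings these notes ask customers to merge or correct (Issues 4312, 4314 and 982, and install step 11). This is an added example, not Progress code. It assumes one "Name=value" parameter per line and that the cipher list parameter is named Ciphers; the sample file is constructed.

```sh
#!/bin/sh
# Added example, not Progress code. Assumes mwsftpd.conf holds one
# "Name=value" parameter per line (a space separator is accepted too) and
# that the cipher list parameter is named Ciphers.

# has_setting FILE REGEX: true if an uncommented line matches (case-insensitive).
has_setting() {
    grep -v '^[[:space:]]*#' "$1" | grep -E -i -q "$2"
}

# audit_mwsftpd_conf FILE: prints one line per finding, nothing if clean.
audit_mwsftpd_conf() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    if has_setting "$f" '^[[:space:]]*Ciphers[[:space:]=].*3des'; then
        echo "$f: Issue 4312: 3DES cipher still offered (CVE-2016-2183, Sweet32)"
    fi
    if has_setting "$f" '^[[:space:]]*KexAlgorithms[[:space:]=].*ecdh-sha2-nistp512'; then
        echo "$f: Issue 4314: ecdh-sha2-nistp512 should be ecdh-sha2-nistp521"
    fi
    if has_setting "$f" '^[[:space:]]*LogLevel[[:space:]=]+DEBUG1'; then
        echo "$f: Issue 982: DEBUG1 set; mwsftpd before 6.1.0.10 logs passwords"
    fi
    if ! has_setting "$f" '^[[:space:]]*KexAlgorithms[[:space:]=]'; then
        echo "$f: Step 11: no KexAlgorithms set; compare with mwsftpd.conf.samp"
    fi
    return 0
}

# Constructed sample of an in-use file that was never merged with the samples.
# The cipher list is the one recommended for mr02, which still includes 3des-cbc.
write_unmerged_sample() {
    printf '%s\n' \
        '# Ciphers=3des-cbc' \
        'Ciphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,3des-cbc' \
        'KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp512' \
        'LogLevel=DEBUG1' > "$1"
}

# Usage on the perimeter server:
#   audit_mwsftpd_conf /etc/messageway/mwsftpd.conf
```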

MessageWay SFTP Perimeter Server - Issue #4118 (Program changed: libcrypto.so.1.0.0)

Issue 4118:
See Important Note about Security Updates for this release above.

( May 26, 2017 ) Issues closed in mwsftp-6.1.0-mr05-linux

IMPORTANT NOTE about SSH Security Updates for this release:
MWSFTPD server now includes the OpenSSH 7.4p1 release.

It addresses many vulnerabilities that can be found in the release notes on the OpenSSH.com site.  Note that SFTP clients using the old Diffie-Hellman Group Exchange request structure (type 30) will no longer work, as a new request structure (type 34) has been released.

Specifically, see the following link for further details about this release of OpenSSH:
http://www.openssh.com/releasenotes.html

IMPORTANT NOTE about Security Updates for this release:
MessageWay now includes the OpenSSL 1.0.2j and FIPS 2.0.12 releases.

They address many vulnerabilities that can be found in the release notes on the OpenSSL.org site.

Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html

Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.12.pdf

MessageWay SFTP Perimeter Server - Issue #4246, 4266, 4279 (Programs changed: mwsftp-server, mwsftpd - version 6.1.0.7)

Issue 4246:
See Important Note about Security Updates for this release above.

Issue 4266: See Important Note about SSH Security Updates for this release above.  NOTE: Changes to the mwsftpd_config file are required to support OpenSSH 7.4.  Please see mwsftpd_config.samp for required changes.  You need to comment out (#) the following two lines in mwsftpd_config: 'HostKey <config-path>/keys/ssh_host_key' and 'RSAAuthentication no' or you will encounter warning messages when starting SFTP Server.

Issue 4279: Need to improve message transfer performance in perimeter servers.  Changes: We identified updates that occurred against the database more frequently than required, such as Last Activity Time on the Session entry and Size on the Message Header entry.  We feel we have maintained the functionality provided by the updates while being more selective of how often these updates are done.  We also identified socket option changes that improved TCP connection throughput.

MessageWay SFTP Perimeter Server - Issue #4246 (Program changed: libcrypto.so.1.0.0)

Issue 4246:
See Important Note about Security Updates for this release above.

( August 19, 2016 ) Issues closed in mwsftp-6.1.0-mr04-linux

IMPORTANT NOTE about Security Updates for this release:
MessageWay now includes the OpenSSL 1.0.2h and FIPS 2.0.12 releases.

They address many vulnerabilities that can be found in the release notes on the OpenSSL.org site.

Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html

Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.12.pdf

MessageWay SFTP Perimeter Server - Issue #4173 (Programs changed: install.sh)

Issue 4173:
Installer not creating host key ssh_host_ed25519_key.  Changes: This problem has been fixed.

( April 13, 2016 ) Issues closed in mwsftp-6.1.0-mr03-linux

IMPORTANT NOTE about Security Updates for this release (Issue-4025, 4144):
MessageWay now includes the OpenSSL 1.0.1r and FIPS 2.0.11 releases.

They address many vulnerabilities that can be found in the release notes on the OpenSSL.org site.

Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.1-notes.html

Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.11.pdf

MessageWay SFTP Perimeter Server - Issue #4145, 4160 (Programs changed: mwsftp-server, mwsftpd - version 6.1.0.6)

Issue 4145:
Add SHA2 support to server and add KexAlgorithms to configuration file.  Changes: The sample configuration file mwsftpd.conf.samp has been updated to include support for KexAlgorithms, including SHA2, and the server has been updated to support SHA2 key exchange.

Issue 4160: Changing directory to root ('/') within a client would cause the server to abort.  Changes: Changing directory to root ('/') within a client will now cause the server to return 'Permission Denied' (EACCES).

MessageWay SFTP Perimeter Server - Issue #4025, 4144 (Program changed: libcrypto.so.1.0.0)

Issue 4025, 4144:
See Important Note about Security Updates for this issue above.

( May 15, 2015 ) Issues closed in mwsftp-6.1.0-mr02

IMPORTANT NOTE about SSH Security Updates for this release (Issue-3974):
This server now incorporates the updated OpenSSH 6.6 version. Details about this release can be reviewed on the openssh.org site.

IMPORTANT NOTE about Security Updates for this release (Issue-3975):
MessageWay now includes the OpenSSL 0.9.8ze and FIPS 1.2.2 releases.

They address the following higher profile vulnerabilities and many others that can be found in the release notes on the OpenSSL.org site.

CVE-2014-0160 (Heartbleed vulnerability): OpenSSL 0.9.8ze is not vulnerable to the issue outlined in this CVE report.
CVE-2014-0224 (SSL/TLS MITM vulnerability): OpenSSL 0.9.8ze contains the updates to address this vulnerability.
CVE-2014-3566 (POODLE vulnerability): MessageWay no longer supports the SSLv3 protocol for secure sessions.
CVE-2015-0204 (FREAK vulnerability): OpenSSL 0.9.8ze contains the updates to address this vulnerability.

MessageWay SFTP Perimeter Server - Issue #3949, 3974, 4002, 4012, 4014, 4026 (Programs changed: mwsftp-server, mwsftpd)

Issue 3949:
Using an SOSFTP Client to delete a message in MessageWay fails with 'Access Denied' error.  The SOSFTP Client uses an Open mode O_RDWR when attempting to delete a message in MessageWay.  MessageWay SFTP Perimeter Server only supports Open modes O_RDONLY and O_WRONLY.  Changes: This problem has been fixed.

Issue 3974: See Important Note about SSH Security Updates for this issue above.

Issue 4002: The ssl-poodle vulnerability has created the need to disable SSLv3 as a valid SSL protocol.  Changes: SSLv3 is no longer available in MessageWay and now only TLS is used. All MessageWay configuration files have been updated to reflect this change going forward, but existing configuration files will still work as is because the SSL option will simply be ignored.

Issue 4012: Add DenyUsers functionality to SFTP Perimeter Server to help prevent 'brute force attacks' from using up valuable system resources in the service interface.  Changes: New parameter DenyUsers can now be configured in the mwsftpd_config file to specify a list of users that should not be allowed through to the service interface via SFTP Perimeter Server.

Issue 4014: The SFTP Perimeter Server install is not putting the moduli file into /usr/local/etc, causing error messages to be written to system event log when SFTP Perimeter Server is used.  Changes: The SFTP Perimeter Server install now copies the moduli file into /usr/local/etc if not there already.

Issue 4026: Vulnerability reported against the SSH cipher list.  Changes: The sample configuration file mwsftpd.conf.samp has been updated to offer a recommended set of ciphers and MAC functions.  Recommended ciphers in preferred order include aes128-ctr, aes256-ctr, aes128-cbc, aes256-cbc and 3des-cbc.  The recommended MAC function is hmac-sha1.  Beware that older clients based on previous generations of DLLs or libraries that implement SSH may have problems.  These older clients may not have a wide selection of ciphers and may require a cipher no longer included in the recommended settings.  It is difficult to tell which clients may be impacted without further testing.

MessageWay SFTP Perimeter Server - Issue #3975 (Program changed: libcrypto.so.0.9.8)

Issue 3975:
See Important Note about Security Updates for this issue above.

( October 24, 2013 ) Issues closed in mwsftp-6.1.0-hf01

MessageWay SFTP Perimeter Server - Issue #3565, 3763, 3877 (Programs changed: mwsftp-server, mwsftpd)

Issue 3565: When a client uploads a file to the SFTP Server using a relative file name, the upload fails.  Changes: The SFTP server now accepts both relative and absolute file names.

Issue 3763: Standard SFTP server directory listings are sorted alphabetically by file name. The MessageWay SFTP Perimeter Server displays lists with newest file first. There is no option that would allow users to control the directory listing sort format. Changes: A new parameter has been added to the Global section of the mwsftpd.conf file. Users can set the parameter FilenameSort=True to sort directory lists by filename, overriding the default sort order by date and time. Please refer to the new parameter in the sample configuration file mwsftpd.conf.samp. Copy and paste the description from the comments section and the parameter into your configuration file, and set the parameter to suit your needs. Don't forget to restart your FTP server so that changes to your configuration file take effect.

Issue 3877: If the SFTP perimeter server is configured with SuppressCanceledAndDownloadDirs=True, any attempt to obtain a directory listing for a hierarchical file system location where there are no available files and no sub locations will terminate the session. The problem does not occur with flat file system locations and it does not occur in the FTP perimeter server. Changes: This problem has been fixed.