Ipswitch, Inc.
www.ipswitch.com
1-678-287-0700


MessageWay FTP Perimeter Server Maintenance Release

Maintenance Release Name:     mwftp-6.1.0-mr07-win32

Release date:    December 21, 2018

Prerequisites:     MessageWay FTP Perimeter Server 6.1.0 and MessageWay 6.1.0 mr08

Obsoletes Maintenance Releases (formerly called Hotfixes):  All previous MessageWay FTP Server 6.1.0 Hotfixes

Files:
This Maintenance Release contains the files listed below:

  Files changed in this Maintenance Release mwftp-6.1.0-mr07-win32:

    mwftpd.exe MessageWay FTP Perimeter Server version 6.1.0.16
    mwftpd.conf.samp  Sample Configuration File
    libeay32.dll OpenSSL crypto library
    ssleay32.dll OpenSSL ssl library
    mwftp-6.1.0-mr07-win32_readme.html This Readme file

  Files changed in previous Hotfixes and rolled into this Maintenance Release:

    None  

Installing the MessageWay FTP Server Maintenance Release:

1) Download the Maintenance Release install package sent by Ipswitch.
2) Logon to the perimeter server as the user that installed the MessageWay FTP Server service.
3) Copy the Maintenance Release install package to the perimeter server and unzip.
4) Step 3 will automatically create a new subdirectory named after the Maintenance Release install package.
5) Stop the MessageWay FTP Server service.
6) Locate and run the install program (mwftp-6.1.0-mr07-win32.exe) in the subdirectory structure created in step 3 (...\servers_mrs\windows\).
7) Answer the prompts as they appear.
8) Start the MessageWay FTP Server service.

The Maintenance Release is now installed on the server. A backup copy of every replaced object was saved in the \Program Files (x86)\MessageWay\ftp\backups subdirectory.

To verify that the Maintenance Release installed properly, view the \Program Files (x86)\MessageWay\ftp\updates\ChangeLog.txt file.  That file is updated whenever a Maintenance Release is installed.  Additionally, this Maintenance Release Readme file is saved in the \Program Files (x86)\MessageWay\ftp\updates subdirectory for future reference.

Regarding any sample config files that may be part of this Maintenance Release, in-use config files should always be compared against newly installed sample config files in order to make any necessary modifications, as well as to incorporate new parameters and updated comments.

( December 21, 2018 ) Issues closed in mwftp-6.1.0-mr07-win32

IMPORTANT NOTE about Security Updates for this release:
MessageWay now includes the OpenSSL 1.0.2p and FIPS 2.0.16 releases.

They address many vulnerabilities that can be found in the release notes on the OpenSSL.org site.

Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html

Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.16.pdf

MessageWay FTP Perimeter Server - Issue #4312, 4359 (Program changed: mwftpd.exe - version 6.1.0.16)

Issue 4312: A PCI scan against MWFTPD Server indicates vulnerability CVE-2016-2183 (Birthday attacks against TLS ciphers with 64bit block size) also known as Sweet32.  Changes: This problem has been fixed by removing 3DES cipher from mwftpd.conf.samp.  Customers will need to merge this change into their in-use mwftpd.conf file.  The updated cipher list is: CipherList=ALL:!LOW:!EXP:!ADH:!IDEA:!3DES:@STRENGTH

Issue 4359:
The FTP "Appe" command does not append correctly if transfer mode is ASCII and the file being appended to does not have CRLF at the end of the last line.  Changes: AppeInsertCRLF has been added to mwftpd.conf.samp.  Customers will need to merge this change into their in-use mwftpd.conf file.  When AppeInsertCRLF=True, CRLF is inserted at the beginning of the data stream of the file being appended from.

MessageWay FTP Perimeter Server - Issue #4312, 4359 (Program changed: mwftpd.conf.samp)

Issue 4312: A PCI scan against MWFTPD Server indicates vulnerability CVE-2016-2183 (Birthday attacks against TLS ciphers with 64bit block size) also known as Sweet32.  Changes: This problem has been fixed by removing 3DES cipher from mwftpd.conf.samp.  Customers will need to merge this change into their in-use mwftpd.conf file.  The updated cipher list is: CipherList=ALL:!LOW:!EXP:!ADH:!IDEA:!3DES:@STRENGTH

Issue 4359:
The FTP "Appe" command does not append correctly if transfer mode is ASCII and the file being appended to does not have CRLF at the end of the last line.  Changes: AppeInsertCRLF has been added to mwftpd.conf.samp.  Customers will need to merge this change into their in-use mwftpd.conf file.  When AppeInsertCRLF=True, CRLF is inserted at the beginning of the data stream of the file being appended from.

MessageWay FTP Perimeter Server - Issue #4118 (Programs changed: libeay32.dll, ssleay32.dll)

Issue 4118:
See Important Note about Security Updates for this release above.

( March 31, 2018 ) Issues closed in mwftp-6.1.0-mr06-win32

IMPORTANT NOTE about Security Updates for this release:
MessageWay now includes the OpenSSL 1.0.2n and FIPS 2.0.16 releases.

They address many vulnerabilities that can be found in the release notes on the OpenSSL.org site.

Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html

Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.16.pdf

MessageWay FTP Perimeter Server - Issue #4345 (Program changed: mwftpd.exe - version 6.1.0.15)

Issue 4345: 
MessageWay FTP Server allows creation of directories  containing invalid characters, which results in file system corruption.  Changes: The MessageWay FTP Server has been changed to reject an MKD/MKDIR command with error 550 if invalid characters are used.  Invalid characters include ":*?\/\\\"<>|!@&&()`';"

MessageWay FTP Perimeter Server - Issue #4118 (Programs changed: libeay32.dll, ssleay32.dll)

Issue 4118:
See Important Note about Security Updates for this release above.

( May 26, 2017 ) Issues closed in mwftp-6.1.0-mr05-win32

IMPORTANT NOTE about Security Updates for this release:
MessageWay now includes the OpenSSL 1.0.2j and FIPS 2.0.12 releases.

They address many vulnerabilities that can be found in the release notes on the OpenSSL.org site.

Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html

Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.12.pdf

MessageWay FTP Perimeter Server - Issue #4244, 4262, 4271, 4276, 4279, 4288 (Program changed: mwftpd.exe - version 6.1.0.14)

Issue 4244: 
Allow restriction of TLS protocol to TLS 1.2 only.  Changes: The MessageWay FTP Server has been changed to allow restriction of TLS protocol to TLS 1.2 only.  The MessageWay FTP Server configuration file can be modified to include a param 'Tls12Only' which when set to 'True' limits the SSL protocol to TLS 1.2 only. The default is 'False'.  Please refer to the new parameter in the sample configuration file mwftpd.conf.samp. Copy and paste the description from the comments section and the parameter into your configuration file, and set the parameter to suit your needs. Don't forget to restart your MWFTPD server to make any changes to your configuration file take effect.

Issue 4262: Force IP Address returned by a PASV response to be used for the data channel connection from the FTP Adapter to the proxy portion of FTP Server.  Changes: FTP Server has been enhanced to support this.

Issue 4271: MessageNameFormat=1 (list by message id) in FTP Server configuration file causes 'mget' to not retrieve any files, even when there are files to retrieve.  Changes: This problem has been fixed.

Issue 4276: Need to improve message download performance in MWFTPD perimeter server when message to download is the result of a distribution list.  Changes: Unnecessary database interactions were removed to service this type of download request.

Issue 4279: Need to improve message transfer performance in perimeter servers.  Changes: We identified updates that occurred against the database more frequently than required, such as Last Activity Time on the Session entry and Size on the Message Header entry.  We feel we have maintained the functionality provided by the updates while being more selective of how often these updates are done.  We also identified socket option changes that improved TCP connection throughput.

Issue 4288: MDTM (modtime) command not implemented.  Changes: This problem has been fixed.

MessageWay FTP Perimeter Server - Issue #4246 (Program changed: libeay32.dll)

Issue 4246:
See Important Note about Security Updates for this release above.

MessageWay FTP Perimeter Server - Issue #4246 (Program changed: ssleay32.dll)

Issue 4246:
See Important Note about Security Updates for this release above.

( August 19, 2016 ) Issues closed in mwftp-6.1.0-mr04-win32

IMPORTANT NOTE about Security Updates for this release:
MessageWay now includes the OpenSSL 1.0.2h and FIPS 2.0.12 releases.

They address many vulnerabilities that can be found in the release notes on the Openssl.org site.

Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html

Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.12.pdf

( April 13, 2016 ) Issues closed in mwftp-6.1.0-mr03-win32

IMPORTANT NOTE about Security Updates for this release (Issue-4025, 4144):
MessageWay now includes the OpenSSL 1.0.1r and FIPS 2.0.11 releases.

They address many vulnerabilities that can be found in the release notes on the Openssl.org site.

Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.1-notes.html

Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.11.pdf

MessageWay FTP Perimeter Server - Issue #4025, 4112, 4144 (Program changed: mwftpd.exe - version 6.1.0.9)

Issue 4025, 4144:
See Important Note about Security Updates for this issue above.

Issue 4112:
Verify that FTP Server will work correctly with SHA2 signed certificates.  Changes: FTP Server supports SHA2 signed certificates.

MessageWay FTP Perimeter Server - Issue #4025, 4144 (Program changed: libeay32.dll)

Issue 4025, 4144:
See Important Note about Security Updates for this issue above.

MessageWay FTP Perimeter Server - Issue #4025, 4144 (Program changed: ssleay32.dll)

Issue 4025, 4144:
See Important Note about Security Updates for this issue above.

( May 15, 2015 ) Issues closed in mwftp-6.1.0-mr02

IMPORTANT NOTE about Security Updates for this release (Issue-3975):
MessageWay now includes the OpenSSL 0.9.8ze and FIPS 1.2.2 releases.

They address the following higher profile vulnerabilities and many others that can be found in the release notes on the Openssl.org site.

CVE-2014-0160, Heartbleed vulnerability, the OpenSSL 0.9.8.ze is not vulnerable to the issue outlined in this CVE report.
CVE-2014-0224, SSL/TLS MITM vulnerability, the OpenSSL 0.9.8.ze version contains the updates to address this vulnerability.
CVE-2014-3566, POODLE vulnerability, MessageWay no longer supports the SSLv3 protocol for secure sessions.
CVE-2015-0204, FREAK vulnerability, the OpenSSL 0.9.8.ze version contains the updates to address this vulnerability.

MessageWay FTP Perimeter Server - Issue #3917, 3942, 3947, 3948, 3960, 3975, 3992, 4002, 4050, 4051 (Program changed: mwftpd.exe - version 6.1.0.8)

Issue 3917:
If a users default location is set to a mailbox in the file system hierarchy and a LIST is attempted while connected to the FTP Perimeter Server, it returns an A in the Owner/Group attributes for all of the files returned in the results. For some FTP clients such as WinSCP this causes it to interpret the LIST results incorrectly, making them completely unreadable.  Also, the LIST and NLST commands do not support the -a, -la or -al options.  Changes: This problem has been fixed.

Issue 3942: The FTP SSL Perimeter Server did not address all possible command injection vulnerabilities.  Changes: FTP SSL Perimeter Server has been enhanced to remove the possibility of plaintext command injection while negotiating an encrypted communications channel.

Issue 3947: If a valid user tries to access an FTP Perimeter Server listener that they are restricted from based on Access Class, the users profile gets locked out in MessageWay.  Changes: This problem has been fixed.  The user will still not be able to access the listener, but their user profile in MessageWay will not be locked out.

Issue 3948: A session trace using the 'ftp' option writes passwords in the clear into the output trace file.  Changes: This problem has been fixed.

Issue 3960: A remote client using the file system hierarchy is not rooted to their home directory properly, allowing them to see the parent directory(s) of the remote client's home directory.  Changes: Added ability to chroot users by adding new parameter ChrootSet to the Listener Configurations section of mwftpd.conf.  Valid values are true or false, with false being the default.

Issue 3975: See Important Note about Security Updates for this issue above.

Issue 3992: When attempting to upload a message into the file system hierarchy (HMS) using FTP Perimeter Server, and the upload fails, the message is left in a Receive Error status and is not available to be canceled. Prior to HMS, this was acceptable behavior, but in HMS, due to filenames can be duplicated, this issue prevents a message with the same filename from being uploaded.  Changes: The Manager has been changed to allow a message in Receive Error to be Canceled and the FTP Perimeter Server has been changed to recognize this Receive Error scenario and auto Cancel the message if no restart is attempted.

Issue 4002: The ssl-poodle vulnerability has created the need to disable SSLv3 as a valid SSL protocol.  Changes: SSLv3 is no longer available in MessageWay and now only TLS is used. All MessageWay configuration files have been updated to reflect this change going forward, but existing configuration files will still work as is because the SSL option will simply be ignored.

Issue 4050: In proxy mode, the server should pass both the command and its argument to the remote FTP server, even for commands not supported by our FTP Perimeter Server.  Instead, arguments of commands not supported by our FTP Perimeter Server are not being sent to remote FTP server.  Changes: This problem has been fixed.

Issue 4051:
If the FTP SSL Perimeter Server receives a connection abort, the server will stop listening for any additional connections. The server process will still appear to be running, but will not accept any new requests from external clients, and will log the following error: 'fail: 7011: FTP Client Connection Rejected: Accept failure: 130, Accept error 1, Software caused connection abort'.  Changes: This problem has been fixed.

MessageWay FTP Perimeter Server - Issue #3975 (Program changed: libeay32.dll)

Issue 3975:
See Important Note about Security Updates for this issue above.

MessageWay FTP Perimeter Server - Issue #3975 (Program changed: ssleay32.dll)

Issue 3975:
See Important Note about Security Updates for this issue above.

( October 24, 2013 ) Issues closed in mwftp-6.1.0-hf01

MessageWay FTP Perimeter Server - Issue #3579, 3763 (Program changed: mwftpd - version 6.1.0.3)

Issue 3579: When an ftp client attempts to log on with a bad password, mwftpd then makes nine attempts to log on with the same user ID and password. If user security policies are configured to lock out a user after fewer than 10 logon attempts, the remote client's user ID is locked out after only one logon attempt. Changes: This problem has been fixed.

Issue 3763:
Standard FTP server directory listings are sorted alphabetically by file name. The MessageWay FTP Perimeter Server displays lists with newest file first. There is no option that would allow users to control dir listing sort format. Changes: A new parameter has been added to the Listener Configurations section of the mwftpd.conf file. Users can set the parameter FilenameSort=True to sort directory lists by file name, overriding the default sort order by date and time. Please refer to the new parameter in the sample configuration file mwftpd.conf.samp. Copy and paste the description from the comments section and the parameter into your configuration file, and set the parameter to suit your needs. Don't forget to restart your FTP server to make any changes to your configuration file take effect.

 

Ipswitch, Inc. | 1-678-287-0700