Ipswitch, Inc.
www.ipswitch.com
1-678-287-0700


MessageWay SFTP Perimeter Server Maintenance Release

Maintenance Release Name:     mwsftp-6.1.0-mr07-cygwin

Release date:    December 21, 2018

Prerequisite:     MessageWay SFTP Perimeter Server 6.1.0 and MessageWay 6.1.0 mr08

Obsoletes Maintenance Releases (formerly called Hotfixes): All previous MessageWay SFTP Server 6.1.0 Hotfixes

Files:
This Maintenance Release contains the files listed below:

  Files changed in this Maintenance Release mwsftp-6.1.0-mr07-cygwin:

    cygcrypto-1.0.0.dll                     OpenSSL crypto library
    cygssl-1.0.0.dll                        OpenSSL library
    mwsftpd                                 MessageWay SSH Server version 6.1.0.9
    mwsftpd.conf.samp                       Sample SFTP Configuration File
    mwsftpd_config.samp                     Sample Configuration File
    mwsftp-6.1.0-mr07-cygwin_readme.html    This Readme file

  Files changed in previous Hotfixes and rolled into this Maintenance Release:

    install.sh       SFTP Installer
    mwsftp-server    MessageWay SFTP Server
    moduli           OpenSSH_6.6p1 moduli file

Installing the MessageWay SFTP Server Maintenance Release:

1) Download the Maintenance Release install package sent by Ipswitch and unzip it.
2) Log on to the perimeter server as the user that "owns" the MessageWay SFTP Server service.
3) Locate the Maintenance Release tarballs (mwsftp-6.1.0-mr07-cygwin.tgz & mwsftp-6.1.0-mr07-cygwin-1.7.9.tgz) in the Maintenance Release install package (...\servers_mrs\windows\) and copy them to the C:\ root directory of the perimeter server.
    NOTE: The copy command in step 9 requires the install files to be in the C:\ root directory.  To copy them from another subdirectory, modify the copy command in step 9 accordingly.
4) Stop the MessageWay SFTP Server service.
5) Right-click the Cygwin icon on the desktop (or from within Programs) and select 'Run as administrator'.
    NOTE: Perform steps 6 thru 13 at the Cygwin prompt.
6) Create a mwayinstall subdirectory: mkdir mwayinstall
    NOTE: Ignore the error that is displayed if the directory already exists.
7) cd to the newly created mwayinstall subdirectory: cd mwayinstall
8) Type the following to obtain the Cygwin version displayed after the hostname: uname -a
    - If the version is 1.7.20 or newer, perform steps 9a and 10a
    - If the version is 1.7.19 or older, perform steps 9b and 10b
9a) Copy the mwsftp-6.1.0-mr07-cygwin.tgz file to the mwayinstall subdirectory:
    cp -p /cygdrive/c/mwsftp-6.1.0-mr07-cygwin.tgz .
9b) Copy the mwsftp-6.1.0-mr07-cygwin-1.7.9.tgz file to the mwayinstall subdirectory:
    cp -p /cygdrive/c/mwsftp-6.1.0-mr07-cygwin-1.7.9.tgz .
    NOTE: In steps 9a and 9b, the name of the tar file in the copy command must be followed by a space and a period.
10a) Untar the mwsftp-6.1.0-mr07-cygwin.tgz file: tar -xzvf mwsftp-6.1.0-mr07-cygwin.tgz
10b) Untar the mwsftp-6.1.0-mr07-cygwin-1.7.9.tgz file: tar -xzvf mwsftp-6.1.0-mr07-cygwin-1.7.9.tgz
    NOTE: Steps 10a and 10b will automatically create a new subdirectory named mwsftp-6.1.0-mr07-cygwin.
11) cd to the newly created mwsftp-6.1.0-mr07-cygwin subdirectory.
12) Install the Maintenance Release by running the install script: ./install.sh
    NOTE: During the install you will be prompted to enter your cygwin user and group.  To obtain these values, enter "ls -l" at the cygwin prompt and note the user and group from the file or folder properties displayed.
13) Answer the prompts as they appear.
14) To ensure that SFTP Server starts properly, make the following manual edits to /etc/messageway/mwsftpd_config:
    - comment out (#) the following line: 'HostKey <config-path>/keys/ssh_host_key'
    - comment out (#) the following line: 'RSAAuthentication no'
    Refer to mwsftpd_config.samp in the subdirectory created in step 10 above for an example of the required changes.
15) To configure the desired KexAlgorithms, refer to mwsftpd.conf.samp in subdirectory created in step 10 above and update /etc/messageway/mwsftpd.conf accordingly.  See comment section for information and recommendations related to the KexAlgorithms parameter settings.
    NOTE: mwsftpd.conf and mwsftpd_config can be accessed within Windows Explorer (<drive>:\cygwin\etc\messageway) and edited with a text editor, such as WordPad or Notepad++.  Alternatively, the config files can be edited in Cygwin using the vi editor.
16) If the CYGWIN syslogd service is installed, start it if it is not already running.
17) Start the MessageWay SFTP Server service.

The Maintenance Release is now installed on the server. A backup copy of every replaced object was saved in the /opt/messageway/sftp/backups subdirectory.

To verify that the Maintenance Release installed properly, view the /opt/messageway/sftp/MWSFTPInstall.log file. Additionally, this Maintenance Release Readme file is saved in the subdirectory created in step 10 above for future reference.
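
Steps 6 through 11 as a script, added here as an example and not part of the Ipswitch package. It reads the Cygwin release from uname -r and compares it field by field as numbers, because a string comparison would rank 1.7.9 above 1.7.20; the function names and the --run switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not shipped with the Maintenance Release).
# Stop the MessageWay SFTP Server service (step 4) before running this.
MR=mwsftp-6.1.0-mr07-cygwin

# cygwin_at_least RELEASE MIN
# RELEASE is what `uname -r` prints on Cygwin, e.g. "1.7.32(0.274/5/3)".
# Returns 0 if RELEASE >= MIN, 1 if older, 2 if RELEASE cannot be parsed.
cygwin_at_least() {
    # Keep only the leading dotted number, then pad so three fields always exist.
    rel=$(printf '%s' "$1" | sed 's/[^0-9.].*$//').0.0
    min=$2.0.0
    for i in 1 2 3; do
        x=$(printf '%s' "$rel" | cut -d. -f"$i")
        y=$(printf '%s' "$min" | cut -d. -f"$i")
        case $x in ''|*[!0-9]*) return 2 ;; esac
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# pick_tarball RELEASE: print the tarball that step 8 selects for that release.
pick_tarball() {
    rc=0
    cygwin_at_least "$1" 1.7.20 || rc=$?
    case $rc in
        0) echo "$MR.tgz" ;;            # steps 9a / 10a
        1) echo "$MR-1.7.9.tgz" ;;      # steps 9b / 10b
        *) echo "unrecognized Cygwin release: $1" >&2; return 2 ;;
    esac
}

# stage_release [SRCDIR]: steps 6-11; SRCDIR defaults to the C:\ root.
stage_release() {
    src=${1:-/cygdrive/c}
    tgz=$(pick_tarball "$(uname -r)") || return 1
    mkdir -p mwayinstall && cd mwayinstall || return 1
    cp -p "$src/$tgz" . || return 1
    tar -xzvf "$tgz" || return 1
    cd "$MR" || return 1
    echo "Staged in $(pwd); next step: ./install.sh (step 12)"
}

# Only act when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    stage_release "${2:-/cygdrive/c}"
fi
```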

Regarding any sample config files that may be part of this Maintenance Release, in-use config files should always be compared against newly installed sample config files in order to make any necessary modifications, as well as to incorporate new parameters and updated comments.
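
A check for the manual merges this readme asks for (step 14, Issue 4312 and Issue 4314), added here as an example and not part of the product. It scans only uncommented lines and does not depend on parameter names; the two files written by demo are constructed for illustration, and the "Ciphers" key and the key=value layout in them are assumptions.

```shell
#!/bin/sh
# Added example: flag settings this readme says must be merged by hand.

# active_lines FILE: numbered lines of FILE that are not comments.
active_lines() { grep -nv '^[[:space:]]*#' "$1" || true; }

# flag FILE REGEX NOTE: print each active line matching REGEX, with NOTE.
flag() {
    active_lines "$1" | grep -iE -- "$2" | while IFS= read -r hit; do
        printf '%s:%s  <- %s\n' "$1" "$hit" "$3"
    done
}

# audit_mwsftpd MWSFTPD_CONF MWSFTPD_CONFIG: one output line per finding.
audit_mwsftpd() {
    flag "$1" '3des' 'Issue 4312: remove 3DES (CVE-2016-2183, Sweet32)'
    flag "$1" 'ecdh-sha2-nistp512' 'Issue 4314: typo, use ecdh-sha2-nistp521'
    flag "$2" '^[0-9]+:[[:space:]]*HostKey[[:space:]].*/ssh_host_key[[:space:]]*$' \
        'step 14: comment out this HostKey line'
    flag "$2" '^[0-9]+:[[:space:]]*RSAAuthentication[[:space:]]' \
        'step 14: comment out RSAAuthentication'
}

# demo: run the audit over two constructed files (not the shipped samples).
demo() {
    d=$(mktemp -d)
    cat >"$d/mwsftpd.conf" <<'EOF'
# constructed sample; "Ciphers" as a key name is an assumption
Ciphers=aes128-ctr,aes256-ctr,3des-cbc
KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp512
#Ciphers=3des-cbc
AuthenticationMethods=publickey,password
EOF
    cat >"$d/mwsftpd_config" <<'EOF'
# constructed sample
HostKey /etc/messageway/keys/ssh_host_key
HostKey /etc/messageway/keys/ssh_host_ed25519_key
RSAAuthentication no
#RSAAuthentication no
PubkeyAcceptedKeyTypes ssh-dss,ssh-rsa
EOF
    audit_mwsftpd "$d/mwsftpd.conf" "$d/mwsftpd_config"
    rm -rf "$d"
}

# With two arguments, audit the named in-use files.
if [ $# -eq 2 ]; then
    audit_mwsftpd "$1" "$2"
fi
```

Run it with the paths of the in-use files, for example /etc/messageway/mwsftpd.conf and /etc/messageway/mwsftpd_config; no output means none of the flagged settings is active.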

( December 21, 2018 ) Issues closed in mwsftp-6.1.0-mr07-cygwin

IMPORTANT NOTE about Security Updates for this release:
MessageWay now includes the OpenSSL 1.0.2p and FIPS 2.0.16 releases.

They address many vulnerabilities that can be found in the release notes on the OpenSSL.org site.

Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html

Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.16.pdf

MessageWay SFTP Perimeter Server - Issue #4312, 4408 (Program changed: mwsftpd - version 6.1.0.9)

Issue 4312: A PCI scan against MWSFTPD server indicates vulnerability CVE-2016-2183 (Birthday attacks against TLS ciphers with 64-bit block size), also known as Sweet32.  Changes: This problem has been fixed by removing 3DES ciphers from mwsftpd.conf.samp.  Customers will need to merge this change into their in-use mwsftpd.conf file.

Issue 4408: The df command performed against the MWSFTPD server will display the disk usage statistics of the file system where the MWSFTPD server resides.  Changes: This problem has been fixed.

MessageWay SFTP Perimeter Server - Issue #4312, 4366 (Program changed: mwsftpd.conf.samp)

Issue 4312:
A PCI scan against MWSFTPD server indicates vulnerability CVE-2016-2183 (Birthday attacks against TLS ciphers with 64-bit block size), also known as Sweet32.  Changes: This problem has been fixed by removing 3DES ciphers from mwsftpd.conf.samp.  Customers will need to merge this change into their in-use mwsftpd.conf file.

Issue 4366: Enable Public Key Authentication in MWSFTPD config file.  Changes: AuthenticationMethods=publickey,password has been added to mwsftpd.conf.samp.  Customers will need to merge this change into their in-use mwsftpd.conf file, as well as uncomment the "secure connection to MWSI" section.

MessageWay SFTP Perimeter Server - Issue #4364 (Program changed: mwsftpd_config.samp)

Issue 4364:
Update mwsftpd_config.samp to enable the use of DSS public keys if desired.  Changes: This problem has been fixed by adding a DSS public key parameter to mwsftpd_config.samp.  Customers will need to merge this change into their in-use mwsftpd_config file.  The added parameter is: PubkeyAcceptedKeyTypes ssh-dss,ssh-rsa

MessageWay SFTP Perimeter Server - Issue #4118 (Programs changed: cygcrypto-1.0.0.dll, cygssl-1.0.0.dll)

Issue 4118:
See Important Note about Security Updates for this release above.

( March 31, 2018 ) Issues closed in mwsftp-6.1.0-mr06-cygwin

IMPORTANT NOTE about Security Updates for this release:
MessageWay now includes the OpenSSL 1.0.2n and FIPS 2.0.16 releases.

They address many vulnerabilities that can be found in the release notes on the OpenSSL.org site.

Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html

Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.16.pdf

MessageWay SFTP Perimeter Server - Issue #4321 (Programs changed: mwsftp-server, mwsftpd - version 6.1.0.8)

Issue 4321: Regression, can't specify port number that MessageWay SFTP Server listens on.  Changes: This problem has been fixed.

MessageWay SFTP Perimeter Server - Issue #4293, 4314 (Program changed: mwsftpd.conf.samp)

Issue 4293: Older SFTP Clients no longer work with OpenSSH version 7.4 that was released with MWSFTPD Server version 6.1 MR06.  Changes: A wider array of KexAlgorithms was added to the mwsftpd.conf.samp file to support both older SFTP Clients and newer SFTP Clients.  The trade-off is security versus supporting older SFTP Clients.  Refer to the comments in mwsftpd.conf.samp to help you determine the correct choice of KexAlgorithms for your installation.

Issue 4314:
Typo in mwsftpd.conf.samp regarding KexAlgorithms causes SFTP Server to abort at startup when new KexAlgorithm is used.  Changes: The incorrect KexAlgorithm ecdh-sha2-nistp512 has been corrected to ecdh-sha2-nistp521.

MessageWay SFTP Perimeter Server - Issue #4118 (Programs changed: cygcrypto-1.0.0.dll, cygssl-1.0.0.dll)

Issue 4118:
See Important Note about Security Updates for this release above.

( May 26, 2017 ) Issues closed in mwsftp-6.1.0-mr05-cygwin

IMPORTANT NOTE about SSH Security Updates for this release:
MWSFTPD server now includes the OpenSSH 7.4p1 release.

It addresses many vulnerabilities that can be found in the release notes on the OpenSSH.com site.  Note that SFTP clients using the old Diffie-Hellman Group Exchange request structure (type 30) will no longer work, as a new request structure (type 34) has been released.

Specifically, see the following link for further details about this release of OpenSSH:
http://www.openssh.com/releasenotes.html

IMPORTANT NOTE about Security Updates for this release:
MessageWay now includes the OpenSSL 1.0.2j and FIPS 2.0.12 releases.

They address many vulnerabilities that can be found in the release notes on the OpenSSL.org site.

Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html

Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.12.pdf

MessageWay SFTP Perimeter Server - Issue #4246, 4266, 4279 (Programs changed: mwsftp-server, mwsftpd - version 6.1.0.7)

Issue 4246:
See Important Note about Security Updates for this release above.

Issue 4266: See Important Note about SSH Security Updates for this release above.  NOTE: Changes to the mwsftpd_config file are required to support OpenSSH 7.4.  Please see mwsftpd_config.samp for required changes.  You need to comment out (#) the following two lines in mwsftpd_config: 'HostKey <config-path>/keys/ssh_host_key' and 'RSAAuthentication no' or you will encounter warning messages when starting SFTP Server.

Issue 4279: Need to improve message transfer performance in perimeter servers.  Changes: We identified updates that occurred against the database more frequently than required, such as Last Activity Time on the Session entry and Size on the Message Header entry.  We feel we have maintained the functionality provided by the updates while being more selective of how often these updates are done.  We also identified socket option changes that improved TCP connection throughput.

MessageWay SFTP Perimeter Server - Issue #4246 (Program changed: cygcrypto-1.0.0.dll)

Issue 4246:
See Important Note about Security Updates for this release above.

MessageWay SFTP Perimeter Server - Issue #4246 (Program changed: cygssl-1.0.0.dll)

Issue 4246:
See Important Note about Security Updates for this release above.

( August 19, 2016 ) Issues closed in mwsftp-6.1.0-mr04-cygwin

IMPORTANT NOTE about Security Updates for this release:
MessageWay now includes the OpenSSL 1.0.2h and FIPS 2.0.12 releases.

They address many vulnerabilities that can be found in the release notes on the OpenSSL.org site.

Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html

Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.12.pdf

MessageWay SFTP Perimeter Server - Issue #4173 (Programs changed: install.sh)

Issue 4173:
Installer not creating host key ssh_host_ed25519_key.  Changes: This problem has been fixed.

( April 20, 2016 ) Issues closed in mwsftp-6.1.0-mr03-cygwin

IMPORTANT NOTE: When applying the latest SFTP Perimeter server maintenance release in Cygwin on Windows, you must review the latest MessageWay Installation Guide, section 'To Install the SFTP Perimeter Server on Windows', and confirm that the 'libssp0: GCC Stack-Smashing Protection runtime library' package is added to your Cygwin environment.

IMPORTANT NOTE about Security Updates for this release (Issue-4025, 4144):
MessageWay now includes the OpenSSL 1.0.1r and FIPS 2.0.11 releases.

They address many vulnerabilities that can be found in the release notes on the OpenSSL.org site.

Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.1-notes.html

Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.11.pdf

MessageWay SFTP Perimeter Server - Issue #4145, 4160 (Programs changed: mwsftp-server, mwsftpd - version 6.1.0.6)

Issue 4145:
Add SHA2 support to server and add KexAlgorithms to configuration file.  Changes: The sample configuration file mwsftpd.conf.samp has been updated to include support for KexAlgorithms, including SHA2, and the server has been updated to support SHA2 key exchange.

Issue 4160: Changing directory to root ('/') within a client would cause server to abort.  Changes: Changing directory to root ('/') within a client will now cause server to return 'Permission Denied' (EACCESS).

MessageWay SFTP Perimeter Server - Issue #4025, 4144 (Program changed: cygcrypto-1.0.0.dll)

Issue 4025, 4144:
See Important Note about Security Updates for this issue above.

( May 15, 2015 ) Issues closed in mwsftp-6.1.0-mr02

IMPORTANT NOTE about SSH Security Updates for this release (Issue-3974):
This server now incorporates the updated OpenSSH 6.6 version. Details about this release can be reviewed on the openssh.org site.

IMPORTANT NOTE about Security Updates for this release (Issue-3975):
MessageWay now includes the OpenSSL 0.9.8ze and FIPS 1.2.2 releases.

They address the following higher profile vulnerabilities and many others that can be found in the release notes on the Openssl.org site.

CVE-2014-0160 (Heartbleed vulnerability): OpenSSL 0.9.8ze is not vulnerable to the issue outlined in this CVE report.
CVE-2014-0224 (SSL/TLS MITM vulnerability): OpenSSL 0.9.8ze contains the updates to address this vulnerability.
CVE-2014-3566 (POODLE vulnerability): MessageWay no longer supports the SSLv3 protocol for secure sessions.
CVE-2015-0204 (FREAK vulnerability): OpenSSL 0.9.8ze contains the updates to address this vulnerability.

MessageWay SFTP Perimeter Server - Issue #3949, 3974, 4002, 4012, 4014, 4026 (Programs changed: mwsftp-server, mwsftpd)

Issue 3949:
Using an SOSFTP Client to delete a message in MessageWay fails with 'Access Denied' error.  The SOSFTP Client uses an Open mode O_RDWR when attempting to delete a message in MessageWay.  MessageWay SFTP Perimeter Server only supports Open modes O_RDONLY and O_WRONLY.  Changes: This problem has been fixed.

Issue 3974: See Important Note about SSH Security Updates for this issue above.

Issue 4002: The ssl-poodle vulnerability has created the need to disable SSLv3 as a valid SSL protocol.  Changes: SSLv3 is no longer available in MessageWay and now only TLS is used. All MessageWay configuration files have been updated to reflect this change going forward, but existing configuration files will still work as is because the SSL option will simply be ignored.

Issue 4012: Add DenyUsers functionality to SFTP Perimeter Server to help prevent 'brute force attacks' from using up valuable system resources in the service interface.  Changes: A new parameter, DenyUsers, can now be configured in the mwsftpd_config file to specify a list of users that should not be allowed thru to the service interface via SFTP Perimeter Server.

Issue 4014: The SFTP Perimeter Server install is not putting the moduli file into /usr/local/etc, causing error messages to be written to system event log when SFTP Perimeter Server is used.  Changes: The SFTP Perimeter Server install now copies the moduli file into /usr/local/etc if not there already.

Issue 4026: Vulnerability reported against the SSH cipher list.  Changes: The sample configuration file mwsftpd.conf.samp has been updated to offer a recommended set of ciphers and MACs functions.  Recommended ciphers in preferred order include aes128-ctr, aes256-ctr, aes128-cbc, aes256-cbc and 3des-cbc.  The recommended MACs function is hmac-sha1.  Beware that older clients that are based on previous generations of DLLs or Libraries that implement SSH may have problems.  These older clients may not have a wide selection of ciphers and may require a cipher no longer included in the recommended settings.  It is difficult to tell which clients may be impacted without further testing.

MessageWay SFTP Perimeter Server - Issue #3975 (Program changed: cygcrypto-1.0.0.dll)

Issue 3975:
See Important Note about Security Updates for this issue above.

MessageWay SFTP Perimeter Server - Issue #3975 (Program changed: cygssl-1.0.0.dll)

Issue 3975:
See Important Note about Security Updates for this issue above.

( October 24, 2013 ) Issues closed in mwsftp-6.1.0-hf01

MessageWay SFTP Perimeter Server - Issue #3565, 3763, 3858, 3877 (Programs changed: mwsftp-server, mwsftpd)

Issue 3565: When a client uploads a file to the SFTP Server using a relative file name, the upload fails.  Changes: The SFTP server now accepts both relative and absolute file names.

Issue 3763: Standard SFTP server directory listings are sorted alphabetically by file name. The MessageWay SFTP Perimeter Server displays lists with newest file first. There is no option that would allow users to control dir listing sort format. Changes: A new parameter has been added to the Global section of the mwsftpd.conf file. Users can set the parameter FilenameSort=True to sort directory lists by filename, overriding the default sort order by date and time. Please refer to the new parameter in the sample configuration file mwsftpd.conf.samp. Copy and paste the description from the comments section and the parameter into your configuration file, and set the parameter to suit your needs. Don't forget to restart your FTP server to make any changes to your configuration file take effect.

Issue 3858: For Windows platforms, Cygwin files will no longer be delivered with the mwsftpd install. Changes: Users should follow the revised instructions in the topic "To Install the SFTP Perimeter Server on Windows" in the MessageWay Installation Guide to download Cygwin and install it before installing mwsftpd.

Issue 3877: If the SFTP perimeter server is configured with SuppressCanceledAndDownloadDirs=True, any attempt to obtain a directory listing for a hierarchical file system location where there are no available files and no sub locations will terminate the session. The problem does not occur with flat file system locations and it does not occur in the FTP perimeter server. Changes: This problem has been fixed.
 
