MessageWay SFTP Perimeter Server Maintenance Release

Maintenance Release Name: mwsftp-6.1.0-mr08-cygwin
Release date: January 5, 2021
Prerequisite: MessageWay SFTP Perimeter Server 6.1.0 and MessageWay 6.1.0 mr09
Obsoletes Maintenance Releases (formerly called Hotfixes): All previous MessageWay SFTP Server 6.1.0 Hotfixes

Files:
This Maintenance Release contains the files listed below:

Files changed in this Maintenance Release mwsftp-6.1.0-mr08-cygwin:
cygcrypto-1.0.0.dll | OpenSSL crypto library
cygssl-1.0.0.dll | OpenSSL library
mwsftpd | MessageWay SSH Server version 6.1.0.10
mwsftpd_config.samp | Sample Configuration File
mwsftp-6.1.0-mr08-cygwin_readme.html | This Readme file

Files changed in previous Hotfixes and rolled into this Maintenance Release:
install.sh | SFTP Installer
mwsftp-server | MessageWay SFTP Server
mwsftpd.conf.samp | Sample SFTP Configuration File
moduli | OpenSSH_6.6p1 moduli file

Installing the MessageWay SFTP Server Maintenance Release:

1) Download the Maintenance Release install package sent by Progress and unzip.
2) Log on to the perimeter server as the user that "owns" the MessageWay SFTP Server service.
3) Locate the Maintenance Release tarball (mwsftp-6.1.0-mr08-cygwin.tgz) in the Maintenance Release install package (...\servers_mrs\windows\) and copy to C:root subdirectory of the perimeter server.
   NOTE: The copy command in step 9 requires the install file to be in the C:root subdirectory. To copy it from another subdirectory, modify the copy command in step 9 accordingly.
4) Stop the MessageWay SFTP Server service.
5) Right-click the Cygwin icon on the desktop (or from within Programs) and select 'Run as administrator'.
   NOTE: Perform steps 6 thru 13 at the Cygwin prompt.
6) Create a mwayinstall subdirectory: mkdir mwayinstall
   NOTE: Ignore the error that is displayed if the directory already exists.
7) cd to the newly created mwayinstall subdirectory: cd mwayinstall
8) Type the following to obtain the Cygwin version displayed after the hostname: uname -a
   - If the version is 3.1.6 or newer, proceed with these install instructions.
   - If the version is older than 3.1.6, it will need to be upgraded to 3.1.6 or newer before proceeding with this install.
9) Copy the mwsftp-6.1.0-mr08-cygwin.tgz file to the mwayinstall subdirectory: cp -p /cygdrive/c/mwsftp-6.1.0-mr08-cygwin.tgz .
   NOTE: In step 9, the name of the tar file in the copy command must be followed by a space and a period.
10) Untar the mwsftp-6.1.0-mr08-cygwin.tgz file: tar -xzvf mwsftp-6.1.0-mr08-cygwin.tgz
   NOTE: Step 10 will automatically create a new subdirectory named mwsftp-6.1.0-mr08-cygwin.
11) cd to the newly created mwsftp-6.1.0-mr08-cygwin subdirectory.
12) Install the Maintenance Release by running the install script: ./install.sh
   NOTE: During the install you will be prompted to enter your cygwin user and group. To obtain these values, enter "ls -l" at the cygwin prompt and note the user and group from the file or folder properties displayed.
13) Answer the prompts as they appear.
14) To ensure that SFTP Server starts properly, make the following manual edits to /etc/messageway/mwsftpd_config:
   - comment out (#) the following line: 'HostKey <config-path>/keys/ssh_host_key'
   - comment out (#) the following line: 'RSAAuthentication no'
   Refer to mwsftpd_config.samp in the subdirectory created in step 10 above for an example of the required changes.
15) To configure the desired KexAlgorithms, refer to mwsftpd.conf.samp in the subdirectory created in step 10 above and update /etc/messageway/mwsftpd.conf accordingly. See comment section for information and recommendations related to the KexAlgorithms parameter settings.
   NOTE: mwsftpd.conf and mwsftpd_config can be accessed within Windows Explorer (<drive>:\cygwin\etc\messageway) and edited with a text editor, such as WordPad or Notepad++. Alternatively, the config files can be edited in Cygwin using the vi editor.
16) If installed, start the CYGWIN syslogd service if not already running.
17) Start the MessageWay SFTP Server service.

The Maintenance Release is now installed on the server. A backup copy of every replaced object was saved in the /opt/messageway/sftp/backups subdirectory.

To verify that the Maintenance Release installed properly, view the /opt/messageway/sftp/MWSFTPInstall.log file. Additionally, this Maintenance Release Readme file is saved in the subdirectory created in step 10 above for future reference.

Regarding any sample config files that may be part of this Maintenance Release, in-use config files should always be compared against newly installed sample config files in order to make any necessary modifications, as well as to incorporate new parameters and updated comments.

(January 5, 2021) Issues closed in mwsftp-6.1.0-mr08-cygwin

IMPORTANT NOTE about Security Updates for this release:
MessageWay now includes the OpenSSL 1.0.2u and FIPS 2.0.16 releases. They address many vulnerabilities that can be found in the release notes on the OpenSSL.org site.
Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html
Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.16.pdf

MessageWay SFTP Perimeter Server - Issue #982 (Program changed: mwsftpd - version 6.1.0.10)
Issue 982: User's password is displayed in the clear in event log when loglevel is set to DEBUG1 in mwsftpd.conf.
Changes: This problem has been fixed.

MessageWay SFTP Perimeter Server - Issue #954 (Program changed: mwsftpd_config.samp)
Issue 954: ssh-ed25519 is missing from PubkeyAcceptedKeyTypes example in mwsftpd_config.samp.
Changes: This problem has been fixed.

MessageWay SFTP Perimeter Server - Issue #950 (Programs changed: cygcrypto-1.0.0.dll, cygssl-1.0.0.dll)
Issue 950: See Important Note about Security Updates for this release above.

(December 21, 2018) Issues closed in mwsftp-6.1.0-mr07-cygwin

IMPORTANT NOTE about Security Updates for this release:
MessageWay now includes the OpenSSL 1.0.2p and FIPS 2.0.16 releases. They address many vulnerabilities that can be found in the release notes on the OpenSSL.org site.
Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html
Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.16.pdf

MessageWay SFTP Perimeter Server - Issue #4312, 4408 (Program changed: mwsftpd - version 6.1.0.9)
Issue 4312: A PCI scan against MWSFTPD server indicates vulnerability CVE-2016-2183 (Birthday attacks against TLS ciphers with 64-bit block size) also known as Sweet32.
Changes: This problem has been fixed by removing 3DES ciphers from mwsftpd.conf.samp. Customers will need to merge this change into their in-use mwsftpd.conf file.
Issue 4408: The df command performed against the MWSFTPD server will display the disk usage statistics of the file system where the MWSFTPD server resides.
Changes: This problem has been fixed.

MessageWay SFTP Perimeter Server - Issue #4312, 4366 (Program changed: mwsftpd.conf.samp)
Issue 4312: A PCI scan against MWSFTPD server indicates vulnerability CVE-2016-2183 (Birthday attacks against TLS ciphers with 64-bit block size) also known as Sweet32.
Changes: This problem has been fixed by removing 3DES ciphers from mwsftpd.conf.samp. Customers will need to merge this change into their in-use mwsftpd.conf file.
Issue 4366: Enable Public Key Authentication in MWSFTPD config file.
Changes: AuthenticationMethods=publickey,password has been added to mwsftpd.conf.samp. Customers will need to merge this change into their in-use mwsftpd.conf file, as well as uncomment the "secure connection to MWSI" section.

MessageWay SFTP Perimeter Server - Issue #4364 (Program changed: mwsftpd_config.samp)
Issue 4364: Update mwsftpd_config.samp to enable the use of DSS public keys if desired.
Changes: This problem has been fixed by adding a DSS public key parameter to mwsftpd_config.samp. Customers will need to merge this change into their in-use mwsftpd_config file. The added parameter is: PubkeyAcceptedKeyTypes ssh-dss,ssh-rsa

MessageWay SFTP Perimeter Server - Issue #4118 (Programs changed: cygcrypto-1.0.0.dll, cygssl-1.0.0.dll)
Issue 4118: See Important Note about Security Updates for this release above.

(March 31, 2018) Issues closed in mwsftp-6.1.0-mr06-cygwin

IMPORTANT NOTE about Security Updates for this release:
MessageWay now includes the OpenSSL 1.0.2n and FIPS 2.0.16 releases. They address many vulnerabilities that can be found in the release notes on the OpenSSL.org site.
Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html
Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.16.pdf

MessageWay SFTP Perimeter Server - Issue #4321 (Programs changed: mwsftp-server, mwsftpd - version 6.1.0.8)
Issue 4321: Regression, can't specify port number that MessageWay SFTP Server listens on.
Changes: This problem has been fixed.

MessageWay SFTP Perimeter Server - Issue #4293, 4314 (Program changed: mwsftpd.conf.samp)
Issue 4293: Older SFTP Clients no longer work with OpenSSH version 7.4 that was released with MWSFTPD Server version 6.1 MR06.
Changes: A wider array of KexAlgorithms was added to the mwsftpd.conf.samp file to support both older SFTP Clients and newer SFTP Clients. The trade-off is security versus supporting older SFTP Clients. Refer to the comments in mwsftpd.conf.samp to help you determine the correct choice of KexAlgorithms for your installation.
Issue 4314: Typo in mwsftpd.conf.samp regarding KexAlgorithms causes SFTP Server to abort at startup when new KexAlgorithm is used.
Changes: The following incorrect KexAlgorithm ecdh-sha2-nistp512 has been corrected to ecdh-sha2-nistp521.

MessageWay SFTP Perimeter Server - Issue #4118 (Programs changed: cygcrypto-1.0.0.dll, cygssl-1.0.0.dll)
Issue 4118: See Important Note about Security Updates for this release above.

(May 26, 2017) Issues closed in mwsftp-6.1.0-mr05-cygwin

IMPORTANT NOTE about SSH Security Updates for this release:
MWSFTPD server now includes the OpenSSH 7.4p1 release. It addresses many vulnerabilities that can be found in the release notes on the OpenSSH.com site. Note that SFTP clients using the old Diffie-Hellman Group Exchange request structure (type 30) will no longer work, as a new request structure (type 34) has been released.
Specifically, see the following link for further details about this release of OpenSSH:
http://www.openssh.com/releasenotes.html

IMPORTANT NOTE about Security Updates for this release:
MessageWay now includes the OpenSSL 1.0.2j and FIPS 2.0.12 releases. They address many vulnerabilities that can be found in the release notes on the OpenSSL.org site.
Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html
Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.12.pdf

MessageWay SFTP Perimeter Server - Issue #4246, 4266, 4279 (Programs changed: mwsftp-server, mwsftpd - version 6.1.0.7)
Issue 4246: See Important Note about Security Updates for this release above.
Issue 4266: See Important Note about SSH Security Updates for this release above.
NOTE: Changes to the mwsftpd_config file are required to support OpenSSH 7.4. Please see mwsftpd_config.samp for required changes. You need to comment out (#) the following two lines in mwsftpd_config: 'HostKey <config-path>/keys/ssh_host_key' and 'RSAAuthentication no' or you will encounter warning messages when starting SFTP Server.
Issue 4279: Need to improve message transfer performance in perimeter servers.
Changes: We identified updates that occurred against the database more frequently than required, such as Last Activity Time on the Session entry and Size on the Message Header entry. We feel we have maintained the functionality provided by the updates while being more selective of how often these updates are done. We also identified socket option changes that improved TCP connection throughput.

MessageWay SFTP Perimeter Server - Issue #4246 (Program changed: cygcrypto-1.0.0.dll)
Issue 4246: See Important Note about Security Updates for this release above.

MessageWay SFTP Perimeter Server - Issue #4246 (Program changed: cygssl-1.0.0.dll)
Issue 4246: See Important Note about Security Updates for this release above.
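
The manual config changes these notes ask customers to merge (the two mwsftpd_config lines from install step 14 and Issue 4266, the 3DES removal from Issue 4312, and the ecdh-sha2-nistp512 typo from Issue 4314) can be checked from the Cygwin prompt. The script below is an added example, not part of the vendor's release package; the function names, the constructed sample file contents, and the assumption that "#" starts a comment in mwsftpd.conf are illustrative.

```shell
#!/bin/bash
# Added example (not vendor code): flag settings that these release notes say
# must be changed by hand in the in-use MessageWay SFTP config files.

# mwsftpd_config ("Keyword value" lines): install step 14 and Issue 4266 say
# the legacy HostKey line and the RSAAuthentication line must be commented out.
audit_mwsftpd_config() {
    awk '
        { sub(/\r$/, "") }            # tolerate CRLF left by Windows editors
        /^[ \t]*(#|$)/ { next }       # skip comments and blank lines
        tolower($1) == "hostkey" && $2 ~ /\/ssh_host_key$/ {
            printf "%s:%d: comment out legacy HostKey line\n", FILENAME, FNR }
        tolower($1) == "rsaauthentication" {
            printf "%s:%d: comment out RSAAuthentication line\n", FILENAME, FNR }
    ' "$1"
}

# mwsftpd.conf: Issue 4312 removed 3DES ciphers (CVE-2016-2183, Sweet32) and
# Issue 4314 corrected the ecdh-sha2-nistp512 typo that aborts server startup.
# Assumption: "#" starts a comment here too. Matching is on the algorithm
# names only, so no parameter name in this file is assumed.
audit_mwsftpd_conf() {
    awk '
        { sub(/\r$/, "") }
        /^[ \t]*(#|$)/ { next }
        /3des-cbc/ {
            printf "%s:%d: 3des-cbc still offered (Issue 4312)\n", FILENAME, FNR }
        /ecdh-sha2-nistp512/ {
            printf "%s:%d: ecdh-sha2-nistp512 should be ecdh-sha2-nistp521 (Issue 4314)\n", FILENAME, FNR }
    ' "$1"
}

# Write constructed sample files (not real MessageWay configs) into directory $1.
# The first file uses CRLF line endings, as a Windows text editor would save it.
make_samples() {
    printf '%s\r\n' \
        'HostKey /etc/messageway/keys/ssh_host_key' \
        'HostKey /etc/messageway/keys/ssh_host_rsa_key' \
        '#RSAAuthentication no' \
        'PubkeyAcceptedKeyTypes ssh-dss,ssh-rsa' > "$1/mwsftpd_config"
    printf '%s\n' \
        '# Ciphers=aes128-ctr,3des-cbc' \
        'Ciphers=aes128-ctr,aes256-ctr,3des-cbc' \
        'KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp512' > "$1/mwsftpd.conf"
}

# Demo on the constructed samples. On a real server, pass
# /etc/messageway/mwsftpd_config and /etc/messageway/mwsftpd.conf instead.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
audit_mwsftpd_config "$demo_dir/mwsftpd_config"
audit_mwsftpd_conf "$demo_dir/mwsftpd.conf"
rm -rf "$demo_dir"
```

No output from either function means none of the flagged settings is active in that file.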

(August 19, 2016) Issues closed in mwsftp-6.1.0-mr04-cygwin

IMPORTANT NOTE about Security Updates for this release:
MessageWay now includes the OpenSSL 1.0.2h and FIPS 2.0.12 releases. They address many vulnerabilities that can be found in the release notes on the OpenSSL.org site.
Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html
Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.12.pdf

MessageWay SFTP Perimeter Server - Issue #4173 (Programs changed: install.sh)
Issue 4173: Installer not creating host key ssh_host_ed25519_key.
Changes: This problem has been fixed.

(April 20, 2016) Issues closed in mwsftp-6.1.0-mr03-cygwin

IMPORTANT NOTE: When applying the latest SFTP Perimeter server maintenance release in Cygwin on Windows, you must review the latest MessageWay Installation Guide, section 'To Install the SFTP Perimeter Server on Windows', and confirm that the 'libssp0: GCC Stack-Smashing Protection runtime library' package is added to your Cygwin environment.

IMPORTANT NOTE about Security Updates for this release (Issue-4025, 4144):
MessageWay now includes the OpenSSL 1.0.1r and FIPS 2.0.11 releases. They address many vulnerabilities that can be found in the release notes on the OpenSSL.org site.
Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.1-notes.html
Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.11.pdf

MessageWay SFTP Perimeter Server - Issue #4145, 4160 (Programs changed: mwsftp-server, mwsftpd - version 6.1.0.6)
Issue 4145: Add SHA2 support to server and add KexAlgorithms to configuration file.
Changes: The sample configuration file mwsftpd.conf.samp has been updated to include support for KexAlgorithms, including SHA2, and the server has been updated to support SHA2 key exchange.
Issue 4160: Changing directory to root ('/') within a client would cause server to abort.
Changes: Changing directory to root ('/') within a client will now cause server to return 'Permission Denied' (EACCES).

MessageWay SFTP Perimeter Server - Issue #4025, 4144 (Program changed: cygcrypto-1.0.0.dll)
Issue 4025, 4144: See Important Note about Security Updates for this issue above.

(May 15, 2015) Issues closed in mwsftp-6.1.0-mr02

IMPORTANT NOTE about SSH Security Updates for this release (Issue-3974):
This server now incorporates the updated OpenSSH 6.6 version. Details about this release can be reviewed on the openssh.org site.

IMPORTANT NOTE about Security Updates for this release (Issue-3975):
MessageWay now includes the OpenSSL 0.9.8ze and FIPS 1.2.2 releases. They address the following higher profile vulnerabilities and many others that can be found in the release notes on the OpenSSL.org site.
- CVE-2014-0160, Heartbleed vulnerability, the OpenSSL 0.9.8ze is not vulnerable to the issue outlined in this CVE report.
- CVE-2014-0224, SSL/TLS MITM vulnerability, the OpenSSL 0.9.8ze version contains the updates to address this vulnerability.
- CVE-2014-3566, POODLE vulnerability, MessageWay no longer supports the SSLv3 protocol for secure sessions.
- CVE-2015-0204, FREAK vulnerability, the OpenSSL 0.9.8ze version contains the updates to address this vulnerability.

MessageWay SFTP Perimeter Server - Issue #3949, 3974, 4002, 4012, 4014, 4026 (Programs changed: mwsftp-server, mwsftpd)
Issue 3949: Using an SOSFTP Client to delete a message in MessageWay fails with 'Access Denied' error. The SOSFTP Client uses an Open mode O_RDWR when attempting to delete a message in MessageWay. MessageWay SFTP Perimeter Server only supports Open modes O_RDONLY and O_WRONLY.
Changes: This problem has been fixed.
Issue 3974: See Important Note about SSH Security Updates for this issue above.
Issue 4002: The ssl-poodle vulnerability has created the need to disable SSLv3 as a valid SSL protocol.
Changes: SSLv3 is no longer available in MessageWay and now only TLS is used. All MessageWay configuration files have been updated to reflect this change going forward, but existing configuration files will still work as is because the SSL option will simply be ignored.
Issue 4012: Add DenyUsers functionality to SFTP Perimeter Server to help prevent 'brute force attacks' from using up valuable system resources in the service interface.
Changes: New parameter DenyUsers can now be configured in mwsftpd_config file to specify list of users that should not be allowed thru to the service interface via SFTP Perimeter Server.
Issue 4014: The SFTP Perimeter Server install is not putting the moduli file into /usr/local/etc, causing error messages to be written to system event log when SFTP Perimeter Server is used.
Changes: The SFTP Perimeter Server install now copies the moduli file into /usr/local/etc if not there already.
Issue 4026: Vulnerability reported against the SSH cipher list.
Changes: The sample configuration file mwsftpd.conf.samp has been updated to offer a recommended set of ciphers and MACs functions. Recommended ciphers in preferred order include aes128-ctr, aes256-ctr, aes128-cbc, aes256-cbc and 3des-cbc. The recommended MACs function is hmac-sha1. Beware that older clients that are based on previous generations of DLLs or Libraries that implement SSH may have problems. These older clients may not have a wide selection of ciphers and may require a cipher no longer included in the recommended settings. It is difficult to tell which clients may be impacted without further testing.

MessageWay SFTP Perimeter Server - Issue #3975 (Program changed: cygcrypto-1.0.0.dll)
Issue 3975: See Important Note about Security Updates for this issue above.

MessageWay SFTP Perimeter Server - Issue #3975 (Program changed: cygssl-1.0.0.dll)
Issue 3975: See Important Note about Security Updates for this issue above.

(October 24, 2013) Issues closed in mwsftp-6.1.0-hf01

MessageWay SFTP Perimeter Server - Issue #3565, 3763, 3858, 3877 (Programs changed: mwsftp-server, mwsftpd)
Issue 3565: When a client uploads a file to the SFTP Server using a relative file name, the upload fails.
Changes: The SFTP server now accepts both relative and absolute file names.
Issue 3763: Standard SFTP server directory listings are sorted alphabetically by file name. The MessageWay SFTP Perimeter Server displays lists with newest file first. There is no option that would allow users to control dir listing sort format.
Changes: A new parameter has been added to the Global section of the mwsftpd.conf file. Users can set the parameter FilenameSort=True to sort directory lists by filename, overriding the default sort order by date and time. Please refer to the new parameter in the sample configuration file mwsftpd.conf.samp. Copy and paste the description from the comments section and the parameter into your configuration file, and set the parameter to suit your needs. Don't forget to restart your FTP server to make any changes to your configuration file take effect.
Issue 3858: For Windows platforms, Cygwin files will no longer be delivered with the mwsftpd install.
Changes: Users should follow the revised instructions in the topic "To Install the SFTP Perimeter Server on Windows" in the MessageWay Installation Guide to download Cygwin and install it before installing mwsftpd.
Issue 3877: If the SFTP perimeter server is configured with SuppressCanceledAndDownloadDirs=True, any attempt to obtain a directory listing for a hierarchical file system location where there are no available files and no sub locations will terminate the session. The problem does not occur with flat file system locations and it does not occur in the FTP perimeter server.
Changes: This problem has been fixed.