ca96080337
* Version 1.0.49: - This version fixes a regression introduced in version 1.0.48 that broke the external authentication feature. Reported by Peter Hudec, thanks! - Sockets from `pure-authd` and `pure-extauth` are now always owned by `root` in order to cope with the absence of `CAP_DAC_OVERRIDE` on Linux. Suggested by Arkadiusz MiÅkiewicz, thanks! * Version 1.0.48: - SNI support has been added. A new service, `pure-certd`, can run external code written in any language in order to map SNI names to TLS certificates. - External authentication handlers get a new `AUTHD_CLIENT_SNI_NAME` environment variable set when the client uses SNI. - TLS certificates and keys can now be in different files. - `make install` does not overwrite existing configuration files any more. The example files layout has changed. - TLS 1.3 is enabled when using OpenSSL 1.1.x. - TLS < 1.2 is disabled by default. - Quirks for obsolete OpenSSL versions have been removed. - Username _ftp can be used as an alternative to ftp everywhere. - Password hashing parameters are now chosen according to locally available resources. The `pure-pw` command gets to new switches: `-C` (as a hint regarding the number of simultaneous login attempts) and `-M` (total memory, in MB, to reserve for password hashing). - New translation: Albanian, thanks to Moisi Xhaferaj. - The `PRET` command has been added. It can avoid opening useless data connections for nonexistent content. - Dot-files are always displayed. We don't lie any more in some commands while not lying in other commands to respect the protocol. - Support for RFC 2640 has been removed from the free version, as it was early, experimental, slow, mostly broken and unmaintained code. - The `NLST` command doesn't perform globbing any more. - The `MLSD` command now prepends the path to file names. * Version 1.0.47: - Unlike other directory listing commands, the STAT command should use TLS on the control channel even if TLS has been disabled on the data channel. It wasn't the case; this has been fixed. Thanks to Carlo Cannas. - Return a 451 error code instead of 226 on aborted uploads. - The system user "_ftp" can be used as an alternative to "ftp" for anonymous sessions. - Compatibility with libsodium > 1.0.12 was added (including minimal mode). * Version 1.0.46: - The server can now be linked against OpenSSL 1.1.x with the strict API. - Unmaintained contributions have been removed. - Globbing: the number of * in an expression has been limited to 3. * Version 1.0.45: - TLS v1.0 sessions are now refused. - Version 1.0.44 didn't properly parse the TLSCipherSuite directive. This has been fixed. * Version 1.0.44: - The Perl and Python wrappers are gone. The daemon can now use a configuration file without requiring external dependencies. - Pure-FTPd can now be linked against OpenSSL 1.1.x - The QUIT command didn't work properly when the server was compiled without support for RFC2640. This has been fixed. - 3DES was removed from the default cipher suite. * Version 1.0.43: - Passwords can now be hashed using Argon2. - The -J switch didn't work any more in 1.0.42. This has been fixed. - The default cipher suite was simplified. - Authentication against system accounts is compatible with OpenBSD 6.0. - Fixed: protocol conformance when TLS sessions are refused. - Altlog records can now be sent to `stdout`/`stderr`. * Version 1.0.42: - Compilation fix for OpenBSD and Bitrig when Pure-FTPd is not compiled with libsodium. - The connection is now dropped if HTTP commands are received. - LDAP force_default_gid and force_default_uid now work as documented. - The ONLY_ACCEPT_REUSED_SSL_SESSIONS switch (introduced in Pure-FTPd 1.0.22 circa 2009, but disabled back then due to client compatibility concerns) is now on by default, except in broken clients compatibility mode. * Version 1.0.41: - libmariadb is looked for in addition to libmysqlclient - MySQL: my_make_scrambled_password() is not always an exported symbol any more, so pure-ftpd now ships a reimplementation. - openssl/ec.h is not available on some Linux distributions that disable EC in OpenSSL. This is being tested by autoconf. - New command-line switch: -2/--certfile= to set the path to the certificate file when using TLS. * Version 1.0.40: - Support for TCP_FASTOPEN added on Linux - The LDAP configuration file didn't allow a default gid without also defining a default uid. This is no longer the case. - OpenBSD's glob() left the glob_t structure uninitialized if the pattern was larger than PATH_MAX, causing globfree() to free() an unwanted pointer. The bug was introduced in Pure-FTPd 1.0.34. * Version 1.0.39: - Explicitly include openssl/ec.h for OpenSSL 0.9.8 (CentOS 5) - Retry if SSL_shutdown() returns -1 and SSL_ERROR_WANT_(READ|WRITE) * Version 1.0.38: - The default cipher suite is now ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SH - TLS forward secrecy support was added. DH parameters are loaded from TLS_DHPARAMS_FILE, if present. ECDH is also supported - Default curve is prime256v1 (TLS_DEFAULT_ECDH_CURVE). The best curve is automatically selected when using LibreSSL. - scrypt hashed passwords can be used in the MySQL, PostgreSQL and LDAP backends. * Version 1.0.37: - The -C: prefix can be added to the cipher suite in order to make valid client certificates mandatory. This is no longer a compile-time option. - The Clear Command Channel (CCC) command is now supported. - pure-config.py is compatible with Python 3. - SSL (v2, v3) is refused by default. - The PureDB backend supports the scrypt function in order to hash passwords. This is the preferred algorithm, but requires the presence of libsodium. - DES-hashed passwords are not supported any more. - LDAP uid and gid values can over overridden in the LDAP configuration file. - New LDAPUseTLS directive for LDAP. - RC4 was killed. * Version 1.0.36: - The safe_write()/safe_read() factorization broke extauth. Using safe_read_partial() to read from the extauth pipe wasn't enough. Bug reported by Rasmus Fauske. - Improved autoconf detection of -fstack-protector and -fPIE - If 10 digits are not enough to print the size of a file in an ls-like output, bump the max number of digits to 18. This adds support for files up to 1 exabyte. - Pure-FTPd can be compiled with Cygwin, ASLR/DEP is enabled by default on Windows, and ASCII downloads on Windows have been fixed. - A new undocumented macro, ALLOW_EVERYTHING_IN_FILE_NAMES, allows any characters in a file name. Disabled by default. - Don't display dot files (except . and ..) if dot_read_ok is 0 in donlist() - but not in sglob() yet. This change is purely cosmetic. There are many ways to figure out if a file exists. |
||
---|---|---|
.. | ||
patch-Makefile.in |