                    1.3.3 Release Notes
                  ------------------------

This file contains a description of the major changes to ProFTPD for the
1.3.3 release cycle, from the 1.3.3rc1 release to the 1.3.3 maintenance
releases.  More information on these changes can be found in the NEWS and
ChangeLog files.

1.3.3
---------

  + Fixed mod_ban whitelisting using mod_ifsession.
  + Fixed per-user/group/class "HideFiles none" configurations.

1.3.3rc4
---------

  + Fixed mod_tls compilation using OpenSSL installations older than 0.9.7.
  + Fixed mod_sftp compilation on AIX.
  + Fixed RADIUS authentication on 64-bit platforms
  + Fixed memory leak in SCP downloads.

  + New configuration directives

    SQLPasswordUserSalt

      The SQLPasswordUserSalt directive can be used to configure per-user
      salt data to be added to the encrypted password for a user.  The salt
      can be the user name, or it can be the result of a SQL query.  More
      information can be found in
      doc/contrib/mod_sql_passwd.html#SQLPasswordUserSalt.


1.3.3rc3
---------

  + Added Taiwan translation.

  + Added support in mod_sftp for the following SFTP extensions:

      check-file
      copy-file
      vendor-id
      version-select
      posix-rename@openssh.com
      fstatvfs@openssh.com
      statvfs@openssh.com

  + Added a workaround in mod_tls to deal with the vulnerability found in
    SSL/TLS protocol during renegotiation (CVE-2009-3555).  Good
    descriptions of this vulnerability can be found here:

      http://extendedsubset.com/?p=8
      http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html

    The workaround implemented in mod_tls (Bug#3324) is one of the suggested
    mitigation approaches: the server now refuses all client-initiated
    SSL/TLS session renegotiations.

  + Updated to the bundled libtool to 2.2.4 (plus patch) to deal with a
    libtool vulnerability (CVE-2009-3736).

  + Added support for SHA256 and SHA512 passwords to the mod_sql_passwd
    module.

  + New configuration directives

    SFTPExtensions

      The SFTPExtensions directive can be used to selectively enable/disable
      mod_sftp's support for specific SFTP extensions.  See
      doc/contrib/mod_sftp.html#SFTPExtensions for more details.

  + Changed configuration directives

    CapabilitiesSet

      The CAP_FOWNER capability can now be explicitly requested when
      using the mod_cap module:

        <IfModule mod_cap.c>
          CapabilitiesSet +CAP_FOWNER
        </IfModule>

      For operations allowed on files, this capability overrides the
      restriction that the file owner ID must match the process user ID.


1.3.3rc2
---------

  + When handling .ftpaccess files, proftpd was merging them into the
    main configuration such that the .ftpaccess files configurations would
    override the main configuration.  This was never the intended behavior,
    and has been fixed (Bug#3279).

    However, this does mean that sites which use .ftpaccess files may see
    a change in the behavior of their proftpd.

  + Changed scoreboard format (Bug#3286), need for "ServerType inetd"
    server to manually delete their old ScoreboardFiles.  Otherwise they
    will see "error opening scoreboard: bad version (too old)" errors.

  + Changed SQL connection policy (Bug#3290).  Important for clients which
    connect but don't authenticate (e.g. mod_ban, mod_dnsbl, mod_wrap2_sql,
    etc which will reject connected clients prior to authentication); saves
    on unnecessary database connections in such cases.  For sites which
    require the old behavior, there is a new "PERCONNECTION" connection
    policy.

    NOTE: If you are using mod_sql for logging purposes only, e.g. you have
    the following in your mod_sql config:

      SQLEngine log

    then this connection policy change may affect you.  If the database
    connection is opened after a chroot has occurred (via DefaultRoot or
    <Anonymous> login), the database connection may fail.  And since now
    the connection is delayed until first use, and the first use for logging
    may occur after the chroot, the logging may fail.  For such sites, then,
    you will need to use the "PERCONNECTION" connection policy explicitly.

  + Support for "implicit" FTPS.  To enable this, use:

      TLSOptions UseImplicitSSL

    WARNING: Using this setting will cause mod_tls to handle ALL connections
    to the vhost as implicit FTPS connections.  It is NOT possible to support
    both plain FTP (or explicit FTPS) clients AND implicit FTPS clients on the
    same address/port.  Therefore this setting should ONLY ever be used in
    order to support braindead/broken FTPS clients, and then only for as long
    as it takes to fix/replace those broken clients.

    Note that "implicit" FTPS was explicitly DROPPED from the RFC which
    defines FTP over SSL/TLS; the only clients which use this feature are
    outdated clients based on older, now-invalidated versions of the
    specification.  Please update your FTPS clients to one which uses
    explicit FTPS as soon as possible.

  + Re-enable turning off the Nagle algorithm; this drastically helps speed
    up transfers of multiple small files.

  + New modules

    mod_sql_passwd
      This module supports MD5 and SHA1 passwords, encoding using base64 or
      hex, from SQL tables.  See doc/contrib/mod_sql_passwd.html for details.

  + New configuration directives

    AuthUnixOptions

      In Bug#1896, support for checking some AIX-specific functions for
      whether a login should be accepted was added; this happens only on AIX
      server, of course.

      However, some AIX admins like to configure "rlogin=false", yet still
      want to allow FTP logins.  To enable this specific behavior, a new
      AuthUnixOptions directive was added, with a setting which is only
      honored on AIX:

        AuthUnixOptions aixNoRLogin

      If this setting is used on any other server, it is silently ignored.
      Bug#3300 has the full details.

  + Changed configuration directives

    ExtendedLog

      You can now disable logging in an <Anonymous> section to an ExtendedLog
      which was opened outside of the <Anonymous> section, i.e.:

        ExtendedLog /path/to/ext.log ALL

        <Anonymous /path/to/anon>
          ...
          ExtendedLog /path/to/anon-ext.log ALL

          # Disable the logging to the higher-level ExtendedLog by
          # configuring again here, but changing the command class to 'NONE'
          ExtendedLog /path/to/ext.log NONE
          ...
        </Anonymous>

    HiddenStores

      The HiddenStores directive can now be used to customize and change
      the prefix which is prepended to the HiddenStore files.  The default
      prefix is ".in.", but if you wish to use a different prefix for any
      reason, you can use something like:

        HiddenStores foo

      This will cause the prefix to be ".foo.".

    SQLOptions

      When the connection to the database is lost, mod_sql now will try
      only once to automatically reconnect (if such reconnect functionality
      is supported by the database, e.g. MySQL or Postgres).  To disable this
      reconnect behavior, there is a new "noReconnect" SQLOptions setting:

        SQLOptions noReconnect

      See Bug#3270 for the full details of this behavior change.  It should
      be transparent for most sites.


1.3.3rc1
---------

  + Added French, Bulgarian, Korean translations.

  + RPM 4.2 or later is required by the proftpd.spec file provided in the
    distribution.

  + If the --localstatedir configure option is used, proftpd's build system
    used to automatically append "/proftpd" to the configured path.  This
    behavior has been fixed; proftpd's build system will now use the
    configured --localstatedir path as is.

    Note that this may cause issues if you have an existing build script
    for compling proftpd; the expected locations of files under the
    --localstatedir path will change.

  + New command-line options:

    The -S, --serveraddr command-line option has been added.  This option
    can be used to specify the IP address of the host machine.  By
    default, proftpd attempts to resolve the host IP address by using DNS
    resolution of the hostname.  However, in cases where DNS is not
    configured for the host machine, this approach does not work.

    To specify the desired IP address, use -S when starting proftpd, e.g.:

      /usr/local/sbin/proftpd -S 1.2.3.4 ...

    And if you want proftpd to listen on all interfaces, you can specify
    a wildcard socket using an IP address of 0.0.0.0:

      /usr/local/sbin/proftpd -S 0.0.0.0 ...

  + New modules:

    mod_exec

      This module enables execution of external scripts based on actions/events
      during a session.  See doc/contrib/mod_exec.html for details.

    mod_sftp

      This module implements the SSH2, SFTP, and SCP protocols.  See
      doc/contrib/mod_sftp.html for more information.

    mod_sftp_pam

      This module uses PAM to provide a 'keyboard-interactive' SSH2
      authentication method for mod_sftp.  More information can be found in
      the documentation for mod_sftp_pam, in doc/contrib/mod_sftp_pam.html.

    mod_sftp_sql

      This module uses SQL (via mod_sql) for looking up authorized SSH2 
      public keys for user and hostbased authentication.  More information
      is available in doc/contrib/mod_sftp_sql.html.

    mod_shaper

      This module can be used to provide data transfer rate "shaping"
      across the entire server.  See the documentation at
      doc/contrib/mod_shaper.html.

    mod_tls_shmcache

      This module provides an external SSL session cache using shared
      memory; see the TLSSessionCache configuration directive.  More
      information on this module can be found in
      doc/contrib/mod_tls_shmcache.html.

  + New configuration directives:

    RewriteHome

      The RewriteHome directive can be used to support rewriting the
      home directory for a user, based on regular expression rules.
      One such use case is where some portion of the home directory is
      retrieved e.g. from an LDAP directory, but you need to apply some
      custom prefix to the LDAP attribute.

      To enable this feature, first you need to add the following to your
      proftpd.conf:

        RewriteHome on

      Next, you need to configure the mod_rewrite rules for rewriting your home
      directory; this feature depends on mod_rewrite for the rewriting.
      The pseudo-command used by mod_rewrite for rewriting home directories is
      "REWRITE_HOME".  Thus would you use:

        <IfModule mod_rewrite.c>
          RewriteEngine on
          RewrlteLog /path/to/rewrite.log

          RewriteCondition %m REWRITE_HOME
          RewriteRule (.*) /my/new/prefix$1
        </IfModule>

    ScoreboardScrub

      The ScoreboardScrub directive can be used to turn on/off proftpd's
      periodic "scrubbing" of its ScoreboardFile, where the ScoreboardFile
      is scanned for entries of dead sessions:

        ScoreboardScrub on|off|secs

      Note that if scoreboard scrubbing is turned off, the ScoreboardFile
      can still be scrubbed on demand, either by using mod_ctrls_admin's
      "ftpdctl scoreboard scrub" action, or by using the new ftpscrub
      command-line utility.

    TLSControlsACLs

      With the addition of support for external session caches, the
      mod_tls module now supports some ftpdctl actions for interacting
      with those session caches.  The TLSControlsACLs directive can be
      used to configure ACLs for the ftpdctl actions supported by mod_tls,
      and is analogous to other ACLs directives for other modules which
      support ftpdctl actions.

    TLSPKCS12File

      The TLSPKCS12File directive of the mod_tls module is used to
      configure mod_tls to use the certificate and private key contained
      in the indicated PKCS#12 file.  Some sites already use PKCS#12 files
      for containing their other certificates, and thus find it useful to
      have PKCS#12 support in mod_tls.

    TLSSessionCache

      The TLSSessionCache directive configures an external SSL session
      cache, which can be used for storing and shared SSL sessions across
      multiple processes.  An external SSL session cache is an optional
      facility which speeds up parallel FTPS session connections.

      See doc/contrib/mod_tls.html#TLSSessionCache for more information.

  + Changed configuration directives:

    AllowOverride

      This directive no longer supports the optional user/group/class
      parameters.  If you wish to have per-user/group/class conditional
      use of the AllowOverride directive, you will need to use the
      mod_ifsession module.  For example, instead of:

        AllowOverride off user !admin

      you will need to use:

        <IfUser admin>
          AllowOverride on
        </IfUser>

        <IfUser !admin>
          AllowOverride off
        </IfUser>

      Note that the "!admin" section is necessary.  If you set
      "AllowOverride off" unconditionally, then use a mod_ifsession context,
      you would end up with two AllowOverride settings, and the code might not
      be able to distinguish properly which setting to use.  Thus you need to
      make both the "on" and "off" cases conditional, and mutually exclusive.

      Configurations which use the user/group/class conditional parameters
      to AllowOverride will now generate configuration errors.

    BanOnEvent

      The BanOnEvent directive of the mod_ban module now supports
      TimeoutLogin events.

    <VirtualHost>

      You can now specify an IP address of "0.0.0.0" in a <VirtualHost>
      definition.

    IdentLookups

      The default IdentLookups value is now 'off'.  The RFC1413 IDENT lookup
      adds latency to the login process, so much so that it is a FAQ to
      configure "IdentLookups off".  In addition, the IDENT protocol is not
      secure; it can easily be spoofed using man-in-the-middle attacks.  Sites
      that require IDENT lookups must now explicitly configure
      "IdentLookups on".

      Note that in order to use IdentLookups, you must compile proftpd with
      the mod_ident module.  If you use the --disable-ident configure
      option, then proftpd will not recognize the IdentLookups directive.
      Thus in your proftpd.conf, you should use something like:

        <IfModule mod_ident.c>
          IdentLookups on
        </IfModule>

      if you want to use RFC1413 lookups.

    LogFormat, SQLNamedQuery

      There is a new variable, %{protocol}, which describes the protocol
      that the client is using.  This variable can have values of "ftp",
      "ftps", "ssh2", "sftp", and "scp".

      Note that for SSH2 connections, the value will be "ssh2" until SFTP or
      SCP channels are opened; this means that during login, the %{protocol}
      value will be "ssh2".

      There is also a new %w variable which is only valid for RNTO commands.
      The %w value will be the original name of the file being renamed
      (mnemonic: "whence" a renamed file comes).

    RewriteCondition, RewriteRule

      Use of environment variables in mod_rewrite rules is now supported
      via the "%{ENV:var}" syntax.

    SQLGroupInfo

      The SQLGroupInfo now supports custom queries for retrieve group
      information.  Note that instead of a single custom query, several
      different queries are needed; different lookups are called for
      depending on the situation and configuration of mod_sql (e.g.
      using the 'groupset' or 'groupsetfast' SQLAuthenticate parameters).

      See doc/contrib/mod_sql.html#SQLGroupInfo and
      doc/howto/SQL.html#SQLUsersetfast for more details.

    SQLUserInfo

      The support for custom SQLUserInfo queries has been extended to
      support custom queries to be used when the 'userset' or 'usersetfast'
      SQLAuthenticate parameters are used.

      For more information, see doc/contrib/mod_sql.html#SQLUserInfo and 
      doc/howto/SQL.html#SQLUsersetfast.

    TLSOptions

      The NoSessionReuseRequired option has been added.  As of
      ProFTPD 1.3.3rc1, mod_tls only accepts SSL/TLS data connections
      that reuse the SSL session of the control connection, as a security
      measure.  Unfortunately, there are some clients (e.g. curl) which
      do not reuse SSL sessions.

      To relax the requirement that the SSL session from the control
      connection be reused for data connections, use the following in the
      proftpd.conf:

        <IfModule mod_tls.c>
          ...
          TLSOptions NoSessionReuseRequired
          ...
        </IfModule>

    TLSRequired

      The TLSRequired directive can now be used in <Directory> sections and
      in .ftpaccess files.  When used in these configuration contexts, only
      the TLSRequired values that require SSL/TLS protection on data transfers
      are honored.  With this, it is now possible to mark specific files or
      directories as requiring SSL/TLS protection to be accessed via data
      transfer.

    TransferLog

      The "service-name" field of the TransferLog usually contains just
      "ftp".  In order to support TransferLogs for SFTP and SCP transfers,
      the service-name field of the TransferLog format may now show
      "sftp" or "scp".  It may also show "ftps" instead of "ftp", if the
      data transfer occurred while the client is using FTP over SSL/TLS.

      NOTE: This change, while correct, may cause issues for log parsers.

  + Deprecated configuration directives:

    AnonymousGroup

      Support for this directive has been removed.

  + Developer Notes

    If you are a module developer, then you will want to know of the following
    API/internals changes:

      * The original USER value sent by the client is no longer stored in
        the config tree.  That is, the following no longer works:

          user = get_param_ptr(main_server->conf, C_USER, FALSE);

        Instead, the original USER value is stashes in the session.notes
        table.  Thus the above line of code can be replaced with:

          user = pr_table_get(session.notes, "mod_auth.orig-user", NULL);

        A similar change occurred for the anonymous "password" sent, but
        this will probably not apply to most modules.

 
Last Updated: $Date: 2010/02/24 17:54:53 $
