The 6.4.7 releases contain the following new features:
- Tectia Client, Server and ConnectSecure: The OpenSSL cryptographic library used in FIPS mode was upgraded to version 1.0.1e for Windows, Linux, Solaris and HP-UX (IA-64). Tectia Client, Server and ConnectSecure use only the fipscanister object of the OpenSSL library, and therefore do not contain the Heartbleed vulnerability.
- Tectia Server on Windows: It is now possible to export/import the password cache to/from an external encrypted file.
- Tectia Server for IBM z/OS: "Load control" (a connection flood DoS attack mitigation feature); and new operations in the JES interface (deleting jobs and displaying the status of all the user's jobs).
All released products also include bug fixes and minor features.
The following includes a summary of the release notes for each product.
Tectia Client/ConnectSecure
New Features:
- Windows, Linux, Solaris, HP-UX(IA-64): Upgraded the OpenSSL cryptographic
library used in FIPS mode to version 1.0.1e. The OpenSSL library version
1.0.1e was compiled with -DOPENSSL_NO_HEARTBEATS. Tectia Client, Server and
ConnectSecure use only the fipscanister object of the OpenSSL library, and
therefore do not contain the Heartbleed vulnerability.
HP-UX (PA-RISC) and IBM AIX will continue to use the OpenSSL cryptographic
library version 0.9.8. This does not affect Tectia Server for Linux on IBM
System z, as the OpenSSL library is not provided.
Bug Fixes:
- All Platforms: Active mode for static FTP tunneling no longer fails to work
when using IPv4 addresses.
- All Platforms: Removed sshg3 options +w/--try-empty-password and -w from the
manuals and help, as the feature is no longer supported.
- All Platforms: IPv6-wrapped IPv4 addresses are now rendered correctly in the
logs.
- Windows: In Tectia Connections Configuration GUI, added an input check to all
fields that accept numbers. The accepted range is 1-65535 for port numbers,
and 0-2147483647 (0x7fffffff) for other fields.
- All Platforms: With ssh-keygen-g3 in FIPS mode, it is now possible to
generate DSA keys larger than 1024 bits.
- All Platforms: sftpg3 and scpg3 no longer fail to get the current user name
when using the option (user=%username%) in a connection profile.
- Windows: In Tectia Connections Configuration GUI it is now possible to clear
previously added values of "Endpoint domain", "HTTP proxy URL" and "SOCKS
server URL".
- Windows: In Tectia Connections Configuration GUI, fixed inconsistent behavior
that occurred when adding new LDAP servers.
- Windows: The "Enable endpoint identity check" option in Tectia Connections
Configuration GUI had a wrong default value (Ask). It now has the correct
default value (Yes).
- All Platforms: In scpg3, when transferring a file, if the character code
set conversion of the file name fails for some characters, the conversion of
the file name is no longer aborted.
- Documentation: References to MFT Events have been removed from the
documentation, as this version of the product does not support it.
- Documentation: Minor modifications to the documents.
Bug fixes in Tectia ConnectSecure only:
- All Platforms: IPv6-wrapped IPv4 addresses no longer fail to be tunneled
when made via a dual layer socket.
- Windows: In Tectia Connections Configuration GUI, "Connections from public
network to private network" for transparent tunneling, the default "IPv4
start address" has been changed from 188.1.1.1 to 198.18.0.1.
Tectia Server
New Features:
- Windows: Added the possibility of exporting and importing the Tectia Server's
password cache.
- Windows, Linux, Solaris, HP-UX(IA-64): Upgraded the OpenSSL cryptographic
library used in FIPS mode to version 1.0.1e. The OpenSSL library version
1.0.1e was compiled with -DOPENSSL_NO_HEARTBEATS. Tectia Client, Server and
ConnectSecure use only the fipscanister object of the OpenSSL library, and
therefore do not contain the Heartbleed vulnerability.
HP-UX (PA-RISC) and IBM AIX will continue to use the OpenSSL cryptographic
library version 0.9.8. This does not affect Tectia Server for Linux on IBM
System z, as the OpenSSL library is not provided.
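The OpenSSL note above (it also appears under Tectia Client/ConnectSecure) rests on two facts: the library version and the -DOPENSSL_NO_HEARTBEATS build flag. The following is an added example, not part of the SSH release notes, showing how an auditor can check both for any OpenSSL build from the text of `openssl version -a`; the function name `heartbeat_status` and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Classify the text of `openssl version -a` (read on stdin).
# Prints one of:
#   heartbeats-compiled-out  affected release, built with -DOPENSSL_NO_HEARTBEATS
#   in-affected-range        affected release, flag not present in the build line
#   outside-affected-range   release without the Heartbleed code path
#   unknown                  no "OpenSSL <version>" line found
heartbeat_status() {
    awk '
        /^OpenSSL / && ver == "" { ver = $2 }
        /^compiler:/             { flags = flags " " $0 }
        END {
            if (ver == "") { print "unknown"; exit }
            # Heartbleed affects 1.0.1 through 1.0.1f and 1.0.2-beta1;
            # 1.0.1g and the 0.9.8 / 1.0.0 branches are not affected.
            affected = (ver ~ /^1\.0\.1[a-f]?(-.*)?$/ || ver ~ /^1\.0\.2-beta1$/)
            if (!affected)
                print "outside-affected-range"
            else if (flags ~ /-DOPENSSL_NO_HEARTBEATS/)
                print "heartbeats-compiled-out"
            else
                print "in-affected-range"
        }'
}

# Constructed sample outputs (not captured from a Tectia installation).
SAMPLE_NO_HB='OpenSSL 1.0.1e 11 Feb 2013
built on: (constructed sample)
compiler: gcc -DOPENSSL_THREADS -DOPENSSL_NO_HEARTBEATS -O3 -Wall'

SAMPLE_WITH_HB='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: (constructed sample)
compiler: gcc -DOPENSSL_THREADS -O3 -Wall'

SAMPLE_OLD='OpenSSL 0.9.8y 5 Feb 2013
built on: (constructed sample)
compiler: gcc -DOPENSSL_THREADS -O3 -Wall'

for sample in "$SAMPLE_NO_HB" "$SAMPLE_WITH_HB" "$SAMPLE_OLD"; do
    printf '%s\n' "$sample" | heartbeat_status
done
```

On a live host the same function takes `openssl version -a | heartbeat_status`; the result reflects only the flags recorded in that binary's build line.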
Bug Fixes:
- All Platforms: Fixed a crash in the Tectia Server when using
keyboard-interactive with RADIUS authentication when under stress.
- All Platforms: Fixed a race condition that was causing public key
authentication to occasionally fail under stress.
- All Platforms: Fixed a crash that occurred when Tectia Server was under
stress.
- All Platforms: Tectia Server under heavy stress will no longer hang when
performing public key authentication.
- Windows: In Tectia Server Configuration GUI, added an input check to all
fields that accept numbers. The accepted range is 1-65535 for port numbers,
and 0-2147483647 (0x7fffffff) for other fields that do not have specific
restrictions.
- All Platforms: With ssh-keygen-g3 in FIPS mode, it is now possible to
generate DSA keys larger than 1024 bits.
- All Platforms: Fixed a memory leak that occurred in Tectia Server when
performing public key authentication under certain circumstances.
- All Platforms: When Sft_server_fxp_request log messages are enabled, the
server will no longer audit unrequested log events.
- Documentation: Minor modifications to the documents.
Tectia Server for IBM z/OS
New Features:
- z/OS: Implemented "load control", a connection flood DoS attack mitigation
feature that uses a white list of IP addresses. The feature attempts to keep
Tectia Server up and running in the face of a Denial of Service attack that
tries to use so much of the server's resources that normal service would be
disrupted.
- z/OS: Added the following operations to the JES interface of Tectia Server
for IBM z/OS: 1) Deleting jobs, 2) Displaying the status of all the user's jobs.
Bug Fixes:
- z/OS: Fixed a situation in which, under certain conditions, some sshd2
processes were not shut down after a third-party SSH client
disconnected.
- All Platforms: Active mode for static FTP tunneling no longer fails to work
when using IPv4 addresses.
- z/OS: File transfers with an ftadv profile no longer fail with an "invalid
code reached" message.
- z/OS: The environment variable _CEE_RUNOPTS is no longer needed when running
Tectia client tools for z/OS programs.
- z/OS: When handling JES spool files from a Windows client with sftpg3 or
scpg3, the commands "ascii" and "get jobid" no longer fail to convert to
ASCII.
- All Platforms: Removed sshg3 options +w/--try-empty-password and -w from the
manuals and help, as the feature is no longer supported.
- All Platforms: IPv6-wrapped IPv4 addresses are now rendered correctly in the
logs.
- All Platforms: sftpg3 and scpg3 no longer fail to get the current user name
when using the option (user=%username%) in a connection profile.
- All Platforms: IPv6-wrapped IPv4 addresses no longer fail to be tunneled
when made via a dual layer socket.
- z/OS: Removed an obsolete file (ssh-broker-config-example-ftp-sftp.xml) from
the packages.
- All Platforms: In scpg3, when transferring a file, if the character code
set conversion of the file name fails for some characters, the conversion of
the file name is no longer aborted.
- z/OS: When configuring the IPv6 listener of Tectia Server with zones and
within brackets, Tectia Server will no longer refuse to start.
- Documentation: Minor modifications to the documents.
For further information about the products and changes between the different versions,
and instructions on how to update the product, see the customer documentation and
release notes at the SSH product documentation site.
answered
Jun 18 '14 at 16:22
SSH KB ♦