Maverick Synergy 3.0.25 - Mar 28, 2024

Bug Fixes
o Strict KEX should end at first SSH_MSG_NEWKEYS received and not wait for ours to be sent too.
o Disconnect causes premature cleaning up of SFTP subsystem resulting in wrong events.

--------------------------------

Maverick Synergy 3.0.24 - Feb 29, 2024

Bug Fixes
o Reverted an erroneous commit that re-enabled disableExtensionInfo configuration item.

--------------------------------

Maverick Synergy 3.0.23 - Feb 12, 2024

Bug Fixes
o Fixed possible infinite loop in PublicKeyAuthenticator when signature type is not supported by remote server.
o Fixes to Terrapin strict kex protocol changes to avoid over-eager disconnect when out-of-band messages are received and strict kex is not enabled.

--------------------------------

Maverick Synergy 3.0.22 - Dec 18, 2023

IMPORTANT SECURITY UPDATE

Security Updates
o This release includes a fix for the Terrapin Attack vulnerability (https://terrapin-attack.com) described in CVE-2023-48795. This fix implements the "Strict Transport" mode patch created by OpenSSH.

Bug Fixes
o Ensure the host keys are listed during key exchange in the order defined in the SshServerContext supportedPublicKeys Component Factory.
o When authenticating with an RSA key and SHA1 signatures are disabled, automatically upgrade the key to an SHA2 signature (if supported).

--------------------------------

Maverick Synergy 3.0.21 - Nov 21, 2023

IMPORTANT SECURITY UPDATE

Security Fix
o Validate outgoing signature to protect against the Passive SSH Key Compromise vulnerability.

--------------------------------

Maverick Synergy 3.0.20 - Sep 22, 2023

Bug Fixes
o Logging indicates that an IP address will be temporarily banned even if banning has been disabled.

--------------------------------

Maverick Synergy 3.0.19 - Jun 22, 2023

Bug Fixes
o VirtualMappedFile sanitises paths replacing \ with / causing problems when a file legitimately has a backward slash on a supported system. You can now add -Dmaverick.disableBackslashReplace=true system property to disable this behaviour.

--------------------------------

Maverick Synergy 3.0.18 - May 23, 2023

Features
o Added supportedSignatures to SshContext for finer control over the signature algorithms supported.

Bug Fixes
o Complete support for SSH_MSG_EXT_INFO to inform clients that modern RSA signatures are supported.

--------------------------------

Maverick Synergy 3.0.17 - May 3, 2023

Bug Fixes
o SFTP v4 file type is accessible to all versions and not correctly set when using v3 of the protocol.
o Ensure Diffie Hellman prime is generated with maximum bits possible to prevent random key exchange errors.

--------------------------------

Maverick Synergy 3.0.16 - Jan 10, 2023

Bug Fixes
o Version 5 "supported" structure is expecting count of supported extensions whereas specification expects read to EOF.
o DynamicBuffer and ScpClientIO available method implementation does not adhere to contract and returns -1 when EOF instead of zero.
o OpenSshCertificate incorrectly sorts extensions resulting in failed authentication attempts when custom extensions are present.
o PrivateKeyFileAuthenticator will now additionally use certificate for authentication if a certificate file exists for the private key.

--------------------------------

Maverick Synergy 3.0.15 - Dec 1, 2022

Bug Fixes
o Nested virtual mounts are not returned correctly in file listings.
o ssh-ed448 keys were supported but could not be generated.

--------------------------------

Maverick Synergy 3.0.14 - Oct 20, 2022

Bug Fixes
o Fixes to CachingDataWindow to help prevent truncation of data if data remains unread and cache is closed.
o Channel data cache can be closed whilst a synchronized method is being executed.
o Release all event listeners from channel collection when all events are exhausted.
o Improvements to the way VirtualMappedFile caches children so that cache is cleared when events occur that could change contents of the directory.
o SFTP thread synchronizer releases lock on access to reading thread even when the thread had not taken the lock itself.
o Changed synchronization strategy in SshEngine to prevent slow shutdown. Also prevents the often seen RejectedExecutionException on shutdown.
o Update VFS dependency to 3.3.0 final release
o Throw an exception to avoid NPE when no file system is configured.
o Support sandboxing in DirectFileFactory.
o Support Windows 10/11 home folder locations in DirectFileFactory as well as previous Windows versions.

--------------------------------

Maverick Synergy 3.0.13 - Sep 2, 2022

Features
o A number of improvements to CallbackServer to make it easier to spin up a reverse SSH service.

Bug Fixes
o SshAgentClient will not connect to OpenSSH 8.9 agent because new extensions implemented by OpenSSH are fatal. The SshAgentClient now sends a failure message instead.
o VirtualFileFactory must check the parent is actually a directory when listing children because it is possible that the parent folder does not actually exist, for example, if the current path is the parent element of a mount (/public does not actually exist when /public/foo is mounted).
o When supported SFTP attributes is not null, only process flags when there is actually a value set.
o Added additional cleanup code after experiencing OOM in production use of the callback server using port forwarding.
o SshClientCommand would not pass on terminal resize events.
o Added debug for authenticated future to track apparent race condition in callback session.
o Moved AuthenticatedFuture instance from SshContext to TransportProtocol so that it can reference its transport in debug output.
o Option to disable the sanitization of the identification strings software/version/comments.
o Both the ConnectionProtocol and AuthenticationProtocol were notifying the authenticated future that it is complete. This has now been changed to just the ConnectionProtocol.
o CallbackSession would not cleanup a connected session if an error occurred during setup.

--------------------------------

Maverick Synergy 3.0.12 - Aug 17, 2022

Features
o Allow a command to be passed to VirtualChannelFactory which will be executed as an alternative shell. For example, when combined with the OSShellFactory "osshell" command it can create a native shell experience for the user.
o Support for zsh in "osshell" command.
o Abstract out command execution from Shell into AbstractOSCommand so it can be reused to create native commands.
o Implemented draft "copy-data" extension that allows files to be combined remotely on the server using their open file handle.
o Implemented draft "check-file-name" and "check-file-handle" extensions for returning hash values for entire files, or parts of.
o Improved verifyFiles method in SftpClient to use more recent draft extensions and now provides a choice of hash algorithm.

Bug Fixes
o Incorrect use of bitwise operators means removing permission twice will actually enable it.
o File system events don't have directory AbstractFile instance in attributes.
o FileSystemPolicy uses a CachedFileFactory implementation that should cache per-connection, not per-instance.
o Capture exception generated during SftpSubsystem initialization and throw an appropriate error so the channel gets cleaned up.
o Made Subsystem nextMessage a synchronized method to prevent multiple threads attempting to read at the same time.
o Premature change of authentication mechanism causes SSH_MSG_UNIMPLEMENTED.
o SFTP attributes encodes flags that are defined in later protocol versions causing WinScp to error when listing a directory.
o Removed non-compliant hmac-sha256 and hmac-sha512 algorithm types and changed HMAC preference to hmac-sha2-256.
o Introduced getRemoteIPAddress to SshConnection which should now be used instead of getRemoteAddress (which has been deprecated). If you are using the server behind a load balancer with the proxy protocol this will ensure you get the correct address string and not NullPointerExceptions when you attempt to access fields on the unresolved InetAddress that represents the real IP of the client.
o Allow configuration of environment and working directory in Shell command.
o Pass on window resize events in CallbackShell.
o Expand current working directory . to absolute path in default VFSFileFactory to avoid relative URI errors.

--------------------------------

Maverick Synergy 3.0.11 - Jun 29, 2022

Features
o Support for PuTTY Version 3 Private Key format (requires BouncyCastle dependency for Argon key derivation support)
o Support for ed448 public and private keys
o Added missing events for SFTP operations; EVENT_SFTP_GET_ATTRIBUTES for stat and EVENT_SFTP_DIRECTORY_OPENED for the opening of a directory.
o Added openRemoteClient method for using the existing connection as a jump host.

Bug Fixes
o Fixed NPE when SCP is enabled on AbstractSshServer but no ChannelFactory has been set.
o VFSFileFactory fails to resolve file when no default path is set and local file scheme is not supported. Added maverick.vfsDefaultPath system property that allows override of the default path.
o Ensure mounts in VirtualFileFactory are initialized with VFSFileFactory with a default path of the mount path.
o getTotalBytesIn / getTotalBytesOut methods on Connection<T extends SshContext> were present but not on implemented interface SshConnection.

--------------------------------

Maverick Synergy 3.0.10 - May 4, 2022

Bug Fixes
o Refactor of VirtualFileFactory to provide consistent resolution of children.
o Intermediate non-existent paths along a virtual mount path should be read only.
o Calling enableFile twice on the same logging path should not create an additional log context but should instead reconfigure the existing context.
o Added isMount method to VirtualFile to make it easier to determine if the file object is a mount or not.
o VirtualMounts are now processed and cached in the VirtualFileFactory constructor.
o There is no method to reset the logging contexts.
o DirectFileJava7 attempts to set name of group/user using the SftpFileAttributes method that only accepts a numerical GID/UID.
o PublicKeyAuthenticator setKeyPair method incorrectly stores unmodifiable collection causing UnsupportedOperationException when keys are removed during authentication.


--------------------------------

Maverick Synergy 3.0.9 - March 21, 2022

Bug Fixes
o New generic JCE based Ed25519 key implementation incorrectly writes the public key parameter to the private key field resulting in the key being unusable after reload from file.
o Setting the read-only attribute on a SftpFileAttributes when version is <5 causes WinSCP to error during directory listing.
o Azure SFTP disconnects if SSH identification string contains an additional hyphen in the software/version/comments part of the identifier. These are now replaced with an underscore character.
o You cannot turn off the default IP banning policy which sometimes might get in the way of testing scripts.
o Upload performance is constrained compared to download performance due to insufficient default window space in SFTP configuration. Default SFTP window space changed to 16MB.


--------------------------------

Maverick Synergy 3.0.8 - March 4, 2022

Features
o Removed hard dependency on BouncyCastle JCE for ed25519 keys. This now supports any JCE provider that supports ed25519 algorithm.
o Refactored support for incomplete and non-functional feature in client to use HTTP, SOCKS4 and SOCKS5 proxies.

Bug Fixes
o SftpFileAttributes setGroup and setUsername never set flag SSH_FILEXFER_ATTR_OWNERGROUP.
o SftpFileAttributes does not use values set by setGroup/setUsername in v4 binary blob.
o SftpFileAttributes does not validate UID/GID are numeric values.
o Added getMount to VirtualFile interface for consistent mount returning function across virtual file types. Deprecated getParentMount on VirtualFileObject for same reasons.
o Added security options for PROXY protocol which are restrictive by default to ensure a user cannot spoof their IP address.

--------------------------------

Maverick Synergy 3.0.7 - Dec 14, 2021

Features
o Proxy protocol v1 is now supported for IP resolution through load balancers. Replaced remote address on Connection object with unresolved InetAddress containing the IP and port of the source connection.
o Further improvements to callback client and server.
o Added getSessionCount method to SshConnection.
o Added ExpiryConfiguration callback interface to ExpiringConcurrentHashMap to allow an external service to provide an expiry setting.
o VirtualShell now supports configuring the native command used when the user executes the 'osshell' command.
o Added ChannelFactoryListener interfaces to modify channels during creation by the DefaultServerChannelFactory.
o Require each channel to declare its channel type through the getChannelType method.

Bug Fixes
o SessionChannelNG does not delegate subsystem creation to a protected method, making it impossible to override behaviour.
o Default ping mechanism is now only used when idle time configuration is zero.
o Idle state mechanism incorrectly generates idle events every second after reaching the idle threshold.
o Failed to negotiate algorithm reports incorrect list of algorithms in exception text.
o addInterface in SshEngineContext should throw an error when an interface cannot start when the server is already running.
o Guard against NullPointerException in ComponentFactory configureSecurityLevel method.
o Close event from RootShell was not providing RootShell instance as an event source.
o Incorrect XOR of flag causes NPE in SftpFileAttributes setTimes methods.
o ConcurrentModificationExceptions discovered with local forwarding under load when implementation uses ChannelEventListeners for feedback.
o Fixes to VirtualShell "raw" mode to prevent duplicate reading of the session streams when a command needs direct access to the session.
o Fixed replacements when UnknownHostException captured in virtual shell welcome message.
o Wrapping SshConnection in SshClient can now optionally disable disconnection.
o Allow SshClientCommand runCommand execution from another class by making it public.
o Callback client reconnect interval is now fixed to interval provided rather than accumulative delay.
o Ensure channel without a data cache evaluates window space on channel data received.
o Use ConcurrentHashMap in ExecutorOperationSupport listener collection.
o A callback server should be identifiable by its identification string, e.g. SSH-2.0-CallbackServer

--------------------------------

Maverick Synergy 3.0.6 - Oct 19, 2021

Features
o Improvements and refactoring of reverse SSH connection "callback" API after testing in the reference product.

Bug Fixes
o SSH.com key fails to parse due to check length operation on array constructed from the declaration of length; however, an additional byte to protect the MPINT from being negative was added to the length, causing the final check length operation to fail.
o SftpClient pattern matching put methods use wrong parent path resulting in incorrect file transfer results.
o Implemented the setting of attributes bits in SFTP v6 SftpFileAttributes.
o VirtualMount needed a default set of permissions in order to provide a valid long name response.

--------------------------------

Maverick Synergy 3.0.5 - Sept 20, 2021

Features
o Added setTimes method that allows SFTP v4 creation time attribute to be set, including sub-second times.
o Support signals. See AbstractSessionChannel.signal(String).
o Native session implementation and associated factory for "osshell" command to drop virtual session into a native session.
o VirtualMount option for lastModified and read-only flag which is now used by VirtualMountFile to return values.

Bug Fixes
o If PasswordAuthenticator is passed to SshClient.authenticate it should be translated into keyboard-interactive if the remote server only supports keyboard-interactive regardless of context preference to support password over keyboard-interactive.
o PasswordOverKeyboardInteractiveCallback should defer obtaining the password until authentication is being performed.
o Loading a license from a file was broken.
o OpenSSL private key file support broken due to incorrect reflection class name.
o Removed broken BouncyCastle OpenSSL public key file support as this was not complete and never implemented correctly.
o VirtualMountFile should not resolve child until absolutely necessary to prevent the list of mounts from becoming slow due to destination resolution.
o Regular expression file matching exists but is not used in matchRemoteFiles.

--------------------------------

Maverick Synergy 3.0.4 - Aug 18, 2021

Features
o Refactor of callback client; separated CallbackContextFactory and added SshConnection parameter to event methods.
o Added before/after methods to Utils.
o Create an SshClient from an existing SshConnection to allow wrapping of "jump" hosts.
o Added CallbackRegistrationService for management of callback clients within a callback server.

Bug Fixes
o Missing server-level collection of GlobalRequestHandlers.
o Changed use of VFS SFTP 3.2.0 from snapshot to final version.
o Made SwitchingCallbackContext constructor public.
o Don't print stack trace of unsupported command, just log the error.
o Allow protected access to child channel factories of ShellCommandFactory.
o Allow protected access to console and ShellCommandFactory of VirtualShellNG session implementation.
o Default callback identifier made consistent with SSH identification practices.
o Authentication future is not processed as part of client disconnect.
o BouncyCastle 1.69 cannot load ED25519 key.
o ClientAuthenticator should allow SshException to propagate.
o NPE when no license is set.
o Client authenticators need to signal failure of the authenticator to their parent future.

--------------------------------

Maverick Synergy 3.0.3-FINAL - Jul 21, 2021

Bug Fixes
o Configure default connection timeout value of 600 seconds and ensure zero value is treated as no timeout.
o VirtualMountFile and VirtualMappedFile now cache children until refreshed.

--------------------------------

Maverick Synergy 3.0.2-FINAL - Jul 20, 2021

Bug Fixes
o File listing in VirtualFileFactory returns duplicate path entries for parents of mount entries.
o VirtualMountFile no longer attempts to resolve its target file during construction and defers this until some operation is attempted on the file object.
o Change junixsocket dependency of maverick-sshagent to version 2.3.4 to remove its transitive dependency of log4j 1.2

--------------------------------

Maverick Synergy 3.0.1-FINAL - Jul 9, 2021

Bug Fixes
o Idle connection timeout issues after authentication.

--------------------------------

Maverick Synergy 3.0.0-FINAL - Jul 7, 2021

Features
o Added isRunning method to AbstractSshServer.

Bug Fixes
o VirtualMountFile fails when its path within its parent mount does not exist.
o Idle connection timeout issues after authentication.

--------------------------------

Maverick Synergy 3.0.0-RC7 - May 26, 2021

Features
o Added optional symlinkTo and readSymbolicLink methods to AbstractFile.

Bug Fixes
o Do not read or write SSH_FILEXFER_ATTR_SUBSECOND_TIMES if the parent time flag has not been specified.
o Refactored SFTP session cleanup to ensure events are always generated.
o EVENT_AUTHENTICATION_STARTED added and fired once to indicate client has started authentication service with username parameter, EVENT_USERAUTH_STARTED now is fired at the beginning of each separate authentication attempt with parameters for user and method being attempted.
o Fixed event started/finished attributes in authentication to encompass the entire authentication step, and separately on each individual attempt.
o Allow JVM default trusted CA certificate store password of "changeit" to be overridden with System property maverick.trustedCACertsPassword.
o Use ConcurrentLinkedQueue to prevent concurrent modification on shutdown hooks collection.
o Refactored support for OpenSSH certificate extensions to include support for custom extension definitions.
o Fixed broken server-side SCP and command initialization.
o Removed NONE value from SecurityLevel. This was only used in NoneCipher and NoneHmac, which are not installed by default and the option was confusing in other contexts.
o Add server socket channel to all permanent accept threads.
o Support for SHA2 signature usage in RSA certificates.
o Fixed VirtualMappedFile double slash problem when resolving actual file path.
o Double shutdown results in OutOfMemoryError.
o Creating a directory over SFTP should fail if the parent does not exist. This can be overridden with FileSystemPolicy method setMkdirParentMustExist.

--------------------------------

Maverick Synergy 3.0.0-RC6 - May 4, 2021

Bug Fixes
o Upgraded BouncyCastle dependencies to 1.68 (BC) and 1.0.2 (BC-FIPS)
o Upgraded commons-io dependency to 2.7.
o Authentication hangs if the server does not support KBI authentication or if `preferKeyboardInteractiveOverPassword` is false.
o The static executor field on SshContext can be shutdown and then reused by another SshClient, resulting in an exception.

--------------------------------

Maverick Synergy 3.0.0-RC5 - April 6, 2021

Bug Fixes
o FileLoggingContext fails with NPE when the log path is relative.
o Authenticators setup in SshClientContext would incorrectly be attempted multiple times.
o ClientStateListener authenticate method no longer passes a List of Authenticator objects to be started after it returns. Authentication should be initiated within the authenticate handler.
o Ensure that password authenticator future is triggered when wrapped within automatic keyboard-interactive conversion.
o Don't pass authenticator to PasswordOverKeyboardInteractiveCallback because there is no way for its future to be completed.
o OpenSSH certificate extension values and critical options not encoded correctly during sign operation.
o Fixed connection-based logging which was incorrectly preventing logging without an identification or user-configured value.
o Moved some VirtualFileFactory log statements to TRACE as they are too chatty even for DEBUG mode.
o Callback role switching was broken for normal SSH clients due to changes made in TransportProtocol relating to the posting of identification string.
o Moved connection error TRACE statement to DEBUG
o Callback mount URI should be passed to VFSFactory as the base path.
o AbstractFileSystem should be resilient to an error during getAttributes call in readDirectory call.

--------------------------------

Maverick Synergy 3.0.0-RC4 - Mar 17, 2021

Features
o Added shutdownAndExit method to SshEngine designed for calling before application shutdown (it is the application's responsibility to exit, this is just for clean up).
o Added context option to disable preference of using keyboard-interactive authentication over password.

Bug Fixes
o Fixed race condition where authentication client can receive failure message from the none authenticator.
o OpenSSH RSA certificate incorrectly attempted to be decoded as ECDSA.
o NPE when DefaultLoggingContext.shutdown is called and no file watcher has been initialized.
o Removed synchronization from EventServiceImplementation to prevent delays in event handlers from slowing down other threads.

--------------------------------

Maverick Synergy 3.0.0-RC3 - Feb 2, 2021

Bug Fixes
o Ensure console logger flushes out after a log statement has been written to console.
o Forwarding channel receiving SSH_MSG_CHANNEL_CLOSE before SSH_MSG_CHANNEL_EOF could hang due to reliance on remote EOF state being received prior to accepting channel close.
o Added default timeout support to CachingDataWindow during put operation.

--------------------------------

Maverick Synergy 3.0.0-RC2 - Jan 25, 2021

Bug Fixes
o Fixed implicit narrowing of long to int from code scan warning.
o SshServer required a method to be able to set the default Security Level.
o Made ByteArrayReader more resilient to length errors when processing messages.

--------------------------------

Maverick Synergy 3.0.0-RC1 - Dec 27, 2020

Features
o Major refactor to support more shared code with the Maverick Legacy APIs.
o Removed all dependencies from core maverick-synergy-client and maverick-synergy-server modules to enable clearer choice on third-party dependencies.
o CBC ciphers have been deprecated. You can enable CBC ciphers by calling ComponentManager.enableCBCCiphers();
o DSA keys have been deprecated. We will no longer generate them, but you can enable support for using them if the remote server requires them with ComponentManager.getInstance().enableAlgorithm("ssh-dss");
o SftpSubsystem will now detect SftpOperationWrapper interface on installed AbstractFileFactory implementation.
o Added event listener registration to SshConnection interface.

Bug Fixes
o Selector threads and executor service threads have now been marked as daemon threads.

--------------------------------