Release date: June 18, 2020
Last updated: July 3, 2020
These release notes describe the new features, improvements, and fixed issues in
Serv-U File Server version 15.2.1 is an alternative to version 15.2 and can be applied to any new or existing installation; however, it is primarily intended for installations with automated users or FTP users without access to the Serv-U Web Client.
This version increases password security and automatically converts existing MD5 passwords using a more secure algorithm when users connect for the first time after upgrade.
Unlike Serv-U 15.2, 15.2.1 does not prompt users to change their passwords. Nevertheless, it is recommended to change these converted passwords when possible to further increase security.
Serv-U version 15.2 should be applied to installations purely with SFTP users or users who access through the Serv-U Web Client as they can be safely prompted to change their passwords after conversion.
Serv-U 15.2.1 is a UI update and security-focused release, including:
MD5 passwords can be automatically changed in the first 90 days; after this period they will be set to expired, and expired passwords can only be changed by an administrator.
For earlier Serv-U releases, please visit the Previous Versions page.
Serv-U 15.2.1 fixes the following issues.
|00026316||Account blocked correctly after multiple invalid connection attempts.|
|Cross-script vulnerability resolved.|
|00094972, 00099773, 00110622||Email timestamp issue resolved.|
|00187216||Issue where some emails created by Serv-U had incorrectly encoded subject lines resolved.|
|00215869||Intermittent failure issue with SFTP connection using a public key resolved.|
|00225939||Memory leakage resolved.|
|00231005||Password stale event for disabled user issue resolved.|
|00260367, 00307404||User password data no longer stored using MD5.|
|00274228||SSL connection issue fixed.|
|00281288||Security scan issue with Nessus resolved.|
|00303169, 00303836, 00304567, 00305466, 00305946, 00306790, 00309591, 00310586, 00321060, 00321617||Web Client Pro and FTP Voyager Java client load correctly.|
|00303908, 00404795||Antihammer connection count no longer counts connections that have not started authorization.|
|00305538||Excessive logging resolved.|
|00306553||SFTP transfer no longer stalls due to incorrect SSH channel window size.|
|00309363||Domain Administrators can edit their own File-Sharing settings.|
|00331893||Same-Site cookie attribute security issue resolved.|
|00311034||SFTP connection issue fixed.|
|00360383||Port connections with different IPs allowed under specific conditions.|
|00371873, 00382154, 00383722||Chinese and Korean characters no longer cause Serv-U to freeze.|
|00382166||Issues resolved connecting to Serv-U using FXP client.|
|00408272||Incorrect time stamp issue resolved.|
|00418069||Public Key only option works correctly.|
|00426998||Incorrect version number after upgrade resolved.|
|00431509||Issues with using the %USER_FULL_NAME% macro over SFTP resolved.|
|00458537||Unblocked IP addresses connect correctly.|
|00462314||Group IP access rule works correctly.|
|00479058||Email issue with BlueImp SMTP relay resolved.|
|00484194||Cross-site scripting vulnerability with Tenable Scan resolved.|
|00461232, 00489842, 00506151||jQuery pre-3.4.0 vulnerability (CVE-2019-11358) prevented with updated version of jQuery.|
|n/a||Fixed issue with Critical Information Disclosure In HTTP Responses vulnerability. SolarWinds would like to thank Mostafa Noureldin (@va_start) for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability. Fixed issue with Serv-U not validating argument path.|
|n/a||Fixed issue in CHMOD FTP command vulnerability. SolarWinds would like to thank Bill for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability. Fixed issue in Remote command execution vulnerability.|
© 2020 SolarWinds Worldwide, LLC. All rights reserved.