Serv-U File Server 15.2.2 release notes
Release date: December 21, 2020
Last updated: April 9, 2021
These release notes describe the new features, improvements, and fixed issues in Serv-U File Server 15.2.2. They also provide information about upgrades and describe workarounds for known issues.
If you are looking for previous release notes for Serv-U File Server, see Previous Version documentation.
Additional Serv-U documentation includes:
- Serv-U Installation and Upgrade Guide
- Serv-U 15.2 Administrator Guide
- System Requirements
- Getting Started with Serv-U
New features and improvements
Serv-U 15.2.2 contains the following new features:
- Support for the following KEX algorithms (key exchange algorithms) for SSH
- diffie-hellman-group-exchange-sha256
- diffie-hellman-group14-sha256
- diffie-hellman-group16-sha512
- OpenSSL has been updated
- Periodic buffer flush interval during SFTP file upload setting added to Limits:
To access this setting, navigate to the Limits and Settings screen for Global or Domain, and select Advanced from the Limit Type dropdown. The default is 300 seconds.
- Performance and stability improvements
- Security enhancements
- Serv-U 15.2.2 is signed with new code-signing certificate
If you upgrade from version 15.1.7 or older, 15.2.2 increases password security and automatically converts existing MD5 passwords using a more secure algorithm when users connect for the first time after upgrade.
If an account is not used within 90 days of the upgrade, access is restricted and the user will not be able to log in afterward. The administrator will be required to change their password.
Previous releases
For earlier Serv-U releases, please visit the Previous Versions page.
Fixed issues
Serv-U 15.2.2 fixes the following issues:
| Case Number | Description |
|---|---|
| n/a | Public Key Authentication memory leak resolved. |
|
658371, 654049, 645181,642642, 640814, 637749, 635320, 627109, 623216, 598885, 596970, 595555, 584662, 581139, 580863, 573286, 571535, 568615, 560739, 546652 |
jQuery updated to 3.5.1 to avoid security vulnerability. |
| 632492, 624270, 619235, 606383, 586950, 579071, 560739 | Issue resolved where anti-hammer counting regression led to memory leaks and 100%CPU consumption. |
| 625116, 552322 | Minor logic issue with Argon2id password hashing implementation fixed. |
| 622549 - to here | Serv-U Groups and Users being disabled and going down randomly |
| 619978 | Serv-U account is disabled and cannot be reactivated in version 15.2.1 -IPG GIS INC. |
| 606573 | Old password is incorrect when changing password for Serv-U web client users |
| 605297 | Missing Content Security Policy |
| 599765 | We are getting Invalid old password error. |
| 594359 | Penetration testing has found a vulnerability |
| 580065 | When Create a new user and force to change the password at next login users get "old Password is Wrong" |
| 579545 | Security Policy |
| 579071 | After upgrade ServU to latests 15.2.1 Service has been stopping.. |
| 573524 | jQuery Update on Serv-U Gateway |
| 563940 | %USER_FULL_NAME% does not get replaced correctly when used in the Physical Path of a Virtual Path value |
| 557670 | The $FileSize variable is not correct |
| 556475 | Serv-U Version 15.2 User Password Issue |
| 549919 | backup consistently fails because of an aborted connection |
| 541643 | SSH/Data Streaming issues with Linux MFT |
| 513015 | Error receiving file, transfer is aborted before file is fully received. |
| 444013 | Failed uploading Large Files ( 2 GB) |
| 351225 | Referrer-Policy and the Feature-Policy headers in Serv-U |
| 257327 | Re: 00159561: SFTP failed transfer "Error receiving file" |
| 231205 | NSX manager failing to SSH into serv-u for vcenter backups |
| 225939 | Serv-U Memory Leak |
| 168793 | SFTP failed transfer via Cisco backup application |
| 127858 | Cisco CUCM fails to back up |
For Serv-U 15.2.1 fixes, see the 15.2.1 Release Notes.
For Serv-U 15.2 fixes, see the 15.2 Release Notes.
CVE fixed issues
SolarWinds would like to thank our Security Researchers below for reporting on this issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.
| CVE-ID | Vulnerability Title | Description | Severity | Credit |
|---|---|---|---|---|
| CVE-2020-35481 + CVE-2021-3154 | Macro Injection | These vulnerabilities allow an unauthenticated attacker to dump user passwords in a cleartext form. | Critical | Nicolas Verdier, Tehtris |
| CVE-2020-35482 | Reflective XSS | The web client share details URL was vulnerable to a XSS attack. An attacker needed to perform social engineering and pose as an authenticated user. | High | Nicolas Verdier, Tehtris |
| CVE-2020-27994 | Directory Traversal | This vulnerability allowed a non-privileged user to list other directories located outside their home directory. | Medium | Jack Misiura, The Missing Link |
| CVE-2020-28001 | Stored XSS | An authenticated user with write permissions to create directories was able to embed a XSS script to a directory name. | High | Jack Misiura, The Missing Link |
Legal notices
© 2021 SolarWinds Worldwide, LLC. All rights reserved.
This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.
SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.