Documentation forServ-U MFT & Serv-U FTP Server

Serv-U File Server 15.2.1 Release Notes

Release date: June 18, 2020

Last updated: July 3, 2020

These release notes describe the new features, improvements, and fixed issues in Serv-U File Server 15.2.1. They also provide information about upgrades and describe workarounds for known issues.

If you are looking for previous release notes for Serv-U File Server, see Previous Version documentation.

Additional Serv-U documentation includes:

Serv-U File Server version 15.2.1 is an alternative to version 15.2 and can be applied to any new or existing installation; however it is primarily intended for installations with automated users or FTP users without access to the Serv-U Web Client.

This version increases password security and automatically converts existing MD5 passwords using a more secure algorithm when users connect for the first time after upgrade.

Unlike Serv-U 15.2, 15.2.1 does not prompt users to change their passwords. Nevertheless, it is recommended to change these converted passwords when possible to further increase security.

Serv-U version 15.2 should be applied to installations purely with SFTP users or users who access through the Serv-U Web Client as they can be safely prompted to change their passwords after conversion.

New features and improvements

Serv-U 15.2.1 is a UI update and security focused release, including:

  • Increased password security: existing MD5 passwords converted using more secure algorithm

    Unlike Serv-U 15.2, 15.2.1 does not prompt users to change their passwords. Nevertheless, it is recommended that you change these converted passwords when possible to further increase security.
    MD5 passwords can be automatically changed in the first 90 days; after this period they will be set to expired, and expired passwords can only be changed by an administrator.

  • Improved Management Console user interface
  • Chinese and Korean characters support in file transfer
  • Performance and stability improvements
  • Improved Internet Explorer compatibility
  • 3DES algorithm deprecations

Previous releases

For earlier Serv-U releases, please visit the Previous Versions page.


Fixed issues

Serv-U 15.2.1 fixes the following issues.

Case Number Description
00026316 Account blocked correctly after multiple invalid connection attempts .

00041778, 00306421

Cross-script vulnerability resolved.

00094972, 00099773, 00110622

Email timestamp issue resolved.
00187216 Issue where some emails created by Serv-U had incorrectly encoded subject lines resolved.
00215869 Intermittent failure issue with SFTP connection using a public key resolved.
00225939 Memory leakage resolved.
00231005 Password stale event for disabled user issue resolved.
00260367, 00307404 User passwords data no longer stored using MD5.
00274228 SSL connection issue fixed.
00281288 Security scan issue with Nessus resolved.

00303169, 00303836, 00304567, 00305466, 00305946, 00306790, 00309591, 00310586, 00321060, 00321617

Web Client Pro and FTP Voyager java client load correctly.
00303908, 00404795 Antihammer connection count no longer counts connections that have not started authorization.
00305538 Excessive logging resolved.
00306553 SFTP transfer no longer stalls due to incorrect SH channel window size.
00309363 Domain Administrators can edit their own File-Sharing settings.
00331893 Same-Site cookie attribute security issue resolved.
00311034 SFTP connection issue fixed.
00360383 Port connections with different IPs allowed under specific conditions.
00371873, 00382154, 00383722 Chinese and Korean characters no longer cause Serv-U to freeze.
00382166 Issues resolved connecting to Serv-U using FXP client.
00408272 Incorrect time stamp issue resolved.
00418069 Public Key only option works correctly.
00426998 Incorrect version number after upgrade resolved.
00431509 Issues with using the %USER_FULL_NAME% macro over SFTP resolved.
00458537 Unblocked IP addresses connects correctly.
00462314 Group IP access rule works correctly.
00479058 Email issue with BlueImp STMP relay resolved.
00484194 Cross-site scripting vulnerability with Tenable Scan resolved.
00461232, 00489842, 00506151 JQuery pre-3.4.0 vulnerability (CVE-2019-11358) prevented with updated version of JQuery.
n/a Fixed issue with Critical Information Disclosure In HTTP Responses vulnerability.
SolarWinds would like to thank Mostafa Noureldin (@va_start) for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.
n/a

Fixed issue with Serv-U not validating argument path.
SolarWinds would like to thank Bill for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.

n/a Fixed issue in CHMOD FTP command vulnerability.
SolarWinds would like to thank Bill for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.
n/a

Fixed issue in Remote command execution vulnerability.
SolarWinds would like to thank Bill for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.


Legal notices

© 2020 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.