Documentation for Serv-U MFT & Serv-U FTP Server

Serv-U File Server 15.2 release notes

Release date: June 11, 2020

Last updated: June 17, 2020

These release notes describe the new features, improvements, and fixed issues in Serv-U File Server 15.2. They also provide information about upgrades and describe workarounds for known issues.

If you are looking for previous release notes for Serv-U File Server, see Previous Version documentation.

Additional Serv-U documentation includes:

Serv-U File Server version 15.2 should not be applied to installations with automated users or FTP users without access to the Serv-U Web Client. These users are immediately prompted to change their password, which is not possible without logging in via the web client, so their access will stop working. For this type of installation, use Serv-U 15.2.1 instead.

New features and improvements

Serv-U 15.2 is a UI update and security-focused release, including:

  • Increased password security: every user needs to create a new password
  • Improved Management Console user interface
  • Chinese and Korean characters support in file transfer
  • Performance and stability improvements
  • Improved Internet Explorer compatibility
  • 3DES algorithm deprecations

Previous releases

For earlier Serv-U releases, please visit the Previous Versions page.


Fixed issues

Serv-U 15.2 fixes the following issues.

| Case number | Description |
|---|---|
| 00026316 | Account blocked correctly after multiple invalid connection attempts. |
| 00041778, 00306421 | Cross-script vulnerability resolved. |
| 00094972, 00099773, 00110622 | Email timestamp issue resolved. |
| 00187216 | Issue where some emails created by Serv-U had incorrectly encoded subject lines resolved. |
| 00215869 | Intermittent failure issue with SFTP connection using a public key resolved. |
| 00225939 | Memory leakage resolved. |
| 00231005 | Password stale event for disabled user issue resolved. |
| 00260367, 00307404 | User passwords data no longer stored using MD5. |
| 00274228 | SSL connection issue fixed. |
| 00281288 | Security scan issue with Nessus resolved. |
| 00303169, 00303836, 00304567, 00305466, 00305946, 00306790, 00309591, 00310586, 00321060, 00321617 | Web Client Pro and FTP Voyager java client load correctly. |
| 00303908, 00404795 | Antihammer connection count no longer counts connections that have not started authorization. |
| 00305538 | Excessive logging resolved. |
| 00306553 | SFTP transfer no longer stalls due to incorrect SSH channel window size. |
| 00309363 | Domain Administrators can edit their own File-Sharing settings. |
| 00331893 | Same-Site cookie attribute security issue resolved. |
| 00311034 | SFTP connection issue fixed. |
| 00360383 | Port connections with different IPs allowed under specific conditions. |
| 00371873, 00382154, 00383722 | Chinese and Korean characters no longer cause Serv-U to freeze. |
| 00382166 | Issues resolved connecting to Serv-U using FXP client. |
| 00408272 | Incorrect time stamp issue resolved. |
| 00418069 | Public Key only option works correctly. |
| 00426998 | Incorrect version number after upgrade resolved. |
| 00431509 | Issues with using the %USER_FULL_NAME% macro over SFTP resolved. |
| 00458537 | Unblocked IP addresses connect correctly. |
| 00462314 | Group IP access rule works correctly. |
| 00479058 | Email issue with BlueImp SMTP relay resolved. |
| 00484194 | Cross-site scripting vulnerability with Tenable Scan resolved. |
| 00461232, 00489842, 00506151 | jQuery pre-3.4.0 vulnerability (CVE-2019-11358) prevented with updated version of jQuery. |
| n/a | Serv-U Administrator can no longer see 3rd party passwords. |

SolarWinds would like to thank Mostafa Noureldin (@va_start) for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.

CVE fixed issues

SolarWinds would like to thank our Security Researchers below for reporting on this issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.

| CVE-ID | Vulnerability Title | Description | Severity | Credit |
|---|---|---|---|---|
| CVE-2021-25179 | XSS via the HTTP Host header | This vulnerability allows XSS to be inserted into the HTTP host header using a man-in-the-middle attack. This may possibly redirect the application flow to an arbitrary external/unexpected host. | High | Gabriele Gristina |

Legal notices

© 2020 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.