Latest news

Version 1.0.50 released

This version fixes some really old issues, the most significant one being excessive memory use for large memory listings.

When virtual quotas were used, transfers were not aborted after the limit was reached; files were only removed at the end of a transfer. That should now be fixed.

Support for MD5, SHA1 and the MySQL PASSWORD() function was removed for password hashing. You should now use scrypt, argon2 or the system crypt(3) function.

The server used to reject class E reserved network ranges. People reported that Linux containers may use them, so this is now accepted.

Finally, it is now possible to recursively include additional files in a configuration file, with the new Include directive.

Version 1.0.49 released

This version fixes two regressions introduced in version 1.0.48 that broke external authentication handlers.

Version 1.0.48 released

This is quite a major release, with many internal changes, bug fixes, and new features.

  • SNI support has been added. A new service, pure-certd, can run external code written in any language in order to map SNI names to TLS certificates.
  • External authentication handlers get a new AUTHD_CLIENT_SNI_NAME environment variable set when the client uses SNI.
  • TLS certificates and keys can now be in different files.
  • make install does not overwrite existing configuration files any more. The example files layout has changed.
  • TLS 1.3 is enabled when using OpenSSL 1.1.x.
  • TLS < 1.2 is disabled by default.
  • Quirks for obsolete OpenSSL versions have been removed.
  • Username _ftp can be used as an alternative to ftp everywhere.
  • Password hashing parameters are now chosen according to locally available resources. The pure-pw command gets two new switches: -C (as a hint regarding the number of simultaneous login attempts) and -M (total memory, in MB, to reserve for password hashing).
  • New translation: Albanian, thanks to Moisi Xhaferaj.
  • The PRET command has been added. It can avoid opening useless data connections for nonexistent content.
  • Dot-files are always displayed. We no longer lie in some commands while telling the truth in others in order to respect the protocol.
  • Support for RFC 2640 has been removed from the free version, as it was early, experimental, slow, mostly broken and unmaintained code.
  • The NLST command doesn’t perform globbing any more.
  • The MLSD command now prepends the path to file names.

Version 1.0.47 released

  • If TLS was only enabled on the control channel (-Y 1), the STAT command would send its output in the same way as other directory listing commands, breaking the TLS stream. This has been fixed. Spotted by Carlo Cannas, thanks!
  • The system user _ftp can be used as an alternative to ftp for anonymous sessions.
  • Compatibility with libsodium > 1.0.12 was added (including minimal mode).
  • The prefix for Argon2-hashed passwords in LDAP has been changed to {argon2} (from {argon2i}). Ditto for MySQL and PostgreSQL: the authentication method is now called argon2 instead of argon2i, and includes both Argon2i and Argon2id.

Version 1.0.46 released

  • The server can now be linked against OpenSSL 1.1.x with the strict API.
  • Unmaintained contributions have been removed.
  • File globbing could take up to GLOB_TIMEOUT seconds (17 seconds by default) when matching some patterns, no matter what the configured recursion level was. This has been fixed, and upgrading is highly recommended. This was reported by Russ Cox, thanks!