1.3.9 Release Notes
                  ------------------------

This file contains a description of the major changes to ProFTPD for the
1.3.9 release cycle, from the 1.3.9rc1 release to the 1.3.9 maintenance
releases.  More information on these changes can be found in the NEWS and
ChangeLog files.

1.3.9
---------

  + Fixed memory usage issue with SFTP channels.

  + Added Polish translation.

  + Updated bundled libtool.m4 for better MacOSX support.


1.3.9rc3
---------

  + When started with root privileges, ProFTPD now drops all supplemental
    group memberships, retaining only the UID/GID of the configured User/Group.

  + Properly use all configured ECDSA SSH hostkeys, not just the first
    configured ECSA SSH hostkey.

  + Fixed issue with RADIUS authentication when using mod_radius and newer
    FreeRADIUS, due to BlastRadius mitigation.


  + New Directives

      SFTPAuthPublicKeys

        This directive can be used to enable support for only the specified
        list of public key algorithms, as for key-based user authentication.
        See doc/contrib/mod_sftp.html#SFTPAuthPublicKeys for more.


  + Changed Directives

      SFTPExtensions +limits
        The mod_sftp module now implements the "limits@openssh.com" custom
        SFTP extension, used by newer OpenSSH limitations for discovering
        server-side limits, such as larger SFTP READ/WRITE buffer lengths.
        See doc/contrib/mod_sftp.html#SFTPExtensions.


1.3.9rc2
---------

  + Implemented SSH mitigations for the "Terrapin" SSH attack (CVE-2023-48795).

  + Fixed compiling of 3rd party modules whose names match very specific
    regular expression patterns.


  + Changed Directives

      SFTPOptions NoStrictKex

        By default, mod_sftp uses a "strict KEX" mode as a mitigation for the
        "Terrapin" SSH attack (CVE-2023-48795).  Use of this strict mode
        may unexpectedly cause interoperability issues; this new SFTPOption
        can be used to disable this mode if necessary.  See
        doc/contrib/mod_sftp.html#SFTPOptions for more.


1.3.9rc1
---------

  + Clients are disconnected if there is an error adding them to the
    ScoreboardFile.  Previously, such errors were logged, but the session
    allowed to continue.

  + Implemented the "chacha20-poly1305@openssh.com" SSH cipher algorithm.

  + Implemented support for OpenSSH FIDO security keys in mod_sftp.

  + The mod_auth_otp module now requires per-user entries in its tables
    by default.  This is a change from previous versions, when such per-user
    entries were optional.


  + New Directives

      IfSessionOptions PerUnauthenticatedUser

        The mod_ifsession module only applies its user/group-specific
        configurations after the client has authenticated itself.  Some
        sites, however, may wish for user-specific configurations to be
        applied based on the unauthenticated username supplied by the client,
        such as in cases where the conditional configuration in question will
        affect the authentication process.  The new PerUnauthenticatedUser
        IfSessionOption can be used to achieve this; see
        doc/contrib/mod_ifsession.html#IfSessionOptions for more.

      ScoreboardOptions AllowMissingEntry

        Clients are now disconnected if they cannot be added to the
        ScoreboardFile.  Some sites may require the previous behavior; use
        this new AllowMissingEntry ScoreboardOption to do so.  See
        doc/modules/mod_core.html#ScoreboardOptions for more information.


  + Changed Directives

      AuthOTPOptions OptionalTableEntry

        Now that the mod_auth_otp module requires an entry for each user,
        sites may need to re-enable the previous opt-in behavior.  Use the
        OptionalTableEntry AuthOTPOption for this.  Read
        doc/contrib/mod_auth_otp.html#AuthOTPOptions for details.

      DelayOnEvent Connect

        The DelayOnEvent directive can now be used to inject randomized
        delays, "jitter", at the start of a session.  This can be used to
        spread out the processing of a large number of connections that
        occur at the same time, such as on a schedule/cron.  See
        doc/modules/mod_delay.html#DelayOnEvent for details.

      ExtendedLog SEC class

        SSH key exchange requests are now classified as "security" related
        messages, and thus are logged in ExtendedLog configurations that use
        the SEC logging class.

      LDAPDefaultGID, LDAPDefaultUID Auto

        Retrieving the UID, GID to use for users configured in ActiveDirectory
        domains, based on the default/expected attributes, is not always
        possible.  In such cases, the new "Auto" value for the default UID,
        GID to use by mod_ldap allows for retrieving the actual UID, GID
        by system user lookup, which is handled for AD domains by the special
        `sssd` program, for example.

      LogFormat %{transfer-speed}

        The LogFormat directive now supports a variable, %{transfer-speed},
        for logging the average data transfer speed.

      SFTPCiphers chacha20-poly1305@openssh.com

        The mod_sftp module now implements OpenSSH's
        "chacha20-poly1305@openssh.com" algorithm.

      SFTPExtensions userGroupNames

        The mod_sftp module supports the custom OpenSSH
        "users-groups-by-id@openssh.com" SFTP extension, used to retrieve
        the textual user/group names for given lists of UIDs, GIDs.

      SFTPOptions FIDOTouchRequired FIDOVerifyRequired

        OpenSSH FIDO security keys, such as Yubikeys, are now supported
        for SSH authentication by the mod_sftp module.  These keys allow
        for policies such as proof of user presence, and/or proof of user
        verification.  These new SFTPOptions can be used to configure your
        site policies for such keys; see doc/contrib/mod_sftp.html#SFTPOptions
        for more information.


  + Developer Notes

    Removed the unused `pr_ctrls_parse_msg` Controls API function.