                    1.3.9 Release Notes
                  ------------------------

This file contains a description of the major changes to ProFTPD for the
1.3.9 release cycle, from the 1.3.9rc1 release to the 1.3.9 maintenance
releases.  More information on these changes can be found in the NEWS and
ChangeLog files.

1.3.9rc2
---------

  + Implemented SSH mitigations for the "Terrapin" SSH attack (CVE-2023-48795).

  + Fixed compiling of 3rd party modules whose names match very specific
    regular expression patterns.


  + Changed Directives

      SFTPOptions NoStrictKex

        By default, mod_sftp uses a "strict KEX" mode as a mitigation for the
        "Terrapin" SSH attack (CVE-2023-48795).  Use of this strict mode
        may unexpectedly cause interoperability issues; this new SFTPOption
        can be used to disable this mode if necessary.  See
        doc/contrib/mod_sftp.html#SFTPOptions for more.


1.3.9rc1
---------

  + Clients are disconnected if there is an error adding them to the
    ScoreboardFile.  Previously, such errors were logged, but the session
    allowed to continue.

  + Implemented the "chacha20-poly1305@openssh.com" SSH cipher algorithm.

  + Implemented support for OpenSSH FIDO security keys in mod_sftp.

  + The mod_auth_otp module now requires per-user entries in its tables
    by default.  This is a change from previous versions, when such per-user
    entries were optional.


  + New Directives

      IfSessionOptions PerUnauthenticatedUser

        The mod_ifsession module only applies its user/group-specific
        configurations after the client has authenticated itself.  Some
        sites, however, may wish for user-specific configurations to be
        applied based on the unauthenticated username supplied by the client,
        such as in cases where the conditional configuration in question will
        affect the authentication process.  The new PerUnauthenticatedUser
        IfSessionOption can be used to achieve this; see
        doc/contrib/mod_ifsession.html#IfSessionOptions for more.

      ScoreboardOptions AllowMissingEntry

        Clients are now disconnected if they cannot be added to the
        ScoreboardFile.  Some sites may require the previous behavior; use
        this new AllowMissingEntry ScoreboardOption to do so.  See
        doc/modules/mod_core.html#ScoreboardOptions for more information.


  + Changed Directives

      AuthOTPOptions OptionalTableEntry

        Now that the mod_auth_otp module requires an entry for each user,
        sites may need to re-enable the previous opt-in behavior.  Use the
        OptionalTableEntry AuthOTPOption for this.  Read
        doc/contrib/mod_auth_otp.html#AuthOTPOptions for details.

      DelayOnEvent Connect

        The DelayOnEvent directive can now be used to inject randomized
        delays, "jitter", at the start of a session.  This can be used to
        spread out the processing of a large number of connections that
        occur at the same time, such as on a schedule/cron.  See
        doc/modules/mod_delay.html#DelayOnEvent for details.

      ExtendedLog SEC class

        SSH key exchange requests are now classified as "security" related
        messages, and thus are logged in ExtendedLog configurations that use
        the SEC logging class.

      LDAPDefaultGID, LDAPDefaultUID Auto

        Retrieving the UID, GID to use for users configured in ActiveDirectory
        domains, based on the default/expected attributes, is not always
        possible.  In such cases, the new "Auto" value for the default UID,
        GID to use by mod_ldap allows for retrieving the actual UID, GID
        by system user lookup, which is handled for AD domains by the special
        `sssd` program, for example.

      LogFormat %{transfer-speed}

        The LogFormat directive now supports a variable, %{transfer-speed},
        for logging the average data transfer speed.

      SFTPCiphers chacha20-poly1305@openssh.com

        The mod_sftp module now implements OpenSSH's
        "chacha20-poly1305@openssh.com" algorithm.

      SFTPExtensions userGroupNames

        The mod_sftp module supports the custom OpenSSH
        "users-groups-by-id@openssh.com" SFTP extension, used to retrieve
        the textual user/group names for given lists of UIDs, GIDs.

      SFTPOptions FIDOTouchRequired FIDOVerifyRequired

        OpenSSH FIDO security keys, such as Yubikeys, are now supported
        for SSH authentication by the mod_sftp module.  These keys allow
        for policies such as proof of user presence, and/or proof of user
        verification.  These new SFTPOptions can be used to configure your
        site policies for such keys; see doc/contrib/mod_sftp.html#SFTPOptions
        for more information.


  + Developer Notes

    Removed the unused `pr_ctrls_parse_msg` Controls API function.
