wolfSSL Inc is proud to announce an important incremental update to wolfSSH: v1.4.13!
In this release, we fix a severe user authentication bug in wolfSSHd. It is highly recommended that anyone using wolfSSHd upgrade to this version immediately (see Vulnerabilities in the change log below).
We have added a STM32Cube Expansion Pack for building in that environment. The daemonization and test coverage of wolfSSHd has been improved. We also improved support for transferring large files with SFTP. We also have a testbed for checking wolfSSH with LwIP using both FreeRTOS and Linux.
The release information from the change log is reposted below:
wolfSSH v1.4.13 (Apr 3, 2023)
New Feature Additions and Improvements
- Improvement to forking the wolfSSHd daemon.
- Added an STM32Cube Expansion pack. See the file _ide/STM32CUBE/README.md_ for more information. (https://www.wolfssl.com/files/ide/I-CUBE-wolfSSH.pack)
- Improved test coverage for wolfSSHd.
- X.509 style private key support.
Fixes
- Fixed shadow password checking in wolfSSHd.
- Building cleanups: warnings, types, 32-bit.
- SFTP fixes for large files.
- Testing and fixes with SFTP and LwIP.
Vulnerabilities
- wolfSSHd would allow users without passwords to log in with any password. This is fixed as of this version. The return value of crypt() was not correctly checked. This issue was introduced in v1.4.11 and only affects wolfSSHd when using the default authentication callback provided with wolfSSHd. Anyone using wolfSSHd should upgrade to v1.4.13.
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.