VShell FTPS and the OpenSSL Heartbleed Vulnerability

VShell 4.0.2 has been released to address the Heartbleed vulnerability.

This information applies only to VShell FTPS versions. VShell (SSH2/SFTP), regardless of platform and version, is not affected by the Heartbleed vulnerability because it does not provide FTPS connectivity.

VShell FTPS for Windows has never used OpenSSL. VShell FTPS for Windows is not affected by the Heartbleed vulnerability.

VShell FTPS for supported UNIX platforms uses OpenSSL for FTPS protocol support. Depending on the platform, VShell FTPS for UNIX may or may not be vulnerable to the Heartbleed vulnerability:

On Mac OS X, VShell FTPS 4.0.0 and 4.0.1 uses and ships with a version of OpenSSL that is vulnerable to the Heartbleed bug. The VShell 4.0.2 maintenance release will address this by shipping with a version of OpenSSL (1.0.1g) that contains the fix for the Heartbleed bug. Besides 4.0.0 and 4.0.1, no other VShell versions are affected on the Mac OS X platform.

On AIX 7.1, Ubuntu 12/13, and RHEL 6, VShell FTPS dynamically links OpenSSL version 1.0.1. This means that vshell-ftpsd will load the version of OpenSSL 1.0.1 that is installed on the system. On these platforms, it is highly recommended that the OpenSSL version be upgraded to the non-vulnerable 1.0.1g version. Upgrading VShell is not necessary on these platforms, but vshell-ftpsd will need to be restarted after an OpenSSL upgrade so the non-vulnerable version will be loaded.

On all other UNIX platforms, VShell FTPS is using OpenSSL version 0.9.8 or 1.0.0, neither of which is affected by the Heartbleed vulnerability.

In addition to upgrading VShell or OpenSSL on vulnerable systems, it is recommended that any SSL certificates used by VShell FTPS be regenerated and user passwords should be changed.

For more information, please visit the VanDyke Software Security Advisory page.

Download the VShell 4.0.2 maintenance release.

For a complete list of changes, please see the history file:

VShell 4.0.2 (Official) History File

Send us your feedback! Email your questions, requests, or bug reports to support@vandyke.com.