Differences
This shows you the differences between the selected revisions of the page.
| history 2026-04-02 | history 2026-06-15 16:07 (current) | ||
| Line 2: | Line 2: | ||
| This is a full list of changes for each release of WinSCP. See also [[project_history|Project history]] and [[incompatible_changes|Incompatible changes between versions]]. | This is a full list of changes for each release of WinSCP. See also [[project_history|Project history]] and [[incompatible_changes|Incompatible changes between versions]]. | ||
| + | |||
| + | ===== [[6.6.2]] 6.6.2 (not released yet) ((2026-06-15)) ===== | ||
| + | |||
| + | * Experimental 64-bit version of WinSCP. [[bug>618]] | ||
| + | * Optionally not showing error message when connection is lost while idle. [[bug>2360]] | ||
| + | * SSH core and SSH private key tools (PuTTYgen and Pageant) upgraded to [[&url(puttychanges)|PuTTY 0.84]]. \\ It brings the following change: | ||
| + | * Security issue: fixed a remotely triggerable double-free in RSA key exchange. [[pbug>rsakex-double-free]] | ||
| + | * Minor security issue: fixed a remotely triggerable crash in NIST ECDSA signature verification. [[pbug>ecdsa-remotely-triggerable-assertion]] | ||
| + | * Bug fix: spurious //"Network error: Socket is not connected"// when authenticating to some HTTP proxies. [[pbug>http-proxy-auth-wsaenotconn]] | ||
| + | * TLS/SSL core upgraded to OpenSSL 3.5.7. | ||
| + | * XML parser upgraded to Expat 2.8.1. | ||
| + | * Restored faster C TLS/SSL AES implementation. | ||
| + | * Configurable warning when opening large file in an internal editor. [[bug>2437]] | ||
| + | * Informing that when preserving directory timestamps is enabled, using multiple connections for transfer is not possible. [[bug>2439]] | ||
| + | * Warning when pasting a session URL with unsafe settings. | ||
| + | * When opening session in PuTTY to a host for which WinSCP has multiple host keys cached, using the last key or the key that PuTTY has cached. [[bug>2440]] | ||
| + | * Always (re)registering drag&drop shell extension during installation, even when the extension is not replaced. | ||
| + | * Allowed Console interface tool to have ''.exe'' extension to avoid false positive detections by some antiviruses. [[bug>2434]] | ||
| + | * Using //"username"// and //"hostname"// as one word. | ||
| + | * Reading all system settings from 64-bit registry. | ||
| + | * Allow assigning ''null'' to ''Session.SessionLogPath''. [[bug>2438]] | ||
| + | * Avoiding using ''SSH_FXF_EXCL'' together with ''SSH_FXF_TRUNC'' SFTP file opening flags. [[bug>2444]] | ||
| + | * Optimized file system monitoring when looking for dummy directory during drag&drop downloads. [[bug>2445]] | ||
| + | * Change: Not allowing WebDAV redirects to other hosts by default. [[bug>2447]] | ||
| + | * Change: Not allowing WebDAV redirects to an unencrypted URL by default. [[bug>2448]] | ||
| + | * Bug fix: Failure when trying to connect via HTTP proxy to FTP host with excessively long login details. [[bug>2435]] | ||
| + | * Bug fix: Buffer overflow in Console interface tool. [[bug>2436]] | ||
| + | * Bug fix: Failure setting ''Session.DebugLogPath'' when running in impersonated context. [[bug>2441]] | ||
| + | * Bug fix: Message boxes from secondary windows (like the internal editor) caused application to move to the background when when the main window was minimized. [[bug>2443]] | ||
| + | * Bug fix: Heap over-read via crafted encrypted filename. [[bug>2449]] | ||
| + | * Bug fix: Slashes in filenames can cause path traversal when invalid filename characters replacement is disabled. [[bug>2450]] | ||
| ===== [[6.6.1]] 6.6.1 beta ((2026-04-01)) ===== | ===== [[6.6.1]] 6.6.1 beta ((2026-04-01)) ===== | ||
| Line 94: | Line 125: | ||
| * Bug fix: Message box texts and some control labels are not visible to screen readers. [[bug>2413]] | * Bug fix: Message box texts and some control labels are not visible to screen readers. [[bug>2413]] | ||
| * Bug fix: Failure when clicking tab close button while the session is already being closed. [[bug>2416]] | * Bug fix: Failure when clicking tab close button while the session is already being closed. [[bug>2416]] | ||
| + | |||
| + | ===== [[6.5.7]] 6.5.7 (not released yet) ((2026-06-12)) ===== | ||
| + | |||
| + | * Translations completed: Croatian, Finnish, Georgian, Italian and Serbian. | ||
| + | * TLS/SSL core upgraded to OpenSSL 3.3.7. | ||
| + | * Back-propagated fixes from 6.6.2 beta release: | ||
| + | * Bug fix: Failure setting ''Session.DebugLogPath'' when running in impersonated context. [[bug>2441]] | ||
| + | * Security issue: fixed a remotely triggerable double-free in RSA key exchange. [[pbug>rsakex-double-free]] | ||
| + | * Minor security issue: fixed a remotely triggerable crash in NIST ECDSA signature verification. [[pbug>ecdsa-remotely-triggerable-assertion]] | ||
| + | * Bug fix: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. CVE-2026-45447 fix from OpenSSL 3.4.6. | ||
| ===== [[6.5.6]] 6.5.6 ((2026-03-25)) ===== | ===== [[6.5.6]] 6.5.6 ((2026-03-25)) ===== | ||
| Line 99: | Line 140: | ||
| * Translations completed: Macedonian, and updated: Lithuanian, and Russian. | * Translations completed: Macedonian, and updated: Lithuanian, and Russian. | ||
| * TLS/SSL core upgraded to OpenSSL 3.3.6. | * TLS/SSL core upgraded to OpenSSL 3.3.6. | ||
| - | * Back-propagated improvement from 6.6–6.6.1 beta release: | + | * Back-propagated improvements from 6.6–6.6.1 beta release: |
| * New DigiCert EV code signing certificate valid until March 2029 is used for signing binaries. | * New DigiCert EV code signing certificate valid until March 2029 is used for signing binaries. | ||
| * XML parser upgraded to Expat 2.7.5. | * XML parser upgraded to Expat 2.7.5. | ||
| Line 172: | Line 213: | ||
| * Translations completed: Belarusian, Brazilian Portuguese, Catalan, Czech, Dutch, Finnish, French, German, Hungarian, Italian, Japanese, Korean, Polish, Portuguese, Romanian, Russian, Simplified Chinese, Slovak, Spanish, Swedish, Tamil, Traditional Chinese and Turkish; updated: Norwegian; and started: Georgian. | * Translations completed: Belarusian, Brazilian Portuguese, Catalan, Czech, Dutch, Finnish, French, German, Hungarian, Italian, Japanese, Korean, Polish, Portuguese, Romanian, Russian, Simplified Chinese, Slovak, Spanish, Swedish, Tamil, Traditional Chinese and Turkish; updated: Norwegian; and started: Georgian. | ||
| * SSH core and SSH private key tools (PuTTYgen and Pageant) upgraded to [[&url(puttychanges)|PuTTY 0.83]]. \\ It brings the following change: | * SSH core and SSH private key tools (PuTTYgen and Pageant) upgraded to [[&url(puttychanges)|PuTTY 0.83]]. \\ It brings the following change: | ||
| - | * Bug fix: crash in Pageant if an SSH connection is abandoned while waiting for a deferred decryption passphrase. | + | * Bug fix: crash in Pageant if an SSH connection is abandoned while waiting for a deferred decryption passphrase. [[pbug>pageant-aborted-decrypt-crash]] |
| * TLS/SSL core upgraded to OpenSSL 3.3.3. | * TLS/SSL core upgraded to OpenSSL 3.3.3. | ||
| * Installer upgraded to Inno Setup 6.4.1. | * Installer upgraded to Inno Setup 6.4.1. | ||
| Line 303: | Line 344: | ||
| * Bug fix: Caption of permissions group labels disappears when hovered over on Windows 11. | * Bug fix: Caption of permissions group labels disappears when hovered over on Windows 11. | ||
| - | ===== [[6.3.8]] 6.3.8 (not released yet) ((2025-10-31)) ===== | + | (*===== [[6.3.9]] 6.3.9 (hotfix) ((2026-06-01)) =====*) |
| + | (**) | ||
| + | (* * Back-propagated fix from 6.6.2 beta release:*) | ||
| + | (* * Security issue: fixed a remotely triggerable double-free in RSA key exchange. [[pbug>rsakex-double-free]]*) | ||
| + | (* * Minor security issue: fixed a remotely triggerable crash in NIST ECDSA signature verification. [[pbug>ecdsa-remotely-triggerable-assertion]]*) | ||
| + | (**) | ||
| + | ===== [[6.3.8]] 6.3.8 (hotfix) ((2026-04-08)) ===== | ||
| * TLS/SSL core upgraded to OpenSSL 3.2.6. | * TLS/SSL core upgraded to OpenSSL 3.2.6. | ||
| - | * Back-propagated fixes from 6.4.3–6.5.5 releases: | + | * Back-propagated fixes from 6.4.3–6.5.6 releases: |
| + | * New DigiCert EV code signing certificate valid until March 2029 is used for signing binaries. | ||
| * Change: Skipping symlinks in //Search for Text// extension. [[bug>2365]] | * Change: Skipping symlinks in //Search for Text// extension. [[bug>2365]] | ||
| - | * XML parser upgraded to Expat 2.7.3. | + | * XML parser upgraded to Expat 2.7.5. |
| * Bug fix: Local directories sometimes cannot be deleted. [[bug>2380]] | * Bug fix: Local directories sometimes cannot be deleted. [[bug>2380]] | ||
| * Bug fix: Failure or silently missing headers when when S3 request headers were too long. | * Bug fix: Failure or silently missing headers when when S3 request headers were too long. | ||