Differences
This shows you the differences between the selected revisions of the page.
| history 2026-06-03 | history 2026-06-15 16:07 (current) | ||
| Line 3: | Line 3: | ||
| This is a full list of changes for each release of WinSCP. See also [[project_history|Project history]] and [[incompatible_changes|Incompatible changes between versions]]. | This is a full list of changes for each release of WinSCP. See also [[project_history|Project history]] and [[incompatible_changes|Incompatible changes between versions]]. | ||
| - | ===== [[6.6.2]] 6.6.2 (not released yet) ((2026-05-29)) ===== | + | ===== [[6.6.2]] 6.6.2 (not released yet) ((2026-06-15)) ===== |
| * Experimental 64-bit version of WinSCP. [[bug>618]] | * Experimental 64-bit version of WinSCP. [[bug>618]] | ||
| Line 11: | Line 11: | ||
| * Minor security issue: fixed a remotely triggerable crash in NIST ECDSA signature verification. [[pbug>ecdsa-remotely-triggerable-assertion]] | * Minor security issue: fixed a remotely triggerable crash in NIST ECDSA signature verification. [[pbug>ecdsa-remotely-triggerable-assertion]] | ||
| * Bug fix: spurious //"Network error: Socket is not connected"// when authenticating to some HTTP proxies. [[pbug>http-proxy-auth-wsaenotconn]] | * Bug fix: spurious //"Network error: Socket is not connected"// when authenticating to some HTTP proxies. [[pbug>http-proxy-auth-wsaenotconn]] | ||
| - | * Translations updates: Finnish and Italian. | + | * TLS/SSL core upgraded to OpenSSL 3.5.7. |
| - | ··* TLS/SSL core upgraded to OpenSSL 3.5.6. | + | |
| * XML parser upgraded to Expat 2.8.1. | * XML parser upgraded to Expat 2.8.1. | ||
| * Restored faster C TLS/SSL AES implementation. | * Restored faster C TLS/SSL AES implementation. | ||
| * Configurable warning when opening large file in an internal editor. [[bug>2437]] | * Configurable warning when opening large file in an internal editor. [[bug>2437]] | ||
| * Informing that when preserving directory timestamps is enabled, using multiple connections for transfer is not possible. [[bug>2439]] | * Informing that when preserving directory timestamps is enabled, using multiple connections for transfer is not possible. [[bug>2439]] | ||
| + | * Warning when pasting a session URL with unsafe settings. | ||
| * When opening session in PuTTY to a host for which WinSCP has multiple host keys cached, using the last key or the key that PuTTY has cached. [[bug>2440]] | * When opening session in PuTTY to a host for which WinSCP has multiple host keys cached, using the last key or the key that PuTTY has cached. [[bug>2440]] | ||
| * Always (re)registering drag&drop shell extension during installation, even when the extension is not replaced. | * Always (re)registering drag&drop shell extension during installation, even when the extension is not replaced. | ||
| Line 23: | Line 23: | ||
| * Reading all system settings from 64-bit registry. | * Reading all system settings from 64-bit registry. | ||
| * Allow assigning ''null'' to ''Session.SessionLogPath''. [[bug>2438]] | * Allow assigning ''null'' to ''Session.SessionLogPath''. [[bug>2438]] | ||
| + | * Avoiding using ''SSH_FXF_EXCL'' together with ''SSH_FXF_TRUNC'' SFTP file opening flags. [[bug>2444]] | ||
| + | * Optimized file system monitoring when looking for dummy directory during drag&drop downloads. [[bug>2445]] | ||
| + | * Change: Not allowing WebDAV redirects to other hosts by default. [[bug>2447]] | ||
| + | * Change: Not allowing WebDAV redirects to an unencrypted URL by default. [[bug>2448]] | ||
| * Bug fix: Failure when trying to connect via HTTP proxy to FTP host with excessively long login details. [[bug>2435]] | * Bug fix: Failure when trying to connect via HTTP proxy to FTP host with excessively long login details. [[bug>2435]] | ||
| * Bug fix: Buffer overflow in Console interface tool. [[bug>2436]] | * Bug fix: Buffer overflow in Console interface tool. [[bug>2436]] | ||
| * Bug fix: Failure setting ''Session.DebugLogPath'' when running in impersonated context. [[bug>2441]] | * Bug fix: Failure setting ''Session.DebugLogPath'' when running in impersonated context. [[bug>2441]] | ||
| + | * Bug fix: Message boxes from secondary windows (like the internal editor) caused application to move to the background when when the main window was minimized. [[bug>2443]] | ||
| + | * Bug fix: Heap over-read via crafted encrypted filename. [[bug>2449]] | ||
| + | * Bug fix: Slashes in filenames can cause path traversal when invalid filename characters replacement is disabled. [[bug>2450]] | ||
| ===== [[6.6.1]] 6.6.1 beta ((2026-04-01)) ===== | ===== [[6.6.1]] 6.6.1 beta ((2026-04-01)) ===== | ||
| Line 119: | Line 126: | ||
| * Bug fix: Failure when clicking tab close button while the session is already being closed. [[bug>2416]] | * Bug fix: Failure when clicking tab close button while the session is already being closed. [[bug>2416]] | ||
| - | ===== [[6.5.7]] 6.5.7 (not released yet) ((2026-06-03)) ===== | + | ===== [[6.5.7]] 6.5.7 (not released yet) ((2026-06-12)) ===== |
| - | * Translations completed: Croatian and Serbian. | + | * Translations completed: Croatian, Finnish, Georgian, Italian and Serbian. |
| * TLS/SSL core upgraded to OpenSSL 3.3.7. | * TLS/SSL core upgraded to OpenSSL 3.3.7. | ||
| - | * Back-propagated fix from 6.6.2 beta release: | + | * Back-propagated fixes from 6.6.2 beta release: |
| * Bug fix: Failure setting ''Session.DebugLogPath'' when running in impersonated context. [[bug>2441]] | * Bug fix: Failure setting ''Session.DebugLogPath'' when running in impersonated context. [[bug>2441]] | ||
| * Security issue: fixed a remotely triggerable double-free in RSA key exchange. [[pbug>rsakex-double-free]] | * Security issue: fixed a remotely triggerable double-free in RSA key exchange. [[pbug>rsakex-double-free]] | ||
| * Minor security issue: fixed a remotely triggerable crash in NIST ECDSA signature verification. [[pbug>ecdsa-remotely-triggerable-assertion]] | * Minor security issue: fixed a remotely triggerable crash in NIST ECDSA signature verification. [[pbug>ecdsa-remotely-triggerable-assertion]] | ||
| + | * Bug fix: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. CVE-2026-45447 fix from OpenSSL 3.4.6. | ||
| ===== [[6.5.6]] 6.5.6 ((2026-03-25)) ===== | ===== [[6.5.6]] 6.5.6 ((2026-03-25)) ===== | ||