1.0.50

• Support for MD5, SHA1 and MySQL PASSWORD() function were removed for password hashing. You should now use scrypt, argon2 or the system crypt(3) function.
• Soft fail if a USER command is received without TLS and the server is configured to enforce TLS. Previously, the session was immediately closed, but that was too brutal for some clients.
• Allow connections from the class E network range -- apparently required in some cases when using Linux containers.
• Large file listings used to require way more stack allocations than necessary, possibly reaching hard-coded limits and causing a forced
  session close. This has been fixed.
• The SPSV command has been removed.
• Under some circunstances, the server would not start when configured with directory aliases. This has been fixed.
• PostgreSQL: hard-coded global configuration strings were not escaped. This has been fixed.
• A warning is now printed when a transfer happens in ASCII mode, as this is rarely intentional.
• Compilation with --without-ascii is now possible again.
• Configuration options for features that have been disabled at compile-time are not parsed any more.
• When virtual quotas were configured, files were removed after an upload if the size quota was exceeded, but not during the upload. This
  has been fixed.
• A configuration file can now include other files with the Include directive.

1.0.49

• This version fixes a regression introduced in version 1.0.48 that broke the external authentication feature. Reported by Peter Hudec, thanks!
• Sockets from pure-authd and pure-extauth are now always owned by root in order to cope with the absence of CAP_DAC_OVERRIDE on Linux. Suggested by Arkadiusz Miśkiewicz, thanks!

1.0.48

• SNI support has been added. A new service, pure-certd, can run
  external code written in any language in order to map SNI names to TLS certificates.
• External authentication handlers get a new
  AUTHD_CLIENT_SNI_NAME environment variable set when the client uses SNI.
• TLS certificates and keys can now be in different files.
• make install does not overwrite existing configuration files any
  more. The example files layout has changed.
• TLS 1.3 is enabled when using OpenSSL 1.1.x.
• TLS < 1.2 is disabled by default.
• Quirks for obsolete OpenSSL versions have been removed.
• Username _ftp can be used as an alternative to ftp everywhere.
• Password hashing parameters are now chosen according to locally
  available resources. The pure-pw command gets to new switches: -C (as
  a hint regarding the number of simultaneous login attempts) and -M
  (total memory, in MB, to reserve for password hashing).
• New translation: Albanian, thanks to Moisi Xhaferaj.
• The PRET command has been added. It can avoid opening useless data
  connections for nonexistent content.
• Dot-files are always displayed. We don't lie any more in some
  commands while not lying in other commands to respect the protocol.
• Support for RFC 2640 has been removed from the free version, as it
  was early, experimental, slow, mostly broken and unmaintained code.
• The NLST command doesn't perform globbing any more.
• The MLSD command now prepends the path to file names.

1.0.47

• If TLS was only enabled on the control channel (-Y 1), the STAT command would send its output as other directory listing commands, breaking the TLS stream. This has been fixed. Spotted by Carlo Cannas, thanks!
• The system user _ftp can be used as an alternative to "ftp" for anonymous sessions.
• Compatibility with libsodium > 1.0.12 was added (including minimal mode).
• The prefix for Argon2-hashed passwords in LDAP has been changed to {argon2} (from {argon2i}). Ditto for MySQL and PostgreSQL: the authentication method is now called argon2 instead of argon2i, and includes both Argon2i and Argon2id.

1.0.46

• The server can now be linked against OpenSSL 1.1.x with the strict API.
• Unmaintained contributions have been removed.
• File globbing could take up to GLOB_TIMEOUT seconds (17 seconds by default) when matching some patterns, no matter what the configured recursion level was. This has been fixed, and upgrading is highly recommended. This was reported by Russ Cox, thanks!

People with commercial support can immediately download updated binary packages for FreeBSD, NetBSD, OpenBSD, Dragonfly BSD, IllumOS, any Linux distribution, as well as the Windows port and the iOS library.

1.0.45

• TLS v1.0 sessions are now refused.
• Version 1.0.44 didn’t properly parse the TLSCipherSuite directive. This has been fixed.

1.0.44

• The Perl and Python wrappers are gone. The daemon can now use a configuration file without requiring external dependencies.
• Pure-FTPd can now be linked against OpenSSL 1.1.x
• The QUIT command didn't work properly when the server was compiled without support for RFC2640. This has been fixed.
• 3DES was removed from the default cipher suite.

1.0.43

• Passwords can now be hashed using Argon2.
• The -J switch didn't work any more in 1.0.42. This has been fixed.
• The default cipher suite was simplified.
• Authentication against system accounts is compatible with OpenBSD 6.0.
• Fixed: protocol conformance when TLS sessions are refused.
• Altlog records can now be sent to stdout/stderr.

1.0.42

• Compilation fix for OpenBSD and Bitrig when Pure-FTPd is not compiled with libsodium.
• The connection is now dropped if HTTP commands are received.
• LDAP force_default_gid and force_default_uid now work as documented.
• The ONLY_ACCEPT_REUSED_SSL_SESSIONSswitch (introduced in Pure-FTPd 1.0.22 circa 2009, but disabled by default back then due to client compatibility concerns) is now on by default, except in broken clients compatibility mode.

1.0.41

• MariaDB and MySQL 5.5+ are now fully supported
• MySQL <= 4.0.0 is not supported any more
• Some Linux distributions ship a version of OpenSSH without support for ECC. Pure-FTPd can now be compiled on these.
• New command-line switch: -2/--certfile= to set the path to the certificate file when using TLS.