Fixes:

• Fixed an administrator permission evaluation error when deleting users, where the “User Management” permission was not sufficient to delete a user and the “Package Management” permission was also required. Now, the “User Management” permission is sufficient.

Minor changes:

• The environment information now also detects the nginx server version and, if enabled, sends it to the license server during license validation.

Fixes:

• Fixed an issue where a user-modified package expiration was incorrectly overwritten by the default expiration (configured by the administrator).

• Fixed an issue where it was possible to initiate file uploads to a package, leave some files unuploaded, and still confirm completion. This caused the files to enter an unexpected inconsistent state, which could subsequently cause package and file processing to become stuck. This is now correctly detected, the files remain in the uploading state, and they are automatically expired after the configured time period.

• API v2 does not correctly support uploading files to a package encrypted with a package password. This operation is now blocked for the 2.5 version branch and is not supported. Its correct implementation is planned for version 2.6.

• Updated the Netty library used by the SFTP server (fixes CVE-2026-42583, which is not exploitable within the SOFiE application implementation).

• Fixed message formatting in the package detail for a limited number of accesses.

• Added missing translations of audit log messages to the SK and HU localizations (for the user view or export of package audit logs).

Minor changes:

• When releasing a package or a file transferred by the AFiT module from quarantine, there is now an option to repeat the transfer by the module to the output (enabled by default). For installations without the AFiT module, nothing changes.

• A minor update of some dependencies (libraries) has been performed.

• Additional auxiliary diagnostic logs have been added for integration with Check Point SandBlast.

Fixes:

• Fixed an issue where login via OIDC did not correctly verify the type of OIDC provider (admin vs. user). This could, for example, result in a user being incorrectly logged into the admin interface, but such a logged-in admin had empty permissions and could not perform any actions.

Fixes:

• A bug was fixed that caused notifications about a new package not to be sent (since version 2.5.10).

• Fixes in the sofie script/command:

  • Handled so that everything works even on systems with a default language other than English.

  • Better handling of some possible states and messages.

  • Typos were fixed and some texts and help were adjusted.

New features:

• The ”sofie update“ and ”sofie upgrade“ commands now allow selecting a specific version to perform the update/upgrade to using an optional parameter. If it is not specified, the behavior remains unchanged. For details, see the updated Upgrade notes (Instructions for upgrading to a new version).

Minor changes:

• The ”sofie update“ and ”sofie upgrade“ commands now require confirmation (y/n) before executing the action. A new parameter -y or --yes can be used to suppress this behavior and perform the action automatically without confirmation, as before (suitable for automation).

Fixes:

• Fixed potential issues with expiration of file checks, especially when uploading in multiple sessions and via API. (Adjusted the processing of file checks and handling of sessions introduced since version 2.5.)

• Adjusted the maximum width of the package name in the package list and in the package detail in both the user and admin interface.

• Improved handling of events related to package and object updates in the package detail view for users (fixed for administrators in the previous version).

• Fixed display of the chart legend on the administrator Dashboard screen.

• Fixed a web interface error when canceling a package upload.

New features:

• Official support for increasing the number of concurrently executed file checks. Previously, it was supported only unofficially and the default state is set to 1, meaning serial execution. See more at: Upgrade notes (Instructions for upgrading to a new version)

Minor changes:

• Updates of some dependencies (frontend libraries and localizations) and related adjustments to deprecated parts.

Fixes:

• Missing actions for packages have been added in the view with the list of cooperative packages.

• Support for FQDN aliases has been fixed. Due to internal modifications in the nginx configuration, this did not work correctly and alternative domains (FQDN aliases) were redirected to the main domain.

• Fixes based on current pentest findings:

  • Timing of login attempts.

  • Limitation of specific DoS requests by introducing new limits, timeouts, and http2.

  • Backend enforces the same minimum password strength as the frontend.

  • Improvement of CSP (Content-Security-Policy) parameters.

  • Validation of datastore path settings; system directories (e.g. "/", "/bin", "/sbin", "/etc", "/proc", etc.) and all non-empty directories are not allowed.

  • Improved recovery process in case of corrupted local storage values; it no longer ends with a "white page", it may end with a logout.

  • Other minor fixes and adjustments.

• Fix for an error triggered when recipients were inserted quickly from the clipboard.

• Kafka client update – fixes message distribution into queues when parallelism > 1.

• Fixed an issue where tabs in the package detail could sometimes not be displayed for both users and administrators.

• Fixed specific web interface errors that could cause console errors and warnings and, in rare cases, malfunction.

• Optimized deleting of expired files and folders in the upload phase.

• Improved processing of events about package and object updates in the web interface.

• Other minor fixes in texts, translations, and design (including text wrapping and window overflow).

Minor changes:

• A new setting has been added for the expiration of individual files within a package: expiration of shredded files. These files have already been shredded = deleted from disk, but their metadata remained in the package. With a large number of shredded files (in a long-used or persistent package), this reduced clarity and slowed down work with the package. This new expiration setting now allows the metadata of shredded files to be removed from the package.

• The default setting for displaying package details has been changed for both users and administrators – by default, deleted files are no longer shown. This speeds up and clarifies the display, especially for packages with a large number of deleted files. If needed, the view can still be adjusted according to requirements (via the cogwheel on the right above the file list) and the files can be shown again.

• An option has been added to configure which columns are displayed in the file list in the package detail (via the cogwheel on the right above the file list). Fewer columns = faster display. For both users and administrators.

• Pagination has been added to file lists in the package detail for both users and administrators. As a result, the view now loads and renders faster. Without pagination, viewing packages with 1,000+ files was poorly usable.

• The number of files is now displayed in the Deleted, Quarantined, etc. tabs in the package detail.

• For administrators, lazy loading has been introduced in the package detail when displaying details of file checks (expandable “+” next to the file). This provides further speed-up of the file list display at the cost of a slight slowdown when displaying these check details.

• Optimization of processing notifications about package changes in administration.

• The permission “Share packages” has been added to the default user permissions (default group) for new installations. This will take effect only if the mode “selected only” is set for the function “Users can share packages”, which is not the default state.

• Improved sending of diagnostic data from the application in Settings – Configuration – Diagnostics. The progress and any errors (e.g. non-functional connection to the manufacturer’s server) can be viewed in a new panel “Output of the last attempt to send logs”. The button also indicates that sending is currently in progress to prevent accidental repeated submissions.

Fixes:

• Various optimizations and adjustments to speed up loading of the file list in the package detail, which became noticeably slower in version 2.5. Order-of-magnitude speed-up of loading the file list for SFTP.

• Faster loading of other general information in the package detail.

• Fixed an SFTP bug where some clients (e.g. OpenSSH sftp) remained stuck at the end of a downloaded file because they expected an EOF marker but received a zero data block instead.

• For files in the “uploading” state, the actions Move, Rename, Delete, and Shred were incorrectly offered. These are no longer offered. Instead, the correct action Cancel is displayed to the administrator and the file owner; this cancels the file upload (and the file is shredded).

  • This also affects the behavior of the API and SFTP, for which the same restrictions on available actions apply.

• Adjusted the conditions under which the “Recheck” action can be triggered for files. In addition to being decrypted, files must now also be clean or in quarantine (i.e. not uploading, waiting for check, etc.).

• Loading of shredded file check results was fixed.

• Fixed an unexpected error (caused by memory exhaustion) when exporting a large number of audit logs to CSV.

• Fixed the calculation of package size and the related display of package size. In the package detail for administrators, the occupied storage space is now displayed correctly (i.e. including deleted files), as well as in the list view (previously, the active size without deleted files was shown).

  • A one-time operation performed during this update will recalculate the sizes of existing packages to correct them if necessary.

• Trend Micro AV is no longer set as mandatory by default, the same as all other AV engines.

• Added proper handling of additional possible errors when sending diagnostic data.

• Fixed unnecessary preparation of some trace-level log messages even when logging at this level was not enabled (= another minor speed-up).

• Fixed an error in the audit log message where, if an account without an e-mail logged in via OIDC, “null” was incorrectly displayed instead of the user name.

• Fixed incorrectly duplicated messages in the audit log during user creation.

• A fix has been made to administrator login via OIDC: the email address is optional for administrators, but it was previously required.

• Various text fixes and typo corrections and other minor fixes.

Minor changes:

• The http-acme.conf file in nginx, which in new installations is used to configure automatic renewal of Let’s Encrypt certificates, will no longer be overwritten during updates. It is therefore possible to make manual changes that will be preserved (e.g. using a different certificate authority than LE).

Fixes:

• A bug present since version 2.5 that prevented adding an additional factor to a user whose account was from AD has been fixed.

Minor changes:

• UX adjustments from the previous version 2.5.5 have been extended for consistency to forms shown after creating a standard new package, a forwarded package, and when adding files to a package.

Fixes:

• Added missing translations to EN, SK, and HU localizations, where the CS version was shown instead of these languages for several texts. Fixed a translation issue in the HU localization.

• Fixed an issue where forwarding a package did not work when user packages are subject to approval.

• Fixed an error when forwarding an old package from a version prior to 2.5, where the absence of a profile in checks caused an unexpected exception and repeated creation of temporary files in the package directory.

Minor changes:

• Added a new item to Settings – Configuration – Security – Password rules – Password rules for packages – Mandatory access link password. Previously, this was governed together by the earlier item “Mandatory package password - logged in user”; it now has its own separate setting.

• An administrator can delete a package password even if a package password is mandatory.

• Improved UX for working with requests and links for users:

  • The link displayed after creating a new request is no longer active, but text-only. It can be easily copied using the copy icon right next to it. This is the request link intended for use by the request recipient to upload files.

  • A link to the detail of the corresponding linked package is now shown in the text below.

  • Icons for copying package and request links have been modified and unified.

  • In the package detail, a link to the request is now also shown in the General information section, in addition to the package link, if the package was created as a request for file upload.

Fixes:

• Fixed an issue where sending a request (without a password) did not work if the package password was mandatory for logged in users.

• Fixed a potential issue with configuration export not working (when a null attribute was present in ADFS).

• Fixes in the form for additional package editing (especially related to password change and password validation) and other minor UI fixes.

• Handling of an unexpected exception when an empty token is returned from ADFS.

Fixes:

• If the new feature for disabling email sending was used and some messages were still in the queue, erroneous attempts to send them occurred. These messages are now discarded and not sent.

• Fixed a potential erroneous (duplicate) cleanup of “WorkflowSession” and improved the related audit logs.

• Fixed an exception in the scheduled cleanup job (during limit processing) that could have caused the cleanup to stop working.

Minor changes:

• API v2 update:

  • If, in the API call when creating a file to be uploaded, the client provides its hash, which is optional, this hash will be stored on the server and other API calls will return it already while the file is in the UPLOADING state. Subsequently, after the file content upload is completed, a new hash will be calculated on the server side and compared with the hash provided by the client. If they do not match, the server will return an error to the client and the file upload is not successful. The file remains in the UPLOADING state and the client can repeat the content upload, or cancel it via another API call.

Fixes:

• A minor fix in the processing of “WorkflowSession” in atypical situations, so that sessions are cleaned up correctly.

Fixes:

• Fixed an unexpected exception when attempting to send notifications for an empty package.

• Fixed incorrect texts in headings in Settings → Configuration → Packages → File Expiration and Limit number of accesses.

Fixes:

• In version 2.5.0, requests were redesigned into access links. If there were any requests active at that time and waiting for file uploads, the old links to them stopped working after the upgrade to 2.5.0. The option to resend notifications also did not work for these converted requests. This has now been fixed. The old request link now redirects to the new access link. It is also possible to resend notifications, which will now contain the new access link.

• The list of files in the package detail was not refreshed correctly when a file was released from quarantine; this has been fixed.

• In the package detail, in the list of checks for files, the yellow bar is now displayed correctly if a check has not yet been performed and is waiting in the queue.

• Correct masking of some new secrets for audit logs and configuration export has been added.

• A bug was fixed where a contributor on a cooperative package could not upload files correctly via SFTP.

• Fixes in the new user view “Shared with me”: non-functional selection and filter fixes.

• Minor graphical issues (e.g. icon spacing) and texts have been fixed.

New features:

• Access links (sharing) for packages. Access to a package can now be granted using a unique access link. Details:

  • Any number of access links to a package can be created, and they can be created by the sender/author of the package (if allowed by the administrator, see Settings - Configuration - Packages - General - Users can share packages) or by an administrator.

  • A link can also be created for a specific subfolder within a package, where the link grants access only to the contents of this folder and not to the entire package.

  • For links, it is possible to set: access permissions (read-only, upload-only, read+write), expiration, password, limitation on the number of accesses, and accessibility (public, internal, private).

  • This makes it possible, for example, to share a package (or only its folder) for edits as well, using a password-protected unique link, with a third party that does not need to have an account in the application - an access link is sufficient. This is done via the “Share folder” button in the package detail.

  • Packages that were shared with the user via an access link are visible to the signed-in user in a new menu “Shared with me”. It works similarly to (and may in the future replace) the feature of cooperative packages and contributors.

• Adding the “Audit Log” feature to a package for users (senders and contributors). Suitable especially for cooperative packages, or packages with the new access links. It allows the sender and contributors, if enabled by the administrator, to view who and what was last done with the package (uploading files, moving, deleting, downloading, etc.). Using permissions, the administrator can define whether:

  • the user does not see the package audit log at all (original state)

  • sees the basic one (with basic events: work with files and links - suitable for regular users)

  • or sees the extended one (with all package events, including scans, encryption, etc. - for advanced users or administrators' users)

• Policies and configuration profiles, which allow the administrator to set different configuration for different users, groups, or IP addresses and ranges. Specifically:

  • Profiles for detection engines - in Detection settings, for individual detection engines it is possible to create several different profiles with different settings and specify which of them is the default.

  • Policies for detection engines - using profiles (see above), they enable different configurations and rules for scanning files in packages, including skipping scanning.

  • Policies for size limits - allow different limits on the size of packages and files uploaded by different users or groups.

  • Policies for package expiration - allow setting different expiration times for different users and groups.

• Support for user distribution groups. It allows the administrator to mark a user group as a distribution group and enter an email for it. Distribution groups are then offered to users (depending on the settings to all users, or only to those from the group) to fill in where contacts are entered, similarly to records from the user’s personal address book. In other words, it is possible to send packages “to a group” that the administrator has prepared for users.

• New Search function in Settings - Configuration for administrators. In the top right, there is a new field for searching in configuration (shortcut Ctrl+K), which enables quick search and jump to the desired option.

• Ability to sign in an administrator via ADFS or OIDC (like MS Entra). Until now, it was only possible with a local account in the application.

• The administrator can allow users new options for packages in quarantine, specifically:

  • In the section “Configuration - Packages - Access control” an option “Users can delete files in packages in quarantine” was added with a note that deleting the last file in quarantine will automatically release the package from quarantine.

  • Similarly, an option “Users can add and manage package files in quarantine” was added. A suitable addition if the mode “Allow download of clean files from quarantined packages” is set. It allows users to add and move files even in packages in quarantine.

• Expiration/deletion of individual files in a package. Previously, automatic expiration applied only to the entire package with all files. The new version allows setting file expiration in a package independently of the expiration of the entire package. Either from file creation or from the last access to the file. Suitable especially for longer-used or persistent cooperative packages with subfolders and a large amount of content.

• Notifications for packages and requests can be sent with the sender’s email included (controlled by the administrator in Settings - Configuration - E-mail). Specifically, the Reply-To header is set in the message, which does not break SPF/DKIM/DMARC.

• A “Network objects” catalog was introduced, where the administrator can define and name IP addresses, ranges, and their groups. These can currently be used for:

  • Different login forms (buttons) for different IP ranges. Based on IP ranges, it is possible to determine which ADFS or OIDC sources are displayed in the login form, i.e., internal network can have different (ADFS) than from the Internet (MS Entra), etc.

  • Detection engine policies.

• Ability to globally disable sending of all emails from the application (in Settings - Configuration - E-mail - Send emails).

Minor changes:

• Requests have been adjusted, but with emphasis on minimal impact on users. Specifically, the following changes:

  • Terminology - previously: Request to submit a package, now: Request files upload. However, the user still uses the same menu Send request to create it and essentially an identical form.

  • Requests are no longer displayed in Received packages of the user who created/sent them, but in Sent packages and additionally in the new menu Requests.

  • Technically, the request is now created as a new empty package of the user, to which an access link (see new features above) is created immediately with corresponding parameters (upload-only, limited to one access, optional password) to mirror the behavior of the original requests.

• The administrator can disable sending package notifications for a user (in the user’s profile/detail in the user list). Suitable for system/API accounts so that emails that nobody wants/reads are not sent to them.

• The user has the option to disable sending the notification for a new package (in the New package form), similarly to a request. The information and access link to the package must then be passed to recipients by the user in another way.

• The administrator can remove even individual files from quarantine, not only the whole package. Suitable if the mode “Allow download of clean files from quarantined packages” is set.

• The administrator can now change basic package properties, same as the user: i.e., name, note, and validity.

• In the administrators list, a preview of permissions is displayed like for users directly in the list.

• Email templates improved: they better reflect cooperative packages, persistent packages, additional file additions, public packages with a password, etc. New template for sharing package content (access links).

• API v2 changes:

  • Support for managing user groups added.

  • Pagination and basic filtering added in user and group lists.

  • For administrator API tokens, a setting “User impersonation enabled” was introduced, which determines whether the administrator token also allows performing user actions on behalf of a user. Previously, it was always allowed.

• In the API tokens section, the administrator can reissue an existing API token. The old token is invalidated and a new one is issued and displayed one-time. Previously, it was necessary to delete the token and create a new record, which lost token linking and settings.

• Display of packages in the queue adjusted. Previously, only new packages still waiting for inspection were shown here. Now, all packages that have files waiting for inspection are shown (e.g., newly added files into an old package).

• A session was introduced when adding and uploading files into a package. It prevents conflicts during simultaneous uploads into one package from multiple sources, allows correctly canceling unfinished/failed uploads, etc. It is transparent for users, they do not need to handle or know anything, it happens automatically.

• When creating a new user by an administrator, the default is to send a link to set a password instead of manually entering a password (but it is still possible to switch).

• A new permission “Reset password” was added, without which a local user cannot request a password reset. After the upgrade, all users who had login permission will automatically receive it, so the behavior does not change.

• Improved package size limits so they work not only for the first upload but also for ongoing edits.

• New submenu “User management” in the Settings menu, to which parts related to managing users, groups, administrators, etc. were moved.

• Better options for updating password hashes, specifically:

  • Historically, the algorithm (or its parameters) for calculating password hashes has already changed several times to meet current recommendations. However, this only manifested when changing the password of an existing user or creating a new user.

  • Now, if needed, the password hash is automatically updated to the current version of the algorithm upon user login.

  • In addition, accounts with an outdated password hash are indicated to the administrator in the user and administrator list. The administrator can, for example, send them a password reset link to force the update.

• The feature “Store password hashes” in Active Directory settings was removed. It could have unexpected consequences for some (during AD outage/maintenance/error, sign-in could work even if the account was meanwhile removed in AD, password changed, etc.).

• In the permission settings dialog (for user groups), there may be exclamation marks warning that this permission is now not used due to the application settings. It now includes a link and allows jumping directly to the corresponding part of settings so this can be changed.

• In the briefcase, the option to set a package password was removed (intended for sending “to yourself”).

• The AFiT module supports setting subdirectories for input and output.

• Support for RHEL 10 and compatible clones added for installation and running the application.

• Addition of a CLI script for importing and creating users from CSV.

• Improved evaluation of the last update for antiviruses and addition to the Dashboard screen.

• Addition of totals to the chart on the Dashboard screen.

• Tolerance for the validity time of TOTP codes was introduced when signing in with an additional factor. The administrator can set in Settings - Configuration - Users - Multi-factor authentication - TOTP time delay [s] in the range 0 to 30 and the default is 10 s.

• Package states “requested” and “uploading” were removed. This is related to the new features and changes above (access links, modified requests).

• It is now possible to enable and disable sending error reports (exceptions), or anonymize it (Settings - Configuration - Diagnostics). It is also possible to enable or disable sending basic information about the application environment (during regular license checks). We recommend keeping it enabled for better diagnostics of errors and compatibility.

• Change in evaluating available actions on objects in the web interface (e.g., packages), the frontend now dynamically adapts to the backend.

• For new installations, Let’s Encrypt certificate support was reworked. Use of “Certbot” was discontinued; the native nginx acme plugin is now used. Existing installations will remain unchanged.

• In Settings - Configuration - SFTP server, the static top warning about needing to have the sofie-sftp-server service enabled was replaced with a dynamic message that reflects the actual state of this service (whether it is running).

• The administrator can now switch the account type between local and remote in the user and administrator lists. Previously, in case of change it was necessary to delete the account and create it again as the desired type (local manually, remote left to be created automatically upon the user’s first sign-in). It should be used only in specific cases, for example if the administrator needs to prepare some settings for an account, creates it locally manually and then switches it to remote.

• Unauthorized attempts to access the application are now logged (blocked due to Settings - Configuration - Security - Access restriction) - at DEBUG level. The number of these logs per time can be limited in Settings - Configuration - Logging - Limit logging of unauthorized access attempts, to prevent log flooding (by default the limit is enabled to 3 per 60 seconds.

• Internal development changes: updates to internal libraries and dependencies were performed, refactoring of permission evaluation for actions within the application, refactoring of texts and translations, and others.

Fixes:

• Some entries in the audit log (e.g., about changing the user’s email/alias) did not have the source/account that performed the action filled in. Fixed.

• Manual cancellation of uploading previously showed it was canceled, but in the background it could still continue and might not be correctly “cleaned up”. Introducing upload sessions, see above, solves this.

• Improved dialogs for password check and limited number of accesses to a package, including fixing a bug where direct access to the link for adding a file to a package skipped these dialogs and the file could not be added.

• Removed found inconsistencies between the documentation and the API v2 implementation.

• Reduced the amount of SSE notifications backend->frontend, which removes unnecessary flickering (reloading) of the page in some situations.

• Fixed that in package lists from the administrator’s perspective, the ! icon with a warning that the package is not encrypted was incorrectly displayed even though encryption is enabled, also for empty packages (without files), where this did not make sense.

• Via SFTP, it is no longer possible to access a password-protected package because there is no way to enter this package password in the SFTP channel.

• Export of users to CSV was incorrectly limited by the set pagination; it is now limited by a maximum of 5000 records.

• Other various fixes, especially texts, appearance, function of some filters, etc.

Fixes:

• Fixed an issue where an internal package was not properly accessible to signed-in users if someone was listed as its recipient or contributor.

• Fixed an issue that prevented the creation of a new user group.

Fixes:

• Adjustment of a parameter in API v2 (sshPublicKeys) to ensure consistency across different calls.

• Removed the dependency of the "sofie" CLI script on the "ansible" RPM package. (The availability of ansible-playbook is still required.)

Fixes:

• Fixed potential exceptions when scanning certain specific files by internal modules, which caused the files to get stuck in queue. (Internal tests have been improved to automatically catch this issue in the future.)

Fixes:

• Updated the Apache Tika library to the latest version (3.2.2), which addresses a critical vulnerability (CVE-2025-54988). Due to the severity of the issue, we recommend updating as soon as possible.

• Updated other used libraries.

• Improved filtering of affected files during the expiration of stuck files in the uploading state — unaffected files are now correctly skipped.

Fixes:

• Fixed an issue where, under certain specific conditions, an incorrectly interrupted package upload was incorrectly moved to active packages (or to quarantine), even though it should have remained incomplete in the upload queue and been shredded after the configured timeout. Such erroneous packages could also contain invalid (not uploaded) files, which could not be downloaded or included in a ZIP download. The likelihood of this issue occurring increased in version 2.4.9.

• Fixed shredding (disk deletion) of files when shredding packages in the uploading state (i.e., packages that failed to upload completely and correctly).

• Fixed an issue introduced in version 2.4.9 where redundant attempts were made to shred already shredded files. In specific cases (e.g., older installations with files containing special characters in their names), this could result in certain packages getting stuck (not expiring into trash/archive/shredded as expected).

• Fixed audit logs USER_AUTH_SESSION_HIJACK and ADMIN_AUTH_SESSION_HIJACK, where some user attributes were incorrectly recorded in the admin log instead of administrator attributes.

• Fixed an unexpected exception when retrieving user information in cases where the user did not exist.

Fixes:

• Fixed an issue with integration with FortiSandbox where, in some cases (archives/containers with multiple files), the sandbox results could be retrieved without including results for all embedded files. Due to changes in the FortiSandbox API, this fix requires FSA version 5.0 or later. Older versions do not support the corrected behavior. We therefore recommend updating FortiSandbox to version 5.0+ first.

• Fixed an issue where an interruption of the upload of files to a package (e.g. due to lost connectivity) could result in some files being left in an inconsistent and stuck state. This issue primarily affected cooperative packages with files being uploaded subsequently and potentially concurrently.

• Fixed an issue where the download icon was incorrectly displayed to administrators for files that were not actually downloadable (e.g. still uploading).

Fixes:

• Fixed a bug introduced in version 2.4.7 that prevented the creation of a new user.

• Minor fixes and adjustments related to IPv6 in the nginx web proxy. The application does not fully support IPv6 yet, but the web server can run on IPv6.

Minor Changes:

• New antivirus supported in Detection settings – Trend Micro.

• The administrator can enable options in the user settings to skip sandbox, antivirus, or internal module checks. If any of these options are enabled, the corresponding engines will skip checks for packages sent by this user. This also applies to API calls executed under this user. In a future major version, this will be replaced with a more systematic solution.

Fixes:

• Added an index to improve folder handling performance in packages.

Fixes:

• Fixed an error when deleting a package after checks sent through API v1.

• Fixed the display of tags in a package detail for the administrator.

Minor Changes:

• Active filters in lists now have a prominent label indicating that they are active. Filters can be reset and disabled using the cross on the label without needing to expand the filter.

Fixes:

• If the closed environment is enabled (Settings - Configuration - Packages - Access Control) and also that additional files can be added to existing packages by the author or contributors, files can only be added from the same environment in which the package was originally created by the author. The transfer direction is always evaluated for the entire package, meaning that all files within it must come from the same environment. Adding additional files now also respects possible upload restriction for the given environment.

• The download direction (open ↔ closed environment) is now correctly evaluated for SFTP as well, ensuring that any restrictions set in the configuration are respected.

• Fixed validation of user duplicity when creating or editing a user by an administrator.

• Fixed an error when forwarding a password protected package.

• Fixed misspellings and minor text modifications.

Minor Changes:

• If the settings allow additional file uploads to an existing package, it is now possible to create empty packages (without files). Files can be added later. This is useful, for example, for cooperative packages.

• If a user has permission to set a package as persistent, they can now do so directly when creating the package, without needing to edit it afterward.