Release Notes 10.x - 19.x
19.2
PrivX version 19.2 addresses some of the issues found in previous versions.
Improvements and bug fixes
- [PX-4295] Smart card authentication does not work. No smart card icon is shown on Windows Server 2016 logon screen
- [PX-4341] Requests to /status endpoint in proxies/mitms may cause unnecessary extender / carrier / web-proxy related calls
- [PX-4349] Document max_instances config variable in extender / carrier / web-proxy toml templates
- [PX-4396] Refresh-verify cookie does not have expire time
19.1
19.1 is a maintenance release over 19.0.
- [PX-4144] RoleContext role blocked incorrectly
- Security fixes
19.0
Deprecation warnings
CentOS 8 support will be terminated once the operating system reaches end of life (around December 2021). PrivX support will continue normally on other supported platforms.
18.0
Important Notes
Workaround for Legacy Certificates
If your existing PrivX installation has been integrated to systems that use legacy X.509 certificates (certificate CN equals FQDN, and does not contain a Subject-Alt-Name extension), then follow these steps when upgrading to PrivX 18:
Install PrivX-18 RPM without automatic postinstall:
# SKIP_POSTINSTALL=1 yum install PrivX-18.0-....
Enable legacy-x509-certificate support:
# echo "GODEBUG=x509ignoreCN=0" >> /opt/privx/scripts/local-env
Run postinstall manually:
# /opt/privx/scripts/postinstall.sh
Update your legacy certificates as soon as possible! This workaround for supporting legacy X.509 certificates is temporary and not guaranteed to be available in future releases.
License Upgrade for Future Upgrade Support
If your initial PrivX deployment started with version 15 or earlier, it is likely running with a Nalpeiron license, which will be unsupported in future PrivX releases. To enable upgrading to future PrivX versions, request and set up a new license according to Converting to New License Format.
Upgrading to the Latest Version
- Upgrading to this version is supported from three previous major versions (17.x, 16.x, 15.x)
- If you are planning to upgrade from an older version, please contact support.
Supported Releases
We produce security and stability fixes for the three latest major releases (18.x, 17.x, 16.x).
New Features
- [PX-2336] VNC protocol support
- Graphical VNC connections via PrivX GUI
- Video playback for VNC session recordings
- Note: Requires SSH service for tunneling. For more information about setting up VNC connection targets, see Setting up Hosts
- [PX-2496] Licensed host count changes, disabling unlicensed hosts
- [PX-3112] SOCKS and http proxy support for SSH Bastion
- When paired with public-key authentication, connections via SSH Bastion can be automatically authenticated against PrivX. For more information about SSH-Bastion connections via ProxyCommand, see SSH Connections with Native Clients
- [PX-3219] Additional settings configurable via the PrivX GUI, under Administration→Settings
- [PX-3351] Customizable SSH certificate template support for PrivX. Allows GitLab and GitHub certificate authentication via PrivX.
- [PX-3534] Support static IP addresses for PrivX license backend
- [PX-3619] Role request search
- [PX-3628] Restart PrivX from GUI, under Administration→Settings
- [PX-3663] Support for OAuth2 server endpoint for fetching PrivX access tokens
- [PX-3670] Support for SCIM server directory type for importing users and hosts
- [PX-3702] Support for initialization and availability status in file transfer
- [PX-3721] Create directory, file & directory rename, and file & directory move support
- [PX-3734] Paste on right click in SSH
- [PX-3748] Support display_path in addition to path in file transfer LS command
- [PX-3761] Allow host/subnet specific SFTP protocol version override
Improvements
- [PX-2521] License max hosts & max audited hosts enforcing in proxies and Bastions
- [PX-2742] LDAP-rule error should also describe the role name as well as offending rule
- [PX-2853] user-store: listen at a different port than 8084 due to omsagent Network Performance Monitoring (npm) solution
- [PX-3387] Include PrivX EULA in all binary packages
- [PX-3392] Add SSH Terms and Conditions/Service agreements to all PrivX components
- [PX-3393] Pre-fill default username on PrivX login page
- [PX-3428] Added TLS 1.3 support for PrivX web connectivity
- [PX-3441] Audit events for hosts do not show the modifications for the host
- [PX-3473] Audit events do not show who approved the request
- [PX-3474] Approved workflow requests disappear from other approvers
- [PX-3551] Service env variables must survive upgrades
- [PX-3616] Keywords search to access requests
- [PX-3679] GUI for host disabling/enabling
- [PX-3689] Additional fields to audit events
- [PX-3727] Log host tags to audit events
- [PX-3860] Support for container machine ids for PrivX licenses
Bug Fixes
- [PX-1980] Most audit events are missing username information
- [PX-2085] Cannot follow symlinks with PrivX SFTP client
- [PX-2665] Cannot reuse service address before host is deleted permanently from the database
- [PX-3269] Role comments are shown to all users on home page.
- [PX-3328] Create Vault API wrong response
- [PX-3456] RDP session with native client through PrivX drops, inconsistent with other RDP scenarios
- [PX-3581] deploy.py --clean and --show-config return exit code 1
- [PX-3583] Disabling a directory doesn't delete the hosts
- [PX-3586] Too long service address or foreign-key violation results in duplicate service address error
- [PX-3588] RDP resizing: connection reconnected without resizing browser
- [PX-3631] SSH proxy does not show banner messages
- [PX-3637] Multipart/form-data logins for web service will fail, if password field name is defined in web service config
- [PX-3638] Fix excludeMultiplePermissions()
- [PX-3642] Duplicate entries in host store blocking connections to both hosts
- [PX-3643] Webpage rendering issue when moving from full screen RDP session to PrivX homepage
- [PX-3653] SSH cert auth failing for personal account when mapped to multiple roles
- [PX-3656] timeout_when_no_connmgr is in minutes (not seconds)
- [PX-3678] ssh-mitm must not forward hostkeys-00@openssh.com global requests
- [PX-3699] Extender status not displayed under Service Status
- [PX-3700] LTS11 to LTS17 upgrade: directory setting not moved
- [PX-3701] RHEL8 missing local-env placeholder file
- [PX-3704] login-rate-limit: too_many_attempts error code is not shown when exceeding burst_size_limit
- [PX-3707] - Optional components not displayed in the GUI
- [PX-3709] rdp-proxy panics if DPI params not received
- [PX-3714] SSH Bastion: publickey client authenticated connections fail when target connection uses keyboard-interactive auth with stored passphrase
- [PX-3720] Creating directories with the RDP file transfer API makes directories that are not possible to upload to
- [PX-3733] rdp-proxy: file transfer API command "MV" does not work correctly
- [PX-3735] Upgrade failed on migration-tool
- [PX-3737] SSH Bastion: tunnel file transfer API request path validation is too strict
- [PX-3738] ssh-proxy: file transfer API request path validation is too strict
- [PX-3740] Skip connectivity test for VNC connections and allow extender connections via SSH tunnel
- [PX-3743] Data copied to clipboard in PrivX UI is stored into connection's audit trail
- [PX-3746] SFTP protocol version 4 is broken
- [PX-3799] Increase allowed maximum values for some settings properties
- [PX-3810] Old /help is still defined in nginx conf
- [PX-3811] nginx conf for status and robots.txt are incorrect
- [PX-3812] Secret editor field font should not default to monospace when using custom schemas
- [PX-3813] Host modified-event does not unescape services when showing diff
- [PX-3814] Nginx conf issues
- [PX-3819] license-manager might panic on license deactivation/activation
- [PX-3821] Prefilled username in login is wiped after failed login
- [PX-3824] License invalidation / host disabling does not cut ongoing connections
- [PX-3826] Connection-authenticated (301) event not consistent
- [PX-3839] HSTS header validity period fixes
- [PX-3841] License refresh and analytics enable/disable fails in one instance in HA env after license has been deactivated
- [PX-3868] Increased RDP file transfer buffer to 2 MB for compatibility
- [PX-3874] Fixed LDAP library panic after badly timed socket close
- [PX-3878] Connection manager panic during shutdown
Known Issues
[PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
Workaround: To correct SELinux context, copy the principals_command.sh to correct location:
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
[PX-1711] - RDP fails to connect to target in maintenance mode, need support for /admin flag
[PX-1835] - Extender/Carrier/WebProxy configs are not migrated on upgrade
NOTE: In case of manual changes in the extra component .toml files:
- Before upgrading, please copy the .toml files to another folder.
- After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
[PX-1875] - Web proxy login does not work, if login page does requests to multiple domains
[PX-2947] - No sound when viewing recorded rdp-mitm connection.
[PX-3086] - PrivX role mapping to AD OU not working as expected.
[PX-3183] - Belgian French keyboard layout change does not work in web and xrdp connections
[PX-3529] Wrong CA key is copied on the host when running the deployment script using extender
17.1
This is an incremental release over 17.0.
Excluding issues related to PX-3707 Optional components not displayed in the GUI, the Important Notes and Known Issues from 17.0 also apply to this release.
Bug Fixes
- [PX-3699] Extender status not displayed under Service Status
- [PX-3707] Optional components not displayed in the GUI
- [PX-3714] SSH Bastion: public-key client authenticated connections fail when target connection uses keyboard-interactive authentication with stored passphrase.
17.0
Important Notes
New Streamlined HA Upgrades
Keyvault config files are now automatically synchronized between PrivX servers and do not need to be copied manually. For more information about HA upgrades, see High-Availability Deployment: Upgrade.
Workaround for Legacy Certificates
If your existing PrivX installation has been integrated to systems that use legacy X.509 certificates (certificate CN equals FQDN, and does not contain a Subject-Alt-Name extension), then follow these steps when upgrading to PrivX 17:
Install PrivX-17 RPM without automatic postinstall:
# SKIP_POSTINSTALL=1 yum install PrivX-17.0-....
Enable legacy-x509-certificate support:
# echo "GODEBUG=x509ignoreCN=0" >> /opt/privx/scripts/local-env
Run postinstall manually:
# /opt/privx/scripts/postinstall.sh
Update your legacy certificates as soon as possible! This workaround for supporting legacy X.509 certificates is temporary and not guaranteed to be available in future releases.
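To find the certificates that need reissuing before the workaround in the PrivX 17 and PrivX 18 upgrade notes is withdrawn, the following added example (not part of the PrivX documentation or tooling) flags certificates that have a Subject CN but no Subject Alternative Name extension. The function names are hypothetical, and the host names and certificates are constructed test data generated in-process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// OID of the Subject Alternative Name extension (id-ce-subjectAltName).
var oidSAN = asn1.ObjectIdentifier{2, 5, 29, 17}

// IsLegacyCert reports whether c has a Subject CN but no SAN extension,
// i.e. a host name can only be matched against the CN.
func IsLegacyCert(c *x509.Certificate) bool {
	for _, ext := range c.Extensions {
		if ext.Id.Equal(oidSAN) {
			return false
		}
	}
	return c.Subject.CommonName != ""
}

// AuditPEM parses every CERTIFICATE block in a PEM bundle and returns the
// Subject CNs of the certificates that must be reissued with a SAN.
func AuditPEM(bundle []byte) ([]string, error) {
	var legacy []string
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			return legacy, nil
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		if IsLegacyCert(cert) {
			legacy = append(legacy, cert.Subject.CommonName)
		}
	}
}

// HostAccepted reports whether Go's host name check accepts host for the
// first certificate in pemCert. Without CN fallback, only SAN entries match.
func HostAccepted(pemCert []byte, host string) bool {
	block, _ := pem.Decode(pemCert)
	if block == nil {
		return false
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	return err == nil && cert.VerifyHostname(host) == nil
}

// makeCert builds a self-signed sample certificate in PEM form (constructed
// test data). A nil dnsNames slice yields a CN-only legacy certificate.
func makeCert(cn string, dnsNames []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	legacy, err := makeCert("legacy.example.test", nil)
	if err != nil {
		panic(err)
	}
	modern, err := makeCert("modern.example.test", []string{"modern.example.test"})
	if err != nil {
		panic(err)
	}
	names, err := AuditPEM(append(legacy, modern...))
	if err != nil {
		panic(err)
	}
	fmt.Println("reissue with SAN:", names)
	fmt.Println("legacy accepted:", HostAccepted(legacy, "legacy.example.test"))
}
```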
License Upgrade for Future Upgrade Support
If your initial PrivX deployment started with version 15 or earlier, it is likely running with a Nalpeiron license, which shall be obsoleted in a future PrivX release. To enable upgrading to future PrivX versions, request and set up a new license according to Converting to New License Format.
Reset Custom Disclaimers
Custom disclaimers are reset during upgrade. You should back up your custom disclaimers before upgrade, then recreate them after upgrade. For more information about setting custom disclaimers, see Custom Disclaimers.
Automatic Removal of Duplicate Services
Previous versions allowed entering duplicate host-service addresses, which were not supported and may have resulted in undefined behavior. When upgrading to this version, duplicates are automatically removed. For details about any removed services, check the installation logs.
Optional components not displayed in the GUI (updated on Mar. 8th, 2021)
Optional components (PrivX Extender, PrivX Carrier and PrivX Web Proxy) are not visible in the PrivX admin UI status page. The issue will be fixed in the PrivX 17.1 point release.
Upgrading to the Latest Version
- Upgrading to this version is supported from three previous major versions (16.x, 15.x, 14.x)
- If you are planning to upgrade from an older version, please contact support.
Supported Releases
We produce security and stability fixes for the three latest major releases (17.x, 16.x, 15.x).
New Features
- [PX-1694] - Deployment script will notify user, if OpenSSH version is too old. New configuration flags for deploy script.
- [PX-2311] - Allow filtering users on OIDC source level
- [PX-3217] - Administer PrivX settings via WebUI (rolestore,hoststore,monitor and trailindex)
- [PX-3337] - Possibility to remove old connection metadata.
- [PX-3350] - Filter for connections with access roles
- [PX-3357] - Change default behavior to open connection in a new tab
- [PX-3424] - Renaming of navigation items on WebUI
- [PX-3479] - Copy on select in SSH terminal.
- [PX-3540] - Support for ctrl-shift-c and ctrl-shift-v in the SSH web client.
- [PX-3492] - Synchronized clipboard support for web RDP on Chrome and Edge browsers.
Bug Fixes
- [PX-1230] - When AWS role federation is enabled, description is shown instead of name in PrivX
- [PX-1903] - User and audit event searching: Inconsistent behavior with special offset and limit values
- [PX-2094] - Services handle search params in a non-consistent way
- [PX-2163] - 'PrivX Configuration' host setting is not enforced
- [PX-2946] - Multiple directories scanning the same cloud hosts update the same hosts in db
- [PX-2948] - Race condition in host-store service uniqueness check
- [PX-2992] - Backend accepts negative values for floating time in direct role assignment
- [PX-3033] - Allow HA upgrade without copying config files between HA nodes
- [PX-3071] - Keydown gets stuck for web carrier connections
- [PX-3242] - Use (dn= instead of (cn= in superuser default and documentation
- [PX-3251] - Housekeeping for workflow_roles table
- [PX-3290] - Add a permission for granting access roles to audited connection
- [PX-3311] - Web login does not fill credentials on HP iLO 4 or Dell iDRAC environments. See Carrier config file for details.
- [PX-3316] - services read config files in wrong order
- [PX-3317] - services missing db related attributes in service-specific tomls
- [PX-3325] - Role permission error with two user directories
- [PX-3332] - Add "View" menu items to hamburger menus where items have detail pages.
- [PX-3339] - Guacd segfault after resizing browser multiple times
- [PX-3340] - Change "extender" to "web access gateway" for consistency.
- [PX-3346] - Remove HostServices cache and enforce service address uniqueness at db level
- [PX-3349] - Hyphen (-) is not allowed in api client name
- [PX-3372] - Access roles for transcript search
- [PX-3375] - Audit events do not log year or node info to timestamps
- [PX-3382] - Caching: creating and getting resources immediately sometimes return 404 not found
- [PX-3413] - Correct spelling of "log in" when used as a verb
- [PX-3414] - authorizer / connection manager: enhanced auditevents and connection metadata w.r.t principal key authentication
- [PX-3420] - privx-agent-ctl does not show directory username in target selection list
- [PX-3433] - New command line options for deploy script
- [PX-3437] - Generating keyvaults keys cannot handle some special characters in init_db.sh script
- [PX-3442] - Misleading error is returned if API client does not have valid permissions for ops
- [PX-3444] - Role-store returns non-existing users in role member listing
- [PX-3445] - Show all connections with access roles
- [PX-3451] - Search by deleted access role respond with result(s).
- [PX-3453] - Add some username length validations for hosts
- [PX-3460] - initial_install.sh does not check value of env var PRIVX_DISABLE_SELINUX
- [PX-3466] - Connection search as service returns invalid results
- [PX-3472] - Disclaimer JSON is not validated
- [PX-3485] - Wrong Native Client Address is shown to customer
- [PX-3501] - Caching issue: search returns count of 50 when there are 52 entries in the database
- [PX-3513] - Clipboard download for web connections doesn't work
- [PX-3523] - Settings: invalid scope in URL does not result in some forms of 4xx error
- [PX-3526] - Updating a user with a duplicate tag is possible.
- [PX-3528] - LDAP default user filter does not work
- [PX-3536] - Service-starting event missing for settings service
- [PX-3542] - API: wrong permission enums used in API tests
- [PX-3547] - Carrier web sockets: Firefox certstore does not accept all certificates in the bundle
- [PX-3567] - License manager: panic found in system test
- [PX-3571] - RDP/Web windows resize: resizing is not triggered when PrivX browser is resized during RDP/Web connection initialization
- [PX-3572] - Some available RDP keymaps are missing from the UI
- [PX-3573] - License manager: set_license.sh no longer works out of the box
- [PX-3576] - access-role-revoked audit event is triggered without any real temporary access being revoked
- [PX-3584] - Firewall commands are not run in postinstall if SELINUX is disabled
- [PX-2665] - Cannot reuse the service address of a deleted host until its hosts_deleted_age has elapsed.
Improvements
- [PX-2334] - Simplified certificate login allowing roles to be created for accessing host without reconfiguring target hosts. This is an alternate way for configuring hosts.
- [PX-3026] - API documentation improvements
- [PX-3446] - Officially support Amazon Linux
- [PX-3505] - Allow filtering out AWS roles by name
- [PX-3516] - Add external ID support for assume-role requests for additional security
- [PX-3525] - Allow fetching assume-role temporary credentials for roles on other AWS accounts
- [PX-3530] - Allow fetching temporary AWS API tokens via API clients
- [PX-3532] - Common env variable file for services
- [PX-3641] - Remove duplicate host-service addresses on install.
Known issues
[PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
Workaround: To correct SELinux context, copy the principals_command.sh to correct location:
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
[PX-1711] - RDP fails to connect to target in maintenance mode, need support for /admin flag
[PX-1835] - Extender/Carrier/WebProxy configs are not migrated on upgrade
NOTE: In case of manual changes in the extra component .toml files:
- Before upgrading, please copy the .toml files to another folder.
- After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
[PX-1875] - Web proxy login does not work, if login page does requests to multiple domains
[PX-1980] - Several audit events are missing username information.
[PX-2947] - No sound when viewing recorded rdp-mitm connection.
[PX-3086] - PrivX role mapping to AD OU not working as expected.
[PX-3183] - Belgian French keyboard layout change does not work in web and xrdp connections
[PX-3529] Wrong CA key is copied on the host when running the deployment script using extender
[PX-3637] - Multipart/form-data logins for web service will fail, if password field name is defined in web service config
[PX-3707] - Optional components not displayed in the GUI
16.1
2020-12-08
Bug fixes and improvements
- Bug fix for fetching cloud metadata with license
16.0
2020-11-24
Important notes for this release
Version 16 introduces a fix for Extenders in HA deployments where the load-balancer IP address is dynamic. If you run such an environment you will need to update your Extenders' configurations and certificates. To do this, perform the following after regular upgrade steps:
- Set privx_public_ip_address = "" in /opt/privx/etc/shared-config.toml and restart PrivX:
# systemctl restart privx
- Unregister your Extenders.
- Re-obtain certificates by running the following on your Extenders:
# /opt/privx/scripts/extender-postinstall.sh --request-cert
- Re-download Extender configurations to your Extenders.
- Apply changes by restarting Extender services:
# systemctl restart privx-extender
If you are performing a fresh install while having a license from prior to this release, you will need to request a new license from licensing@ssh.com.
New features
- [PX-273] - Ephemeral private key rotation for SSH
- [PX-1697] - Allow using AWS role ARN to scan hosts on other AWS accounts
- [PX-2027] - Support principal key import for roles
- [PX-2714] - Connection duration to connection-closed event
- [PX-2722] - Authentication to PrivX via SSH Bastion using public key
- [PX-2731] - Allow access to connections using access roles
- [PX-3182] - Allow defining web host specific domain restrictions for web access
- [PX-3194] - Add advanced search helper description to search fields.
- [PX-3224] - Disclaimer improvements
Bug fixes and improvements
- [PX-2909] - Override SSH algorithms per target host or pattern
- [PX-2912] - Add the license backend address to the license page
- [PX-2965] - Fixed connection-manager status check for RDP Bastion playback
- [PX-2994] - Support dynamic ELB endpoint: shared-config.privx_public_ip_address can not be set to a reasonable value with ELB
- [PX-3147] - Show host comments on connections page
- [PX-3177] - Default disclaimer example in shared-config.toml is invalid
- [PX-3179] - If host scanning or tag import is disabled, hosts deployed with deploy script don't have any names
- [PX-3180] - Focus can go to login form despite popup disclaimer
- [PX-3185] - Remove extra event attribute on connection page search results
- [PX-3191] - Contextual role restrictions do not work for API clients
- [PX-3199] - Race condition in SSH Bastion channel close
- [PX-3232] - Unused cache configs on rolestore.toml
- [PX-3233] - Auth service should use unified audit event keys
- [PX-3234] - RDP file upload fails if 'Overwrite existing files' is checked and file does not exist on target
- [PX-3257] - Panic in host-store house-keeping
- [PX-3264] - Race condition in auth service startup
- [PX-3266] - Expose API clients as role-store users
- [PX-3274] - Prevent granting access role to connection for already granted roles
- [PX-3280] - The PrivX UI / help documents get indexed by crawlers
- [PX-3291] - API clients are not allowed to access workflow engine APIs
- [PX-3301] - Google GSuite is nowadays Google Workspace
- [PX-3302] - trail-index: crash when attempting playback for trail with missing files
- [PX-3306] - Fix data validations for workflow-engine requests
- [PX-3315] - Workflow : add role through API but system marks the role added as ROLE REMOVED
- [PX-3318] - Notification mechanism does not work well with local caches
- [PX-3329] - PrivX web proxy does not support text/x-gwt-rpc content type
- [PX-3353] - Fixed installation and backup restore issue for PostgreSQL 11. Added support for PostgreSQL 13.
- [PX-3354] - Allow sending keycodes via menu for RDP/web containers
- [PX-3356] - Forwarded connection failed where it is expected to succeed
- [PX-3365] - Prevent Extender name and routing prefix namespace clashes when modifying or unregistering Extender.
Note: For existing deployments, ensure your Extenders and routing prefixes have unique names.
- [PX-3368] - Directory login is attempted even if directory has been disabled
- [PX-3370] - Prevent superuser creating trusted clients with too broad permissions
And security fixes
Known issues
- [PX-1230] - When AWS role federation is enabled, description is shown instead of name in PrivX
- Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
- [PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
Workaround: To correct SELinux context, use cp to copy the principals_command.sh to correct location:
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [PX-1711] - RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1835] - Extender/Carrier/WebProxy configs are not migrated on upgrade
NOTE: In case of manual changes in the extra component .toml files:
Before upgrading, please copy the .toml files to another folder.
After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
- [PX-1875] - Web proxy login does not work, if login page does requests to multiple domains
- [PX-1980] - Several audit events are missing username information.
- [PX-2665] - Cannot reuse the service address of a deleted host until its hosts_deleted_age has elapsed.
- [PX-2947] - No sound when viewing recorded rdp-mitm connection.
- [PX-3086] - PrivX role mapping to AD OU not working as expected.
- [PX-3183] - Belgian French keyboard layout change does not work in web and xrdp connections
15.1
2020-11-24
PrivX 15.1 is an incremental release over the previous version 15.0, introducing security and stability fixes.
15.0
2020-10-01
Important notes for this release
For fresh installations of PrivX version 15 and later, the default audit-event and trail-retention time has been changed to 180 days (used to be unlimited).
Upgrading to this version from 12.x may take longer due to the new microservices and migrations introduced in this release. Depending on the size of your deployment, the postinstall step may take up to tens of minutes longer than usual.
New features
- [PX-1238] - Feature to sort/search hosts by status (running, stopped..)
- [PX-2693] - Roles for API clients
- [PX-2729] - Restrict role requests with a role permission
- [PX-2730] - License-manager statistics collector (disabled by default)
- [PX-2986] - Inform user that sessions will/might be recorded
- [PX-3005] - Option for showing disclaimer messages for PrivX users at login
- [PX-3085] - Saved searches UI
- [PX-3120] - Better indication for when you try to add an invalid role
- [PX-3122] - Improve tolerance to broken role rule trees
- [PX-3125] - Less intrusive style for find box in terminal
- [PX-3128] - RDP clipboard style refinements
- [PX-3129] - Support shift-enter to search backwards in terminal
- [PX-3134] - Implicit pick on blur
- [PX-3136] - Auto complete tag with 0 chars
- [PX-3139] - More robust UI if service options are missing for a service
- [PX-3142] - Filter roles only if they don't have a principal key - not based on name
- [PX-3156] - Don't use tag auto complete if user doesn't have permissions
Bug fixes and improvements
- [PX-2349] - privx-admin and privx-user roles don't have public keys
- [PX-2626] - Email notification is not sent for the user when access request is created on behalf of another user
- [PX-2740] connection-manager: terminating SSH connection triggers trail-open-failed event
- [PX-2966] - Error when editing scanned hosts
- [PX-2968] - approvals tab to show all the processed records regardless of role restriction
- [PX-2971] - Reduce microservice I/O causing TIME_WAIT sockets
- [PX-3001] - go routine leak in directory and host scan and in cloud events lib
- [PX-3002] - Azure event logger is broken
- [PX-3006] - Browser text search on PrivX SSH terminal does not work
- [PX-3007] - Web Proxy does not support sites using Authorization: Basic header on regular login page
- [PX-3011] - monitor-service sql query for getting/deleting components is unnecessarily complex
- [PX-3012] - monitor-service status endpoint has a race condition related to system stats
- [PX-3038] - Carrier browser container firefox version is always the latest available
- [PX-3044] - Workflow-engine crashes when creating role with name longer than 128 characters
- [PX-3050] - Using LDAP directory type for Active Directory causes "User not found" errors
- [PX-3053] - workflow-engine: gomail lib is forcing the username to be an email address
- [PX-3066] - deploy.py does not set file permissions correctly with non-default umask
- [PX-3067] - Incorrect version table name for license manager
- [PX-3069] - workflow-engine: approvals tab lists requests incorrectly
- [PX-3072] - tags search is not case insensitive
- [PX-3081] - license-manager crash on entering license key
- [PX-3090] - deploy.py, sys.stdin.encoding returns None on some envs
- [PX-3107] - role-store: floating role activation may drop other explicit roles from the user
- [PX-3123] - Userstore upgrade does not set all fields when creating roles. Rolestore does not force IPMask validity
- [PX-3127] - workflow-engine - When user is not allowed to view the request the error code should be 403
- [PX-3130] - Cannot create host with API client
- [PX-3131] - Role created from api client does not have public key
- [PX-3138] - rdp-proxy and ssh-proxy playback endpoints should require privx-user permission
- [PX-3149] - privx-agent: nohup not working as expected
- [PX-3150] - UI: "Overwrite existing files" option allows multiple concurrent uploads of the same file
- [PX-3154] - rdp-proxy: playback crash when attempting playback for trail with missing files
- [PX-3158] - Crash when logging out on workflow page
- [PX-3159] - Can't create log collector
- [PX-3161] - Work-around for stuck keys in RDP / Web sessions
- [PX-3175] - Create proper indexes to audit_event table
- [PX-3178] - Connection manager does not handle empty keywords in connection search
Known issues
[PX-1230] - When AWS role federation is enabled, description is shown instead of name in PrivX
Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
[PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
Workaround: To correct SELinux context, use cp to copy the principals_command.sh to correct location:
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
[PX-1711] - RDP fails to connect to target in maintenance mode, need support for /admin flag
[PX-1835] - Extender/Carrier/WebProxy configs are not migrated on upgrade
NOTE: In case of manual changes in the extra component .toml files:
Before upgrading, please copy the .toml files to another folder.
After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
[PX-1875] - Web proxy login does not work, if login page does requests to multiple domains
[PX-1980] - Several audit events are missing username information.
[PX-2665] - Cannot reuse the service address of a deleted host until its hosts_deleted_age has elapsed.
[PX-2738] - privx-on-aws deployment fails, if one stack already exists
[PX-3086] - PrivX role mapping to AD OU not working as expected.
[PX-3183] - Belgian French keyboard layout change does not work in web and xrdp connections