Release Notes for This Release



Deprecation Warnings

SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.

Practical attacks against SHA-1 have been demonstrated in 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.

Supported releases and upgrade path

After this release, we produce security and stability fixes for PrivX 25.x, 24.x, and 23.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.

Upgrading to this version is supported from three previous major versions (24.x, 23.x, 22.x). For more information about upgrading from older versions, see Upgrade from Older Releases.

See updated installation instructions

New features

  • [PX-2879] SSH command restrictions.
    • Restrict the commands that can be run by users on SSH target accounts.
    • Restrictions may be customised per role.


  • [PX-5006] New API endpoints (cert, identity provider, and network access manager) supported by PrivX Go SDK
  • [PX-4913] Housekeeping task to remove old certificates from database
  • [PX-4870] Deployment script to support adding host tags
  • [PX-4768] Authentication certificate signature logged to Audit Event [401]
  • [PX-4685] Support Amazon Linux 2022 as PrivX installation server
  • [PX-4628] Show host name in PrivX ssh bastion interactive connection list
  • [PX-4583] Housekeeping task to remove the empty trail folders
  • [PX-4453] /var/log/privx/guacd.log is less verbose
  • [PX-4405] Make CA key expiration time known to admins
  • [PX-4380] Show warning if database or target host clocks are not in sync
  • [PX-4191] Kubernetes PrivX container images cleanup
  • [PX-4907] REST clients should fetch objects in batches of 1000 objects, where applicable
  • [PX-4862] New property in shared-config.toml allows skipping health check of hosts with host tags
  • [PX-5054] Support for ClearSwift ICAP gateway scan messages
  • [PX-5180] to support generic-pkcs11 params for non-interactive mode

Bug fixes

  • [PX-4560] Deleted roles are displayed as "Untitled" in UI
  • [PX-5128] Explicit members are not counted at all when showing role member counts
  • [PX-5124] API allows to create host without role id
  • [PX-5068] Incorrect error field contents in audit events when ssh-mitm sftp upload is blocked by ICAP
  • [PX-5065] fails without firewalld configuration commands
  • [PX-5059] Network target's disabled property is not handled properly
  • [PX-5056] Deployment script adds host to PrivX with role 'Untitled'
  • [PX-5055] AD directory status not updated, if bind password is incorrect
  • [PX-5026] PrivX 24 Kubernetes migration script doesn't have custom syslog configuration
  • [PX-5012] Connection more likely to fail for user who has many roles
  • [PX-5003] Hosts are incorrectly disabled when license update fails
  • [PX-4979] Carrier web urls break if using '&' characters in urls
  • [PX-4933] ssh-proxy: client IP address is not conveyed to authorizer in the REST API requests
  • [PX-4922] Audit log gets spammed if no connection to directory
  • [PX-4681] Deployment script gives unclear error message when deploying a host that already exists
  • [PX-4606] PrivX Server ports not opened if firewalld default zone isn't named public
  • [PX-4602] PrivX as ssh client doesn't send ECDH algorithms in correct order
  • [PX-4441] PrivX logs do not show the correct error when deployment script fails to modify /etc/sshd_config
  • [PX-4338] PrivX does not work nicely with OpenSSH MaxSessions 1
  • [PX-4334] Vault API query returns wrong count in case of offset larger than total items count
  • [PX-4952] User-logged-in audit event when using external JWT token exchange should show identity provider name
  • [PX-4932] remoteAddress in user store's audit event is which is incorrect

Known Issues

  • [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
    • Workaround: To correct SELinux context, copy the to correct location:

      # scp -i key.pem [email protected]:/tmp/
      # ssh -i key.pem [email protected] "sudo cp /tmp/ /etc/ssh/"

  • [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag

  • [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
  • [PX-1875] Web proxy login does not work, if login page does requests to multiple domains

  • [PX-2947] No sound when viewing recorded rdp-mitm connection.

  • [PX-3086] PrivX role mapping to AD OU not working as expected.

  • [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
  • [PX-4035] Token refresh does not work and tabs do not share session state on Safari 14.1.1
  • [PX-4215] Successful OIDC login might generate too long auth code as query parameter causes access-token fetching to fail
  • [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
  • [PX-4352] UI shows deleted local user after delete
  • [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
    • Workaround: Restart affected Carrier and Web-Proxy services.
  • [PX-4650] Setting ​access_token_valid to "1m" kicks the user out to the login page
  • [PX-4662] Pasting larger text amount in Carrier/Proxy host fails (limited to 16kB for now)
  • [PX-4689] PrivX Linux Agent leaving folders in /tmp
  • [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
  • [PX-5186] SSH command restrictions whitelist patterns cannot be easily used to block input/output redirection
    • Workaround: Avoid wildcard patterns when possible

Did this page help you?