Release Notes for This Release

23.1

2022-04-19
PrivX 23.1 is an incremental release on top of PrivX 23.0 with a golang security update.

  • [PX-4861] Update golang to 1.17.9

23.0

2022-04-07

Important Notes

End of life for Legacy Certificates
PrivX 22 and later will no longer support the workaround for legacy X.509 certificates that do not contain the server FQDN in the Subject Alternative Name (SAN) extension field. Please upgrade your server certificates to include the SAN extension before upgrading to PrivX 22 or later releases.


Deprecation Warnings

CentOS 8 is no longer supported
PrivX does not support the CentOS 8 release because CentOS 8 reached end of life during December 2021. From PrivX 21, Rocky Linux 8 is supported. You may migrate to Rocky Linux.

SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.

Practical attacks against SHA-1 were demonstrated in 2017, and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
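
A pre-upgrade check for the two certificate notes above (the server FQDN must appear in the SAN extension, and SHA-1 signatures are on their way out), as an added example that is not part of PrivX or its documentation. It uses the standard `openssl` CLI; the function names, `host.example.com` and the self-signed sample certificates are constructed for illustration, and SAN matching is exact (wildcard entries are not expanded).

```shell
#!/bin/sh
# Added example: flag certificates with no matching SAN DNS entry or a SHA-1 signature.

# make_sample OUT [SAN] - constructed self-signed test certificate (not PrivX material)
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=host.example.com" -keyout "$1.key" -out "$1" \
        ${2:+-addext} ${2:+"subjectAltName=$2"} 2>/dev/null
}

# check_cert PEM FQDN - returns 0 if clean, 1 on a finding, 2 if unreadable
check_cert() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "$1: cannot parse certificate"; return 2; }
    rc=0
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    # The SAN values are printed on the line after the extension header.
    san=$(printf '%s\n' "$text" | grep -A1 'X509v3 Subject Alternative Name' |
          tail -n 1 | tr -d ' ' | tr 'A-Z' 'a-z')
    case ",$san," in
        *",dns:$want,"*) ;;   # exact, case-insensitive match on a DNS entry
        *) echo "$1: $2 is not a DNS entry in the SAN extension"; rc=1 ;;
    esac
    if printf '%s\n' "$text" | grep -qi 'Signature Algorithm:.*sha1'; then
        echo "$1: signed with SHA-1"; rc=1
    fi
    return $rc
}

# Demo on constructed certificates: one CN-only (legacy style), one with a SAN.
tmp=$(mktemp -d)
make_sample "$tmp/legacy.pem"
make_sample "$tmp/ok.pem" "DNS:host.example.com"
check_cert "$tmp/legacy.pem" host.example.com || echo "-> reissue before upgrading"
check_cert "$tmp/ok.pem" host.example.com && echo "$tmp/ok.pem: ok"
```
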

Supported releases and upgrade path

After this release, we produce security and stability fixes for PrivX 23.x, 22.x and 21.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.

Upgrading to this version is supported from three previous major versions (22.x, 21.x, 20.x). If you are planning to upgrade from an older version, please contact support.

New features

  • [PX-4124] Network Target Extender Support.
  • [PX-4364] Linux and Windows local accounts Password Rotation.
  • [PX-3117] Azure AD as a User Directory via Microsoft Graph API.
    • Will replace the to-be-deprecated Azure Graph API integration. For instructions about migrating to the newer directory type, also see here.
  • [PX-2315] Antivirus scan on file transfers in native scp and ssh-proxy connections.
  • [PX-4693] Host-deployment script supports MacOS, FreeBSD, Arch Linux, Gentoo Linux.
  • [PX-4383] Monitoring→Status page displays more details about PrivX services and components.

Improvements

  • [PX-4512] PrivX to support PostgreSQL 14
  • [PX-4539] Remote desktop wallpaper supported for RDP-PROXY connections
  • [PX-4677] Support socket activated sshd with deploy.py script
  • [PX-4653] Upgrade and update dependencies for RDP Bastion
  • [PX-4633] Update Squid version to 5.3
  • [PX-4632] Update OpenSSL version to 1.1.1n
  • [PX-4532] Windows application restriction UI and text alignment
  • [PX-4297] Guacamole version 1.4 and FreeRDP version 2.5.0 upgrade
  • [PX-4252] OIDC settings in SCIM directory should be optional
  • [PX-4608] PrivX test against Solaris 11.4 with SSH-2.0-OpenSSH_7.5
  • [PX-4385] Prevent token refresh during PrivX UI restart action
  • [PX-4538] Host-deployment script supports custom attribute in account settings
  • [PX-4690] Host-deployment script supports setting other certificate templates (GitHub, GitLab, Tectia)
  • [PX-4526] When a role request includes multiple steps, email is sent after each step's approval
  • [PX-4748] Network access session client UI should indicate when it has lost connectivity to PrivX
  • [PX-4648] File transfer landing page is greyed out when user has only "File Transfer" option allowed
  • [PX-4499] Search and pagination functions added to API clients list view
  • [PX-4473] Allow Kubernetes containers to be run with custom privx uid/gid

Bug fixes

  • [PX-4823] Create AWS directory is broken
  • [PX-4723] Extender client version and build number are incorrectly reported on status page
  • [PX-4716] Role revoking via workflows not working if "permanent" membership is not ticked
  • [PX-4701] Opening additional tabs in PrivX Carrier Firefox crashes the browser
  • [PX-4692] Monitor service instance status endpoint always returns HTTP 200
  • [PX-4688] Custom attribute value is not used as san-upn in X.509v3 certificate template
  • [PX-4678] Deploy script fails on Fedora 35 as 'hostname' command is not available
  • [PX-4651] Existing workflows only retain the "Permanent" option after upgrade
  • [PX-4629] Username attribute is not editable after save in host configuration
  • [PX-4626] RDP Bastion connection times out too quickly when client prompts for user credentials
  • [PX-4623] SSH web client newline treatment differs between pasting methods
  • [PX-4610] Incorrect host service status in some cases
  • [PX-4600] Incorrect file size in audit events
  • [PX-4573] PrivX does not recognize OpenLDAP pwdMustChange setting for user
  • [PX-4568] User with vault-add can not share personal secret when adding a new secret
  • [PX-4559] Sometimes users cannot login if PrivX and database restarted at the same time
  • [PX-4510] Deleted users still visible before UI refreshing
  • [PX-4492] Not all OIDC user attributes are persisted for HA setup
  • [PX-4422] Secret Vault UI fails to load after upgrade to PrivX 21
  • [PX-4394] All services do not always start in PrivX Kubernetes environment
  • [PX-4264] Incorrect instruction on the extender deployment page
  • [PX-4704] Health check should not trigger error message to sshd event logs

Known Issues

  • [PX-4853] Password rotation scripts do not work on Windows 2012
    Windows 2012 R2 uses PowerShell 4.0, which is not supported by current password rotation templates.
  • [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
    • Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:

      # scp -i key.pem principals_command.sh <user>@<host>:/tmp/
      # ssh -i key.pem <user>@<host> "sudo cp /tmp/principals_command.sh /etc/ssh/"

      
  • [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag

  • [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
  • [PX-1875] Web proxy login does not work, if login page does requests to multiple domains

  • [PX-2947] No sound when viewing recorded rdp-mitm connection.

  • [PX-3086] PrivX role mapping to AD OU not working as expected.

  • [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
  • [PX-4035] Token refresh does not work and tabs do not share session state on Safari 14.1.1
  • [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
  • [PX-4352] UI shows deleted local user after delete
  • [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
    • Workaround: Restart affected Carrier and Web-Proxy services.
  • [PX-4650] Setting access_token_valid to "1m" kicks the user out to the login page
  • [PX-4662] Pasting larger text amount in Carrier/Proxy host fails (limited to 16kB for now)
  • [PX-4689] PrivX Linux Agent leaving folders in /tmp
  • [PX-4752] Web UI may show network target connection live when it's actually dropped
  • [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
  • [PX-4837] Connections may stop working after password rotation is disabled on the host
    Cause: Due to a bug, when the account password is left empty in the host configuration, the rotated password is not saved for future connections after the password rotation flag is disabled on the host.
    Workaround: Enter any string as the password for the target account, even if you aim to rotate the password with an admin account.
