Release Notes for This Release

20.0

Important Notes

Old license back end is no longer supported
A new license back end has been in use since PrivX 16, and the old back end is no longer supported in PrivX 19 and later releases. Read Changing to the New License Back End to check whether you need to take any action.

Deprecation Warnings

CentOS 8 End of Support Imminent
CentOS 8 support will be terminated once the operating system reaches end of life (around December 2021). PrivX support will continue normally on other supported platforms. Going forward, Rocky Linux will be supported in PrivX 21 and later.

SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.

Practical attacks against SHA-1 were demonstrated in 2017, and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.

Workaround for Legacy Certificates
If your existing PrivX installation has been integrated with systems that use legacy X.509 certificates (the certificate CN equals the FQDN and the certificate does not contain a Subject-Alt-Name extension), follow these steps when upgrading to PrivX 20:

  1. Install PrivX-20 RPM without automatic postinstall:
    # SKIP_POSTINSTALL=1 yum install PrivX-20.0-....
    
  2. Enable legacy-x509-certificate support:
    # echo "GODEBUG=x509ignoreCN=0" >> /opt/privx/scripts/local-env
    
  3. Run postinstall manually:
    # /opt/privx/scripts/postinstall.sh
    

Note

Update your legacy certificates as soon as possible! This workaround for supporting legacy X.509 certificates is temporary and the support will be terminated in PrivX 22 and later.

Upgrading to the Latest Version

  • Upgrading to this version is supported from three previous major versions (19.x, 18.x, 17.x)
  • If you are planning to upgrade from an older version, please contact support.

Supported Releases

We produce security and stability fixes for the three latest major releases (20.x, 19.x, 18.x).

New Features

Improvements and bug fixes

  • [PX-4095] Support for OAuth2 scopes in authorize request
  • [PX-4072] The user should see only usable secrets on connection page
  • [PX-4182] PrivX HTTP response for SCIM POST for duplicates returns incorrect status code
  • [PX-4181] Missing number of hosts on the directories page for SCIM directory
  • [PX-4144] RoleContext-role-blocked incorrectly
  • [PX-4142] The certificate data given to the RDP client differs in format from that used in host objects
  • [PX-4141] connection-manager: disconnected timestamp remains after connection goes from Timeout to Connected status
  • [PX-4138] SSH-Bastion: incorrect session added audit event for forwarded-tcpip channels
  • [PX-4136] License manager generates no audit events
  • [PX-4103] Save button disabled when creating secret
  • [PX-4101] AWS NLB health check results into SSH-MITM error log prints
  • [PX-4096] "password authentication failed" error seen in postinstall output when PostgreSQL user password contains colon ":"
  • [PX-4074] redemption_cert.sh uses wrong openssl command when passphrase-protecting the private key
  • [PX-4064] UI: restart dialog does not detect that back end has started after restart
  • [PX-4041] SSH-MITM panics if client connection is closed before target connection fails
  • [PX-4038] SSH2 public key parsing fails for ssh-keygen-g3 generated keys
  • [PX-4037] Host-store not starting when using file_based license without license
  • [PX-3966] API reference doc's /authorizer: faulty principal response schema
  • [PX-3962] Go language packages upgrades
  • [PX-3951] Virtual smartcard allows arbitrary signing operations after RDP smartcard login
  • [PX-3943] MFA API enable/disable endpoints fixes
  • [PX-3942] GET /role-store/api/v1/users/{user_id}/resolve endpoint - missing information in response
  • [PX-3928] API reference doc's/workflow-engine: faulty response in create workflow and request
  • [PX-3921] API reference doc's: faulty response object in connection-manager
  • [PX-3899] Body parameters are not seen in api/docs but they are required
  • [PX-3895] API reference docs for license manager. Response schema object has faulty data types
  • [PX-3869] Rolestore API docs: include_deleted does not exist
  • [PX-3837] Wrong error message when local user login with incorrect password
  • [PX-3692] User store/trusted client's body params are not up to date inside the API reference doc
  • [PX-3590] Secret name does not strip white spaces
  • [PX-3589] Duplicate name error not visible on Secret creation
  • [PX-2864] Old approve role members can still approve workflow requests, even if role has been removed from workflow approvers

Known Issues

  • [PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
    • Workaround: To correct SELinux context, copy the principals_command.sh to correct location:

      # scp -i key.pem principals_command.sh [email protected]:/tmp/
      # ssh -i key.pem [email protected] "sudo cp /tmp/principals_command.sh /etc/ssh/"

      
  • [PX-1711] - RDP fails to connect to target in maintenance mode, need support for /admin flag

  • [PX-1835] - Extender/Carrier/WebProxy configs are not migrated on upgrade
    NOTE: In case of manual changes in the extra component .toml files:
    • Before upgrading, please copy the .toml files to another folder.

    • After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.

  • [PX-1875] - Web proxy login does not work, if login page does requests to multiple domains

  • [PX-2947] - No sound when viewing recorded rdp-mitm connection.

  • [PX-3086] - PrivX role mapping to AD OU not working as expected.

  • [PX-3529] Wrong CA key is copied on the host when running the deployment script using extender
  • [PX-4035] Token refresh does not work and tabs do not share session state on Safari 14.1.1
  • [PX-4218] RDP native clients do not work when root permissions have been disabled in Kubernetes environment (default config)
