Release Notes for This Release
24.0
2022-06-27
Important Notes
End of life for Legacy Certificates
PrivX 22 and later will no longer support workaround for legacy X.509 certificates that do not contain server FQDN in Subject-Alt-Name extension field. Please upgrade your server certificates to include SAN extension before upgrading to PrivX 22 or later releases.
Deprecation Warnings
CentOS 8 is no longer supported
PrivX does not support CentOS 8 release because CentOS 8 reached end of life during December 2021. From PrivX 21, Rocky Linux 8 is supported. You may Migrate to Rocky Linux.
SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.
Practical attacks against SHA-1 have been demonstrated in 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
Supported releases and upgrade path
After this release, we produce security and stability fixes for PrivX 24.x, 23.x, and 22.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
Upgrading to this version is supported from three previous major versions (23.x, 22.x, 21.x). For more information about upgrading from older versions, see Upgrade from Older Releases.
New features
- [PX-3980] Real-Time Auditing SSH Connections
- [PX-4044] Login to PrivX with JWT token from trusted token provider
- [PX-4831] Monitoring→Certificates displays certificates configured in PrivX
- [PX-4189] SCIM directory supports user import filter
- [PX-4419] ICAP antivirus check for file transfers using SFTP
- [PX-4298] Firefox browser in web carrier allows popups
Improvements
- [PX-4917] PrivX Router supports multiple RAC_IP_POOL / RAC_IP6_POOL in setup.sh
- [PX-4942] Upgrade Go versions to the 1.17.11
- [PX-4906] PrivX ICAP antivirus support WithSecure Atlant and Clearswift Secure ICAP Gateway
- [PX-4901] Request/Approval view supports more search filters
- [PX-4897] Guacamole log level aligned to RDP_PROXY_LOG_LEVEL in
/opt/privx/scripts/local-env - [PX-4813] Support OIDC v2.0 issuer urls with Azure
- [PX-4752] Network target client ping to detect disconnects
- [PX-4719] initial_install.sh prompt user for number of trusted load balancers
- [PX-4702] Monitoring→Status component auto-collapse when no errors
- [PX-4489] Option
--delegated-principals-allsupport by deployment script - [PX-4392] Set screen resolution in RDP-PROXY session
- [PX-4252] OIDC settings in SCIM directory is optional
Bug fixes
- [PX-5001] Privx ICAP does not scan the tmp folder for ssh-proxy and ssh-mitm in kubernetes env
- [PX-4988] API documentation fix for /authorizer/api/v1/ca/authorize
- [PX-4968] Deleting AWS directory does not delete aws roles from db
- [PX-4929] Workflowengine.log missing after installation
- [PX-4881] Workflows page in PrivX UI does not handle more than 50 workflows
- [PX-4842] Inaccurate error message when deleting password rotation script/policy which is in use
- [PX-4774] RDP smartcard deployment instruction on PrivX UI doesn't mention NLA
- [PX-4727] Possible to bypass domain restrictions on web targets by editing URL in URL bar
- [PX-4699] POST /authorizer/api/v1/ca/authorize returning OpenSSH certificates in incompatible format
- [PX-4239] Instruction fixes Deployment page for manual ssh host configuration
Known Issues
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
- Workaround: To correct SELinux context, copy the
principals_command.shto correct location:# scp -i key.pem principals_command.sh user@target:/tmp/ # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- Workaround: To correct SELinux context, copy the
- [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
- [PX-1875] Web proxy login does not work, if login page does requests to multiple domains
- [PX-2947] No sound when viewing recorded rdp-mitm connection.
- [PX-3086] PrivX role mapping to AD OU not working as expected.
- [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
- [PX-4035] Token refresh does not work and tabs do not share session state on Safari 14.1.1
- [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
- [PX-4352] UI shows deleted local user after delete
- [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
- Workaround: Restart affected Carrier and Web-Proxy services.
- [PX-4650] Setting access_token_valid to "1m" kicks the user out to the login page
- [PX-4662] Pasting larger text amount in Carrier/Proxy host fails (limited to 16kB for now)
- [PX-4689] PrivX Linux Agent leaving folders in /tmp
- [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
Updated almost 2 years ago