These docs are for v29.

Release Notes for This Release

29.1

2023-07-20

PrivX 29.1 is an incremental release on top of PrivX 29.0. This release contains a few important bug fixes:

  • [PX-6087] rdp-proxy can crash with a runtime error
  • [PX-6076] privx-carrier status update causes slow memory leak
  • [PX-5957] Installing PrivX 29 breaks dnf in Amazon Linux 2023
  • [PX-6140] Devtools and popups are not working in v29.0 carrier browser images

29.0

2023-05-04

Important Notes for This Release

Azure-Directory Migration to MS Graph

If you have set up Azure user/host directories using the Azure AD Graph API, such directories will be automatically migrated to the MS Graph API when you upgrade to this release. After the upgrade, you will still need to manually set the following API permissions for the PrivX app in the Azure Portal:

Microsoft Graph→Application Permissions

  • User.Read.All
  • Groups.Read.All

Azure AD Graph API shall be deprecated in June 2023.

For more information about setting up Azure directories with MS Graph, see Azure AD as a User Directory via Microsoft Graph API.

Web Proxy no longer uses Squid

Since PrivX 29, PrivX Web Proxy no longer uses Squid for proxying HTTPS traffic. The proxying features have now been implemented in the PrivX Web Proxy binary, and all Squid dependencies have been removed from the RPM package.

If you still need Squid specific features for some reason, the latest PrivX core package is backwards compatible with earlier Carrier and Web Proxy components.

After upgrading PrivX core, Carrier, and Web Proxy to version 29, you need to re-download the web-proxy-config.toml file via the PrivX UI and replace your old configuration with it.

Required actions to optimize PrivX performance

As part of our ongoing effort to optimize PrivX performance, we have introduced additional indexing support since PrivX 28. Some of the improvements require the pg_trgm extension in the PrivX database. Please read Improve Performance with Indexing before upgrading.

Routing prefix name does not allow mixed cases

PrivX web gateways and extenders can be grouped under the same routing prefix to achieve high availability. The routing prefix name used to be treated as case-sensitive, but the name in the connection target is treated as case-insensitive by the native ssh client, so a mixed-case prefix could never be matched by what the client actually sends. To avoid this configuration error, only lowercase letters and numbers are allowed in routing prefix names.
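The following is an added illustration of the mismatch described above, not PrivX code: it models a case-sensitive prefix table, an ssh client that lowercases the target name, and the PrivX 29 rule that rejects mixed-case prefixes at configuration time. The table layout, the "<prefix>.<host>" target form and the function names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical model (not PrivX code): extenders are grouped under a routing prefix and a target is written "<prefix>.<host>".
var validPrefix = regexp.MustCompile(`^[a-z0-9]+$`)

// ValidatePrefix enforces the PrivX 29 rule: lowercase letters and digits only.
func ValidatePrefix(name string) error {
	if !validPrefix.MatchString(name) {
		return fmt.Errorf("routing prefix %q: only lowercase letters and digits are allowed", name)
	}
	return nil
}

// ClientNormalize models the native ssh client treating the target name as case-insensitive.
func ClientNormalize(target string) string { return strings.ToLower(target) }

// PrefixTable maps a routing prefix to the extenders grouped under it.
type PrefixTable map[string][]string

// Register models the PrivX 29 behaviour: a mixed-case prefix is rejected before it is stored.
func (t PrefixTable) Register(prefix, extender string) error {
	if err := ValidatePrefix(prefix); err != nil {
		return err
	}
	t[prefix] = append(t[prefix], extender)
	return nil
}

// Resolve performs the exact, case-sensitive lookup of the routing layer on the prefix part of the target.
func (t PrefixTable) Resolve(target string) ([]string, error) {
	prefix, _, _ := strings.Cut(target, ".")
	if exts, found := t[prefix]; found {
		return exts, nil
	}
	return nil, fmt.Errorf("no extender group for routing prefix %q", prefix)
}

func main() {
	legacy := PrefixTable{"DC1": {"ext-a"}} // stored exactly as typed before PrivX 29
	_, err := legacy.Resolve(ClientNormalize("DC1.srv01.example"))
	fmt.Println("legacy lookup:", err) // fails: the client sent "dc1", the table holds "DC1"
	fmt.Println("strict register:", PrefixTable{}.Register("DC1", "ext-a"))
}
```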

Deprecation Warnings

Redis Support Ending

We recommend using PostgreSQL for PrivX inter-microservice notifications. Please change the notification mechanism to PostgreSQL if your PrivX still uses Redis for notifications. Redis support will end in a future release.

PostgreSQL 9.x and 10.x Support Ending

PostgreSQL 9.x and 10.x reached end of life in 2021 and 2022 respectively, and support for these database versions will be dropped in a future PrivX release.

SHA-1 Certificate End of Support Imminent

Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.

Practical attacks against SHA-1 were demonstrated in 2017, and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.

Supported releases and upgrade path

After this release, we produce security and stability fixes for PrivX 29.x, 28.x, and 27.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.

Upgrading to this version is supported from three previous major versions (28.x, 27.x, 26.x). For more information about upgrading from older versions, see Upgrade from Older Releases.

New Features

Improvements

  • [PX-5792] Possible to use existing database and database user in Kubernetes deployment
  • [PX-5679] Carrier container performance improvement by replacing lsof with ss command in exit.sh script
  • [PX-5741] Support multiple PrivX FQDNs in Kubernetes deployment
  • [PX-5338] SSH Bastion interactive mode performance improvement when host list is very long
  • [PX-5320] Support tags to network target
  • [PX-5781] Indexing to connection table for performance improvement
  • [PX-5496] Troubleshooting scripts support more options

Bug fixes

  • [PX-4438] File uploads might fail in web target connections
  • [PX-5237] PrivX core/Extender/Web-Proxy rpms should not depend on firewalld
  • [PX-5671] Deploying new carrier/web-proxy on existing carrier/web-proxy host fails because of invalid certificate
  • [PX-5726] Refreshing single MS Graph user does not obey group filters
  • [PX-5790] Carrier should fall back to default Firefox image if container name is not defined
  • [PX-5805] After selecting role, it is not possible to select a membership while creating a request for a role
  • [PX-5815] Typo on the Administration→Deployment page
  • [PX-5822] SCIM directory eq filter not working properly
  • [PX-5825] Incorrect version number in role-store.toml
  • [PX-5830] Incorrect version number in monitor-service.toml
  • [PX-5879] The path property for personal secrets API has a leading space
  • [PX-5883] Web host is resolved incorrectly if there is a duplicate URL on different hosts
  • [PX-5885] Graph API and GSuite user directories do not recover from network errors
  • [PX-5891] Vulnerable docker lib used in extender
  • [PX-5761] Workflow request for a deleted role should not be possible
  • [PX-5878] Extender routing prefix validation is not done properly. Validation now disallows characters other than lowercase letters and numbers.

Known Issues

  • When upgrading PrivX Web Proxy to v29, make sure to stop the Squid service first. In some cases, the discontinued Squid process is not killed on upgrade and needs to be stopped manually.
  • [PX-6014] The downloaded extender-config.toml is missing the "privx_extender_service_enabled = true" setting. The admin should add it after downloading the config file.
  • [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
    • Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:

      # scp -i key.pem principals_command.sh user@target:/tmp/
      # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"

  • [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
  • [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
  • [PX-1875] Web proxy login does not work if the login page makes requests to multiple domains
  • [PX-2947] No sound when viewing recorded rdp-mitm connection.
  • [PX-3086] PrivX role mapping to AD OU not working as expected.
  • [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
  • [PX-4215] A successful OIDC login might generate an auth code that is too long to pass as a query parameter, which causes access-token fetching to fail (there is a workaround in the Nginx config since PrivX 27.0)
  • [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
  • [PX-4352] UI shows deleted local user after delete
  • [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
    • Workaround: Restart affected Carrier and Web-Proxy services.
  • [PX-4650] Setting access_token_valid to "1m" kicks the user out to the login page
  • [PX-4662] Pasting a larger amount of text in a Carrier/Proxy host fails (limited to 16 kB for now)
  • [PX-4689] PrivX Linux Agent leaving folders in /tmp
  • [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
  • [PX-5394] SSH cert auth conn fail after rotating PrivX CA Key
  • [PX-5558] PrivX does not support the "password change required" option for users in the WebAuthn auth flow.
  • [PX-5760] RDP Proxy fails to start.
  • [PX-5798] Typing becomes slower while mouse is hovering over clickable link in web client
    • Workaround: In an open connection, click Settings, then under Advanced, disable Clickable Links.