Release Notes for This Release

33.2

2024-08-06

PrivX 33.2 is an incremental release focusing on stability fixes.

Bug Fixes

  • [PX-6946] Directory user with TOTP MFA enabled can't log in to PrivX in restricted mode during zero-downtime upgrade

33.1

2024-03-27

PrivX 33.1 is an incremental release with security and bug fixes.

33.0

2024-02-15

Important Notes for This Release

Upgrade to 33 Only Supported from 32.x

Upgrade to this version is supported from the previous major release 32.x only! To upgrade from previous versions such as 31.x or 30.x, you must upgrade to 32.2 first, before you can upgrade to 33.

For more information about upgrading from older versions, see Upgrade from Older Releases.

After this release, we provide security and stability fixes for PrivX 33.x, 32.x, and 31.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.

PrivX Documentation Moved to New Documentation Platform

The move is transparent for users. You may access the latest version of PrivX docs as usual at https://privx.docs.ssh.com

If you need to access older documentation versions, specify the version in the URL. For example, PrivX 29 at https://privx.docs.ssh.com/v29

privx-cmd and PrivX-Agent support for old platforms ended

privx-cmd and agents from this release may not support old platforms:

  • Windows 7, 8, Server 2008 and Server 2012.
  • macOS versions 10.14 and older.

If you use agents or privx-cmd for enabling native-client connections, ensure that the users' OS is updated.

Deprecation Warnings

Redis Support Ending

Redis support will end in a future release. We recommend you change to PostgreSQL for PrivX microservice notifications. If your PrivX still uses Redis for notifications, see Change Notification Mechanism to PostgreSQL.

SHA-1-Certificate End of Support Imminent

Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.

By default PrivX will not trust certificates with SHA-1 signatures unless they are self-signed. Re-enabling trust for such certificates requires setting the GODEBUG=x509sha1=1 environment variable for PrivX microservices and tools.

Practical attacks against SHA-1 were demonstrated in 2017, and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.

CentOS/RHEL 7 Support Ending

CentOS 7 and RHEL 7 will reach end of life on June 30, 2024. PrivX aims to end installation support for these platforms on the same timeline. Starting from PrivX 32, Rocky Linux 9 and RHEL 9 are officially supported. See Migrate from EOL Operating Systems.

New Features

Improvements

  • [PX-6503] Implement an optional support of "Set-Cookie" header for Python SDK
  • [PX-6586] Show number of active connections in PrivX restart dialog
  • [PX-6427] "Pair New Device" button is not shown under Account page if PrivX is not registered to mobile gateway
  • [PX-6013] New design of PrivX landing UI
  • [PX-6473] Entra ID (Azure AD) user directory support for additional and custom attributes
  • [PX-6424] PrivX install supports PostgreSQL 15 and 16
  • [PX-6502] Content-Type header added to PrivX SDK requests
  • [PX-6369] The role list no longer displays member counts automatically for performance reasons. Accurate role member counts are now shown on the role details page.
  • [PX-6364] Trail integrity check improvements
  • [PX-6627] Loading larger amounts of secrets is faster
  • [PX-6577] Statistics collection job waits to start until previous job is completed
  • [PX-6565] GET /users/{id}/resolve to return user object and user's roles

Bug Fixes

  • [PX-6610] Issuing certificates fails when there is an expired access group CA certificate
  • [PX-6576] Navibar autohide does not work in Firefox Carrier browser
  • [PX-6566] Incorrect help texts on deployment page
  • [PX-6515] Upgrade on Kubernetes doesn't clean up PrivX CA Key
  • [PX-6482] Setting user directory TTL to 0 or below 0 behaves incorrectly
  • [PX-6481] Web container (firefox) allows installing extensions
  • [PX-6458] PrivX RPM upgrade backs up incorrect version of config file
  • [PX-6417] Editing a Microsoft Graph user directory may result in multiple synchronization tasks running concurrently
  • [PX-6387] workflow-engine sends more queries to role-store than needed
  • [PX-6348] Stopping PrivX directory sync does not work properly
  • [PX-6343] MS Graph directory logs are too verbose
  • [PX-6334] Numerous concurrent logins using the same user account result in a high number of slow database insert operations
  • [PX-6211] AWS roles page is sometimes showing the same role multiple times
  • [PX-6184] "User-authentication-failed" error should only be logged when login failed in the end.

Known Issues

  • [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI

    • Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:

      # scp -i key.pem principals_command.sh user@target:/tmp/
      # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"

  • [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag

  • [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade

  • [PX-1875] Web proxy login does not work, if login page does requests to multiple domains

  • [PX-2947] No sound when viewing recorded rdp-mitm connection.

  • [PX-3086] PrivX role mapping to AD OU not working as expected.

  • [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender

  • [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account

  • [PX-4352] UI shows deleted local user after delete

  • [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.

    • Workaround: Restart affected Carrier and Web-Proxy services.

  • [PX-4662] Pasting larger text amount in Carrier/Proxy host fails (limited to 16kB for now)

  • [PX-4689] PrivX Linux Agent leaving folders in /tmp

  • [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.

  • [PX-5558] PrivX does not support password change required option for user in auth flow via passkey.
