Release Notes for This Release

34.3.1

2024-10-11

This minor release fixes Carrier browser images (firefox, firefox_lite). Upgrading involves downloading the new browser images and tagging them to match the current PrivX Carrier version.

This example shows how to upgrade the Firefox lite container image on PrivX Carrier 34.3:

docker pull public.ecr.aws/sshprivx/privx_browser_firefox_lite:34.3.1
docker tag public.ecr.aws/sshprivx/privx_browser_firefox_lite:34.3.1 public.ecr.aws/sshprivx/privx_browser_firefox_lite:34.3

34.3

2024-09-30

34.3 is an incremental release focusing on stability fixes.

34.2

2024-08-06

PrivX 34.2 is an incremental release focusing on stability fixes.

Bug Fixes

  • [PX-6946] Directory user with TOTP MFA enabled can't login into PrivX in restricted mode during zero-downtime upgrade
  • [PX-6985] Role request rejection from one approver does not finalize the rejection.
  • [PX-6988] Workflow created via API without specifying max_active_requests does not work
  • [PX-6811] ssh: bookkeeping of tried authentication methods is broken

34.1

2024-04-26

PrivX 34.1 is an incremental release with security and bug fixes.

  • [PX-6790] Session recording for native RDP client connections does not work

  • [PX-6801] Configuring routing prefix for HA Carriers results in a duplicated name error

  • [PX-6813] Connection search timeout

34.0

2024-04-08

PrivX 34.0 is a maintenance release focusing primarily on stability improvements.

Important Notes for This Release

Issues related to role store API change (2024-06-18)

We have discovered an issue caused by the improvement "[PX-6584] Role store API support pagination", affecting PrivX versions 34.0 and 34.1:

  • Due to a bug, PrivX GUI cannot fetch more than 1000 roles. This issue will be fixed in PrivX 35. We'll consider a point release of PrivX 34.2 if needed.

Fetching all roles via PrivX API works. The default limit value is 50. If you need to fetch more roles, please use the offset parameter. For more information about the new functionality, see our API documentation.

Issues in RDP native-client connections! (2024-04-17)

We identified a major bug in PrivX 34.0 that affects native RDP client connections. If you use RDP native-client connectivity, we recommend against upgrading to this version. We are working on a point release to fix this issue.

For more detailed information about the issue, please contact SSH support.

RDP connections via the PrivX GUI work as intended.

Upgrade to 34 Only Supported from 32.x and later

Upgrade to this version is only supported from versions 32.x and later! To upgrade from previous versions such as 31.x, you must upgrade to 32.x first, before you can upgrade to 34.

Supported upgrade paths to this release are:

  • Upgrade with downtime: 32.x, 33.x
  • Zero-downtime upgrade: 33.x

For more information about upgrading from older versions, see Upgrade from Older Releases.

After this release, we provide security and stability fixes for PrivX 34.x, 33.x, and 32.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.

Deprecation Warnings

PostgreSQL 11.x Support Ended

PostgreSQL 11.x reached end of life in Nov. 2023, and official support for this version will end in future releases.

SHA-1-Certificate End of Support Imminent

Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.

By default PrivX will not trust certificates with SHA-1 signatures unless they are self-signed. Re-enabling trust for such certificates requires setting the GODEBUG=x509sha1=1 environment variable for PrivX microservices and tools.

Practical attacks against SHA-1 were demonstrated in 2017, and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
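To see which certificates in a PEM bundle fall under the default described above, the following added example (not PrivX code or part of the PrivX tooling) labels each certificate as unaffected, SHA-1 but self-signed, or SHA-1 and rejected by default. The function names and verdict strings are illustrative, and "self-signed" is assumed to mean that the issuer and subject names match.

```go
package main

import (
	"bytes"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"io"
	"os"
)

// classify labels a certificate "ok", "sha1-self-signed" or "sha1-rejected".
func classify(c *x509.Certificate) string {
	switch c.SignatureAlgorithm {
	case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		if bytes.Equal(c.RawIssuer, c.RawSubject) { // assumption: issuer == subject means self-signed
			return "sha1-self-signed"
		}
		return "sha1-rejected" // re-issue, or set GODEBUG=x509sha1=1 as a stopgap
	}
	return "ok"
}

// auditPEM returns one "<verdict>: <subject>" line per certificate in a bundle.
func auditPEM(bundle []byte) []string {
	var report []string
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // skip keys and other PEM objects in the same file
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			report = append(report, "unparseable: "+err.Error())
			continue
		}
		report = append(report, classify(cert)+": "+cert.Subject.String())
	}
	return report
}

func main() { // usage: go run audit.go < bundle.pem
	bundle, err := io.ReadAll(os.Stdin)
	if err != nil {
		panic(err)
	}
	for _, line := range auditPEM(bundle) {
		fmt.Println(line)
	}
}
```

Certificates reported as sha1-rejected are the ones to re-issue with a SHA-2 signature before relying on the default behavior.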

CentOS/RHEL 7 Support Ending

CentOS 7 and RHEL 7 will reach end of life on June 30, 2024. PrivX aims to end installation support for these platforms on the same timeline. Starting from PrivX 32, Rocky Linux 9 and RHEL 9 are officially supported. See Migrate from EOL Operating Systems.

New Features

  • [PX-6201] Support Universal SSH Key Manager as a host directory

Improvements

  • [PX-6609] Support Microsoft Graph custom attributes
  • [PX-6584] Role store API support pagination
  • [PX-6674] Configurable timeout values for PrivX Web Proxy
  • [PX-6580] PrivX UI: improved instruction on PrivX Authorizer (mobile app) pairing
  • [PX-6444] New sub-admin permissions: mobilegw-view and mobilegw-manage
  • [PX-6578] Improved connection-manager error responses
  • [PX-6682] Connection and event search default time range set to one week
  • [PX-6198] Redis is no longer supported for notifications
  • [PX-6597] Enforce reasonable minimum value to 2 minutes for access_token_valid, refresh_token_valid, session_valid and authorize_token_valid in oauth-shared-config.toml
  • [PX-6204] Allow setting maximum TLS version for RDP connections

Bug fixes

  • [PX-6647] Search SSH trail in maintenance mode causes page reload
  • [PX-6606] Windows line endings break offline license
  • [PX-6677] Non-admin users should be able to see service status of Auxiliary Instances
  • [PX-6621] Setting equal port min and port max in Extender service may crash the service
  • [PX-6616] license-manager: changing statistics collection opt-in in PrivX UI does not reflect to all HA nodes before license refresh
  • [PX-6620] Connection trail and metadata removal end time keeps on changing
  • [PX-6695] "Allow modified url params" in web host does not allow credentials being filled properly

Known Issues

  • [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI

    • Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:

      # scp -i key.pem principals_command.sh user@target:/tmp/
      # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"

  • [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag

  • [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade

  • [PX-1875] Web proxy login does not work, if login page does requests to multiple domains

  • [PX-2947] No sound when viewing recorded rdp-mitm connection.

  • [PX-3086] PrivX role mapping to AD OU not working as expected.

  • [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender

  • [PX-3887] RDP connection to Remote Desktop Server(RDS) Farm is not supported.

  • [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account

  • [PX-4352] UI shows deleted local user after delete

  • [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.

    • Workaround: Restart affected Carrier and Web-Proxy services.

  • [PX-4662] Pasting larger text amount in Carrier/Proxy host fails (limited to 16kB for now)

  • [PX-4689] PrivX Linux Agent leaving folders in /tmp

  • [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.

  • [PX-5558] PrivX does not support password change required option for user in auth flow via passkey.

  • [PX-6669] Kerberos login does not work if LDAP user does not have sAMAccountName
