Release Notes for This Release
35.3
2024-09-30
35.3 is an incremental release focusing on stability fixes.
35.2
2024-08-09
35.2 is an incremental release focusing on stability fixes.
35.1
2024-08-06
35.1 is an incremental release focusing on stability fixes.
Bug Fixes
- [PX-6946] Directory user with TOTP MFA enabled can't log in to PrivX in restricted mode during zero-downtime upgrade
- [PX-6985] Role request rejection from one approver does not finalize the rejection.
- [PX-6988] Workflow created via API without specifying max_active_requests does not work
35.0
2024-06-25
35.0 is a major release with new features such as password management for Active Directory and Entra domains, and Carrier support for Podman.
After this release, we provide security and stability fixes for PrivX 35.x, 34.x, and 33.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
Supported upgrade paths to this release are:
- Upgrade with downtime: 32.x, 33.x, 34.x
- Zero-downtime upgrade: 34.x
Important Notes for This Release
Upgrade not supported with old PostgreSQL versions
You cannot upgrade to PrivX 35 if your PrivX deployment uses PostgreSQL version 10 or earlier. You must upgrade the PrivX database to PostgreSQL version 11.x or later before upgrading PrivX.
Note that PostgreSQL 11 has already reached EOL and PrivX support for it will be dropped soon, so we recommend upgrading to at least PostgreSQL 12.x or later.
If postinstall.sh fails to correctly determine your PostgreSQL version during upgrade, see this guide for troubleshooting.
Increased upgrade duration
Upgrading to this version may take somewhat longer, especially in environments with many hosts and principals.
Deprecation Warnings
CentOS/RHEL 7 Support Ending
CentOS 7 and RHEL 7 will reach end of life on June 30, 2024. PrivX aims to end installation support for these platforms on the same timeline. Starting from PrivX 32, Rocky Linux 9 and RHEL 9 are officially supported. See Migrate from EOL Operating Systems.
PostgreSQL 11.x Support Ending
PostgreSQL 11.x reached end of life in Nov. 2023, and official support for this version will end in a future release.
SHA-1 Certificate End of Support Imminent
Support for certificates signed with SHA-1 will be dropped in future PrivX releases.
By default PrivX does not trust certificates with SHA-1 signatures unless they are self-signed. Re-enabling trust for such certificates requires setting the GODEBUG=x509sha1=1 environment variable for PrivX microservices and tools.
Practical attacks against SHA-1 were demonstrated in 2017, and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
API Endpoint GET /role-store/api/v1/roles Breaking Changes
Starting from PrivX version 36, the API endpoint GET /role-store/api/v1/roles will use a default limit=50 and enforce a maximum allowed limit=1000.
Due to these changes, API clients can no longer rely on fetching all roles with one API call. API clients must make multiple API calls with an explicit limit and an increasing offset until all roles, as indicated by the API response's count property, have been fetched.
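The paging loop the note asks for, as an added example that is not code from the PrivX release notes or SDK: the HTTP call is replaced by a constructed in-memory stand-in so it runs offline, and the response shape (a count property next to an items array) and the stand-in's behaviour above the maximum limit are assumptions.

```python
"""Client-side pagination for GET /role-store/api/v1/roles under the PrivX 36
limits described above. Added example, not PrivX code or SDK: the HTTP call is
replaced by a constructed in-memory fake so it runs offline; the response shape
(``count`` plus an ``items`` array) is an assumption beyond the notes."""
from typing import Callable, Dict, List

DEFAULT_LIMIT = 50   # applied by the server when the client sends no limit (PrivX 36+)
MAX_LIMIT = 1000     # maximum allowed per call (PrivX 36+)


def fetch_all_roles(get_page: Callable[[int, int], Dict], limit: int = MAX_LIMIT) -> List[Dict]:
    """Call the endpoint with an explicit limit and a growing offset until `count` roles are held."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    roles: List[Dict] = []
    offset = 0
    while True:
        page = get_page(limit, offset)
        items = page["items"]
        roles.extend(items)
        # Stop on the server-reported count; an empty page also stops the loop so a
        # count that disagrees with the data cannot spin the client forever.
        if len(roles) >= page["count"] or not items:
            return roles
        offset += len(items)


class FakeRoleStore:
    """Constructed stand-in for the HTTP layer, modelled on the PrivX 36 endpoint behaviour."""

    def __init__(self, total: int) -> None:
        self.roles = [{"id": f"role-{i:04d}", "name": f"role{i}"} for i in range(total)]
        self.calls = 0

    def get_page(self, limit: int = DEFAULT_LIMIT, offset: int = 0) -> Dict:
        self.calls += 1
        if limit > MAX_LIMIT:  # the notes say the maximum is enforced; rejecting is this fake's assumption
            raise ValueError("limit above the maximum allowed")
        return {"count": len(self.roles), "items": self.roles[offset:offset + limit]}


if __name__ == "__main__":
    store = FakeRoleStore(2350)
    print(len(fetch_all_roles(store.get_page)), "roles in", store.calls, "calls")  # 2350 roles in 3 calls
```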
New Features
- [PX-6004] Password rotation for domain accounts
- Automatically rotate domain-account passwords according to custom password policies
- Allow PrivX users to access domain accounts without knowing the password
- Mechanisms for checking out domain-account passwords can be enabled where necessary.
- [PX-5494] PrivX Carrier supports Podman containerization
- Instead of Docker as root, you can run Carrier on Podman with an unprivileged account.
- [PX-3439] Allow defining SSH host key via host tags
- [PX-6797] Bookmark contexts are permission aware
Improvements
- [PX-6772] Remove "serialize-ops" HSM feature from CloudHSM
- [PX-6759] Contextual information written to SSH and RDP bastion logs to help error investigation
- [PX-6532] Kerberos key and config files dropped from backup scripts
- [PX-6347] Performance enhancement with MS Graph user directory
- [PX-6740] Connection tags are made case-sensitive
- [PX-6842] Upgrade script only kills the nginx process bound to port 443
Bug Fixes
- [PX-6314] Duplicate components sometimes appear in monitoring status page
- [PX-6651] Disabling UEBA causes errors in log
- [PX-6654] connection-manager: SQL query to connection_tags does not always return the correct count
- [PX-6712] Timestamp properties are not properly validated
- [PX-6747] role-store fails to return an error while persisting user info
- [PX-6750] Customised backup directory name not accepted in restore.sh
- [PX-6776] "Configuration-error 1" event not created when certificate about to expire
- [PX-6811] User is not prompted for password when MaxAuthTries configured on ssh target host is reached
- [PX-6838] Carrier browser does not fullscreen when it does not have public internet access
Known Issues
[PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
- Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:
  # scp -i key.pem principals_command.sh user@target:/tmp/
  # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
[PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
[PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
[PX-1875] Web proxy login does not work if the login page makes requests to multiple domains
[PX-2947] No sound when viewing recorded rdp-mitm connection.
[PX-3086] PrivX role mapping to AD OU not working as expected.
[PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
[PX-3887] RDP connection to Remote Desktop Server (RDS) Farm is not supported.
[PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
[PX-4352] UI shows deleted local user after delete
[PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
- Workaround: Restart affected Carrier and Web-Proxy services.
[PX-4662] Pasting larger text amount in Carrier/Proxy host fails (limited to 16kB for now)
[PX-4689] PrivX Linux Agent leaving folders in /tmp
[PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
[PX-5558] PrivX does not support password change required option for user in auth flow via passkey.
[PX-6809] Local account password rotation does not support Windows server behind PrivX extenders
[PX-6893] Target Domain account password login may fail against Windows OpenSSH servers
[PX-6940] Target domain account login to Windows Tectia server does not work
[PX-7033] Unable to add or modify hosts with only Hosts-view & Host-manage permission
- Workaround: Also grant target-domains-view permission to users who need to add hosts, then retry adding/modifying hosts.
[PX-7039] monitor-service fatal error if PrivX was inactive for over a month.
Note: This will be fixed in PrivX 36 and later.
Notable API Changes
- New optional property target_domain has been added to the host principal object used in the host-store hosts API endpoints.
- Password policy object in the secrets-manager API has changed:
  - Allowed value range for property rotation_interval has changed: new minimum value is PT1H, new maximum value is PT8640H
  - Allowed value range for property retry_interval has changed: new minimum value is PT10S, new maximum value is PT1H
  - New required property max_concurrent_checkouts has been added: minimum value is 1, maximum value is 100
  - New required property max_checkout_duration has been added: minimum value is PT30S, maximum value is PT8H
  - New boolean property rotate_on_release has been added, default value is false
  - New boolean property verify_after_rotation has been added, default value is false
  - Property delete_version_after has been removed; secrets-manager will ignore it in POST/PUT requests
  - Property fallback_to_previous has been removed; secrets-manager will ignore it in POST/PUT requests
  - Allowed value range for property
- New endpoints have been added to the Authorizer API under the /authorizer/api/v1/secrets path
- New endpoints have been added to the Secrets-manager API under the /secrets-manager/api/v1/targetdomains path
- New API permissions target-domains-view and target-domains-manage have been added
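A client-side pre-flight check of a password policy object against the ranges listed for the secrets-manager API change, as an added example that is not PrivX code: the server performs its own validation, and the assumption that the duration properties take only the ISO 8601 PT..H/M/S form shown in the notes is this example's, not the page's.

```python
"""Pre-flight check of a secrets-manager password policy against the PrivX 35.0
ranges above. Added example, not PrivX code; the server validates on its own."""
import re
from typing import Dict, List

_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")  # ISO 8601 time part, assumed format

def parse_duration(value) -> int:
    """Convert an ISO 8601 duration such as 'PT8640H' or 'PT30S' to seconds."""
    m = _DURATION.match(value) if isinstance(value, str) else None
    if not m or value == "PT":
        raise ValueError(f"unsupported duration {value!r}")
    hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return hours * 3600 + minutes * 60 + seconds

# (min, max, required) per property, taken from the 35.0 API change list.
DURATION_RULES = {
    "rotation_interval": ("PT1H", "PT8640H", False),
    "retry_interval": ("PT10S", "PT1H", False),
    "max_checkout_duration": ("PT30S", "PT8H", True),
}
INT_RULES = {"max_concurrent_checkouts": (1, 100)}  # required
BOOL_DEFAULTS = {"rotate_on_release": False, "verify_after_rotation": False}
REMOVED = ("delete_version_after", "fallback_to_previous")  # ignored by secrets-manager

def check_password_policy(policy: Dict) -> List[str]:
    """Return the problems found; an empty list means the object fits the 35.0 ranges."""
    problems: List[str] = []
    for key, (lo, hi, required) in DURATION_RULES.items():
        if key not in policy:
            if required:
                problems.append(f"{key}: required property missing")
            continue
        try:
            secs = parse_duration(policy[key])
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
            continue
        if not parse_duration(lo) <= secs <= parse_duration(hi):
            problems.append(f"{key}: {policy[key]} outside {lo}..{hi}")
    for key, (lo, hi) in INT_RULES.items():
        val = policy.get(key)
        if isinstance(val, bool) or not isinstance(val, int) or not lo <= val <= hi:
            problems.append(f"{key}: integer from {lo} to {hi} required")
    for key, default in BOOL_DEFAULTS.items():
        if not isinstance(policy.get(key, default), bool):
            problems.append(f"{key}: must be true or false")
    problems.extend(f"{key}: removed in 35.0, will be ignored" for key in REMOVED if key in policy)
    return problems
```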