Release Notes for This Release
40.0
2025-06-02
40.0 is a major release that adds beta-level support for the FIPS-approved mode of operations. Upgrade to this major version if you need to run PrivX in compliance with FIPS; otherwise, we recommend skipping setup of, or upgrade to, this major version.
You can set up PrivX 40.0 in FIPS-approved mode of operations with your current PrivX license. A new license will be required for enabling FIPS-approved mode of operations in future major releases.
After this release, we provide security and stability fixes for PrivX 40.x, 39.x, and 38.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
Supported upgrade paths to this release are:
- Upgrade with downtime: 37.x, 38.x, 39.x
- Zero-downtime upgrade: 39.x
The latest PrivX LTS version is v36, which can be obtained here.
Important Notes for This Release
PrivX does not work on OSes with freerdp-libs
If the freerdp-libs package is present on the OS before PrivX is installed or upgraded, ldconfig links certain libraries incorrectly. This results in undefined behaviour and invalidates any compliance guidance (for example FIPS) that PrivX provides.
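As an added example (not a PrivX tool, and not from the PrivX documentation), the following pre-install check refuses to proceed when the freerdp-libs package is installed or when the ldconfig cache already lists a FreeRDP shared object. It uses the standard rpm -q and ldconfig -p commands; the assumption that the package's shared objects start with libfreerdp is an assumption made here, not stated on this page.

```python
import shutil
import subprocess
import sys

FREERDP_PACKAGE = "freerdp-libs"
# Assumption (not from the release notes): the package's shared objects are
# named libfreerdp*.so*, which is what we look for in the ldconfig cache.
FREERDP_SONAME_PREFIX = "libfreerdp"


def ldcache_lists_freerdp(ldconfig_output):
    """Return the `ldconfig -p` lines that name a FreeRDP shared object.

    `ldconfig -p` prints a summary line followed by one tab-indented line per
    cached library, e.g. "\tlibz.so.1 (libc6,x86-64) => /lib64/libz.so.1".
    """
    return [line.strip() for line in ldconfig_output.splitlines()
            if line.lstrip().startswith(FREERDP_SONAME_PREFIX)]


def package_installed(name=FREERDP_PACKAGE):
    """True if rpm reports `name` installed; False when rpm is unavailable."""
    if shutil.which("rpm") is None:
        return False
    return subprocess.run(["rpm", "-q", name], capture_output=True).returncode == 0


def preflight():
    """Return the list of blockers that must be fixed before installing PrivX.

    An empty list means the host is clean. Both checks are needed: a removed
    package can leave stale cache entries until ldconfig is re-run.
    """
    problems = []
    if package_installed():
        problems.append("%s is installed; remove it before installing or upgrading PrivX"
                        % FREERDP_PACKAGE)
    try:
        cache = subprocess.run(["ldconfig", "-p"], capture_output=True,
                               text=True, check=False).stdout
    except FileNotFoundError:
        cache = ""  # non-glibc or ldconfig not on PATH; nothing to scan
    hits = ldcache_lists_freerdp(cache)
    if hits:
        problems.append("ldconfig cache still lists %d FreeRDP object(s), e.g. %s; "
                        "re-run ldconfig after removing the package" % (len(hits), hits[0]))
    return problems


if __name__ == "__main__":
    blockers = preflight()
    for blocker in blockers:
        print("BLOCKER:", blocker, file=sys.stderr)
    sys.exit(1 if blockers else 0)
```

Run it as root on the target host immediately before the PrivX installer; a non-zero exit means the host must be cleaned up first.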
Switch to discoverable passkeys (since v39)
From PrivX v39 and later, any passkeys added to PrivX are discoverable: when you choose to log in with a passkey, you can select from any of the credentials you have registered.
Note that passkeys added in v38 and earlier are undiscoverable, and support for undiscoverable passkeys will be discontinued in a future release. If you added passkeys in v38 or earlier, re-register them in v39 or later to ensure they keep working.
For more information about setting up passkey login, see Passkey Login.
Changes to sshexec and exec router control commands (since v38)
From v38 and later, network-access manager sends an extra {session parameters} argument to the control commands of sshexec routers and exec routers.
- For sshexec routers, network-access manager now executes the fixed commands:
  /opt/privx/privx-router/sshexec/add {network parameters} {router parameters} {session parameters} [{static config}]
  /opt/privx/privx-router/sshexec/del {network parameters} {router parameters} {session parameters} [{static config}]
- For exec routers, network-access manager now executes the fixed commands:
  /opt/privx/privx-router/exec/add {network parameters} {router parameters} {session parameters} [{static config}]
  /opt/privx/privx-router/exec/del {network parameters} {router parameters} {session parameters} [{static config}]
The {session parameters} argument contains the session parameters in JSON format, for example:
{
  "session_id": "f5d747f6-af79-412b-4471-b6f5043c90ce",
  "target_id": "07bee1e7-7061-4a90-4831-f501bcbc778e",
  "target_name": "ot-sshexec-target"
}
This change may break existing sshexec/exec routers that can't accommodate the extra argument. Such scripts/binaries will need to be changed to support the additional argument.
For more information about sshexec/exec routers, see PrivX Router Configuration.
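The following is an added example control script, not PrivX's own router code and not taken from the PrivX Router Configuration documentation. It shows how a Python-based exec/sshexec add or del command can accept the v38+ {session parameters} argument while still tolerating the pre-v38 argument list (where the third argument, if present, was the static config). It treats {network parameters} and {router parameters} as opaque strings, because their format is not described on this page, and it validates session_id and target_id as UUIDs and restricts target_name to a safe character set before anything is interpolated into a host command. The plan() function is hypothetical: it returns what the router would do instead of changing the host.

```python
#!/usr/bin/env python3
"""Example PrivX exec/sshexec router control command (added example).

PrivX v38+ runs:  add|del {network parameters} {router parameters} {session parameters} [{static config}]
Pre-v38 ran:      add|del {network parameters} {router parameters} [{static config}]
"""
import json
import re
import sys
import uuid

# Keys carried in the {session parameters} JSON, as shown in the release notes.
SESSION_KEYS = {"session_id", "target_id", "target_name"}


def _try_json(text):
    """Return the parsed JSON value, or None if `text` is not JSON."""
    try:
        return json.loads(text)
    except (TypeError, ValueError):
        return None


def parse_control_args(argv):
    """Return (network, router, session, static_config) from the control arguments.

    The v38+ and pre-v38 forms are told apart by whether the third argument is
    a JSON object carrying session keys. `session` is None in the old form and
    `static_config` is None when the optional argument is absent.
    """
    if len(argv) < 2:
        raise ValueError("expected at least {network parameters} {router parameters}")
    network, router, rest = argv[0], argv[1], list(argv[2:])
    session = None
    if rest:
        candidate = _try_json(rest[0])
        if isinstance(candidate, dict) and SESSION_KEYS.intersection(candidate):
            session = candidate
            rest = rest[1:]
    if len(rest) > 1:
        raise ValueError("unexpected extra arguments: %r" % (rest[1:],))
    return network, router, session, (rest[0] if rest else None)


def validate_session(session):
    """Reject session parameters that are unsafe to pass on to host commands.

    session_id and target_id must parse as UUIDs; target_name is limited to a
    conservative character set because routers commonly put it into firewall
    rule comments, log lines or file paths built with the shell.
    """
    if session is None:
        return None  # pre-v38 caller, nothing to validate
    for key in ("session_id", "target_id"):
        uuid.UUID(str(session.get(key, "")))  # raises ValueError when malformed
    name = str(session.get("target_name", ""))
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,128}", name):
        raise ValueError("target_name contains characters unsafe for host commands")
    return session


def plan(action, argv):
    """Hypothetical: describe what the router would do for 'add' or 'del'.

    A real router would set up or tear down its tunnel/firewall state here;
    returning a dict keeps the argument handling testable.
    """
    if action not in ("add", "del"):
        raise ValueError("action must be 'add' or 'del'")
    network, router, session, static_config = parse_control_args(argv)
    validate_session(session)
    return {
        "action": action,
        "network": network,
        "router": router,
        "session_id": session["session_id"] if session else None,
        "target_name": session["target_name"] if session else None,
        "static_config": static_config,
    }


if __name__ == "__main__":
    # Dispatch on the script name so one file can be installed as both
    # /opt/privx/privx-router/exec/add and /opt/privx/privx-router/exec/del.
    action = sys.argv[0].rsplit("/", 1)[-1]
    try:
        result = plan(action, sys.argv[1:])
    except ValueError as err:
        print("router: %s" % err, file=sys.stderr)
        sys.exit(2)
    print(json.dumps(result))
```

Treat every field of the session JSON as attacker-influenced input for the purpose of the router script: target_name is administrator-controlled in PrivX, but the script runs with the privileges needed to change host networking, so the cost of validating is low and the cost of a quoting mistake is high.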
Deprecation Warnings
Amazon Linux 2 support Ended
We announced that installation support for Amazon Linux 2 would end by June 2025. Because this version only adds beta-level FIPS support and we recommend that existing PrivX environments skip it, this version has no binary releases for Amazon Linux 2.
If you are running PrivX on Amazon Linux 2, see Migrate from EOL Operating Systems to migrate to a supported OS.
SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 will be dropped in future PrivX releases.
By default PrivX does not trust certificates with SHA-1 signatures unless they are self-signed. Re-enabling trust for such certificates requires setting the GODEBUG=x509sha1=1 environment variable for PrivX microservices and tools.
Practical attacks against SHA-1 have been demonstrated in 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
New Features
- [PX-7327] Beta support for FIPS-approved mode of operations
Improvements
- [PX-7531] Make PrivX CA and access group CA key type and size configurable
- [PX-7686] Improvement in fetching product version info
- [PX-7710] UI: rename default RDP service min/max TLS version labels to "Unspecified"
- [PX-7615] Support HEAD method for SCIM server
- [PX-7660] Expired PrivX component CAs can be renewed in UI
Bug Fixes
- [PX-7393] Role mapping rules: an "Any Rule Matches" group with nested groups causes an error
- [PX-7624] Pasting a copied secret from the mini-secrets UI doesn't work in a web connection
- [PX-7625] A role request for floating membership can be sent without justification when "Requesters must provide justification" is enabled
- [PX-7690] API clients should be able to call GET /accessgroups and GET /cert/templates on the authorizer without having management permissions
- [PX-7712] troubleshoot.sh script incorrectly uses a hardcoded Postgres log directory
- [PX-7722] Administration -> Hosts can show a non-configured account
Known Issues
- [PX-1711] RDP fails to connect to a target in maintenance mode; support for the /admin flag is needed
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
- [PX-1875] Web proxy login does not work if the login page makes requests to multiple domains
- [PX-2947] No sound when viewing a recorded rdp-mitm connection
- [PX-3086] PrivX role mapping to an AD OU does not work as expected
- [PX-3529] The default access group CA key is always copied to the host when running the deployment script via Extender
- [PX-3655] RemoteApp cannot be restored after it is minimized
- [PX-3887] RDP connection to a Remote Desktop Server (RDS) farm is not supported
- [PX-4218] RDP native clients do not work in a Kubernetes environment when running under a non-root account
- [PX-4352] UI shows a deleted local user after deletion
- [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting
  - Workaround: Restart the affected Carrier and Web-Proxy services.
- [PX-4662] Pasting a large amount of text into a Carrier/Proxy host fails (limited to 16 kB for now)
- [PX-4689] PrivX Linux Agent leaves folders in /tmp
- [PX-4778] RDP-PROXY: a file under scanning cannot be overwritten
- [PX-4809] Empty file(s) are created when ICAP detects malicious uploads with SCP via the SSH Bastion
- [PX-5558] PrivX does not support the "password change required" option for a user in the auth flow via passkey
- [PX-5587] Live playback of a WEB session stays stuck in live mode after disconnecting by closing the Carrier browser
- [PX-5589] User cannot log in with PrivX Agent if the password includes a SPACE at the start or end
- [PX-6490] PrivX RDP session screen corrupts on Windows 2008 via Chrome and Edge browsers
- [PX-6636] Web-target vCenter keystrokes do not work properly in the BIOS/GRUB menu
- [PX-7524] Host search sort does not work
- [PX-7688] FIPS mode: the deployment script does not work with the default CentOS 7 Python
- [PX-7771] Certificates -> Manage shows an empty page for Authorizer certificates
- [PX-7792] PrivX does not work on OSes with freerdp-libs
Notable API Changes
- The data_version key in microservice tomls has been removed. This property is not exposed through the API and was not intended for integration use. If you have an integration relying on this property, update it accordingly.