After applying the 24H2 update on Windows 11 client computers, the rendering of the RDP screen of One Identity Safeguard for Privileged Sessions failed, as it displayed a mostly black screen. The issue was fixed, and now the RDP screen appears correctly.
Issue ID: 468209

With verbose system logs enabled, the Test button of an item under Policies > LDAP Servers logged the LDAP password to /var/log/messages.
After the fix, the password is replaced with the text [removed sensitive data].
Issue ID: 468478

The gateway and remote groups mentioned in all rules of a channel policy were checked for user membership on incoming connections. For channel policies containing a high number of rules, this placed unnecessary load on the AD/LDAP server configured for the connection. If the AD/LDAP server failed under the load, connections were rejected until a failover or its recovery.
As an optimization, group membership is now evaluated only for groups mentioned in rules that match the source address of the incoming connection.
Issue ID: 413694

When the user name contained the inband destination separator character (for RDP, this is the "%" character; for all other protocols, it is either the "@" or the "%" character), the user name was processed as if it carried both the user identifier and the inband destination. Although this was documented behavior, it was counterintuitive when the connection policy did not allow inband destination selection.
Following the current release, the destination is only extracted from the user name when inband destination selection is enabled.
Issue ID: 450477

The secp256r1 elliptic curve is no longer required when a proxy connection is created to the target server via TLS.
Issue ID: 380752

Mouse algorithm baselines could grow too large, preventing backups from running. After this patch, mouse baselines are cleaned up much earlier.
Issue ID: 441246

When a user plays an RDP session in the webplayer where only the upstream is encrypted and the key is specified in the keystore, the webplayer plays the session with the event subtitles without a warning.
Issue ID: 459691

Auditors who used the SPS web UI with the dark theme and were restricted by an audit data access rule (ADAR) were unable to read the warning under the Sessions menu conveying the message "Your search results are limited. Learn more about ADARs.", as white text was displayed on a white background.
This has been fixed, and the warning is now displayed properly in dark theme mode as well.
Issue ID: 460481

When the user clicks a microcontent link, the pop-up dialog style now fits the general SPS style.
Issue ID: 340522

Under moderately high load, the communication with external AD/LDAP servers could be interrupted, which resulted in failed authentication attempts.
This problem was fixed, and interrupted requests are now retried within a timeout.
Issue ID: 434120
The system backup has been updated to include a check of the analytics database size before initiating the backup procedure. This adjustment prevents situations where the backup process might fill up the disk and trigger the disk fill-up prevention.
Issue ID: 441254

In cluster environments, if a node was elected as search master after it had been used as a search local node, old sessions might have appeared stuck on the Sessions page as ACTIVE sessions.
After the fix, old sessions are closed.
Issue ID: 441263

In certain cases, closed sessions were stuck in the ACTIVE state. After upgrading to a fixed version, they are closed.
Issue ID: 445832

When the file access permission is wrong on the server side, the user now sees an informative error message.
Issue ID: 416926

The new behavior is that when the network address or prefix is not valid, the following error message comes up: "Invalid entry in the Routing table. The network address and the netmask do not match because you have used a network address that contains host bits. This could cause your machine to disconnect from the network. Make sure you use a network address that has no host bits set."
Issue ID: 340004

The graphs for Physical interfaces 4-5 are now shown as expected.
Issue ID: 340003

Removed misleading character recommendations from hint and validation messages.
Issue ID: 431683

After confirming the deletion of a cleanup policy item, a loading overlay is shown while the request finishes.
Issue ID: 432356

The risky analytics elements remain visible on the Session Details page after switching to the Analytics tabs.
Issue ID: 393640

The Lucene-based query inputs validate boolean type fields.
Issue ID: 413510

When SPP is overloaded, the SPP fetcher might time out. The default timeout of the HTTPS library used is 1 minute; this default has been increased to 5 minutes. After the fix, the following configuration values can be used to increase the timeout values even further: pam.vaultFetcher.requestTimeoutInSeconds and pam.vaultFetcher.connectionTimeoutInSeconds.
Issue ID: 446838

The Edit report sidesheet keeps the subchapter drop-down state while editing.
Issue ID: 447404

Changed to break words inside the input, so it works as before.
Issue ID: 447965

The SAML2-related guide links on the Login Options page now point to the correct descriptions.
Issue ID: 448522

The permission denied error message now links to the correct home page.
Issue ID: 449991

System backup is configured by referencing a backup policy. Even when the referenced backup policy contained multiple start times, system backup was scheduled to run only once a day. This error has been fixed.
Issue ID: 456655

When opening a vault session on the Details page from the Sessions tab, it now supports the dark theme.
Issue ID: 457411
Previously, the Search/Search in all connections ACL alone granted users access to query and see all sessions via the REST API, but the Sessions page was not accessible on the SPS UI.
The correct behavior of this ACL is to authorize users to see all sessions but not to grant access to the /api/audit/sessions* endpoints. To access the /api/audit/sessions* endpoints and the Sessions page on the UI, the Search/Search ACL must be used.
This issue has been fixed, so the Search/Search in all connections ACL no longer grants access to the /api/audit/sessions* endpoints.
Issue ID: 458356

Fixed the Sudo IOlog DNS resolution timeout problem.
Previously, when SPS tried to resolve a domain name while accepting a Sudo IOlog connection and the DNS server was unresponsive, it waited too long before timing out. This has been fixed, and the timeouts are now correctly enforced when resolving domain names.
Issue ID: 446227

The rendering issues are caused by a new image format used by the ThinWire2 protocol. The Safeguard Desktop Player and the external indexers are now able to use a codec provided by Citrix to decode these images.
For more information, contact Citrix.
Issue ID: 339849

In previous versions, RDP connections that used an explicit UPN username (user@domain) resulted in a logon failure. Following the current release, SPS supports using UPN usernames in RDP connections.
Issue ID: 340573

The Connection Setup Wizard page now uses the correct port placeholders and previews.
Issue ID: 387210

On the Sessions page of the SPS web UI, when users did not have the proper audit data access rules (ADAR) to view sessions, a missing ADAR alert could be shown twice if the timeline statistics chart was switched on.
This has been fixed so that when users do not have an ADAR, only one ADAR alert is shown on the Sessions page.
Issue ID: 460524

The quick search showed menu results for master and minion machines that should not have been visible.
Issue ID: 441044

The user might have received a configuration lock warning without a user name when using SPS from multiple browsers (unsupported usage).
Since SPS 7.5, only one web session is allowed per user. As a result, the user's earlier configuration lock is invalidated together with the web session.
Issue ID: 461096

Fixed the issue where event processing could stop after a configuration change.
Issue ID: 460598

When the SPS REST API was accessed from PowerShell using the Invoke-WebRequest command, the request was rejected with the following error message: "Expected X-Token header to be sent in the request." This error has been corrected.
Issue ID: 455087

You can no longer create a report from the Sessions page when chapter names are missing. Previously, this caused an error at the end of the configuration process.
Issue ID: 462886

You can no longer skip the required chapter name field when creating a chapter, which previously caused an error.
Issue ID: 462916

The Next button in the report creation now works properly and does not get stuck when using the steps to navigate.
Issue ID: 462978

Before the fix, the query strings in the chat messages were not highlighted. After the fix, these query strings are highlighted, and the navigation buttons navigate to the audit page and fill the query field with the suggested query.
Issue ID: 463004

Fixed an issue where sessions were sometimes not closed properly.
Issue ID: 452996

Missing sanitization on the HTTP error template preview page.
SPS lets administrators customize templates for error messages used in HTTP protocol traffic. When an administrator accessed the Markdown editor and pressed the side-by-side preview button, the HTML code in the template was run in the administrator's browser without sanitization. This could allow a malicious administrator to perform a Cross-site Scripting (XSS) attack against other administrators, but only if the victims pressed the side-by-side preview button.
This issue was fixed, and the Markdown editor now sanitizes the HTML elements before displaying a preview.
Issue ID: 464543
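The preview defect in issue 464543 in minimal form, as an added example that is not SPS code: a Markdown preview that passes raw template HTML through to the page beside one that escapes the template text first, so that only markup generated by the renderer itself reaches the browser. The Markdown subset, the sample templates and the function names are assumptions.

```javascript
// Added illustration of the Markdown preview bug class; not SPS code.
// Constructed sample templates: a benign one and one carrying raw HTML.
const MARKDOWN_SAMPLE = '# Error 503\n**Service unavailable**, see [help](https://example.invalid/help)';
const HOSTILE_SAMPLE = '# Error\n<img src=x onerror="alert(document.cookie)">';

// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Minimal Markdown subset: "# " headings, **bold**, and [label](url) links
// whose URL must use http(s); anything else is kept as plain text.
function markdownToHtml(text) {
  return text
    .split('\n')
    .map((line) => {
      const h = line.match(/^#\s+(.*)$/);
      return h ? `<h1>${h[1]}</h1>` : `<p>${line}</p>`;
    })
    .join('')
    .replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>')
    .replace(/\[([^\]]+)\]\(([^)]+)\)/g, (m, label, url) =>
      /^https?:\/\//i.test(url) ? `<a href="${url}">${label}</a>` : label);
}

// Unfixed behaviour: HTML written into the template is emitted untouched,
// so it executes in the browser of whoever opens the preview.
function renderPreviewUnsafe(md) {
  return markdownToHtml(md);
}

// Fixed behaviour: escape the template first so author-supplied HTML is
// displayed as text; only markup produced by markdownToHtml survives.
function renderPreviewSafe(md) {
  return markdownToHtml(escapeHtml(md));
}
```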
When trying to join SPS to Starling on the SPS UI under the Basic settings > Starling Integration menu point, SPS checked the One Identity Starling service availability on the Starling status page to determine whether SPS could be joined to Starling.
However, the status of this service is unrelated to whether the join can be performed, so the join availability check has been rewritten to check the status of the join-related services.
The Starling services status page has been removed for two reasons:
- SPS displayed the status of the join-related services, which is irrelevant after SPS has been joined to Starling.
- SPS displayed the Starling service statuses incorrectly, since multiple service instances are available with the introduction of multiple regions. SPS displayed the status for only one service instance, which could have been misleading.
When the status of the Starling services needs to be checked, visit the following page: https://status.cloud.oneidentity.com/.
Issue ID: 457798

For more information, see CVE-2024-40595.
Issue ID: 339857

Previously, when a report contained only session-related subchapters and used only the sessions database as its data source, report generation on nodes with the search-minion role failed without user feedback, as the sessions database is not available on these nodes.
To fix this issue, SPS checks whether the report can be generated on the current node before starting the report generation, either from the SPS Web UI under the Reporting > Create & Manage Reports menu point or via the REST API. When the report cannot be generated, an error is raised that includes hints on which nodes the report can be generated successfully.
Issue ID: 418088

In certain cases, closed sessions were stuck in the ACTIVE state. After upgrading to a fixed version, they are closed.
Issue ID: 441264

Previously, some texts were incorrectly colored on the Session details pages in the dark theme. The issue is now resolved.
Issue ID: 427870

The HTTP settings page UI did not allow timeouts below 10 seconds, but the backend accepted them.
Issue ID: 447477

SAML2 authentication requests sent to Identity Providers used the RSA-SHA1 algorithm, which is not considered secure.
SPS now uses RSA-SHA256 for signing SAML2 authentication requests.
Issue ID: 467297