Endpoint Privilege Management for Linux 25.1.5
August 7, 2025
✨ Enhancements
Added security improvements for REST calls and services
- HMAC message signing now incorporates the full resource URI in all HTTP requests and the bodies of PUT or POST requests. This enhancement minimizes the risk of HMAC token replay attacks.
- The REST requests allowed at the EPM-L endpoints are now restricted to a small subset of calls. Furthermore, the REST requests for scheduled tasks can be used only by the endpoint from which the request was issued.
- Access control lists (ACLs) or ACL profiles are now enforced when creating REST keys. Existing application IDs (appids) without defined ACLs will be granted admin permissions on upgrade.
- Files accessed through relevant REST calls are now validated, and granular path restrictions have been added to the internal REST appid used by the product.
- Per-session key exchanges now use Authenticated Encryption with Associated Data (AEAD) algorithms, following patterns established in TLS 1.3.
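To illustrate why binding the signature to the full resource URI and the request body limits replay (the first item above), here is an added example that is not EPM-L's own code or its actual signing scheme: a hypothetical HMAC-SHA256 request signer whose canonical string covers method, path, query, a body hash and a timestamp, plus a verifier with a freshness window. The key, URLs and bodies are constructed for the demonstration.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed shared secret for the illustration only; a deployment provisions its own key.
SECRET = b"example-shared-secret"
MAX_SKEW_SECONDS = 300  # assumed freshness window for the timestamp check


def canonical_string(method: str, url: str, body: bytes, timestamp: int) -> bytes:
    """Bytes that are signed: method, full resource (path + query), body hash, timestamp.
    Covering the resource and body means a signature captured from one request cannot
    be reused against a different endpoint, query or payload."""
    parts = urlsplit(url)
    resource = parts.path + ("?" + parts.query if parts.query else "")
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), resource, body_hash, str(timestamp)]).encode()


def sign(method: str, url: str, body: bytes, timestamp: int, key: bytes = SECRET) -> str:
    return hmac.new(key, canonical_string(method, url, body, timestamp), hashlib.sha256).hexdigest()


def verify(method: str, url: str, body: bytes, timestamp: int, signature: str,
           now: int, key: bytes = SECRET) -> bool:
    """Reject stale timestamps, then compare in constant time."""
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    expected = sign(method, url, body, timestamp, key)
    return hmac.compare_digest(expected, signature)


def replay_demo() -> dict:
    """Sign one request, then check which variations the verifier accepts."""
    ts = 1_754_524_800
    url = "https://epm.example/api/tasks?host=web01"  # constructed
    body = b'{"task":"nightly-report"}'               # constructed
    sig = sign("POST", url, body, ts)
    return {
        "original": verify("POST", url, body, ts, sig, now=ts + 5),
        "other_uri": verify("POST", "https://epm.example/api/keys", body, ts, sig, now=ts + 5),
        "other_query": verify("POST", "https://epm.example/api/tasks?host=db01", body, ts, sig, now=ts + 5),
        "other_body": verify("POST", url, b'{"task":"weekly-report"}', ts, sig, now=ts + 5),
        "stale": verify("POST", url, body, ts, sig, now=ts + 3600),
    }
```

Only the unmodified, fresh request verifies; changing the path, the query string or the body, or presenting the signature outside the window, fails.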
Added protection to the application-layer traffic encryption between EPM-L endpoints and the servers
The initialization vector message sent from pbrun to EPM-L servers now includes random data for added protection.
Added protection to the TLS-layer traffic encryption between EPM-L endpoints and the servers
When networkencryption is enabled, the mangle schema is now applied to messages at the SSL layer, enhancing data protection.
Secured the permissions on pbksh/pbsh binaries
The pbksh and pbsh binaries on endpoints have been secured by removing read permissions for non-root users.
Reduced restarts of policy/log server processes and REST services after pb.settings changes
EPM-L server processes now restart only when a configuration change explicitly requires it. Also, for processes that support dynamic reloading, this reload is performed without needing to restart.
Checked the validity of the keyword value before updating pb.settings
When a keyword in the EPM-L settings is changed to an unsupported value, the system now validates the value before updating pb.settings.
Adjusted the keyword messagerouterqueuesize if SIEM configuration is used
On SaaS servers, if messagerouterqueuesize is set to its default values (eventlog=1200,8 and siem=200,8) and settings change such that SIEM (Splunk or ELK) is enabled, these values are automatically increased to eventlog=25000,8 and siem=75000,8. Conversely, if messagerouterqueuesize is set to eventlog=25000,8 and siem=75000,8 and SIEM is disabled, the eventlog and siem elements revert to their default values.
Upgraded all third-party libraries to the latest releases
All integrated third-party libraries have been upgraded to their latest releases:
- curl: 8.15.0
- openssl: 3.0.17
- sqlite: 3.50.3
Added supported platforms: RHEL and OEL 10
Red Hat Enterprise Linux v10 and Oracle Linux v10 are now officially supported.
Deprecated support for RHEL7 and OEL7
Red Hat Enterprise Linux v7 and Oracle Linux v7.x are no longer supported platforms.
Added pagination to the RBP users side card
The RBP users side card now supports pagination with infinite scroll, improving responsiveness and preventing timeouts when loading large user lists.
Added pagination to the Host Groups side card
Pagination has been added to the Host Groups side card to improve performance and responsiveness, especially when loading large host groups.
Simplified eventlog database name in SaaS
For SaaS users, the eventlog database dropdown now displays only the filename, improving readability and simplifying the user interface.
🛠️ Issues resolved
Issues
Description | Resolution |
---|---|
The pbreplay utility could crash with a segmentation fault when processing IO logs that have no output records. | pbreplay no longer segfaults when replaying IO logs with no output. |
When multiple values were provided in restssloptions, only the first value was used. | The restssloptions keyword now supports multiple values, and all specified values are correctly processed and applied. |
The PB shells (pbksh/pbsh) reported error 3912.88: Failed to change owner and group to root for /opt/pbul/pbcached/iologs. | On a cached client with no network connection, when pbksh/pbsh is run by a non-root user, the ownership and group of the directory /opt/pbul/pbcached/iologs are now correctly set to root. |
When a keyword was deleted from the EPM-L settings, the removal was not reflected in the active pb.settings file. | Setting disable records sent from the UI are now correctly applied to both the active cached settings and the persistent pb.settings file. |
The PMUL REST endpoint /policies/check did not execute a full syntax check on policy scripts. | The PMUL REST endpoint /policies/check now performs a full syntax validation on policy scripts. |
An error was triggered when adding a Splunk connection where the password included a single quote ('). | Passwords containing a single quote can now be used when configuring a Splunk connection without triggering error 4400.12 Set credential DB error - general SQL error, and the password is saved correctly. |
Misconfigured Splunk connections could result in an unintended refresh of the EPM-L instance. | Incorrect Splunk connection configurations no longer trigger an unintended EPM-L instance refresh. |
An error toast appeared twice when using a wildcard (*) in a username. | The system now displays only a single error message when a wildcard is used in a username while adding a user to an RBP policy. |
Users were unable to add a Splunk Cloud connection if the password contained a single quote ('). | Passwords are now correctly handled, allowing Splunk connections to be saved even when the password contains a single quote. |
Unified Search did not recognize the new SiemTypes for SplunkNoAdmin. | Unified Search now correctly searches against Splunk connections using the SplunkNoAdmin and SplunkCloudNoAdmin types. |
The filter search was case-sensitive. | The filter search is now case-insensitive, providing more comprehensive results regardless of capitalization. |
The scrollbar on the Import Secure User Groups page was not working. | The scrollbar is now fully functional. |
Unified search total count and pagination were not working for custom Splunk indexes. | The system now correctly calculates the total results for custom Splunk indexes, restoring full pagination functionality. |
Users were unable to save RBP role reauthentication settings due to a JSON handling error. | A JSON handling error has been fixed, and RBP role reauthentication settings can now be saved without error. |
Users were unable to view the RBP schedule within a schedule group. | RBP schedule details are now properly displayed within the schedule group view. |
The eventlog time filter was not in sync with UTC. | The eventlog time filter is now correctly synced with UTC, ensuring accurate time-based searches. |
Auditors could access EPM-L entitlement information. | Access controls have been corrected, and entitlement information is now restricted to the PolicyAdmin group. |
The Software Admin role could access EPM-L settings and endpoint management. | The Software Admin role's access is now restricted to its intended functions, removing its ability to access EPM-L settings and endpoint management. |
Hosts were cut off at 50 when adding to a host group. | The system now correctly saves all hosts added to a host group, resolving the issue where only the first 50 were saved. |
Subscription info showed NaN for permanent licenses. | The subscription info section now correctly indicates a permanent license. |