---
title: PingAccess 7.3.5 (August 2024)
description: Security PA-15776
component: pingaccess
version: 7.3
page_id: pingaccess:release_notes:pa_735_rn
canonical_url: https://docs.pingidentity.com/pingaccess/7.3/release_notes/pa_735_rn.html
revdate: August 7, 2024
section_ids:
  fixed-a-security-vulnerability-with-url-encoded-characters: Fixed a security vulnerability with URL-encoded characters
  opt-out-of-automatic-url-encoding: Opt out of automatic URL encoding
  set-response-headers-for-oauth-errors: Set response headers for OAuth errors
  fixed-issues-with-query-parameter-behavior-due-to-automatic-url-encoding: Fixed issues with query parameter behavior due to automatic URL encoding
  fixed-admin-jwks-endpoint-returning-a-401-or-500-response-instead-of-the-oauth-key-set: Fixed admin JWKS endpoint returning a 401 or 500 response instead of the OAuth key set
  fixed-fips-mode-startup-in-pingaccess-7-3: Fixed FIPS mode startup in PingAccess 7.3
---

# PingAccess 7.3.5 (August 2024)

## Fixed a security vulnerability with URL-encoded characters

Security PA-15776

Added the `pa.uri.canonicalize` parameter to the [Configuration file reference](../reference_guides/pa_config_file_ref.html) to fix a security vulnerability. Learn more in an upcoming security advisory.

## Opt out of automatic URL encoding

Improved PA-15697

By default, redirect rules and rejection handlers automatically URL-encode the redirect URL that the administrator enters. This could cause unexpected behavior if an application targeted by a redirect requires the URL to follow a specific format.

You can now opt out of automatic URL encoding by deselecting the **Encode URL** check box on a specific application resource logout or redirect response generator, redirect rule, redirect authentication challenge response generator, or redirect rejection handler. Learn more in:

* [Adding application resources](../pingaccess_user_interface_reference_guide/pa_adding_application_resources.html)

* [Adding redirect rules](../pingaccess_user_interface_reference_guide/pa_adding_redirect_rules.html)

* [Authentication challenge response generator descriptions](../pingaccess_user_interface_reference_guide/pa_acr_generator_descriptions.html)

* [Creating rejection handlers](../pingaccess_user_interface_reference_guide/pa_creating_rejection_handlers.html)

## Set response headers for OAuth errors

Improved PA-15764

Added the `oauth.error.headers` and `oauth.error.header.Content-Security-Policy` parameters to the [Configuration file reference](../reference_guides/pa_config_file_ref.html).

## Fixed issues with query parameter behavior due to automatic URL encoding

Fixed PA-15696

Fixed an issue with automatically URL encoding target redirect URLs that sometimes disrupted query parameter sort order or added a trailing `=` to the end of single value query parameters. This issue affected redirect rules, redirect rejection handlers, redirect virtual resources, logout virtual resources, and redirect authentication challenge policy response generators.
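The two symptoms described above are typical of encoding a URL by parsing its query string and serializing it again. The following is an added example, not PingAccess code and not a description of how the product implements the fix: it reproduces both symptoms on a constructed URL and shows an encoder that keeps the query's order and `=` usage. The function names and the sample URL are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, quote, unquote

# Constructed sample redirect target (not taken from PingAccess documentation).
SAMPLE = "https://app.example.com/cb?z=last value&debug&a=1"

def naive_reencode(url):
    """Parse and re-serialize the query: reorders fields and turns 'debug' into 'debug='."""
    parts = urlsplit(url)
    pairs = sorted(parse_qsl(parts.query, keep_blank_values=True))
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def preserving_encode(url):
    """Percent-encode each key and value in place, keeping field order and '=' usage."""
    parts = urlsplit(url)
    fields = parts.query.split("&") if parts.query else []
    out = []
    for field in fields:
        key, eq, value = field.partition("=")
        # Decode first so input that is already encoded is not encoded twice.
        # '+' is left as typed because its meaning depends on the receiver.
        out.append(quote(unquote(key), safe="+") + eq + quote(unquote(value), safe="+"))
    return urlunsplit(parts._replace(query="&".join(out)))

def query_shape(url):
    """Return [(decoded_key, has_equals, decoded_value)] in wire order."""
    shape = []
    for field in urlsplit(url).query.split("&"):
        key, eq, value = field.partition("=")
        shape.append((unquote(key), bool(eq), unquote(value)))
    return shape

if __name__ == "__main__":
    print(naive_reencode(SAMPLE))     # order changed, 'debug' gained '='
    print(preserving_encode(SAMPLE))  # only the space is encoded
```

Comparing `query_shape` of a configured redirect URL with `query_shape` of the `Location` header actually returned gives a quick regression check after upgrading.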

## Fixed admin JWKS endpoint returning a `401` or `500` response instead of the OAuth key set

Fixed PA-15723

Fixed an issue that caused PingAccess to override the existing handling for the `/pa/oauth/JWKS` endpoint on the admin listener with the engine self-registration handler, so that requests to the endpoint returned `401` unauthorized responses or `500` internal server errors.

## Fixed FIPS mode startup in PingAccess 7.3

Fixed PA-15759

Fixed an issue that prevented PingAccess 7.3.3 and 7.3.4 from starting in FIPS mode.
