Changelog for Univention Corporate Server (UCS) 5.0-3#
General#
All Python source code is now indented with 4 spaces instead of tabulators (Bug #55642).
The server password change script has been improved to track and log the execution, allowing a better understanding of failed operations (Bug #54273).
The package univention-keycloak has been added as a dependency to the univention-server-common package. It contains a CLI tool used by the Univention Keycloak app (Bug #55383).
The package univention-support-info is now by default installed on every system role (Bug #55485).
The scripts
server_password_change/univention-admin-diaryhas been updated to generate more useful debug information (Bug #54273).Instead of an exception now a clear error message is displayed in case the admin diary front end is installed on a different system than the admin diary server and the database connection is not correctly configured (Bug #49016).
Reading records from database is optimized to use less RAM and CPU (Bug #51902).
Some source code has been refactored regarding binding of loop variables to function calls (Bug #55598).
A UMC operation set was added, which allows users without admin privileges, to use the user templates (Bug #37927).
Join scripts now handle errors when the registration of a service fails (Bug #53092).
All security updates issued for UCS 5.0-2 are included:
zlib (CVE-2022-37434) (Bug #55198)
xorg-server (CVE-2022-2319, CVE-2022-2320, CVE-2022-3550, CVE-2022-3551, CVE-2022-4283, CVE-2022-46340, CVE-2022-46341, CVE-2022-46342, CVE-2022-46343, CVE-2022-46344) (Bug #55072, Bug #55416, Bug #55537)
vim (CVE-2021-3927, CVE-2021-3928, CVE-2021-3974, CVE-2021-3984, CVE-2021-4019, CVE-2021-4069, CVE-2021-4192, CVE-2021-4193, CVE-2022-0213, CVE-2022-0261, CVE-2022-0318, CVE-2022-0319, CVE-2022-0351, CVE-2022-0359, CVE-2022-0361, CVE-2022-0368, CVE-2022-0392, CVE-2022-0408, CVE-2022-0413, CVE-2022-0417, CVE-2022-0443, CVE-2022-0554, CVE-2022-0572, CVE-2022-0629, CVE-2022-0685, CVE-2022-0696, CVE-2022-0714, CVE-2022-0729, CVE-2022-0943, CVE-2022-1154, CVE-2022-1616, CVE-2022-1619, CVE-2022-1621, CVE-2022-1720, CVE-2022-1785, CVE-2022-1851, CVE-2022-1897, CVE-2022-1898, CVE-2022-1942, CVE-2022-1968, CVE-2022-2000, CVE-2022-2129, CVE-2022-2285, CVE-2022-2304, CVE-2022-2598, CVE-2022-2946, CVE-2022-3099, CVE-2022-3134, CVE-2022-3234, CVE-2022-3235, CVE-2022-3256, CVE-2022-3324, CVE-2022-3352, CVE-2022-3705) (Bug #55417, Bug #55465)
unzip (CVE-2022-0529, CVE-2022-0530) (Bug #55219)
tiff (CVE-2022-1354, CVE-2022-1355, CVE-2022-2056, CVE-2022-2057, CVE-2022-2058, CVE-2022-2867, CVE-2022-2868, CVE-2022-2869, CVE-2022-34526, CVE-2022-3570, CVE-2022-3597, CVE-2022-3598, CVE-2022-3599, CVE-2022-3626, CVE-2022-3627, CVE-2022-3970, CVE-2022-48281) (Bug #55589, Bug #55624)
sudo (CVE-2021-23239, CVE-2023-22809) (Bug #55397, Bug #55586)
squid (CVE-2022-41317, CVE-2022-41318) (Bug #55271)
sqlite3 (CVE-2020-35525, CVE-2020-35527, CVE-2021-20223) (Bug #55207)
samba (CVE-2022-2031, CVE-2022-32742, CVE-2022-32744, CVE-2022-32745, CVE-2022-32746, CVE-2022-3437, CVE-2022-37966, CVE-2022-37967, CVE-2022-38023, CVE-2022-42898) (Bug #54994, Bug #55275, Bug #55406, Bug #55486, Bug #55511)
qemu () (Bug #55167)
python3.7 (CVE-2022-37454) (Bug #55370)
postgresql-11 (CVE-2022-2625) (Bug #55093)
poppler (CVE-2018-18897, CVE-2018-19058, CVE-2018-20650, CVE-2019-14494, CVE-2019-9903, CVE-2019-9959, CVE-2020-27778, CVE-2022-27337, CVE-2022-38784) (Bug #55220)
pixman (CVE-2022-44638) (Bug #55396)
php7.3 (CVE-2021-21707, CVE-2022-31625, CVE-2022-31626, CVE-2022-31628, CVE-2022-31629, CVE-2022-37454) (Bug #55503)
paramiko (CVE-2022-24302) (Bug #55199)
ntfs-3g (CVE-2022-40284) (Bug #55443)
net-snmp (CVE-2022-24805, CVE-2022-24806, CVE-2022-24807, CVE-2022-24808, CVE-2022-24809, CVE-2022-24810, CVE-2022-44792, CVE-2022-44793) (Bug #55152, Bug #55572)
ncurses (CVE-2022-29458) (Bug #55369)
multipath-tools (CVE-2022-41973, CVE-2022-41974) (Bug #55539)
mokutil (CVE-2021-3695, CVE-2021-3696, CVE-2021-3697, CVE-2022-28733, CVE-2022-28734, CVE-2022-28735, CVE-2022-28736) (Bug #55191)
mod-wsgi (CVE-2022-2255) (Bug #55206)
mariadb-10.3 (CVE-2021-46669, CVE-2022-21427, CVE-2022-27376, CVE-2022-27377, CVE-2022-27378, CVE-2022-27379, CVE-2022-27380, CVE-2022-27381, CVE-2022-27383, CVE-2022-27384, CVE-2022-27386, CVE-2022-27387, CVE-2022-27445, CVE-2022-27447, CVE-2022-27448, CVE-2022-27449, CVE-2022-27452, CVE-2022-27456, CVE-2022-27458, CVE-2022-32083, CVE-2022-32084, CVE-2022-32085, CVE-2022-32087, CVE-2022-32088, CVE-2022-32091) (Bug #55210)
mako (CVE-2022-40023) (Bug #55223)
linux-signed-amd64 (CVE-2021-33655, CVE-2021-33656, CVE-2021-4159, CVE-2021-4197, CVE-2022-0494, CVE-2022-0812, CVE-2022-0854, CVE-2022-1011, CVE-2022-1012, CVE-2022-1016, CVE-2022-1048, CVE-2022-1184, CVE-2022-1195, CVE-2022-1198, CVE-2022-1199, CVE-2022-1204, CVE-2022-1205, CVE-2022-1353, CVE-2022-1419, CVE-2022-1462, CVE-2022-1516, CVE-2022-1652, CVE-2022-1679, CVE-2022-1729, CVE-2022-1734, CVE-2022-1974, CVE-2022-1975, CVE-2022-20369, CVE-2022-21123, CVE-2022-21125, CVE-2022-21166, CVE-2022-2153, CVE-2022-2318, CVE-2022-23960, CVE-2022-2586, CVE-2022-2588, CVE-2022-26365, CVE-2022-26373, CVE-2022-26490, CVE-2022-2663, CVE-2022-27666, CVE-2022-28356, CVE-2022-28388, CVE-2022-28389, CVE-2022-28390, CVE-2022-29581, CVE-2022-2978, CVE-2022-29901, CVE-2022-3028, CVE-2022-30594, CVE-2022-32250, CVE-2022-32296, CVE-2022-32981, CVE-2022-33740, CVE-2022-33741, CVE-2022-33742, CVE-2022-33744, CVE-2022-33981, CVE-2022-3521, CVE-2022-3524, CVE-2022-3564, CVE-2022-3565, CVE-2022-3594, CVE-2022-3621, CVE-2022-3628, CVE-2022-3640, CVE-2022-3643, CVE-2022-3646, CVE-2022-3649, CVE-2022-36879, CVE-2022-36946, CVE-2022-39188, CVE-2022-40307, CVE-2022-40768, CVE-2022-41849, CVE-2022-41850, CVE-2022-42328, CVE-2022-42329, CVE-2022-42895, CVE-2022-42896, CVE-2022-43750, CVE-2022-4378) (Bug #54958, Bug #55238, Bug #55540)
linux-latest (CVE-2021-33655, CVE-2021-33656, CVE-2021-4159, CVE-2021-4197, CVE-2022-0494, CVE-2022-0812, CVE-2022-0854, CVE-2022-1011, CVE-2022-1012, CVE-2022-1016, CVE-2022-1048, CVE-2022-1184, CVE-2022-1195, CVE-2022-1198, CVE-2022-1199, CVE-2022-1204, CVE-2022-1205, CVE-2022-1353, CVE-2022-1419, CVE-2022-1462, CVE-2022-1516, CVE-2022-1652, CVE-2022-1679, CVE-2022-1729, CVE-2022-1734, CVE-2022-1974, CVE-2022-1975, CVE-2022-20369, CVE-2022-21123, CVE-2022-21125, CVE-2022-21166, CVE-2022-2153, CVE-2022-2318, CVE-2022-23960, CVE-2022-2586, CVE-2022-2588, CVE-2022-26365, CVE-2022-26373, CVE-2022-26490, CVE-2022-2663, CVE-2022-27666, CVE-2022-28356, CVE-2022-28388, CVE-2022-28389, CVE-2022-28390, CVE-2022-29581, CVE-2022-2978, CVE-2022-29901, CVE-2022-3028, CVE-2022-30594, CVE-2022-32250, CVE-2022-32296, CVE-2022-32981, CVE-2022-33740, CVE-2022-33741, CVE-2022-33742, CVE-2022-33744, CVE-2022-33981, CVE-2022-3521, CVE-2022-3524, CVE-2022-3564, CVE-2022-3565, CVE-2022-3594, CVE-2022-3621, CVE-2022-3628, CVE-2022-3640, CVE-2022-3643, CVE-2022-3646, CVE-2022-3649, CVE-2022-36879, CVE-2022-36946, CVE-2022-39188, CVE-2022-40307, CVE-2022-40768, CVE-2022-41849, CVE-2022-41850, CVE-2022-42328, CVE-2022-42329, CVE-2022-42895, CVE-2022-42896, CVE-2022-43750, CVE-2022-4378) (Bug #54958, Bug #55238, Bug #55540)
linux (CVE-2021-33655, CVE-2021-33656, CVE-2021-4159, CVE-2021-4197, CVE-2022-0494, CVE-2022-0812, CVE-2022-0854, CVE-2022-1011, CVE-2022-1012, CVE-2022-1016, CVE-2022-1048, CVE-2022-1184, CVE-2022-1195, CVE-2022-1198, CVE-2022-1199, CVE-2022-1204, CVE-2022-1205, CVE-2022-1353, CVE-2022-1419, CVE-2022-1462, CVE-2022-1516, CVE-2022-1652, CVE-2022-1679, CVE-2022-1729, CVE-2022-1734, CVE-2022-1974, CVE-2022-1975, CVE-2022-20369, CVE-2022-21123, CVE-2022-21125, CVE-2022-21166, CVE-2022-2153, CVE-2022-2318, CVE-2022-23960, CVE-2022-2586, CVE-2022-2588, CVE-2022-26365, CVE-2022-26373, CVE-2022-26490, CVE-2022-2663, CVE-2022-27666, CVE-2022-28356, CVE-2022-28388, CVE-2022-28389, CVE-2022-28390, CVE-2022-29581, CVE-2022-2978, CVE-2022-29901, CVE-2022-3028, CVE-2022-30594, CVE-2022-32250, CVE-2022-32296, CVE-2022-32981, CVE-2022-33740, CVE-2022-33741, CVE-2022-33742, CVE-2022-33744, CVE-2022-33981, CVE-2022-3521, CVE-2022-3524, CVE-2022-3564, CVE-2022-3565, CVE-2022-3594, CVE-2022-3621, CVE-2022-3628, CVE-2022-3640, CVE-2022-3643, CVE-2022-3646, CVE-2022-3649, CVE-2022-36879, CVE-2022-36946, CVE-2022-39188, CVE-2022-40307, CVE-2022-40768, CVE-2022-41849, CVE-2022-41850, CVE-2022-42328, CVE-2022-42329, CVE-2022-42895, CVE-2022-42896, CVE-2022-43750, CVE-2022-4378) (Bug #54958, Bug #55238, Bug #55540)
libxslt (CVE-2019-5815, CVE-2021-30560) (Bug #55194)
libxml2 (CVE-2022-40303, CVE-2022-40304) (Bug #55371)
libtirpc (CVE-2021-46828) (Bug #55094)
libtasn1-6 (CVE-2021-46848) (Bug #55566)
libsndfile (CVE-2021-4156) (Bug #55237)
librsvg (CVE-2019-20446) (Bug #55193)
libksba (CVE-2022-3515, CVE-2022-47629) (Bug #55327, Bug #55542)
libde265 (CVE-2020-21596, CVE-2020-21597, CVE-2020-21598, CVE-2020-21599, CVE-2021-35452, CVE-2021-36408, CVE-2021-36409, CVE-2021-36410, CVE-2021-36411, CVE-2022-43235, CVE-2022-43236, CVE-2022-43237, CVE-2022-43238, CVE-2022-43239, CVE-2022-43240, CVE-2022-43241, CVE-2022-43242, CVE-2022-43243, CVE-2022-43244, CVE-2022-43245, CVE-2022-43248, CVE-2022-43249, CVE-2022-43250, CVE-2022-43252, CVE-2022-43253, CVE-2022-47655) (Bug #55504, Bug #55594)
libarchive (CVE-2019-19221, CVE-2021-23177, CVE-2021-31566, CVE-2022-36227) (Bug #55464, Bug #55625)
ldb (CVE-2022-32745, CVE-2022-32746) (Bug #54994)
krb5 (CVE-2022-42898) (Bug #55474)
isc-dhcp () (Bug #55270)
intel-microcode (CVE-2022-21123, CVE-2022-21125, CVE-2022-21127, CVE-2022-21151, CVE-2022-21166) (Bug #54960)
heimdal (CVE-2019-14870, CVE-2021-3671, CVE-2021-44758, CVE-2022-3437, CVE-2022-41916, CVE-2022-42898, CVE-2022-44640) (Bug #55461)
gsasl (CVE-2022-2469) (Bug #55023)
grub2 (CVE-2021-3695, CVE-2021-3696, CVE-2021-3697, CVE-2022-2601, CVE-2022-28733, CVE-2022-28734, CVE-2022-28735, CVE-2022-28736, CVE-2022-3775) (Bug #55191, Bug #55434, Bug #55482)
grub-efi-amd64-signed (CVE-2021-3695, CVE-2021-3696, CVE-2021-3697, CVE-2022-2601, CVE-2022-28733, CVE-2022-28734, CVE-2022-28735, CVE-2022-28736, CVE-2022-3775) (Bug #55191, Bug #55434, Bug #55482)
gnutls28 (CVE-2021-4209, CVE-2022-2509) (Bug #55095)
gnupg2 (CVE-2022-34903) (Bug #54957)
glibc (CVE-2016-10228, CVE-2019-19126, CVE-2019-25013, CVE-2020-10029, CVE-2020-1752, CVE-2020-27618, CVE-2020-6096, CVE-2021-27645, CVE-2021-3326, CVE-2021-33574, CVE-2021-35942, CVE-2021-3999, CVE-2022-23218, CVE-2022-23219) (Bug #55326)
glib2.0 (CVE-2021-3800) (Bug #55208)
giflib (CVE-2018-11490, CVE-2019-15133) (Bug #55473)
ghostscript () (Bug #55168)
fribidi (CVE-2022-25308, CVE-2022-25309, CVE-2022-25310) (Bug #55190)
freetype (CVE-2022-27404, CVE-2022-27405, CVE-2022-27406) (Bug #55192)
freeradius (CVE-2019-13456, CVE-2019-17185) (Bug #55195)
flac (CVE-2021-0561) (Bug #55169)
firefox-esr (CVE-2021-32810, CVE-2021-38491, CVE-2021-38493, CVE-2021-38494, CVE-2021-38496, CVE-2021-38497, CVE-2021-38498, CVE-2021-38499, CVE-2021-38500, CVE-2021-38501, CVE-2021-38503, CVE-2021-38504, CVE-2021-38506, CVE-2021-38507, CVE-2021-38508, CVE-2021-38509, CVE-2021-4140, CVE-2021-43536, CVE-2021-43537, CVE-2021-43538, CVE-2021-43539, CVE-2021-43540, CVE-2021-43541, CVE-2021-43542, CVE-2021-43543, CVE-2021-43544, CVE-2021-43545, CVE-2021-43546, CVE-2022-0511, CVE-2022-0843, CVE-2022-1097, CVE-2022-1919, CVE-2022-2200, CVE-2022-22737, CVE-2022-22738, CVE-2022-22739, CVE-2022-22740, CVE-2022-22741, CVE-2022-22742, CVE-2022-22743, CVE-2022-22745, CVE-2022-22747, CVE-2022-22748, CVE-2022-22751, CVE-2022-22752, CVE-2022-22754, CVE-2022-22755, CVE-2022-22756, CVE-2022-22759, CVE-2022-22760, CVE-2022-22761, CVE-2022-22764, CVE-2022-24713, CVE-2022-2505, CVE-2022-26381, CVE-2022-26382, CVE-2022-26383, CVE-2022-26384, CVE-2022-26385, CVE-2022-26387, CVE-2022-26485, CVE-2022-26486, CVE-2022-28281, CVE-2022-28282, CVE-2022-28283, CVE-2022-28284, CVE-2022-28285, CVE-2022-28286, CVE-2022-28287, CVE-2022-28288, CVE-2022-28289, CVE-2022-29909, CVE-2022-29911, CVE-2022-29912, CVE-2022-29914, CVE-2022-29915, CVE-2022-29916, CVE-2022-29917, CVE-2022-29918, CVE-2022-31736, CVE-2022-31737, CVE-2022-31738, CVE-2022-31740, CVE-2022-31741, CVE-2022-31742, CVE-2022-31743, CVE-2022-31744, CVE-2022-31745, CVE-2022-31747, CVE-2022-31748, CVE-2022-34468, CVE-2022-34470, CVE-2022-34471, CVE-2022-34472, CVE-2022-34473, CVE-2022-34474, CVE-2022-34475, CVE-2022-34476, CVE-2022-34477, CVE-2022-34479, CVE-2022-34480, CVE-2022-34481, CVE-2022-34482, CVE-2022-34483, CVE-2022-34484, CVE-2022-34485, CVE-2022-36315, CVE-2022-36316, CVE-2022-36318, CVE-2022-36319, CVE-2022-36320, CVE-2022-38472, CVE-2022-38473, CVE-2022-38477, CVE-2022-38478, CVE-2022-42927, CVE-2022-42928, CVE-2022-42929, CVE-2022-42932, CVE-2022-45403, CVE-2022-45404, CVE-2022-45405, CVE-2022-45406, CVE-2022-45408, CVE-2022-45409, CVE-2022-45410, CVE-2022-45411, CVE-2022-45412, CVE-2022-45416, CVE-2022-45418, CVE-2022-45420, CVE-2022-45421, CVE-2022-46871, CVE-2022-46872, CVE-2022-46874, CVE-2022-46877, CVE-2022-46878, CVE-2022-46880, CVE-2022-46881, CVE-2022-46882, CVE-2023-23598, CVE-2023-23601, CVE-2023-23602, CVE-2023-23603, CVE-2023-23605) (Bug #54955, Bug #55049, Bug #55143, Bug #55221, Bug #55349, Bug #55441, Bug #55502, Bug #55585)
expat (CVE-2022-40674, CVE-2022-43680) (Bug #55222, Bug #55358)
exim4 (CVE-2022-37452) (Bug #55139)
emacs (CVE-2022-45939) (Bug #55541)
dovecot (CVE-2021-33515, CVE-2022-30550) (Bug #55228)
dbus () (Bug #55272)
curl (CVE-2021-22898, CVE-2021-22924, CVE-2021-22946, CVE-2021-22947, CVE-2022-22576, CVE-2022-27774, CVE-2022-27776, CVE-2022-27781, CVE-2022-27782, CVE-2022-32206, CVE-2022-32208, CVE-2022-32221, CVE-2022-35252, CVE-2022-43552) (Bug #55140, Bug #55626)
clamav (CVE-2022-20770, CVE-2022-20771, CVE-2022-20785, CVE-2022-20792, CVE-2022-20796) (Bug #55188)
bluez (CVE-2019-8921, CVE-2019-8922, CVE-2021-41229, CVE-2021-43400, CVE-2022-0204, CVE-2022-39176, CVE-2022-39177) (Bug #55340)
bind9 (CVE-2022-2795, CVE-2022-38177, CVE-2022-38178) (Bug #55163, Bug #55253)
apache2 (CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943, CVE-2022-26377, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-30556, CVE-2022-31813) (Bug #55187)
The following updated packages from Debian 10.13 are included: base-files, bzip2, clamav, debootstrap, distro-info-data, libnet-ssleay-perl, postfix, postgresql-11, postgresql-common, shim, shim-helpers-amd64-signed, tzdata, adminer, asterisk, awstats, barbican, batik, bcel, blender, booth, cacti, cargo-mozilla, cgal, cinder, clickhouse, commons-daemon, composer, connman, debian-installer, debian-installer-netboot-images, debian-security-support, djangorestframework, dlt-daemon, dojo, dpdk, dropbear, e17, epiphany-browser, esorex, evemu, exiv2, exuberant-ctags, feature-check, ffmpeg, fig2dev, foxtrotgps, freecad, frr, ftgl, g810-led, gdal, gerbv, gif2apng, git, glance, gnucash, golang-github-docker-go-connections, golang-github-pkg-term, golang-github-russellhaering-goxmldsig, graphicsmagick, gst-plugins-good1.0, hsqldb, htmldoc, http-parser, inetutils, ini4j, iptables-netflow, isync, jackson-databind, jersey1, jetty9, jhead, joblib, jqueryui, jtreg6, jupyter-core, kannel, kicad, knot-resolver, lava, lemonldap-ng, leptonlib, libapache-session-browseable-perl, libapache-session-ldap-perl, libapache2-mod-auth-openidc, libapreq2, libbluray, libcommons-net-java, libdatetime-timezone-perl, libetpan, libgoogle-gson-java, libhtml-stripscripts-perl, libhttp-cookiejar-perl, libhttp-daemon-perl, libitext5-java, libjettison-java, libmodbus, libnet-freedb-perl, libpgjava, libraw, librose-db-object-perl, libstb, libvirt-php, libvncserver, libxstream-java, libzen, lighttpd, linux-5.10, linux-signed-5.10-amd64, llvm-toolchain-13, mat2, maven-shared-utils, mbedtls, mediawiki, minidlna, modsecurity-apache, modsecurity-crs, mplayer, mutt, ndpi, netty, nginx, node-cached-path-relative, node-ejs, node-end-of-stream, node-eventsource, node-fetch, node-hawk, node-json-schema, node-loader-utils, node-log4js, node-minimatch, node-minimist, node-moment, node-node-forge, node-object-path, node-qs, node-require-from-string, node-tar, node-thenify, node-trim-newlines, node-xmldom, nodejs, nova, nvidia-graphics-drivers, nvidia-graphics-drivers-legacy-390xx, octavia, open-vm-tools, openexr, openjdk-11, openvswitch, orca, pacemaker, pcs, pglogical, php-guzzlehttp-psr7, php-horde-mime-viewer, php-horde-turba, php-phpseclib, phpseclib, pngcheck, postsrsd, powerline-gitstatus, procmail, publicsuffix, puma, pysha3, python-django, python-keystoneauth1, python-oslo.utils, python-scciclient, python-scrapy, python-udatetime, qtbase-opensource-src, rails, request-tracker4, rexical, ruby-activeldap, ruby-git, ruby-hiredis, ruby-http-parser.rb, ruby-nokogiri, ruby-rack, ruby-rails-html-sanitizer, ruby-riddle, ruby-sinatra, ruby-tzinfo, rust-cbindgen, rustc-mozilla, schroot, sctk, smarty3, snakeyaml, snapd, sofia-sip, spip, strongswan, swift, sysstat, thunderbird, tinyxml, tmux, tomcat9, tor, trafficserver, twig, twisted, ublock-origin, unrar-nonfree, varnish, viewvc, virglrenderer, vlc, webkit2gtk, wireshark, wkhtmltopdf, wordpress
The following packages have been moved to the maintained repository of UCS:
Univention Configuration Registry#
Add validation for values of UCR variables. By default only a warning is printed if an invalid value is set. By setting the UCR variable
ucr/check/typetoyestype checking can be enforced, which will prevent invalid values to be set (Bug #54495).A new variable type
url_httpwas added in order to support validation of HTTP/HTTPS URL strings (Bug #55044).Fixed printing wrong UCR layer name (Bug #55174).
The UCR type checking is now displaying more specific information regarding the type constraints (Bug #55573).
Changes to templates and modules#
Several UCR variable type annotations have been fixed. Most importantly UCRV
proxy/httpandproxy/httpsare now checked for validity as specifying a URL with a path, query or fragment will break several programs (Bug #54495).
Listener/Notifier domain replication#
Calls to several OpenLDAP tools (slaptest etc.) fail when the
cn=configLDIF exists in the file-system. The package has been adjusted to explicitly use the configuration file instead to avoid this problem (Bug #54986).The API for writing Listener modules has been simplified and the module name is now automatically derived from the file name of the module, which removes the requirement to explicitly specify the module name via the module variable
name.
DNS server#
The script
server_password_change.d/univention-bindhas been updated to generate more useful debug information (Bug #54273).
Univention Management Console web interface#
The UDM command line client now writes error messages and warnings to standard error (Bug #4498).
The OpenAPI schema of the UDM REST API has been improved: Nested properties are now described more detailed while they previously were only described as free form objects. Data de-duplication has been made by referencing global data instead of including them. All possible HTTP errors are listed in the responses. Experimental features like pagination during search have been added as deprecated so that they can be used more easily in the future when UCS supports them. Various parameters are now created via code introspection (Bug #55096).
The URI template for nested search queries was invalid and has been adjusted (Bug #55115).
The script
server_password_change.d/univention-directory-manager-resthas been updated to generate more useful debug information (Bug #54273).The performance of the UDM REST API has been improved: A duplicated LDAP search has been eliminated for
GET,PATCHandDELETEoperations on an object (Bug #55430).The LDAP connections for read and write operations have been separated and are now individually configurable via the UCR variables
directory/manager/rest/ldap-connection/.*/.*(Bug #54623).The UDM REST API responses now respect the requested language so that e.g. error messages are correctly translated (Bug #55224).
For request tracing a unique ID has been added to each request via the HTTP header
X-Request-Idwhich is accepted as request header (or if not given uniquely created) and returned in the response headers (Bug #55186).The translation of error messages in the UDM REST API has been corrected (Bug #55446).
The error response format has been improved (while being backwards compatible). It is now described in the OpenAPI schema (Bug #50249).
A client can now request all CSS themes. This makes it possible to base themes on another theme. This is required for univention-app-appliance (Bug #55107).
The checkboxes in grids are now rendered in the correct state while scrolling (Bug #54451).
Cookie banners have been improved for mobile devices. The accept button is now permanently visible for easier use (Bug #55378).
The services univention-management-console-server and univention-management-console-web-server have been migrated to systemd (Bug #53885).
Univention Portal#
Some convenient code for Python 2 compatibility has been removed (Bug #55063).
Cookie banners have been improved for mobile devices. The accept button is now permanently visible for easier use (Bug #55378).
Tiles in portal were not displayed correctly due to a bug while loading user’s group membership (Bug #54497).
The script
portal-server-password-rotatehas been updated to generate more useful debug information (Bug #54273).The password hash comparison in
UMCAndSecretAuthenticatorhas been fixed (Bug #55010).
Univention Management Console server#
SAML Logouts using the SAML binding
HTTP-POSTis now supported. This is required for the use of UMC with e.g. Keycloak as an identity provider (Bug #55229).The SAML identity cache has been changed to an in-memory cache. This can be changed to the file system database by setting the UCR variable
umc/saml/in-memory-identity-cachetofalse. This is done automatically for servers with enabled multiprocessing (Bug #55424).The error handling of the pysaml2 usage has been improved (Bug #55248).
Exception stack traces are logged again when
umc/http/show_tracebacksis set toFalse(Bug #55423).A Keycloak SAML client for the local UMC is created during the join of a new server if the Keycloak App is installed in the domain (Bug #55395).
Calls to several OpenLDAP tools (slaptest etc.) fail when the
cn=configLDIF exists in the file-system. The package has been adjusted to explicitly use the configuration file instead to avoid this problem (Bug #55570).The library functions to get cached LDAP connections has been enhanced (Bug #54623).
Univention App Center#
Fixed an internal function for parsing the app argument in the CLI univention-app (Bug #55020).
Apps can now be pinned. A pinned app will no longer be upgraded or removed. They need to be unpinned first. univention-app pin $appid [--revert] (Bug #55467).
The listener converter script is now a long running process, reducing the CPU load that was caused by its constant restart (Bug #52000).
In case of a signature verification error, the App Center now shows the GPG error message (Bug #54123).
The listener converter script is now by default writing the UDM REST API representation into the JSON files (Bug #54773).
Debian packages that contain non UTF-8 byte sequences do not crash the Provider Portal anymore when creating new versions of apps (Bug #55634).
Univention Directory Manager and command line interface#
The syntax classes
UDM_Objects,ldapDn,ldapDnOrNonenow accept all valid LDAP DN characters as input (Bug #55563).It is now possible to create extended attributes for LDAP operational attributes (Bug #20235).
The
primaryGroupofusers/userwas unexpectedly reset to the default primary group when the primary group could not be read in LDAP. This was the case when the LDAP replication was not yet done or when the user had no permission to read it. The behavior is now postponed to actual modifications of the object (Bug #42080).The Python backend code to evaluate and apply template defaults has been optimized (Bug #55279).
The OpenAPI schema of the UDM REST API has been improved (Bug #55096).
The error format of the UDM REST API now contains property information about email address validation failures (Bug #55394).
A missing call to the super method
open()has been added in thenagios/serviceUDM module so that it is available in the UDM REST API again (Bug #54064).The syntax
emailAddress(and its children) are now checked against the external librarypython-email-validatorby default. This can be disabled with the new UCRVdirectory/manager/mail-address/extra-validation(Bug #55413).The
policies/umcmodule now also applied tocomputerobjects as the UMC- Server evaluated them also for those (Bug #54568).The
employeeNumberattribute has been removed from the default filter for user objects. As the attribute is not part of the equality and presence index it caused performance problems in larger environments when searching for users in the Univention Management Console (Bug #55412).The Simple UDM API provides policies references as mapping in version 3 to conform with the UDM REST API responses (Bug #50167).
The translation of error messages in the UDM REST API has been corrected (Bug #55446).
Changes for the UDM REST API required adjustments for the
users/selfUDM module (Bug #55430).univention.admin.uldap.access()now supports LDAP URIs to connect to (Bug #54623).The global uniqueness of
mailAlternativeAdresswithmailPrimaryAddressis now configurable via the UCR variabledirectory/manager/mail-address/uniqueness(Bug #54596).The performance and ability to debug the UDM command line client has been improved (Bug #33224).
The UDM command line client now writes error messages and warnings to standard error (Bug #4498).
A regression in UCS 5.0 for LDAP presence filters (
attribute=*) has been fixed. UDM modules which rewrite filters can now reliably test for LDAP presence filters (Bug #55037).UDM now can store NT hashes in the attribute
pwhistory. Until now it used the attributesambaPasswordHistory, which only stores salted hashes of hashes, which doesn’t allow synchronization to Samba/AD. UDM now doesn’t care about the attributesambaPasswordHistoryany longer (Bug #52230).The UDM modules
users/userandgroups/groupnow offer two additional UDM propertiesuniventionObjectIdentifieranduniventionSourceIAM.univentionObjectIdentifierwill be used by some apps to track the object identity regardless of the source of the object (e.g. eitherentryUUIDorobjectGUID) and in a way that is independent of implementation of the IAM backend (e.g. OpenLDAP or Active Directory, Bug #55154).A regression introduced by Bug #54883 has been fixed which caused that objects
user/ldapcould not be fetched via the UDM REST API (Bug #55189).The property
pwdChangeNextLoginof objectsusers/userwas not correctly unmapped in case it was not set. This caused the UDM REST API to wrongly represent it asNoneinstead ofFalse(Bug #55226).The property
groupsof UDM objectsusers/userare now resolved via thememberOfattribute instead of a manual search for group memberships to increase performance. Using the group memberships viamemberOfadds all groups to the user which he is assigned to, even if the reading user cannot read the specific groups of if the memberships are no objectsgroups/group. As there might be code which relies on this behavior and don’t do proper error handling when iterating over group memberships the new UCR variabledirectory/manager/user/group-memberships-via-memberofcan be used to restore the old behavior. The variable is going to be removed in UCS 5.1 (Bug #55269).The UDM object
users/ldapand various computer UDM object types have been extended to provide PKI user certificate properties (Bug #54987).The UDM property
countrycan now be mapped to the LDAP attributecinstead ofst. This new behavior can be enabled using the diagnostic module or/usr/share/univention-directory-manager-tools/udm-remap-country-from-st-to-c(Bug #50073).
Modules for system settings / setup wizard#
The selection and search for countries and cities during the initial system setup has been repaired. It was broken since the Python 3 migration (Bug #55156).
Calls to several OpenLDAP tools (slaptest etc.) fail when the
cn=configLDIF exists in the file-system. The package has been adjusted to explicitly use the configuration file instead to avoid this problem (Bug #54986).Joining into the domain is now also possible for users containing a zero in their usernames (Bug #45058).
Domain join module#
Rebuilt for libldb2 version 2.5.2 (Bug #54994).
A server with multiple MAC addresses is now able to join correctly again (Bug #54967).
License module#
The front-end univention-system-activation is now compatible with the new Portal framework introduced with UCS 5.0 (Bug #55107).
System diagnostic module#
Calls to several OpenLDAP tools (slaptest etc.) fail when the
cn=configLDIF exists in the file-system. The package has been adjusted to explicitly use the configuration file instead to avoid this problem (Bug #54986).A new diagnostic routine was added to check and optionally to reestablish the correctness of the repository configuration. The following checks are performed:
It is checked, if there are deprecated variables still defined. In this case by pressing the ADJUST ALL COMPONENTS button the merge process which is also done in the repository setting module is executed by the diagnostic routine including the deletion of the deprecated variables.
It is checked if there are UCR variables
repository/online/serverorrepository/online/component/*/serverhaving a scheme other thanhttporhttps. This can only be corrected manually using either the repository settings module or the UCR module to directly modify the variables. This second check can be disabled by defining an UCR variablediagnostic/check/65_check_repository_config/ignoreto any non-empty value (Bug #55044).
It is now possible to disable any diagnostic check by setting the UCR variable
diagnostic/check/disable/TEST_NAMEtotrue(Bug #55468).An error regarding compatibility with Python 3 has been repaired in the action migrate objects of 56_univention_types (Bug #55548).
A new UMC diagnostics module has been added to check UCR variable values for validity. As the type annotation of several UCR variables is currently wrong, types
intandboolare ignored for now and will be fixed by future updates (Bug #54495).The checks 40_samba_tool_dbcheck and 63_proof_uniqueMembers no longer crash due to duplicate decoding of strings during problem resolving (Bug #54988).
The diagnostics checks for SAML Identifier and Service Providers has been fixed to work again. It now provides more information in case of errors and provides automatic fixers to correct issues (Bug #49417).
The diagnostics check for the Univention Directory Notifier Protocol version has been extended to provide more information in case of errors and provides an automatic fixer to update the protocol version (Bug #49417).
Univention Configuration Registry module#
In the UCR module of the management console the following deprecated variables are hidden and therefore no longer displayed (Bug #55044):
repository/online/prefixrepository/online/portrepository/online/component/*/prefixrepository/online/component/*/portrepository/online/component/*/usernamerepository/online/component/*/passwordrepository/online/component/*/unmaintained
The UCR module now displays errors regarding the type constraints (Bug #55573).
Other modules#
The translation of error messages in the UDM REST API has been corrected (Bug #55446).
A typo in the name of the UMC Operation Set
udm-policieshas been adjusted (Bug #55460).LDAP syntax classes with
addEmptyValueorappendEmptyValuecaused an error when opening e.g. theusers/usermodule (Bug #54981).
Univention base libraries#
univention.lib.i18nnow provides a method to set the language of all already instantiatedTranslationinstances (Bug #55224).Calls to several OpenLDAP tools (slaptest etc.) fail when the
cn=configLDIF exists in the file-system. The package has been adjusted to explicitly use the configuration file instead to avoid this problem (Bug #54986).LDAP search requests now evaluate the response of server controls (Bug #49666).
Software deployment#
Calls to several OpenLDAP tools (slaptest etc.) fail when the
cn=configLDIF exists in the file-system. The package has been adjusted to explicitly use the configuration file instead to avoid this problem (Bug #54986).The description of the UCR variables
repository/online/*which is displayed by using the command ucr info was updated to document which variables are defined as deprecated and should no longer be used (Bug #55044).The types of the UCR variables
repository/online/*andrepository/online/component/*ending withserverorporthave been updated to UCR typeurl_httpand respectivelyportnumerin order to allow a better type checking (Bug #55044).Updating a local repository server failed when additional components hosted on a separate server like
service.software-univention.dewere enabled: Calling univention-repository-update net failed with aConfigurationErrorpointing to a wrong URL onupdates.software-univention.deinstead (Bug #55069).
PostgreSQL#
The script univention-postgresql-password has been updated to generate more useful debug information (Bug #54273).
Docker#
The docker daemon will now be restarted after changing proxy settings (Bug #51033).
SAML#
Creation of certificate for Keycloak App on UCS Primary Directory Node (Bug #55331).
The unmapping of the LDAP attribute
simplesamlLDAPattributesin the UDM modulesaml/serviceprovidernow always unmaps the value in the new mappable format to support a representation in the UDM REST API (Bug #55348).Add debug trace to the joinscript
91univention-saml.instto improve error reporting (Bug #44669).
Univention self service#
The subject of all self-service emails is now configurable via the UCR variables
umc/self-service/account-deregistration/email/subject,umc/self-service/account-verification/email/subject, andumc/self-service/email-change-notification/email/subject(Bug #55028).The email subject of the self-service password reset email is now configurable via the UCR variable
umc/self-service/passwordreset/email/subject(Bug #53227).It is no longer possible to enumerate Usernames using the password reset response (Bug #55346).
Mail services#
Several UCR variable type annotations have been fixed. Most importantly UCRV
clamav/proxy/httpis now checked for validity as specifying a URL with a path, query or fragment will break ClamAV (Bug #54495).An unnecessary LDAP ACL for the LDAP root DN has been removed, which caused a warning by slapschema (Bug #55159).
Dovecot#
The template file
/etc/pam.d/dovecothas been converted to multifile to support extending the configuration. For example, OX requires the PAM configuration to be extensible to add functional account support (Bug #55510).
Postfix#
The script
server_password_change.d/50univention-mail-serverhas been updated to generate more useful debug information (Bug #54273).The filter checking access to restricted mailing lists now accepts emails sent by users authenticating with their email address, when the system is configured to not use Dovecot SASL (Bug #55514).
Printing services#
After adding or removing printers UCS tells Samba to reload the configuration. In Samba 4.16 there is a new service samba-bgqd, which required adjusting the way that the listener
cups-printers.pyinitiates the reload to make Samba recognize the changes immediately (Bug #55264).When removing printer share definitions from Samba also remove the corresponding entries from the Samba registry and the TDB cache file (Bug #55492).
Nagios#
The arguments for calling nmblookup have been fixed. The flag
-Rhas been changed to--recursionin prior Samba releases. This repairs the Nagios checkUNIVENTION_NMBD(Bug #54919).
Proxy services#
The script
squid-pw-rotatehas been updated to generate more useful debug information (Bug #54273).Joining UCS@School replica servers into environments with many objects could fail due to timeouts in the join scripts
97univention-s4-connector,98univention-samba4-dnand98univention-squid-samba4. The synchronization of existing objects delayed the synchronization of new objects which are created during the join and necessary for its completion. The S4-Connector and the join scripts have been modified to sync these vital objects first, which speeds up the join process considerably (Bug #54791, Bug #55218).
SSL#
Browsers check the certificate using the Subject Alternative Names (SAN). They are verified in order, which stops on first match. Order the SANs by length to prioritize the most specific values first (Bug #54697).
Fix cron daily task execution: change shell from sh to bash (Bug #55030).
DHCP server#
The script
server_password_change.d/univention-dhcphas been updated to generate more useful debug information (Bug #54273).
Other services#
A new script univention-report-support-info has been added which has the capability to download the latest USI script as well as uploading the collected archive to Univention and sending an email to the Univention support (Bug #26684).
Samba#
The script univention-samba4-site-tool.py attempted to parse the option
-A(for providing an authentication file), which is now already handled by the samba package in UCS. This has been fixed (Bug #55082).The script command:s4search-decode can now be used to decode the attribute
ntPwdHistory(Bug #52230).Grant permission
SePrintOperatorPrivilegeto userAdministratorand groupPrinter-Adminsby default (Bug #54156).Rotate additional log files
log.dcerpcdandlog.rpcd_*(Bug #55435).Added a dependency on a specific package
samba-dsdb-modulesversion to prevent issues with new package installations (Bug #54994).Joining UCS@School replica servers into environments with many objects could fail due to timeouts in the join scripts
97univention-s4-connector,98univention-samba4-dnand98univention-squid-samba4. The synchronization of existing objects delayed the synchronization of new objects which are created during the join and necessary for its completion. The S4-Connector and the join scripts have been modified to sync these vital objects first, which speeds up the join process considerably (Bug #54791, Bug #55218).Renaming a share works again. This was broken in UCS 5.0-0 due to an error in the listener module writing the share configuration (Bug #55077).
The script
server_password_change.d/univention-sambahas been updated to generate more useful debug information (Bug #54273).The UCR template for the Samba
logrotateconfiguration has been fixed (Bug #55591).Rotate additional log files
log.dcerpcdand file:log.rpcd_* (Bug #55435).A segmentation fault in rpcd_spoolss has been fixed. Adding printer drivers is possible again (Bug #55048).
Univention S4 Connector#
The password history synchronization now works when the policy
pwdhistory_lengthis not defined (Bug #55232).Joining UCS@School replica servers into environments with many objects could fail due to timeouts in the join scripts
97univention-s4-connector,98univention-samba4-dnand98univention-squid-samba4. The synchronization of existing objects delayed the synchronization of new objects which are created during the join and necessary for its completion. The S4-Connector and the join scripts have been modified to sync these vital objects first, which speeds up the join process considerably (Bug #54791).The script
server_password_change.d/univention-s4-connectorhas been updated to generate more useful debug information (Bug #54273).The function
group_members_sync_to_ucs()used a UCS DN to search in Samba, which usually doesn’t cause issues, as long as the group object is located in the same position (Bug #55131).The connector now synchronizes the password history between Samba and UCS (Bug #52230).
Univention Active Directory Connection#
The password history synchronization now works when the policy
pwdhistory_lengthis not defined (Bug #55232).The mapping now evaluates UCR variables with respect to the configbasename. Therefore it is now possible again to create additional AD connector instances via prepare-new-instance, which was broken since UCS 5.0-0 (Bug #54780).
The function
group_members_sync_to_ucs()used the UCS DN to search in AD, this regression introduced in UCS 5.0-0 has been fixed (Bug #55087).The connector now synchronizes the password history between AD and UCS (Bug #52230).
When the password in Microsoft AD was reset for a user account with the flag user must change password at next logon active, the AD-Connector did not synchronize the password hashes to UCS in case the UCR variable
connector/ad/mapping/attributes/irrelevantwas set to the default value. This UCR variable lists a number of attributes that should be ignored for performance reasons, like e.g. changes to the AD attributelastLogon. The AD flag user must change password at next logon is mapped to the Univention Directory Manager propertypwdChangeNextLogin. The behavior of the AD- Connector has been adjusted to always synchronize thepost_attributeslisted inmapping.pyin this case. Please note that environments running an AD-Connector also run Samba/AD should check that UCR variableconnector/ad/mapping/user/password/kerberos/enabledis activated. If that’s not activated, only the NT hash is synchronized from AD to UDM and then the S4-Connector only synchronizes the NT-Hash, leaving the previous Kerberos hashes insupplementalCredentialsuntouched, thus not conforming to the desired password reset when Kerberos is used in the UCS Samba/AD domain: Non- Kerberos logons would use the new NT-hashes, but Kerberos authentication would still use the previous password hashes (Bug #52192).When objects were changed in Microsoft Active Directory, the AD-Connector checked if the object should be ignored. The decision is based on three criteria,
match_filter,ignoresubtreeand theignorelistfrom which theignore_filteris constructed. Since Bug #37351 has been fixed in UCS UCS 4.0 erratum 131 this check is not only applied to the new object, but also to the object existing in UDM, which represents the old state at the time of sync. In scenarios where an object is present in UDM and Microsoft Active Directory but matches theignore_filterthis had the negative side effect, that the AD object would still be ignored even if the administrator changed an attribute in a way that the new object did not match theignore_filterany longer. This affected user objects. This problem has been fixed by restricting the change for Bug #37351 to apply only to objects matching the criteria of awindowscomputer, as these don’t have anignore_filter(Bug #55150).univention-adsearch did not properly work in multi-connector setups (Bug #54781).
Other changes#
The login page and tab name of the Keycloak Single-Sign On page have been modified to match those of the simpleSAMLphp login page (Bug #55478).
Users can now login with their
mailPrimaryAddressas well as their username at Keycloak (Bug #55458).The script univention-keycloak didn’t evaluate the app setting
keycloak/server/sso/fqdn. Due to this, the joinscript of the Keycloak app failed if this setting is set (Bug #55569).Many options of the script univention-keycloak can now be passed on the command line. univention-config-registry is not required anymore, but only gives sane defaults (Bug #55513).
A traceback in univention-keycloak was thrown when trying to enable the two factor authentication. This has been fixed (Bug #55519).
A new flag
--umc-uid-mapperhas been added to the command line tool univention-keycloak. This makes it easier to create SAML service-provider for the UMC (Bug #55431).The univention-keycloak package has been added. This package contains a CLI tool that is used by the Univention Keycloak app (Bug #55383).
StartTLS is now used as default for LDAP federation in Keycloak (Bug #55488).
The flag
--metadata-filehas been added to univention-keycloak. This is necessary to create a UMC SAML client during the join since the metadata information cannot be fetched via https during the join (Bug #55570).The ownership, group and permissions of LDAP backups are now configurable via the UCR variables
slapd/backup/owner,slapd/backup/groupandslapd/backup/permissions(Bug #54782).The UCR variable description for the variable
ldap/database/typehas been updated and now describes deprecated and recommended values (Bug #54821).Create initial fake schema in unjoined Backup/Replica servers too to avoid invalid slapd configurations that may break upgrades (Bug #54465).
Allow Directory Node Backup and Replica servers to do an unlimited LDAP search, which is required for join in large domains with more than 400k entries (Bug #34877).
Change code to emit UCRV
ldap/translog-ignore-temporaryonly when LDAP overlay moduletranslogis enabled (Bug #55558).Calls to several OpenLDAP tools (slaptest etc.) fail when the
cn=configLDIF exists in the file-system. The package has been adjusted to explicitly use the configuration file instead to avoid this problem (Bug #54986).The object class
univentionObjectnow offers two additional optional attributesuniventionObjectIdentifieranduniventionSourceIAM.univentionObjectIdentifierwill be used by some apps to track the object identity regardless of the source of the object (e.g. eitherentryUUIDorobjectGUID) and in a way that is independent of implementation of the IAM backend (e.g. OpenLDAP or Active Directory, Bug #55154).An additional ACL access directive for the machine account provides faster access to DNS zone objects (Bug #54140).
On UCS Replica Directory Nodes the OpenLDAP
ppolicyoverlay was not allowed to lock user accounts. The server ACLs have been adjusted to allow this (Bug #55501).The Debian package python-email-validator has been back ported and updated to be used in univention-directory-manager-modules (Bug #55413).
An open file descriptor leak has been fixed, which was triggered by
gdbm_reorganize(). This affected univention-group-membership-cache taking up a huge amount of disk space until the Directory Listener was restarted (Bug #55286).The script execution is now restricted to valid system roles. A missing metric has been added to the alert
UNIVENTION_ADCONNECTOR_METRIC_MISSING. A leftover Nagios reference has been removed in in check_univention_nfsstatus (Bug #54968).Removing alerts from computer objects has been fixed (Bug #54985).
LDAP ACL’s allowing DCs and member servers to change alerts have been added. The alert descriptions have been improved. The authentication when trying to reload Prometheus alerts has been fixed. Query expressions now use templates and restrict the metrics to the assigned hostnames (Bug #54947).
The alert expressions for checking the SSL validity and the swap usage have been repaired. The join status check has been split into two checks. An error in check_univention_samba_drs_failures has been fixed (Bug #54919).
When prometheus-node-exporter was not installed error mails by cron were sent due to a missing directory (Bug #54927).
The check script check_univention_ntp now handles errors when the NTP service is not reachable. The translation of the UDM module has been fixed. The property
templateValuesis now exposed by the UDM module (Bug #55017).It is now possible to disable the UDM UMC module
monitoring/alertwith specific UMC ACL’s (Bug #55341).Fixed ldapsearch call in check_univention_joinstatus. Wrong parameters created periodically high load on slapd (Bug #55068).
The scripts univention-nscd and univention-libnss-ldap have been updated to generate more useful debug information (Bug #54273).
The error handling of the directory logger has been improved. Especially in regards to corrupted files created by the overlay module
dellog(Bug #51772).The generated Listener module code has been updated to follow the API for Listener modules set with UCS 5.0-2, which deprecated the method
ListenerModuleConfiguration.get_configuration()(Bug #54502).Tiles in portal were not displayed correctly due to a bug while loading user’s group membership (Bug #54497).
Improved performance of the function
users_groups()which is used in univention-portal (Bug #55120).Python 3 compatibility for the SSS (Server Side Search control) has been added (Bug #49666).
Code to handle old package updates has been removed from many packages (Bug #42330).
Add missing features from the OX Fetchmail implementation to univention-fetchmail. Now users can have more than one Fetchmail configuration and use multi-drop configurations. (Bug #55575).