Changelog for Univention Corporate Server (UCS) 5.2-2#

General#

  • Univention Corporate Server 5.2-2 includes the following updated packages from Debian 12:

    docker.io fig2dev base-files bash busybox containerd debian-archive-keyring distro-info-data dns-root-data initramfs-tools nvidia-graphics-drivers-tesla qemu rsyslog spamassassin systemd tzdata wireless-regdb xen 389-ds-base atop bup cdebootstrap chkrootkit chromium crowdsec dacite dar dcmtk debian-installer debian-installer-netboot-images debian-ports-archive-keyring debian-security-support dgit djoser dpdk edk2 elpa erlang fossil gensim golang-github-containerd-stargz-snapshotter golang-github-containers-buildah golang-github-openshift-imagebuilder graphicsmagick haproxy igtf-policy-bundle iptables-netflow jetty9 joblib lemonldap-ng libapache-mod-jk libapache2-mod-auth-openidc libbson-xs-perl libdata-entropy-perl libeconf libpod librabbitmq libreoffice libsub-handlesvia-perl libtar linuxcnc logcheck ltt-control lttng-modules mediawiki mercurial monero mongo-c-driver mozc ndcube network-manager nginx node-axios node-fstream-ignore node-js-sdsl node-postcss node-recast node-redis node-rollup node-send node-serialize-javascript nvidia-graphics-drivers-tesla-535 nvidia-open-gpu-kernel-modules nvidia-settings open-vm-tools openh264 openrazer opensaml opensnitch openvpn php-nesbot-carbon php8.2 phpmyadmin policyd-rate-limit prometheus prometheus-postfix-exporter puma python-pycdlib qtbase-opensource-src rails rapiddisk redis renaissance request-tracker4 request-tracker5 ruby-rack runit-services sash seqan3 simgear skeema skopeo subversion sunpy telegram-desktop thunderbird tomcat10 trafficserver tripwire twitter-bootstrap3 twitter-bootstrap4 user-mode-linux vagrant varnish vips webkit2gtk xmedcon zsh

  • The following packages have been moved to the maintained repository of UCS:

    nvidia-graphics-drivers-tesla-535

Basic system services#

Univention Configuration Registry#

Changes to templates and modules#

  • Bash shell command line completion was not available by default for interactive non-login shells, affecting screen and sudo sessions. The UCR template for /etc/bash.bashrc has been adjusted to enable command line completion by default for interactive shells (Bug #54717).

  • The route tool from the net-tools package is used on some UCS systems for the configuration of additional routes through Univention Configuration Registry Variables. Due to a change in the package dependencies with UCS 5.2-0, the net-tools package was no longer installed automatically, which meant that these additional routes were no longer set automatically when configuring the network interfaces. The package dependencies have been adjusted accordingly so that this package is now automatically installed again (Bug #58061).

  • This update delivers the new command line tool univention-lmdb-fragmentation that can be used to detect excessive fragmentation in the LMDB databases used in UCS (Bug #58047).

Other system services#

  • The allowed machine password length has been increased from 60 to 256 characters (Bug #52575).

Domain services#

OpenLDAP#

  • When checking for password expiry, the OpenLDAP overlay module shadowbind looks at the LDAP attribute shadowMax, which is stored at the user accounts. It treated a value of 0 specially as “no expiry check needed”. Univention improved input value validation, because a value of 0 was considered invalid before. This update changes that: a value of 0 is now treated as a normal value. This change became necessary to make the handling of password expiry on the day of expiry more consistent between pam_unix, OpenLDAP and Kerberos (Bug #58048).

  • The tool slapschema returned an exit status of zero if the last object checked was OK, even if it found problems with previous objects. So it behaved a bit like the -c option was given. Now the tool stops on first error unless -c is given and returns a non-zero exit code in case a problem is detected on any of the objects checked (Bug #58120).

LDAP Directory Manager#

  • First incremental release for new experimental feature delegate administration (Bug #58113).

  • The performance of removing computer objects in environments with many DNS host records has been improved significantly (Bug #58119).

  • Attributes containing distinguished names as values were normalized and thus may have differed in string representation from the distinguished names of the LDAP objects themselves. This could lead to errors in the UMC not recognizing the correct item in combobox widgets. This has been aligned: all data is now written un-normalized (Bug #58261).

  • In the experimental feature “delegative administration”, administrators can now define writable attributes for UDM objects (Bug #58201).

  • The PAM module pam_unix interprets (shadowLastChange + shadowMax) as the day on which the password is still valid. For example, with shadowMax=1 this PAM module considers a password valid during the day after the change. That causes inconsistent behavior when compared to Kerberos, where krb5PasswordEnd defines a definite point in time at which the password is considered invalid, and UDM sets krb5PasswordEnd to the beginning of the day of expiry. shadowMax is an LDAP attribute that is added to user accounts during password change; its value is determined by the UDM password history policy applied to the user. UDM now sets shadowMax to (pwhistoryPolicy.expiryInterval - 1) to compensate for the behavior of pam_unix and make it more consistent with the behavior of Kerberos (Bug #58048).

  • UDM hook extension modules could overwrite members of the global Python namespace, possibly leading to trivial conflicts between imported modules. The import of these modules has been adjusted to sandbox their global namespace and selectively import only the intended subclass types (Bug #57630).

  • The univentionObjectIdentifier UDM property has been added to all UDM modules. It is set to an auto-generated value if none was specified in the create request (Bug #58252, Bug #58318).

  • An LDAP equality index is now created for the attribute univentionObjectIdentifier (Bug #57393).

  • The OpenAPI schema has been adjusted to allow the specification of multiple policies for UCR policies (Bug #57988).

Univention Management Console#

Univention Management Console web interface#

  • The Tree widget now correctly encodes its content, effectively removing a cross-site scripting (XSS) attack vector (Bug #49001).

  • A syntax check error message didn’t properly escape HTML code in XSS attempts on UCR keys (Bug #58279).

  • Certain widgets, for example in the Users module, weren’t considered empty by the frontend although they were. This led to values being sent to the backend that should have been ignored. This has been fixed (Bug #58130).

  • Improved the styling of the MultiInput widget when displaying more than two input fields to enhance UI appearance in the UMC (Bug #58122).

Univention Portal#

  • The Portal now sanitizes HTML content in tooltips and notifications to prevent cross-site scripting (XSS) vulnerabilities (Bug #58311).

  • The server’s address is no longer included in the meta.json file by default and is now only visible during system setup to prevent information disclosure (Bug #58280).

Univention Management Console server#

  • Unused information for unauthenticated users has been removed from the meta.json to prevent information disclosure (Bug #54257).

  • The server’s address is no longer included in the meta.json file by default and is now only visible during system setup to prevent information disclosure (Bug #58280).

  • Logging of failure reasons when retrieving the OIDC access token has been improved (Bug #58114).

  • Logging of stack traces is now done with ERROR facility and they are additionally logged to the log files of the modules (Bug #46057).

  • A configuration option to deactivate checks for TLS encrypted connections has been added to the UMC Server to support using the SASL mechanism OAUTHBEARER in Kubernetes environments (Bug #58210).

Univention App Center#

  • Applied stricter content sanitization in the App Center to prevent exploitation via Cross-Site Scripting (XSS) and related attack vectors (Bug #58327).

Modules for system settings / setup wizard#

  • The hostname length limit has been relaxed from 13 to 15 characters (Bug #56128).

Domain join module#

  • The scripts univention-join and univention-run-join-scripts now set the umask to 0022 so that customized more restricted settings don’t cause problems in join scripts and listener modules (Bug #56634).

  • The usage of chown has been made future proof to prevent a misleading error message in the join log file (Bug #58033).

User management#

  • Administrators can specify trusted hosts to bypass the UMC self-service rate limit. This can be done by adding the hosts to the Univention Configuration Registry Variable umc/self-service/rate-limit/trusted-hosts (Bug #58214).

  • Users can now edit their country in the self service profile view again. The LDAP attribute c has been added to the default list of allowed attributes to be changed in the profile view. Since UCS 5.2 the Country property corresponds to the LDAP attribute c instead of st (Bug #57397).

  • The Self-Service UMC module now attempts to reconnect if its connection to the PostgreSQL database is interrupted during fetching of password reset tokens. If the reconnection attempt fails, the connection is re-established on the next request (Bug #58159).

System diagnostic module#

  • This update delivers a new diagnostic module 70_lmdb_fragmentation that can be used to detect excessive fragmentation in the LMDB databases used in UCS (Bug #58047).

  • A new script was added: univention-export-anonymized-ldap creates an offline copy of the LDAP server. It anonymizes user data such as names, mail addresses, and passwords. The use case is a file that can be used in testing environments, for example, to analyze performance (Bug #58247).

Policies#

  • The allowed machine password length has been increased from 27 to 256 characters (Bug #52575).

Univention Configuration Registry module#

  • The UMC module didn’t properly escape HTML code forcefully injected from the server side in cross-site scripting (XSS) attempts on UCR keys (Bug #58279).

LDAP directory browser#

  • The UDM Grid widget now correctly encodes its content, effectively removing a cross-site scripting (XSS) attack vector (Bug #49001).

  • First incremental release for new experimental feature delegate administration (Bug #58113).

  • In the experimental feature “delegative administration” one can now define writable attributes for UDM objects (Bug #58201).

  • The performance of receiving object representations in UDM HTTP REST API and the UMC module has been improved (Bug #58278).

Univention base libraries#

  • The initial objects during the LDAP bootstrapping of new installations now automatically set generated values for univentionObjectIdentifier (Bug #58310).

System services#

SAML#

  • The options startTls and connectionPooling are incompatible in Keycloak 26. As of this version, connectionPooling will only be activated if startTls is deactivated. This is due to underlying limitations with pooling secure (TLS) connections (Bug #58183).

  • The basic scope is now added as the default scope when creating OIDC relying party clients (Bug #58254).

Mail services#

IMAP services#

  • In certain scenarios, the pwdChangeNextLogin enabled state of users was reset during IMAP authentication in the PAM stack of dovecot. This is now prevented (Bug #58127).

Services for Windows#

Univention S4 Connector#

  • The PAM module pam_unix interprets (shadowLastChange + shadowMax) as the day on which the password is still valid. For example, with shadowMax=1 this PAM module considers a password valid during the day after the change. That causes inconsistent behavior when compared to Kerberos, where krb5PasswordEnd defines a definite point in time at which the password is considered invalid, and UDM sets krb5PasswordEnd to the beginning of the day of expiry. shadowMax is an LDAP attribute that is added to user accounts during password change; its value is determined by the UDM password history policy applied to the user. UDM now sets shadowMax to (pwhistoryPolicy.expiryInterval - 1) to compensate for the behavior of pam_unix and make it more consistent with the behavior of Kerberos (Bug #58048).

Univention Active Directory Connection#

  • The PAM module pam_unix interprets (shadowLastChange + shadowMax) as the day on which the password is still valid. For example, with shadowMax=1 this PAM module considers a password valid during the day after the change. That causes inconsistent behavior when compared to Kerberos, where krb5PasswordEnd defines a definite point in time at which the password is considered invalid, and UDM sets krb5PasswordEnd to the beginning of the day of expiry. shadowMax is an LDAP attribute that is added to user accounts during password change; its value is determined by the UDM password history policy applied to the user. UDM now sets shadowMax to (pwhistoryPolicy.expiryInterval - 1) to compensate for the behavior of pam_unix and make it more consistent with the behavior of Kerberos. The AD-Connector has been adjusted accordingly (Bug #58048).
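
The shadowMax arithmetic described in the pam_unix items above (and the reason shadowbind under OpenLDAP now has to accept shadowMax=0) as a worked example; this is added illustration, not UCS or UDM code. It models the day-of-expiry rule of pam_unix and the point-in-time rule of Kerberos and checks on which days the two verdicts agree, assuming shadowLastChange counts days since 1970-01-01 and krb5PasswordEnd is set at 00:00 UTC of the expiry day.

```python
# Added illustration (not UCS or UDM code): models the day-of-expiry semantics
# described above so the pam_unix / Kerberos mismatch can be checked by hand.
# Assumptions: shadowLastChange counts days since 1970-01-01 as in shadow(5),
# and krb5PasswordEnd is 00:00 UTC of the expiry day.
from datetime import date, datetime, time, timedelta, timezone

EPOCH = date(1970, 1, 1)

def shadow_max_for_policy(expiry_interval: int) -> int:
    """UDM's new mapping: shadowMax = pwhistoryPolicy.expiryInterval - 1.
    expiryInterval=1 yields shadowMax=0, which is why shadowbind now has to
    treat 0 as a normal value instead of 'no expiry check needed'."""
    if expiry_interval < 1:
        raise ValueError("expiryInterval must be at least 1 day")
    return expiry_interval - 1

def pam_unix_password_valid(shadow_last_change: int, shadow_max: int, today: date) -> bool:
    """pam_unix: day (shadowLastChange + shadowMax) is still valid, the next day is not."""
    return (today - EPOCH).days <= shadow_last_change + shadow_max

def krb5_password_end(change_day: date, expiry_interval: int) -> datetime:
    """UDM sets krb5PasswordEnd to the beginning of the day of expiry."""
    expiry_day = change_day + timedelta(days=expiry_interval)
    return datetime.combine(expiry_day, time(0), tzinfo=timezone.utc)

def kerberos_password_valid(change_day: date, expiry_interval: int, now: datetime) -> bool:
    """Kerberos: the password is invalid from krb5PasswordEnd onwards."""
    return now < krb5_password_end(change_day, expiry_interval)

def pam_and_kerberos_agree(change_day: date, expiry_interval: int, old_mapping: bool = False) -> bool:
    """True if pam_unix and Kerberos give the same verdict on every day around expiry.
    old_mapping=True uses shadowMax = expiryInterval, the previous UDM behaviour."""
    shadow_max = expiry_interval if old_mapping else shadow_max_for_policy(expiry_interval)
    shadow_last_change = (change_day - EPOCH).days
    for offset in range(expiry_interval + 3):  # change day up to two days past expiry
        day = change_day + timedelta(days=offset)
        noon = datetime.combine(day, time(12), tzinfo=timezone.utc)
        pam = pam_unix_password_valid(shadow_last_change, shadow_max, day)
        krb = kerberos_password_valid(change_day, expiry_interval, noon)
        if pam != krb:
            return False
    return True

if __name__ == "__main__":
    changed = date(2025, 1, 1)
    print("old mapping consistent:", pam_and_kerberos_agree(changed, 90, old_mapping=True))
    print("new mapping consistent:", pam_and_kerberos_agree(changed, 90))
```

With the old mapping the two disagree exactly on the expiry day (pam_unix still accepts, Kerberos already rejects); with shadowMax = expiryInterval - 1 the verdicts match on every day.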

Other changes#

  • A configuration option to deactivate checks for TLS encrypted connections has been added to support using the SASL mechanism OAUTHBEARER in Kubernetes environments (Bug #58210).

  • A segmentation fault is prevented if the JWKS file for the OpenID Connect provider is larger than 8192 bytes (Bug #57508).