Version 1.16.x

This page shows the changelog for Nubus for Kubernetes 1.16.x:

Version 1.16.0 - 2025-12-15

This is the twenty-fourth production release of Nubus for Kubernetes.

Upgrade path

For the upgrade to version 1.16.0, your deployment must run on version 1.15.x. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].

Release highlights

SBOM/VEX attestation for all container images

All images are now accompanied by a verified SBOM (Software Bill of Materials), which provides a comprehensive list of components and dependencies used in the container images. VEX (Vulnerability Exploitation eXchange) information is also provided, enabling users to quickly identify potential vulnerabilities and make informed decisions about the urgency of updating to a new version. Triage of the VEX information is still a work in progress. Univention continues to enhance the SBOM and VEX offerings, providing more detailed information and improving the user experience.

Migration steps

This section lists necessary migration steps that may apply to you. You need to run them before the upgrade.

No migration steps are required for this release.

Changes

This section lists the changes in 1.16.0 grouped by component in Nubus for Kubernetes.

Management UI

  • The Management UI now uses an internally maintained Memcached deployment instead of the Bitnami Memcached Helm Chart. This transition doesn’t require configuration changes.

Provisioning Service

  • Adjust the policy for the incoming stream between the UDM Transformer and the Provisioning Dispatcher to use Interest mode instead of WorkQueue mode. This change allows the Provisioning to work in Nubus for UCS. The system automatically migrates existing streams during the update by sealing the old stream, draining pending messages, and recreating it with the new policy.

  • Improve performance when handling large messages, particularly in scenarios involving group messages with extensive member lists.

  • Update the bundled NATS to version 2.12.2.

Keycloak

  • Upgrade Keycloak to version 26.4.6. This includes a security fix for CVE-2025-13467.

Portal Service

  • Address a critical accessibility issue affecting visually impaired users when navigating modals. Previously, elements under the modal remained focusable, causing difficulties for users with a screen reader.

Documentation

  • The Univention Nubus for Kubernetes - Operation Manual [1] includes SMTP server configuration for email sending. Various components in Nubus for Kubernetes require an SMTP server for sending email notifications, such as password reset emails and account verification.

Included errata updates

Update all components in Nubus for Kubernetes to use the UCS 5.2-3 base image and include bug fixes up to UCS 5.2 erratum 298. For UCS errata updates, see Security and bugfix errata for UCS 5.2. The reference date is 28 November 2025.

The errata updates contain fixes for the following CVEs:

lasso
libxml2