Version 1.17.x
This page shows the changelog for Nubus for Kubernetes 1.17.x:
Version 1.17.0 - 2026-01-23
This is the twenty-fifth production release of Nubus for Kubernetes.
Upgrade path
For the upgrade to version 1.17.0, your deployment must run on version 1.16.x. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].
Release highlights
- Structured logging for UDM HTTP REST API and UMC Server
The UDM HTTP REST API and UMC Server now support structured logging, making it easier to parse and analyze logs in centralized logging systems. This release has structured logging deactivated by default. The next release has it enabled by default.
For information about how to enable structured logging and how to parse the log format, see Structured logging in Univention Nubus for Kubernetes - Operation Manual [1].
Migration steps
This release doesn’t require any migration steps.
Changes
This section lists the changes in 1.17.0 grouped by component in Nubus for Kubernetes.
Portal Service
Add the guardianPermissionView attribute to the portal entry schema to prepare the upcoming integration of Guardian and Portal.
Keycloak
Remove nginx-specific CORS annotations from the UMC Gateway Ingress to improve compatibility with other Ingress controllers. The Keycloak Ingress now proxies /univention/ paths to the UMC Gateway service, making the fetch of meta.json a same-origin request.
Add Helm Chart values:
Logging
Deactivate structured logging by default for UDM HTTP REST API and UMC Server. The next release enables structured logging by default.
For information about how to enable structured logging and how to parse the log format, see Structured logging in Univention Nubus for Kubernetes - Operation Manual [1].
Provisioning Service
The Provisioning UDM Transformer transforms LDAP representations of messages into their UDM representations. The transformation no longer uses an embedded UDM library, but instead uses an added UDM HTTP REST API endpoint. This simplifies the UDM Transformer and centralizes the UDM business logic into fewer components.
Add Helm Chart values for authentication with the UDM HTTP REST API:
Remove Helm Chart values because the UDM Transformer no longer requires an LDAP connection:
- nubusProvisioning.udmTransformer.ldap.auth.bindDn
- nubusProvisioning.udmTransformer.ldap.auth.password
- nubusProvisioning.udmTransformer.ldap.auth.existingSecret.name
- nubusProvisioning.udmTransformer.ldap.auth.existingSecret.keyMapping.password
- nubusProvisioning.udmTransformer.ldap.connection.host
- nubusProvisioning.udmTransformer.ldap.connection.port
- nubusProvisioning.udmTransformer.config.LDAP_TLS_MODE
- global.configMapUcr
Remove unused Helm Chart values:
- nubusProvisioning.registerConsumers.config.UDM_HOST
- nubusProvisioning.registerConsumers.config.UDM_PORT
Included errata updates
Update all components in Nubus for Kubernetes to use the UCS 5.2-4 base image and include bug fixes up to UCS 5.2 erratum 311. For UCS errata updates, see Security and bugfix errata for UCS 5.2. Reference date is 07. January 2026.
The errata updates contain fixes for the following CVEs:
- Authlib
CVE-2025-59420 (high), CVE-2025-61920 (high), CVE-2025-68158 (high)
CVE-2025-62706 (medium)
- aiohttp
CVE-2024-23334 (high), CVE-2024-30251 (high), CVE-2024-23829 (medium)
CVE-2024-27306 (medium), CVE-2024-42367 (medium)
- css-tools
CVE-2023-48631 (high)
CVE-2023-26364 (medium)
- dojo
CVE-2021-23450 (critical)
- dompurify
CVE-2024-48910 (critical), CVE-2019-16728 (medium), CVE-2019-25155 (medium)
CVE-2020-26870 (medium), CVE-2024-45801 (medium), CVE-2024-47875 (medium)
CVE-2025-26791 (medium)
- gcc-12-base
CVE-2023-4039 (medium)
- github.com/containerd/containerd
CVE-2024-25621 (high), CVE-2024-40635 (high), CVE-2025-47291 (high)
CVE-2025-47290 (medium), CVE-2025-64329 (medium)
- github.com/sirupsen/logrus
CVE-2025-65637 (high)
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
CVE-2023-45142 (high)
- golang.org/x/net
CVE-2023-39325 (high), CVE-2023-45288 (high), CVE-2023-3978 (medium)
CVE-2024-45338 (medium), CVE-2025-22870 (medium), CVE-2025-22872 (medium)
- google.golang.org/protobuf
CVE-2024-24786 (high)
- gunicorn
CVE-2024-1135 (high)
CVE-2024-6827 (high)
- h11
CVE-2025-43859 (critical)
- jq
CVE-2025-48060 (high)
- libc-bin
CVE-2025-0395 (high)
- libc6
CVE-2025-0395 (high)
- libcap2
CVE-2025-1390 (medium)
- libcap2-bin
CVE-2025-1390 (medium)
- libexpat1
CVE-2023-52425 (high)
CVE-2024-8176 (high)
CVE-2024-50602 (medium)
- libgcc-s1
CVE-2023-4039 (medium)
- libgnutls30
CVE-2025-32988 (high), CVE-2025-32990 (high), CVE-2024-12243 (medium)
CVE-2025-32989 (medium), CVE-2025-6395 (medium)
- libgssapi-krb5-2
CVE-2025-24528 (high)
CVE-2024-26462 (medium)
- libjq1
CVE-2025-48060 (high)
- libk5crypto3
CVE-2025-24528 (high)
CVE-2024-26462 (medium)
- libkrb5-3
CVE-2025-24528 (high)
CVE-2024-26462 (medium)
- libkrb5support0
CVE-2025-24528 (high)
CVE-2024-26462 (medium)
- liblzma5
CVE-2025-31115 (unknown)
- libpython3.11-minimal
CVE-2024-7592 (high), CVE-2024-9287 (high), CVE-2023-27043 (medium)
CVE-2024-6923 (medium), CVE-2024-11168 (low), CVE-2025-0938 (unknown)
CVE-2025-1795 (unknown)
- libpython3.11-stdlib
CVE-2024-7592 (high), CVE-2024-9287 (high), CVE-2023-27043 (medium)
CVE-2024-6923 (medium), CVE-2024-11168 (low), CVE-2025-0938 (unknown)
CVE-2025-1795 (unknown)
- libssl3
CVE-2024-13176 (medium)
- libstdc++6
CVE-2023-4039 (medium)
- libsystemd0
CVE-2025-4598 (medium)
- libtasn1-6
CVE-2024-12133 (medium)
- libudev1
CVE-2025-4598 (medium)
- linux-libc-dev
CVE-2024-26842 (high), CVE-2024-26930 (high), CVE-2024-35869 (high)
CVE-2024-35929 (high), CVE-2024-35949 (high), CVE-2024-39479 (high)
CVE-2024-49928 (high), CVE-2024-50112 (high), CVE-2024-53177 (high)
CVE-2024-57899 (high), CVE-2025-37882 (high), CVE-2025-39905 (high)
CVE-2021-47658 (medium), CVE-2023-52596 (medium), CVE-2024-26719 (medium)
CVE-2024-27005 (medium), CVE-2024-35878 (medium), CVE-2024-35974 (medium)
CVE-2024-41067 (medium), CVE-2024-42067 (medium), CVE-2024-42135 (medium)
CVE-2024-44957 (medium), CVE-2024-46762 (medium), CVE-2024-46825 (medium)
CVE-2024-46842 (medium), CVE-2024-48875 (medium), CVE-2024-49932 (medium)
CVE-2024-50277 (medium), CVE-2024-53050 (medium), CVE-2024-56782 (medium)
CVE-2024-57843 (medium), CVE-2024-57875 (medium), CVE-2024-57952 (medium)
CVE-2025-37745 (medium), CVE-2025-37799 (medium), CVE-2025-37877 (medium)
CVE-2025-37878 (medium), CVE-2025-37954 (medium), CVE-2025-38099 (medium)
CVE-2025-38208 (medium), CVE-2025-38269 (medium), CVE-2025-38321 (medium)
CVE-2025-39745 (medium), CVE-2025-39753 (medium), CVE-2025-39781 (medium)
CVE-2024-57898 (low), CVE-2023-53469 (unknown), CVE-2023-53764 (unknown)
CVE-2023-53767 (unknown), CVE-2023-54016 (unknown), CVE-2023-54061 (unknown)
CVE-2023-54082 (unknown), CVE-2023-54161 (unknown), CVE-2023-54261 (unknown)
CVE-2023-54320 (unknown), CVE-2024-44972 (unknown), CVE-2025-37942 (unknown)
CVE-2025-38073 (unknown), CVE-2025-39958 (unknown), CVE-2025-40195 (unknown)
CVE-2025-40210 (unknown), CVE-2025-40217 (unknown), CVE-2025-40305 (unknown)
CVE-2025-40336 (unknown), CVE-2025-40340 (unknown), CVE-2025-40353 (unknown)
CVE-2025-40361 (unknown), CVE-2025-40362 (unknown), CVE-2025-68174 (unknown)
CVE-2025-68175 (unknown), CVE-2025-68178 (unknown), CVE-2025-68193 (unknown)
CVE-2025-68203 (unknown), CVE-2025-68224 (unknown), CVE-2025-68230 (unknown)
CVE-2025-68281 (unknown), CVE-2025-68297 (unknown), CVE-2025-68309 (unknown)
CVE-2025-68311 (unknown), CVE-2025-68313 (unknown), CVE-2025-68317 (unknown)
CVE-2025-68318 (unknown), CVE-2025-68333 (unknown), CVE-2025-68357 (unknown)
CVE-2025-71115 (unknown)
- login
CVE-2023-4641 (medium)
CVE-2023-29383 (low)
- nginx
CVE-2024-7347 (medium)
CVE-2025-23419 (medium)
- nginx-common
CVE-2024-7347 (medium)
CVE-2025-23419 (medium)
- openssl
CVE-2024-13176 (medium)
- passwd
CVE-2023-4641 (medium)
CVE-2023-29383 (low)
- perl-base
CVE-2024-56406 (high)
- python3.11
CVE-2024-7592 (high), CVE-2024-9287 (high), CVE-2023-27043 (medium)
CVE-2024-6923 (medium), CVE-2024-11168 (low), CVE-2025-0938 (unknown)
CVE-2025-1795 (unknown)
- python3.11-minimal
CVE-2024-7592 (high), CVE-2024-9287 (high), CVE-2023-27043 (medium)
CVE-2024-6923 (medium), CVE-2024-11168 (low), CVE-2025-0938 (unknown)
CVE-2025-1795 (unknown)
- stdlib
CVE-2024-24790 (critical), CVE-2025-22871 (critical), CVE-2023-29403 (high)
CVE-2023-39325 (high), CVE-2023-45283 (high), CVE-2023-45288 (high)
CVE-2024-24784 (high), CVE-2024-24791 (high), CVE-2024-34156 (high)
CVE-2024-34158 (high), CVE-2025-47907 (high), CVE-2025-58187 (high)
CVE-2025-58188 (high), CVE-2025-61723 (high), CVE-2025-61725 (high)
CVE-2023-29406 (medium), CVE-2023-29409 (medium), CVE-2023-39318 (medium)
CVE-2023-39319 (medium), CVE-2023-39326 (medium), CVE-2023-45284 (medium)
CVE-2023-45289 (medium), CVE-2023-45290 (medium), CVE-2024-24783 (medium)
CVE-2024-24785 (medium), CVE-2024-24789 (medium), CVE-2024-34155 (medium)
CVE-2024-45336 (medium), CVE-2024-45341 (medium), CVE-2025-0913 (medium)
CVE-2025-22866 (medium), CVE-2025-4673 (medium), CVE-2025-47906 (medium)
CVE-2025-47912 (medium), CVE-2025-58183 (medium), CVE-2025-58185 (medium)
CVE-2025-58186 (medium), CVE-2025-58189 (medium), CVE-2025-61724 (medium)