.. SPDX-FileCopyrightText: 2026 Univention GmbH
..
.. SPDX-License-Identifier: AGPL-3.0-only

.. _v1.20.x:

**************
Version 1.20.x
**************

This page shows the changelog for Nubus for Kubernetes 1.20.x:

* :ref:`v1.20.0`

.. _v1.20.0:

Version 1.20.0 - 2026-05-22
===========================

This is the thirtieth production release of Nubus for Kubernetes.

.. admonition:: Upgrade path

   For the upgrade to version 1.20.0,
   your deployment must run on version 1.19.x.
   For the general steps to upgrade an existing Nubus for Kubernetes deployment,
   see :external+uv-nubus-kubernetes-operation:ref:`nubus-upgrade`
   in :cite:t:`uv-nubus-kubernetes-operation`.

.. _v1.20.0-highlights:

Release highlights
------------------

Nubus metrics
   A new metrics endpoint has been introduced to the UDM REST API.
   It allows operators to retrieve basic metrics about Nubus,
   including the number of users, the software version, and the license status,
   and to include them in standard tooling like Prometheus and Grafana
   to simplify observability.

Technical details of UDM objects in UMC
   The technical details of objects managed in the Univention Directory Manager are now visible in a new section of the Web UI.
   Administrators can now read or search for technical identifiers or get the creation and modification timestamps for all objects.

LDAP Server storage configuration
   The LDAP server deployments can now be configured to use different storage configurations for the LDAP database and runtime volumes,
   allowing operators to significantly reduce storage costs by moving the runtime data to smaller and cheaper storage.

Structured logging
   This will be the last release with "old style" plain logging as the default.
   The next Nubus for Kubernetes release, 1.21, will change the default to structured logging.
   If you need to prevent this change in your deployment,
   we recommend explicitly setting all structured-logging configuration options to ``false``
   as documented in :external+uv-nubus-kubernetes-operation:ref:`conf-logging-structured` in :cite:t:`uv-nubus-kubernetes-operation`.
   Please be aware that we will mark the old plain logging as deprecated and will remove it at some point in the future.

.. _v1.20.0-migration-steps:

Migration steps
---------------

This section lists necessary migration steps
that may apply to you.
You need to run them **before** the upgrade.

#. Refactor the *LDAP server* persistence values to support granular PVC configuration.
   Operators who customize any of the following Helm Chart values
   need to migrate their values to the new structure.

   *LDAP Server*
      * Move ``nubusLdapServer.persistence.accessModes`` to
        :envvar:`nubusLdapServer.persistence.volumes.sharedData.accessModes`.

      * Move ``nubusLdapServer.persistence.size`` to
        :envvar:`nubusLdapServer.persistence.volumes.sharedData.size`.

      * Move ``nubusLdapServer.persistence.storageClass`` to
        :envvar:`nubusLdapServer.persistence.volumes.sharedData.storageClass`.

      * Remove ``nubusLdapServer.persistence.annotations``,
        ``nubusLdapServer.persistence.dataSource``,
        ``nubusLdapServer.persistence.existingClaim``,
        ``nubusLdapServer.persistence.labels``, and
        ``nubusLdapServer.persistence.selector``.
        These values are no longer supported.

.. _v1.20.0-changes:

Changes
-------

This section lists the changes in 1.20.0 grouped by component in Nubus for Kubernetes.

.. _v1.20.0-changes-ldap-server:

LDAP Server
~~~~~~~~~~~

The *LDAP Server* Helm Chart now allows you to configure storage independently
for the LDAP database and for the ``slapd`` runtime state.
Previously, both shared the same PVC settings,
which forced operators to pay for high-performance storage even for transient runtime files.

You can now independently assign different storage classes to the two volumes:

:``shared-data``: Holds the LDAP database
   and requires a storage class that provides the performance,
   data consistency, and reliability guarantees expected of a database backend.
   Configure it through :envvar:`nubusLdapServer.persistence.volumes.sharedData`.
:``shared-run``: Holds transient ``slapd`` runtime state, such as the socket and PID file,
   which the *LDAP Notifier* requires.
   This volume can be small and doesn't need a high-performance storage class,
   so operators can point it at a cheaper storage class to reduce cost.
   Configure it through :envvar:`nubusLdapServer.persistence.volumes.sharedRun`.

The :envvar:`nubusLdapServer.persistence.enabled` flag now controls only the ``shared-data`` volume.
The ``shared-run`` volume is always provisioned as a PVC,
regardless of this setting,
because the ``slapd`` socket must be shared with the *LDAP Notifier*.

For the required value migration,
see :ref:`v1.20.0-migration-steps`.
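
The following added example, which is not part of the Nubus Helm Chart or Univention tooling, applies the value migration from :ref:`v1.20.0-migration-steps` to an already parsed values mapping and flags the changed meaning of the ``enabled`` flag described above. The function name, the note texts, and the sample values are assumptions made for illustration.

```python
import copy
import json

# Keys the 1.20.0 migration steps move under persistence.volumes.sharedData.
MOVED = ("accessModes", "size", "storageClass")
# Keys the migration steps list as no longer supported.
REMOVED = ("annotations", "dataSource", "existingClaim", "labels", "selector")

# Constructed sample of pre-1.20.0 values, as parsed from a values file.
SAMPLE = {"nubusLdapServer": {"persistence": {
    "enabled": False, "size": "10Gi",
    "storageClass": "fast-ssd", "existingClaim": "ldap-data"}}}


def migrate_ldap_persistence(values):
    """Return (migrated copy, notes) for a parsed Helm values mapping."""
    new = copy.deepcopy(values)
    notes = []
    persistence = (new.get("nubusLdapServer") or {}).get("persistence")
    if not isinstance(persistence, dict):
        return new, notes  # persistence not customized, nothing to do
    volumes = dict(persistence.get("volumes") or {})
    shared_data = dict(volumes.get("sharedData") or {})
    for key in MOVED:
        if key not in persistence:
            continue
        old = persistence.pop(key)
        if key in shared_data and shared_data[key] != old:
            # New-style value already set: keep it and report the clash.
            notes.append(f"conflict on {key}: kept sharedData value, dropped {old!r}")
        else:
            shared_data[key] = old
            notes.append(f"moved {key} to volumes.sharedData.{key}")
    for key in REMOVED:
        if key in persistence:
            del persistence[key]
            notes.append(f"removed unsupported key {key}")
    if shared_data:
        volumes["sharedData"] = shared_data
        persistence["volumes"] = volumes
    if persistence.get("enabled") is False:
        notes.append("enabled=false covers shared-data only; shared-run is still a PVC")
    return new, notes


if __name__ == "__main__":
    migrated, report = migrate_ldap_persistence(SAMPLE)
    print(json.dumps(migrated, indent=2))
    print("\n".join(report))
```

Review every ``conflict`` and ``removed`` note by hand before the upgrade, because a dropped ``existingClaim`` or ``selector`` changes which volume the chart binds to.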

.. _v1.20.0-changes-umc-server:

UMC Server
~~~~~~~~~~

A file descriptor leak that occurred during PAM authentication through SSS has been fixed.

In affected versions, each authentication attempt
could leave an open UNIX domain socket to the SSSD PAM service.
Over time,
this caused the number of open file descriptors in the UMC server process to grow linearly
with the total number of logins, not concurrent sessions.

After the process reached the system limit,
further authentication attempts failed with the message:
``OSError: [Errno 24] Too many open files``

The use of PAM handles across multiple threads caused the issue,
because it prevented proper cleanup of SSSD client sockets.

Operators don't need to take action.
Affected systems may have required periodic service restarts
to recover prior to this fix.
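
To confirm that a deployment no longer shows this growth pattern, the following added example, which is not Univention code, counts the open descriptors and sockets of a process through ``/proc`` and compares a series of samples. It assumes a Linux ``/proc`` file system and that you know the PID of the UMC server process; the ``min_growth`` threshold and the sample series are constructed for illustration.

```python
import os

# Constructed samples: socket counts taken after successive login batches.
LEAKING = [12, 40, 75, 118]
HEALTHY = [12, 30, 14, 16]


def fd_usage(pid, proc_root="/proc"):
    """Return open-descriptor and socket counts plus the soft limit of a process."""
    fd_dir = os.path.join(proc_root, str(pid), "fd")
    total = sockets = 0
    for name in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # descriptor was closed while the directory was listed
        total += 1
        sockets += target.startswith("socket:")
    soft_limit = None  # stays None when unlimited or when limits is unreadable
    try:
        with open(os.path.join(proc_root, str(pid), "limits")) as fh:
            for line in fh:
                if line.startswith("Max open files"):
                    soft = line.split()[3]
                    soft_limit = None if soft == "unlimited" else int(soft)
    except OSError:
        pass
    return {"open": total, "sockets": sockets, "soft_limit": soft_limit}


def looks_like_leak(socket_counts, min_growth=50):
    """True when the count never falls between samples and grows overall.

    A healthy process releases sockets once sessions end, so its count drops
    again; the leak described above tracks total logins and only rises.
    """
    steps = zip(socket_counts, socket_counts[1:])
    never_falls = all(later >= earlier for earlier, later in steps)
    grew = len(socket_counts) >= 2 and socket_counts[-1] - socket_counts[0] >= min_growth
    return never_falls and grew


if __name__ == "__main__":
    print(fd_usage(os.getpid()))
    print(looks_like_leak(LEAKING), looks_like_leak(HEALTHY))
```

Comparing ``open`` against ``soft_limit`` shows how much headroom remains before ``Errno 24`` would occur.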

Included errata updates
-----------------------

The errata updates contain fixes for the following CVEs:

:program:`Genshi`
  * :uv:cve:`2026-0685` (unknown)

:program:`apache2-bin`
  * :uv:cve:`2026-28780` (critical), :uv:cve:`2026-23918` (high), :uv:cve:`2026-24072` (high)
  * :uv:cve:`2026-29168` (high), :uv:cve:`2026-29169` (high), :uv:cve:`2026-34059` (high)
  * :uv:cve:`2003-1307` (medium), :uv:cve:`2003-1580` (medium), :uv:cve:`2007-1743` (medium)
  * :uv:cve:`2007-3303` (medium), :uv:cve:`2026-33006` (medium), :uv:cve:`2026-33007` (medium)
  * :uv:cve:`2026-33523` (medium), :uv:cve:`2026-33857` (medium), :uv:cve:`2026-34032` (medium)
  * :uv:cve:`2001-1534` (low), :uv:cve:`2003-1581` (low), :uv:cve:`2008-0456` (low)

:program:`axios`
  * :uv:cve:`2025-62718` (critical), :uv:cve:`2026-42043` (critical), :uv:cve:`2026-42044` (critical)
  * :uv:cve:`2026-42264` (critical), :uv:cve:`2026-42033` (high), :uv:cve:`2026-42035` (high)
  * :uv:cve:`2026-42038` (high), :uv:cve:`2026-42039` (high), :uv:cve:`2026-39865` (medium)
  * :uv:cve:`2026-40175` (medium), :uv:cve:`2026-42034` (medium), :uv:cve:`2026-42036` (medium)
  * :uv:cve:`2026-42037` (medium), :uv:cve:`2026-42041` (medium), :uv:cve:`2026-42042` (medium)
  * :uv:cve:`2026-42040` (low)

:program:`bcpkix-jdk18on`
  * :uv:cve:`2026-5588` (unknown)

:program:`bcprov-jdk18on`
  * :uv:cve:`2026-0636` (unknown)
  * :uv:cve:`2026-5588` (unknown)
  * :uv:cve:`2026-5598` (unknown)

:program:`brace-expansion`
  * :uv:cve:`2026-25547` (unknown)

:program:`dompurify`
  * :uv:cve:`2025-15599` (medium)

:program:`follow-redirects`
  * :uv:cve:`2026-40895` (high)

:program:`future`
  * :uv:cve:`2025-50817` (medium)

:program:`gson`
  * :uv:cve:`2025-53864` (medium)

:program:`iputils-ping`
  * :uv:cve:`2025-47268` (medium)

:program:`js-yaml`
  * :uv:cve:`2025-64718` (medium)

:program:`jwcrypto`
  * :uv:cve:`2026-39373` (medium)

:program:`keycloak-js`
  * :uv:cve:`2023-6484` (medium)

:program:`keycloak-model-storage-services`
  * :uv:cve:`2025-9162` (medium)

:program:`keycloak-quarkus-server`
  * :uv:cve:`2024-11735` (unknown)

:program:`keycloak-services`
  * :uv:cve:`2026-4366` (medium), :uv:cve:`2026-7500` (medium), :uv:cve:`2026-1190` (low)
  * :uv:cve:`2026-1518` (low), :uv:cve:`2026-2733` (low)

:program:`kotlin-stdlib`
  * :uv:cve:`2022-24329` (medium)

:program:`libasound2`
  * :uv:cve:`2026-25068` (unknown)

:program:`libasound2-data`
  * :uv:cve:`2026-25068` (unknown)

:program:`libavahi-client3`
  * :uv:cve:`2024-52615` (medium), :uv:cve:`2024-52616` (medium), :uv:cve:`2025-59529` (medium)
  * :uv:cve:`2025-68276` (medium), :uv:cve:`2025-68468` (medium), :uv:cve:`2025-68471` (medium)
  * :uv:cve:`2026-24401` (medium), :uv:cve:`2026-34933` (medium)

:program:`libavahi-common-data`
  * :uv:cve:`2024-52615` (medium), :uv:cve:`2024-52616` (medium), :uv:cve:`2025-59529` (medium)
  * :uv:cve:`2025-68276` (medium), :uv:cve:`2025-68468` (medium), :uv:cve:`2025-68471` (medium)
  * :uv:cve:`2026-24401` (medium), :uv:cve:`2026-34933` (medium)

:program:`libavahi-common3`
  * :uv:cve:`2024-52615` (medium), :uv:cve:`2024-52616` (medium), :uv:cve:`2025-59529` (medium)
  * :uv:cve:`2025-68276` (medium), :uv:cve:`2025-68468` (medium), :uv:cve:`2025-68471` (medium)
  * :uv:cve:`2026-24401` (medium), :uv:cve:`2026-34933` (medium)

:program:`libc-ares2`
  * :uv:cve:`2023-31147` (medium)
  * :uv:cve:`2024-25629` (medium)
  * :uv:cve:`2023-31124` (low)

:program:`libc-bin`
  * :uv:cve:`2026-5358` (unknown)

:program:`libc-dev-bin`
  * :uv:cve:`2026-5358` (unknown)

:program:`libc-l10n`
  * :uv:cve:`2026-5358` (unknown)

:program:`libc6`
  * :uv:cve:`2026-5358` (unknown)

:program:`libc6-dev`
  * :uv:cve:`2026-5358` (unknown)

:program:`libcups2`
  * :uv:cve:`2026-34980` (high), :uv:cve:`2026-34990` (high), :uv:cve:`2025-58436` (medium)
  * :uv:cve:`2025-61915` (medium), :uv:cve:`2026-27447` (medium), :uv:cve:`2026-34978` (medium)
  * :uv:cve:`2026-34979` (medium), :uv:cve:`2026-39314` (medium), :uv:cve:`2026-39316` (medium)
  * :uv:cve:`2026-41079` (medium)

:program:`libfreetype6`
  * :uv:cve:`2026-23865` (medium)

:program:`libgnutls30`
  * :uv:cve:`2025-14831` (medium)
  * :uv:cve:`2025-9820` (medium)

:program:`liblcms2-2`
  * :uv:cve:`2026-41254` (high)
  * :uv:cve:`2026-42798` (medium)

:program:`libnfsidmap1`
  * :uv:cve:`2025-12801` (medium)

:program:`libnss-sss`
  * :uv:cve:`2026-6245` (medium)

:program:`libnss-sudo`
  * :uv:cve:`2005-1119` (low)

:program:`libnss3`
  * :uv:cve:`2026-6766` (high), :uv:cve:`2026-6772` (high), :uv:cve:`2023-5388` (medium)
  * :uv:cve:`2023-6135` (medium), :uv:cve:`2024-7531` (medium), :uv:cve:`2026-6767` (medium)

:program:`libpam-sss`
  * :uv:cve:`2026-6245` (medium)

:program:`libpng16-16`
  * :uv:cve:`2026-33416` (high)
  * :uv:cve:`2026-33636` (high)
  * :uv:cve:`2026-34757` (medium)

:program:`libssl3`
  * :uv:cve:`2026-28387` (high), :uv:cve:`2026-28389` (high), :uv:cve:`2026-28390` (high)
  * :uv:cve:`2026-31790` (high)

:program:`libsss-certmap0`
  * :uv:cve:`2026-6245` (medium)

:program:`libsss-idmap0`
  * :uv:cve:`2026-6245` (medium)

:program:`libsss-nss-idmap0`
  * :uv:cve:`2026-6245` (medium)

:program:`libsss-sudo`
  * :uv:cve:`2026-6245` (medium)

:program:`libtiff6`
  * :uv:cve:`2026-4775` (high)

:program:`locales`
  * :uv:cve:`2026-5358` (unknown)

:program:`lodash`
  * :uv:cve:`2025-13465` (medium)
  * :uv:cve:`2026-2950` (medium)

:program:`lodash-es`
  * :uv:cve:`2025-13465` (medium)
  * :uv:cve:`2026-2950` (medium)

:program:`loguru`
  * :uv:cve:`2022-0338` (medium)

:program:`netty-codec`
  * :uv:cve:`2026-42583` (high)

:program:`netty-codec-dns`
  * :uv:cve:`2026-42579` (critical)

:program:`netty-codec-http`
  * :uv:cve:`2026-42581` (critical), :uv:cve:`2026-42584` (critical), :uv:cve:`2026-33870` (high)
  * :uv:cve:`2026-42585` (high), :uv:cve:`2026-42587` (high), :uv:cve:`2026-41417` (medium)
  * :uv:cve:`2026-42580` (medium)

:program:`netty-codec-http2`
  * :uv:cve:`2026-33871` (high)
  * :uv:cve:`2026-42587` (high)

:program:`netty-handler-proxy`
  * :uv:cve:`2026-42578` (high)

:program:`netty-transport-native-epoll`
  * :uv:cve:`2026-42577` (high)

:program:`nginx`
  * :uv:cve:`2026-28755` (medium)

:program:`nginx-common`
  * :uv:cve:`2026-28755` (medium)

:program:`openjdk-17-jre-headless`
  * :uv:cve:`2026-22016` (high), :uv:cve:`2026-34282` (high), :uv:cve:`2026-22013` (medium)
  * :uv:cve:`2026-22021` (medium), :uv:cve:`2026-22007` (low), :uv:cve:`2026-22018` (low)
  * :uv:cve:`2026-34268` (low)

:program:`openssh-client`
  * :uv:cve:`2025-61984` (low)
  * :uv:cve:`2025-61985` (low)
  * :uv:cve:`2026-3497` (unknown)

:program:`openssl`
  * :uv:cve:`2026-28387` (high), :uv:cve:`2026-28389` (high), :uv:cve:`2026-28390` (high)
  * :uv:cve:`2026-31790` (high)

:program:`opentelemetry-api`
  * :uv:cve:`2026-45292` (medium)

:program:`poetry`
  * :uv:cve:`2026-34591` (medium)
  * :uv:cve:`2026-41140` (unknown)

:program:`postgresql`
  * :uv:cve:`2026-42198` (high)

:program:`prismjs`
  * :uv:cve:`2024-53382` (medium)

:program:`python-ldap`
  * :uv:cve:`2025-61911` (medium)
  * :uv:cve:`2025-61912` (medium)

:program:`python3-ldap`
  * :uv:cve:`2025-61911` (medium)
  * :uv:cve:`2025-61912` (medium)

:program:`python3-sss`
  * :uv:cve:`2026-6245` (medium)

:program:`python3-tornado`
  * :uv:cve:`2025-67724` (medium)

:program:`quarkus-vertx-http`
  * :uv:cve:`2026-39852` (high)

:program:`sssd-common`
  * :uv:cve:`2026-6245` (medium)

:program:`sssd-krb5-common`
  * :uv:cve:`2026-6245` (medium)

:program:`sssd-ldap`
  * :uv:cve:`2026-6245` (medium)

:program:`tornado`
  * :uv:cve:`2025-67724` (medium)

:program:`vertx-core`
  * :uv:cve:`2026-6860` (medium)
