With Univention Corporate Server 4.0-0, the fourth major release of Univention Corporate Server (UCS) is now available. It provides several substantial feature improvements and extensions, new properties as well as various improvements and bugfixes. An overview of the most important changes:

The design and the usability of the graphical administration interface Univention Management Console were completely revamped. By using a responsive design, Univention Management Console provides improved compatibility for tablets and smartphones.
In addition to local virtualization servers, the UCS Virtual Machine Manger (UVMM) can now also manage OpenStack or Amazon EC2 environments. This allows the setup of hybrid cloud scenarios out-of-the-box with UCS.
UCS 4.0 is based on Debian GNU/Linux 7.7 (Wheezy). More than 16,000 source packages were updated. Selected core components, e.g. OpenLDAP (2.4.40), Samba (4.2rc2) or the Linux kernel (3.16) are more recent in UCS compared to Debian GNU/Linux 7.7.
The installation of UCS has been simplified significantly. The base installation is now done using the Debian installer and it is concluded with a web-based configuration of the system. The same, web-based system is also used for the manual configuration of cloud images or other appliances.
The performance of the OpenLDAP directory service has been significantly improved. By default the memory-mapped storage backend (MDB) is now used when installing UCS.
The management of applications in the UCS domain has been simplified through a centralised App Center. This allows the installation of applications in the entire domain from a single system.
UCS now also supports the installation on systems using UEFI SecureBoot.

§Chapter 2. Notes on the update

During the update some services in the domain may not be available, i.e. the update should occur in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software the update takes between 30 minutes and several hours.

§2.1. Recommended update order for environments with more than one UCS server

In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:

The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated on all the remaining LDAP servers of the UCS domain. As changes to the LDAP schemes can occur during release updates, the master domain controller must always be the first system to be updated during a release update.

§2.2. Mixed operation with older UCS installations

UCS 4.0 supports mixed operation with UCS 3.2-4 systems, i.e. not all systems must be updated in the same maintenance windows. Mixed operation with older UCS versions such as UCS 3.1 is not supported.

§2.3. Univention App Center

If applications have been installed from the Univention App Center, the update can only be performed once all installed applications are available in a compatible version. Some applications are updated to newer versions during the update. If an application is not yet available for UCS 4.0, the release date can be obtained from the application vendor.

If Univention Corporate Client 1.0 is in use and the update to Univention Corporate Client 2.0 should be performed at a later time, the update to the latest available Univention Corporate Client 1.0 version should be made before updating to UCS 4.0:

eval "$(ucr shell version/version version/patchlevel)"
univention-add-app ucc_20140115
univention-upgrade --updateto $version_version-$version_patchlevel

A detailed overview of the changes can be found in the UCC 1.0 rev3 release notes: http://updates.software-univention.de/doc/release-notes-ucc-1.0-rev3.pdf.

§2.4. Deprecation of Windows NT domain controller functionality

The use of Windows NT domain services - as traditionally provided by Samba 3 - is no longer recommended with UCS 4.0. Windows NT domain services can no longer be selected during the installation of UCS and in the Univention App Center. We recommend the migration to the Active Directory domain services provided by Samba 4. The migration is documented in the Univention Wiki: http://wiki.univention.de/index.php?title=Migration_from_Samba_3_to_Samba_4.

§2.5. UCS installation DVDs only available for 64 bit

Starting with UCS 4.0 UCS, installation DVDs are only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVDs. The 32 bit architecture will be supported over the entire UCS 4 maintenance.

§Chapter 3. Preparation of update

It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 6 GB of disk space. Depending on the scope of the existing installation, the update will require about another 4 GB of disk space for downloading and installing all packages.

For the update, a login should be performed on the system's local console as user root, and the update should be initiated there. Alternatively, the update can be conducted using Univention Management Console.

Remote updating via SSH is not recommended as this may result in the update procedure being cancelled, e.g., if the network connection is interrupted. In consequence, this can affect the system severely. If updating should occur over a network connection nevertheless, it must be verified that the update continues despite disconnection from the network. This can be done, e.g., using the tools screen and at. These tools are installed on all system roles by default.

§3.1. Removed/unsupported Components

Some components have been removed and are not shipped any longer with UCS 4.0:

The Xen hypervisor has been removed and is no longer supported in the UCS Virtual Machine Manager. The migration to KVM is described in [ext-doc-uvmm].
The Scalix LDAP schema has been removed in UCS 4.0. All Scalix specific attributes need to be removed from the LDAP directory before updating.
PostgreSQL 8.3 is no longer provided in UCS 4.0. The migration of the databases to PostgreSQL 8.4 is described in SDB 1249.
Cyrus 2.2 is no longer provided in UCS 4.0. The migration of the mail spool to Cyrus 2.4 is described in SDB 1213.

§Chapter 4. Postprocessing of the update

Following the update, new or updated join scripts need to be executed. This can be done in two ways: Either using the UMC module Domain join or by running the command univention-run-join-scripts as user root.

If the application UCS Virtual Machine Manager was used with KVM virtualization servers, the new virtualization profiles need to be adapted for UCS 4.0. If the bridge interface on the KVM servers wasn't configured as br0, the profile should be adapted as documented in [ucs-uvmm-profile].

Subsequently the UCS system needs to be restarted.

§Chapter 5. Further notes on selected packages

§5.1. Network-based installation of UCS

The profile-based UCS network installation is not yet available in UCS 4.0-0. It will be provided at a later date. Please refer to our issue tracker for further details: Bug 35537.

§5.2. Collection of usage statistics

Anonymous usage statistics on the use of Univention Management Console are collected when using the free for personal use version of UCS (which is generally used for evaluating UCS). The modules opened are logged in an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.

This logging is only performed when the free-for-personal-use license is used. The license status can be verified via the menu entry License -> License information of the user menu in the upper right corner of Univention Management Console. If Free for personal use edition is listed under LDAP base, this version is in use. When a regular UCS license is used, no usage statistics are collected.

Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.

§5.3. Scope of security support for WebKit, Konqueror and QtWebKit

WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered with security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.

§5.4. Recommended browsers for the access to Univention Management Console

Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:

Chrome as of version 33
Firefox as of version 24
Internet Explorer as of version 9
Safari and Safari Mobile as of version 7

Users with older browsers may experience display or performance problems.

§5.5. Automatic account lockout

On domain controllers using the MDB LDAP backend (e.g. systems installed with UCS 4.0) automatic account lockout can be activated in cases of repeated LDAP authentication failures. The activation is described in SDB 1291.

§Chapter 6. Changelog

Listed are the changes since UCS 3.2-4:

§6.1. General

The underlying Debian version has been updated to Debian GNU/Linux 7.7 (Wheezy) (Bug 33835, Bug 33836. Bug 35688, Bug 36241, Bug 36481, Bug 36525).
All Univention packages have been adapted to Dephelper 9 and to Python 2.7. UCR templates have been adapted to the new upstream packages (Bug 33836, Bug 35135, Bug 35138, Bug 35143, Bug 35144, Bug 35145, Bug 35146, Bug 35147, Bug 35264, Bug 35265, Bug 35266, Bug 35267, Bug 35320, Bug 35358, Bug 35431, Bug 35425, Bug 35664, Bug 35669, Bug 35828, Bug 35931, Bug 36051, Bug 36114, Bug 36178, Bug 33278, Bug 35890, Bug 36115, Bug 36177, Bug 36286, Bug 36526, Bug 36589, Bug 36637, Bug 36653, Bug 36654).
The codename for UCS 4.0 has been set to Walle (Bug 35312).
The maintained Java version in UCS 4.0 is OpenJDK 7. If OpenJDK 6 is installed, the upgrade process replaces it with OpenJDK 7. The migration can be skipped by setting the Univention Configuration Registry variable update40/skip/openjdk7 to true (Bug 35382).
The packages mingetty and parted have been copied to maintained (Bug 36231).
UEFI SecureBoot support has been added (Bug 28191, Bug 35918).

§6.2. Univention Installer

The UCS installation DVD has been revised. The installation is now performed by an adapted version of the Debian installer (Bug 30547, Bug 34994, Bug 35370, Bug 35371, Bug 35372, Bug 35373, Bug 35374, Bug 35375, Bug 35376, Bug 35377, Bug 35378, Bug 35384, Bug 35385, Bug 35386, Bug 35400, Bug 35417, Bug 35435, Bug 35491, Bug 35493, Bug 35494, Bug 35495, Bug 35496, Bug 35497, Bug 35498, Bug 35525, Bug 35635, Bug 35636, Bug 35659, Bug 35670, Bug 35696. Bug 35699, Bug 35932, Bug 35933, Bug 36085, Bug 36331).

§6.3. Basic system services

§6.3.1. Linux kernel and firmware packages

The Linux kernel has been updated to 3.16.5 (Bug 33844, Bug 36279).
The packages amd64-microcode and intel-microcode were added and are installed by default to provide micro-code updates for AMD and Intel CPUs (Bug 34437).
The packages virtualbox, open-vm-tools, iscsitarget, openafs, xtables-addons, ndiswrapper, blktap have been updated to newer versions from Debian to support the Linux kernel 3.16. The package openswan has been removed as it's incompatible with said kernel and is unmaintained (Bug #35875).
The kernel modules are signed to support boot on SecureBoot UEFI systems (Bug 36335).

§6.3.2. Boot Loader

The boot loader design has been adapted for UCS 4.0 (Bug 35934).
The design of the bootsplash has been adapted for UCS 4.0 (Bug 35935).
The kernel boot option vga is deprecated and has been replaced with grub's gfxpayload to control the video mode in which the Linux kernel starts up (Bug 28604).
If UCS 4.0 is installed as Xen HVM system, the grub gfxmode (Univention Configuration Registry variable grub/gfxmode) is now set to "text", otherwise the grub menu is invisible (Bug 30978).
If UCS 4.0 is installed on an UEFI system, the boot process includes a shim which is signed by Microsoft to support boot on SecureBoot UEFI systems (Bug 35914 Bug 35915).
Patches for the security issues CVE-2014-3675, CVE-2014-3676, and CVE-2014-3677 have been added to the shim (Bug 36167).
If UCS 4.0 is installed on an UEFI system, the boot process includes a signed GRUB bootloader to support boot on SecureBoot UEFI systems (Bug 35917).
The boot process includes a signed Linux kernel to support boot on SecureBoot UEFI systems (Bug 35916).

§6.4. Domain services

§6.4.1. OpenLDAP

OpenLDAP has been updated to version 2.4.40 (Bug 35697).
MDB is the new default backend database for OpenLDAP. The backend database can be configured via Univention Configuration Registry variable ldap/database/type. The backend is not changed during the update. More information about MDB can be found in the performance guide: [ucs-performance-guide] (Bug 34994, Bug 36725).
The default search rule for the LDAP attribute univentionInventoryNumber has been adjusted to make searches case insensitive (Bug 34262).
On domain controllers using the MDB LDAP backend (e.g. systems installed with UCS 4.0) automatic account lockout in cases of repeated LDAP authentication failures can be activated. All domaincontrollers need to be updated to UCS 4.0 before activating this. A default configuration for this is stored in OpenLDAP. The overlay and this default configuration can be activated on a per-DC basis by setting both Univention Configuration Registry variables ldap/ppolicy and ldap/ppolicy/enabled to yes and restarting the slapd daemon. The default policy is such that 5 repeated LDAP authentication failures within a monitoring interval of 5 minutes causes the authenticating account to be locked in UDM. A locked account can only be unlocked via UDM by a Domain Admin. The number of repeated LDAP authentication failures can be adjusted in the configuration object which has the objectClass pwdPolicy. The attribute pwdMaxFailure determines the number of LDAP authentication errors before lockout. The attribute pwdMaxFailure determines the time interval in seconds which is considered: LDAP authentication failures outside of that interval are neglected in the counting. Other attributes of this objectclass should not be adjusted (Bug 31907).
The python library univention.uldap removes the base object from the search result if the search scope one was used. Thus the behavior is identical between BDB and MDB (Bug 36169).
The Scalix schema has been removed. The update will be blocked until all Scalix related attributes have been removed from the LDAP server of the UCS domain (Bug 28693).
LDAP indices for the attributes shadowMax, shadowExpire and univentionUDMOptionModule have been added (Bug 36215, Bug 36671,).

§6.4.1.1. LDAP ACL changes

Domain controllers and member servers have now the permission to create LDAP objects for cloud connections (Bug 36323).

§6.4.2. DNS server

The DNS server bind has been updated to Version 9.8.4P1 (Bug 35668)
During the configuration of univention-bind the currently configured nameservers are set as DNS forwarders (Bug 36039).

§6.5. Univention Management Console

§6.5.1. Univention Management Console web interface

The web interface design has been completely revised also with respect to its rendering on mobile devices (responsive design). Along with this change many details of UMC have been adapted accordingly (Bug 35654, Bug 35499, Bug 36095).
The browser compatibility list has been updated to Chrome as of version 33, Firefox as of version 24, Internet Explorer as of version 9 and Safari and Safari Mobile as of version 7 (Bug 33970).

§6.5.2. Univention Management Console server

The change of an expired password via UMC has been corrected (Bug 35985).
The redirection when doing single sign on in Univention Management Console has been adapted to keep a secure https connection (Bug 36617).

§6.5.3. Univention App Center

The module now ships an initial archive of the ini files which is used in case no network connection is available when the App Center is queried for the first time (Bug 35683).
The Univention App Center now allows to install, uninstall, update applications domain wide. Each App Center module can manage any application (Bug 35781, Bug 36370).
Several text refinements (Bug 36433).

§6.5.4. Basic settings / Appliance mode

An option to configure the system as a member of an existing AD domain has been added (Bug 35653, Bug 36110, Bug 36049).
An option to configure the system as a basesystem without any domain integration has been added (Bug 35805).
During the UCS installation some fields which are already configured will be hidden in the system setup wizard (Bug 35685).
Certain setup scripts are weighted differently in the progress bar (Bug 35715).
The dpkg messages presented in the progress bar when installing software packages have been reduced (Bug 35716).
Various text changes have been made and typos have been corrected (Bug 35703, Bug 36666, Bug 36667).
An option to upgrade the system right after the configuration has been added (Bug 33839).
The SSH host key and the DH parameter files for postfix are re-created during the appliance setup (Bug 36033).
The package univention-system-setup-boot is automatically removed after a successful installation (Bug 35727).
The keyboard settings have been improved (Bug 35709).
System setup cleanup scripts are now called via an at job in order to avoid problems while UMC server components are restarted (Bug 36543).
When the Univention Configuration Registry variable windows/domain is derived from the domain name it is automatically truncated to up to 15 characters to conform to netbios restrictions (Bug 36459).
The German firefox package is installed if a desktop environment should be installed and German has been chosen as system language (Bug 36528).

§6.5.5. Users module

The user picture is now shown on the left side of the detail page (Bug 23665)

§6.5.6. Computers module

Due to the new UCS installer the property interactive installation is no longer required at the computer objects for UCS domaincontrollers and memberservers and has been removed (Bug 35537)

The UMC description for the samba share name has been changed to Windows name (Bug 36311).

§6.5.8. Policies

Help text as well as a documentation link have been added to the policies module (Bug 36435).

§6.5.9. Printers module

A hint is shown when using this module while no printer server (CUPS) is installed in the domain (Bug 36260).
The UMC description for the samba share name has been changed to Windows name (Bug 36311).
A documentation link has been added to the printers module (Bug 32026).

§6.5.10. Mail

The text fields got more precise names (Bug 36301).

§6.5.11. Filesystem quota module

The handling of activation, deactivation and detection of filesystem quota has been improved (Bug 36207).
The usability of the Filesystem quota module has been enhanced (Bug 36434).

§6.5.12. Other modules

The terminal server sessions have been removed from the statistic module (Bug 34029).
The reboot module has been removed from the UMC overview. The UMC menu now contains buttons for rebooting and shutting down the server. (Bug 36281).
Graphics containing the Windows logo have been replaced with alternate icons in the modules Active Directory Connection and Active Directory Takeover (Bug 35837).
Several text refinements (Bug 36435).
The users/self module is no longer used for password changes. The module has been renamed into "User settings" and is deactivated by default. Instead a new module "Change Password" has been added which uses the PAM stack to change user password. Every UMC user is able to use this new module (Bug 35847).
A module System diagnostic has been added to UMC which is able to analyse the system for known problems and helps to resolve them (Bug 34765), (Bug 35866), (Bug 35864).
The functionality to reboot or shutdown the server has been added to the UMC menu (Bug 36281).

§6.5.13. Univention Directory Manager command line interface and related tools

Two helper scripts have been added lock_expired_accounts and lock_expired_passwords (Bug 36215).

§6.5.14. Development of modules for Univention Management Console

UMC modules now may contain a help button which links to related article in the online documentation of UCS (Bug 32026, Bug 36435).

§6.6. Software deployment

Signature verification for package files is now already enabled during UCS installation (Bug 35708).
The updater scripts preup.sh and postup.sh have been adapted to the needs of UCS 4.0 ( Bug 36205, Bug 36218, Bug 36228, Bug 36229, Bug 36441, Bug 36455, Bug 36554, Bug 36558, Bug 36618, Bug 36619, Bug 36620, Bug 36769 ).
Before and after the update, the updater now runs apt-get autoremove to deinstall obsolete packages (e.g. packages that were automatically installed but are now no longer referenced by other packages). This can be disabled by setting the Univention Configuration Registry variable update40/skip/autoremove to true. (Bug 36265).
With UCS 4.0 the data structure of UCS installation DVDs has changed. The command univention-repository-create is still able to create a local repository from any type of UCS DVD (old or new data structure). But as of UCS 4.0 the PXE installation of UCS system prior to UCS 4 is no longer supported. Therefore univention-repository-create will not copy PXE installation data from UCS DVDs with old data structure (Bug 36269).

§6.7. Univention Library

The new version of the package python-ldap caused the univention.uldap implementation to retry failed connects too many times. This has been fixed (Bug 35841, Bug 35852).
The reconnect feature of univention.uldap resulted in invalid access errors in the S4 Connector after a samba restart. To avoid this, the S4 Connector turns off the reconnect feature for the access to the samba directory service (Bug 36227).
The package python-univention-lib now depends on the package python-imaging (Bug 36037).

§6.8. System services

§6.8.1. Mail services

The Univention Configuration Registry variables mail/postfix/smtpd/tls/eecdh/grade and mail/postfix/tls/preempt/cipherlist have been added to allow better configuration of postfix's perfect forward secrecy (Bug 35923).
If the package univention-spamassassin is installed, the email spam check is enabled during the update. The spam check can be disabled by setting the Univention Configuration Registry variable mail/antivir/spam to false after the update (Bug 36524).
A new Univention Configuration Registry script has been added to update /etc/aliases.db if mail/alias/* variables are set (Bug 31837).
The spamassassin rules are now updated during the installation of the package univention-spamassassin (Bug 36607).

§6.8.2. Spam/virus detection and countermeasures

The freshclam postinst does not abort if the freshclam daemon start failed (Bug 36230).

§6.8.3. Printing services

The printer models in the join script of univention-printserver have been updated (Bug 35147).
Reloading of Samba for configuration changes has been improved in the cups-printers listener (Bug 36578).

§6.8.4. Proxy services

The configuration file of Squid has been adapted for UCS 4.0 and UCS@school. E.g. the path to the squidguard configuration file has been changed to its new location /etc/squidguard/squidGuard.conf. (Bug 36780).

§6.9. Virtualization

§6.9.1. Univention Virtual Machine Manager (UVMM)

Univention Virtual Machine Manager now supports connections to Cloud Computing Environments e.g. to OpenStack (Bug 32842). The following additional changes and bug fixes were made during UCS 4 UCS Virtual Machine Manager development: ( Bug 36139, Bug 36145, Bug 35824, Bug 35946, Bug 35982, Bug 36053, Bug 36133, Bug 36136, Bug 36138, Bug 36140, Bug 36093, Bug 36142, Bug 36143, Bug 36147, Bug 36148, Bug 36151, Bug 36152, Bug 36155, Bug 36305, Bug 36306, Bug 36135, Bug 36146)
Several packages related to virtualization have been updated to newer versions: libiscsi (1.12.0.2), libusb-1.0 (1.0.19), usbredir (0.6.2), spice-protocol (0.12.6), spice (0.12.4), libvirt (1.2.7), libvirt-python (1.2.6) (Bug 35768, Bug 36388).
The VirtIO drivers for Windows have been updated to version 0.1.81 (Bug 36122).
Support for Xen has been removed from UCS Virtual Machine Manager (Bug 35656).
The notification message about the changeability of instance settings has been removed (Bug 36307).
The default UCS Virtual Machine Manager loglevel has been increased to INFO (Bug 36136).
The CPU field is no longer flagged as invalid when creating a virtual machine (Bug 34515).

§6.9.2. Operate UCS as virtual machine

The new package univention-cloud-init provides support when setting up UCS as a virtual machine guest in an environment which offers cloud-init compatible services (Bug 36092).

§6.10. Services for Windows

§6.10.1. Samba

Samba has been updated to version 4.2rc2 (Bug 35319, Bug 35766, Bug 36090, Bug 36101).
net idmap secret has been renamed to net idmap set secret (Bug 35765).
Installation of univention-samba now doesn't any longer automatically run the joinscript. This is because the join process requires administrative credentials (Bug 36284).
When installing the App Active Directory-compatible Domain Controller on a DC Slave the joinscript aborts now if an S4 Connector has already been installed on the DC Master or on a DC Backup. Additionally the S4 Connector package is installed in this case for purely technical reasons but it is not activated (Bug 35983).
The environment variable SMB_CONF_PATH is set during the univention-samba join to ensure the right configuration is used (Bug 36734).
The environment variable SMB_CONF_PATH is set during the univention-samba4 join to ensure the right configuration is used (Bug 36806).
When windows/wins-support was not set samba complained about an empty value in smb.conf This has been fixed (Bug 33261).
Samba3 to Samba4 in-place migration failed with Samba 4.2 because the new smb.conf validation code complained about empty values in smb.conf (Bug 36814).

§6.10.2. Univention AD Takeover

An LDAP search timeout of the AD-Takeover has been fixed which could occur in cases where the transfer of the AD objects takes a long time (Bug 36639).

§6.10.3. Univention S4 Connector

A traceback in the cleanup code of the s4-connector listener has been fixed (Bug 32813)

§6.10.4. Univention Active Directory Connector

The underlying library for AD-Member mode has been updated, fixing a locale issue (Bug 36280, Bug 36278).

§6.11. Other changes

The package univention-showload is no longer needed and maintained by Univention. The package can be manually removed (Bug 35138).
The packages for the deprecated system roles mobile client and managed client have been removed (Bug 31751).
The web browser firefox is now shipped as 64 bit binary on the amd64 platform. Previously it was always shipped as 32 bit application (Bug 35266).
The web browser firefox was updated to version 31.2 ESR. (Bug 35702, Bug 36374).
The legacy Debian package firefox has been replaced by the packages firefox-en and firefox-de since quite some time. During update to UCS 4.0 it will automatically get replaced by firefox-en. If desired the German version can be installed instead either before or after the update (Bug 36453).
An old, unused scalix directory has been removed from the PATH environment variable in the default profile (Bug 32628).
The deprecated package php5-suhosin will be purged during the update (Bug 35203).
Support for LanMan hashes has been removed in the Univention Directory Manager Users module (Bug 32584).
During the update the package console-tools is replaced with kbd (Bug 36224).
During the join of DC backup and slave systems all dns/forwarder* Univention Configuration Registry settings from the DC master will be copied to the joining system (Bug 36245).
The syntax check for jpeg images has been fixed in Univention Directory Manager (Bug 36304).
The keyboard layout is now configured with the Univention Configuration Registry variable xorg/keyboard/options/XkbModel, xorg/keyboard/options/XkbLayout and xorg/keyboard/options/XkbVariant. The old Univention Configuration Registry variable locale/keymap has been removed (Bug 35709).
The package ocfs2-tools has been updated to 1.6.4-3 (Bug 36377).
The KDE design has been adapted for UCS 4.0 (Bug 35936).
The xrdp App has been updated to version 0.8.0 with better rdp and linux terminal server support (Bug 35885).
Several packages are no longer in the maintained packages repository. If these packages are installed before the update, they will be removed during the update (i.a. gimp, k3b, kdepim, mplayer, krdc, krfb, kontact and nautilus, Bug 36050)
kdm is not used as the display manager for graphical login. The PAM configuration was updated to reflect this change (Bug 35266, Bug 36743)

§Bibliography

[ext-doc-uvmm] Univention GmbH. 2014. Extended virtualization documentation. https://docs.software-univention.de/uvmm-4.0.html.

[ucs-uvmm-profile] Univention GmbH. 2014. UCS manual - Virtualization - Profiles. https://docs.software-univention.de/manual-4.0.html#uvmm::profile::network.

[ucs-performance-guide] Univention GmbH. 2014. UCS performance guide. https://docs.software-univention.de/performance-guide-4.0.html.

UCS 4.0-0 Release Notes