With Univention Corporate Server 4.1-1, the first point release of Univention Corporate Server (UCS) 4.1 is now available. It provides various improvements and bugfixes. An overview of the most important changes:

The Linux kernel has been updated to 4.1.16. This includes several security updates as well as new and updated drivers for better hardware support.
The compatibility to Active Directory has been improved with the Samba update to 4.3.3. This includes, among others, improvements in the DRS replication and several security updates.
Univention Virtual Machine Manager is now able to manage Virtual Private Clouds (VPC) in Amazon AWS. This provides the possibility to administrate virtual machines in the EC2 region eu-central-1 (Frankfurt am Main).
The performance of the directory service replication has been increased significantly. Thus, the join into a domain with thousands of users is much faster.
Several enhancements in design and usability of the Univention App Center have been implemented. For example, it is now possible to navigate easily between the different Apps. Additionally, the App Center startup performance has been increased significantly.

§Chapter 2. Notes about the update

During the update some services in the domain may not be available temporarily, that is why the update should occur in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software the update will take between 20 minutes and several hours.

§2.1. Recommended update order for environments with more than one UCS server

In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:

The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the master domain controller must always be the first system to be updated during a release update.

§2.2. UCS installation DVD only available for 64 bit

Starting with UCS 4.0, installation DVD are only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVD. The 32 bit architecture will be supported over the entire UCS 4 maintenance period.

§Chapter 3. Preparation of update

It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 6 GB of disk space. Depending on the scope of the existing installation, the update will require about another 2 GB of disk space for download and installation all packages.

For the update, a login should be performed on the system's local console as user root, and the update should be initiated there. Alternatively, the update can be conducted using Univention Management Console.

Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted. In consequence, this can affect the system severely. If updating should occur over a network connection nevertheless, it must be verified that the update continues in case of disconnection from the network. This can be achieved, e.g., using the tools screen and at. These tools are installed on all UCS system roles by default.

§Chapter 4. Postprocessing of the update

Following the update, new or updated join scripts need to be executed. This can be done in two ways: Either using the UMC module Domain join or by running the command univention-run-join-scripts as user root.

Subsequently the UCS system needs to be restarted.

§Chapter 5. Further notes on selected packages

§5.1. Collection of usage statistics

Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition (which is generally used for evaluating UCS). The modules opened are logged in an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.

This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry License -> License information of the user menu in the upper right corner of Univention Management Console. If UCS Core Edition is listed under License type, this version is in use. When a regular UCS license is used, no usage statistics are collected.

Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.

§5.2. Scope of security support for WebKit, Konqueror and QtWebKit

WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered by security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.

§5.3. Recommended browsers for the access to Univention Management Console

Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:

Chrome as of version 37
Firefox as of version 38
Internet Explorer as of version 11
Safari and Safari Mobile as of version 9

Users with older browsers may experience display or performance issues.

§Chapter 6. Changelog

Listed are the changes since UCS 4.1-0:

§6.1. General

All security updates issued for UCS 4.1-0 are included:
- eglibc (CVE-2015-1472 CVE-2015-1473 CVE-2012-3406 CVE-2014-4043 CVE-2014-9402 CVE-2013-7424) (Bug 37643).
- mysql-5.5 (CVE-2015-4792 CVE-2015-4802 CVE-2015-4815 CVE-2015-4816 CVE-2015-4819 CVE-2015-4826 CVE-2015-4830 CVE-2015-4836 CVE-2015-4858 CVE-2015-4861 CVE-2015-4870 CVE-2015-4879 CVE-2015-4913) (Bug 40183).
- openjdk-7 (CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4868 CVE-2015-4871 CVE-2015-4872 CVE-2015-4881 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4903 CVE-2015-4911) (Bug 40043).
- ldb (CVE-2015-3223 CVE-2015-5330) (Bug 40221).
- Firefox (CVE-2015-7181 CVE-2015-7182 CVE-2015-7183 CVE-2015-7197 CVE-2015-7198 CVE-2015-7199 CVE-2015-7200 CVE-2015-7196 CVE-2015-7194 CVE-2015-7193 CVE-2015-7189 CVE-2015-7188 CVE-2015-4513 CVE-2015-7214 CVE-2015-7222 CVE-2015-7213 CVE-2015-7205 CVE-2015-7212 CVE-2015-7210 CVE-2015-7201 CVE-2015-7575 CVE-2016-1935 CVE-2016-1930) (Bug 40025, (Bug 40272).
- gnutls26 (CVE-2015-7575 CVE-2015-8313) (Bug 40412).
- openssh (CVE-2016-0777 CVE-2016-0778) (Bug 40438).
- ntp (CVE-2014-9750 CVE-2014-9751 CVE-2015-3405 CVE-2015-5146 CVE-2015-5194 CVE-2015-5195 CVE-2015-5219 CVE-2015-5300 CVE-2015-7691 CVE-2015-7692 CVE-2015-7701 CVE-2015-7702 CVE-2015-7703 CVE-2015-7704 CVE-2015-7705 CVE-2015-7850 CVE-2015-7851 CVE-2015-7852 CVE-2015-7855 CVE-2015-7871) (Bug 40024).
- rpcbind (CVE-2015-7236) (Bug 40023).
- libxml2 (CVE-2015-1819 CVE-2015-7941 CVE-2015-7942 CVE-2015-8035 CVE-2015-5312 CVE-2015-7497 CVE-2015-7498 CVE-2015-7499 CVE-2015-7500 CVE-2015-8241 CVE-2015-8317) (Bug 40368).
- samba (CVE-2015-2535 CVE-2015-3223 CVE-2015-5252 CVE-2015-5296 CVE-2015-5299 CVE-2015-5330) (Bug 40221).
- grub2 (CVE-2015-8370) (Bug 40280).
The package univention-sudo has been added. It provides default rules for sudo. If installed and the Univention Configuration Registry variable auth/sudo is turned on, users in the group Domain Admins are allowed to run arbitrary commands with root privileges (Bug 37995).

§6.2. Univention Installer

hw-detect has been updated to add support for missing firmware for newer Linux kernels (Bug 40630).
The UUID generation has been moved to the setup process (Bug 40640).
A pop up which asks for a page reload is no longer shown at the end of an installation (Bug 39974, Bug 39156).
Small text and translation adjustments have been done (Bug 40140, Bug 40053).
The join scripts are now executed in a working chroot environment to allow the installation of a DC Master using the profile based installation (Bug 40559).
The repository path and versions in the template file for profile based installations were updated for UCS-4.1 (Bug 39937).
The name of the menu entry for booting from the local hard disk was changed to local to prevent a name collision (Bug 38821).
The package description has been extended to simplify finding the package when searching for Preboot Execution Environment (PXE) (Bug 33361).
The daemon used to wait for successful installations has been changed to listen on all network interfaces by default (Bug 34061).
The installer automatically selected the first interface for the installation. If multiple network interfaces are used, an interface selection dialog is now shown (Bug 38032).

§6.3. Basic system services

§6.3.1. Linux kernel and firmware packages

The Linux kernel has been updated to 4.1.16. It provides many bugfixes and fixes several vulnerabilities (Bug 40481, Bug 40059, Bug 40558).

§6.3.2. Boot Loader

Two new Univention Configuration Registry variables grub/default and grub/savedefault have been added. These variables allow the selection of the next kernel to boot (Bug 26763).
The UEFI boot hangs on some hardware in the boot loader. This issue has been fixed (Bug #39009).

§6.4. Domain services

§6.4.1. OpenLDAP

When a domain controller (DC) master or DC backup is created, two policies are now created or modified: a LDAP server policy to be used by member servers and a UCR policy be used by DC slaves. The policies configure them to use the LDAP servers of all available DC backups, in case the DC master is down. The LDAP server policy is activated on members, the UCR policy for slaves is not activated by default (Bug 38091).
The attribute printerModel has been added to LDAP sub-string search index (Bug 39884).
The script /usr/share/univention-ldap/ldap_setup_index has been extracted. It can be used to manage the attributes, which are indexed by the LDAP server (Bug 39866).
Some shell quoting errors have been fixed (Bug 40031).
Only initialize the LDAP server on the DC Master and abort on errors (Bug 38051).
The attribute univentionMessageCatalog has been added to the LDAP schema for the univentionUDMHook and univentionUDMSyntax object classes (Bug 35840).

§6.4.1.1. Listener/Notifier domain replication

The listener cache flushing has been disabled during module initialization (Bug 39957).
Some replicated objects were not deleted when the LDAP server closed its side of the LDAP connection. This issue has been fixed (Bug 40067).
The Samba 4 Connector is now stopped during re-joins (Bug 40391).
Translation format strings with multiple unnamed arguments have been adjusted (Bug 40339)
If the connection to the LDAP server is closed, it is now automatically re-connected. This fixes joining in large environments, when the LDAP server is restarted while a new system is joined. The number of re-tries can be configured through the new Univention Configuration Registry variable listener/ldap/retries (Bug 40460).

§6.4.1.2. DNS server

The Univention Configuration Registry variables dns/nameserver/registration/forward_zone and dns/nameserver/registration/reverse_zone have been added. These variables allow to disable the automatic registration as additional nameserver (Bug 40139).
Some shell quoting errors have been fixed (Bug 40031).

§6.5. Univention Management Console

§6.5.1. Univention Management Console web interface

The username field in the login dialog doesn't get cleared anymore (Bug 39898).
The help text field in the login dialog shows a hint about the root user when username=root is given as a query parameter (Bug 40144).
The alignment of the single sign on button has been adjusted (Bug 40146).
Display problems in the grid header when using Internet Explorer have been fixed (Bug 39498).
A crash is prevented if a notifier timer removes a socket while there are pending IO events from this socket. Univention Management Console was affected by this bug and it resulted in faulty behavior of UMC modules (Bug 40510).
Missing translation files won't cause a HTTP 404 Not Found error anymore (Bug 40242).
Translation format strings with multiple unnamed arguments have been adjusted (Bug 40339).
Internet Explorer 11 doesn't show a download pop up anymore when accessing UMC (Bug 39861).
The versions of outdated browsers have been updated (Bug 40402).
Some minor usability adjustments for the login dialog have been implemented (Bug 40402).

§6.5.2. Univention Management Console server

The dh_umc debhelper doesn't create duplicated message entries or false warnings about fuzzy PO file headers anymore (Bug 40341).
Translation format strings with multiple unnamed arguments have been adjusted (Bug 40339).
The file permissions of files installed by the dh_umc debhelper have been adjusted (Bug 30520).
The categories of UMC modules can now be configured more easily. It is also possible to add links to the UMC module overview (Bug 40528).

§6.5.3. Univention App Center

On touch devices the description of an app is now visible by touching the app once. Touching a second time will open the detail page (Bug 39663).
Installed apps are now correctly stored in repository/app_center/installed even when bypassing the App Center (Bug 40087).
The check whether docker is up and running at the startup of the App Center can now be disabled by setting the Univention Configuration Registry variable appcenter/docker to =disabled. In this case, Docker Apps cannot be installed anymore (Bug 40074).
The command univention-app shell has been added. It runs a command within the environment of a Docker App (Bug 40119).
Warnings shown before App installations do not show up as errors after a successful installation anymore (Bug 39926).
Failed Docker App installations now correctly remove their Docker containers when cleaning up (Bug 40135).
Downloading specific files from the App Center server now makes use of ETags, resulting in a speedup of module opening (Bug 40136).
The layout of the App Center gallery has been improved (Bug 39662).
On an app details page, it is now possible to navigate to the previous and next app in the search results (Bug 39664).
The app details page for small domains has been simplified (Bug 40116).
Apps now support RequiredAppsInDomain which can be used to state that a specific App has to be installed somewhere in the domain in order for the current App to work (Bug 37539).
Various performance optimizations have been done in the App Center code (Bug 40239, Bug 40240).
The developer scripts for using a local App Center have been fixed (Bug 40359).
One function of the Docker Apps join script helpers has been fixed when called from within the UMC module (Bug 40264).
Uninstalling the last app doesn't cause a Forbidden pop up anymore (Bug 39157).
Calling univention-app does not log the complete set of options, instead just the name of the action being called (Bug 40287).
The command univention-app upgrade now correctly upgrades all packages for non Docker Apps (Bug 40060).
The attribute univentionAppID has been added to the LDAP equality search index (Bug 39866).
Translation format strings with multiple unnamed arguments have been adjusted (Bug 40339).
The function joinscript_run_in_container from the Docker Apps join script helper functions now correctly passes its arguments to univention-app shell (Bug 40523).
The support for plain Docker images has been enhanced (Bug 40604).
The attribute Screenshot has been replaced by Thumbnails (Bug 40160).
Support for upgrading conventional Apps to Docker Apps has been added (Bug 40561).
The error handling has been improved. This results in useful error messages especially when a connection to the LDAP service failed (Bug 40069).

§6.5.4. Univention Directory Manager UMC modules and command line interface

The locale is not replaced by the Country syntax class anymore. This caused side effects in all processes which imported the UDM python modules. For example the translation of the App Center UMC modules was not possible (Bug 39146).
From now on domain names for mail domains will be lowercased when created or modified. Existing domain names will not be changed automatically, only when they are modified. Mixed case domain names caused inconsistent behavior with Dovecot and shared folders (Bug 39721).
The syntax check for the Base64GzipText attribute type had an error that made it impossible to store data in such an attribute. This issue has been fixed (Bug 40348).
The simple syntax class now allows None values to be able to e.g. remove the birthday of a user (Bug 32321).
Some shell quoting errors have been fixed (Bug 40031).
Translation format strings with multiple unnamed arguments have been adjusted (Bug 40339).
It is now possible to ship translations for UDM hooks and UDM syntax settings (Bug 34556).
The modification list is now generated independent of the ordering of attribute values. This prevents errors when modifying objects in case the permissions of the executor aren't sufficient (Bug 40120).

§6.5.5. Modules for system settings / setup wizard

The package univention-system-activation has been rebuild with all intended changes for UCS 4.1. This fixes a bug with system setup not being able to finish correctly (Bug 40019).
The term Univention App has been replaced by Appliance (Bug 40304).
More input validation for certificate values has been added (Bug 39376).
The country name field in the ldap DN is now validated (Bug 39941).
The email address field provides a virtual keyboard for special characters (Bug 38567).
Some shell quoting errors have been fixed (Bug 40031).
The term Univention App has been replaced by Appliance (Bug 40304).
Translation format strings with multiple unnamed arguments have been adjusted (Bug 40339).
Fixed typos in German translation have been fixed (Bug 39886, Bug 40344).

§6.6. Software deployment

The free disc space requirement in the updater's preup script has been increased to 1.5GiB (Bug 39991).
The AWS EC2 image Univention Corporate Server (UCS) 4.1 (official image) rev. 0 uses the repository server updates-test.software-univention.de instead of updates.software-univention.de. This update resets the Univention Configuration Registry variable repository/online/server on EC2 images to updates.software-univention.de (Bug 40142).
The layout in the UMC software update module has been adjusted to be responsive (Bug 36444).
UCS-3.0 errata updates are no longer mirrored with newer systems (Bug 29633).
The inheritance of using https for components has been fixed (Bug 40148).
If no update process is currently running, the UMC module won't block closing UMC anymore (Bug 39780).
The update process via the UMC module can be started if the logfiles don't exist (Bug 40051).
The HTTP timeout has been reduced to 30 seconds (Bug 39954).
Some shell quoting errors have been fixed (Bug 40031).
A vulnerability has been fixed which could lead to code execution (Bug 39993).
A progress bar is now shown while rebooting the system (Bug 40343).
The update scripts have been adjusted to UCS 4.1-1 (Bug 40624).

§6.6.1. Software monitor

The package database was not updated automatically on systems other than the database server. This issue has been fixed (Bug 33935).

§6.7. Univention base libraries

Some shell quoting errors have been fixed (Bug 40031).
Atjob comments are now properly encoded (Bug 39993).
It is now possible to ship translations for UDM hooks and UDM syntax settings (Bug 34556).

§6.8. System services

§6.8.1. SAML

The SAML logout process is now more robust (Bug 39815).
It is now possible to import a license file when being logged in via single sign on (Bug 39675).

§6.8.2. Univention self service

The sender address of token emails is now changeable with the Univention Configuration Registry variable umc/self-service/passwordreset/email/sender_address (Bug 40048).
It is now possible to use the password reset service with the primary email address instead of the username (Bug 40049).
The server name used in token emails is now configurable via the Univention Configuration Registry variable umc/self-service/passwordreset/email/webserver_address (Bug 40107).
Tokens aren't written to log files regardless of the configured debug level (Bug 39996).
The unjoin scripts are executed when removing the package (Bug 39980).
The links on the ucs-overview are removed when uninstalling (Bug 40033).
Redirections are now restricted to relative paths only (Bug 39981).
Protect against denial of service attacks. The Univention Configuration Registry variable umc/self-service/passwordreset/limit/.* may be used to configure request limits (Bug 39720).
It's not possible to gain information about existence of users anymore (Bug 39939).
The postrm script has been modified to correctly restart apache2 (Bug 40061).
When a password policy checking password quality was activated, the password reset module would crash on a bad password. This issue has been fixed (Bug 40433).
The error handling during connecting to the UMC server has been improved (Bug 40581).
If the self-service app was installed during the initial system configuration, the service could not connect to the UMC server (Bug 40582).

§6.8.3. Mail services

An error in the Dovecot listener could lead to the unintended deletion of a shared folder if the corresponding LDAP objects is changed. This issue has been fixed (Bug 40014).
The UMC permissions write and all for shared folders did not contain the IMAP permission for expunge. A removal of mails or moving mails was not possible. This problem has been fixed and the permission will be updated automatically if the join script of univention-mail-dovecot is called (Bug 40038).
A premature scheduling of the DH parameter generation caused an atd process to hang in Docker containers. This issue has been fixed (Bug 40134).
A bug in the mailing list filter policy server allowed senders with an empty envelope email address to send to restricted mailing lists. This issue has been fixed (Bug 40353).
The timeout for the initial LDAP search during domain join was increased to two hours, as joining in a large domain can take much longer than the default five minutes. The time can be changed through the Univention Configuration Registry variable listener/timeout/scans (Bug 40373).
A file for the process of handling user renames has been moved to a secure location (Bug 40245).
A problem regarding IMAP ACLs at shared folders with primary mail address has been fixed. ACLs that have been removed via Univention Management Console or CLI have not been removed on the IMAP server (Bug 40194).
A file for the process of handling user renames has been moved to a secure location (Bug 40246).
Errors when checking restrictions of mailing lists and mail groups are now written to the system mail log (Bug 40376).
The user that wants to send to a restricted mailing list or group mail is now determined using the SASL login. This requires, that the sender logs into the server to deliver the email. To enable the previous behavior (to use the email address declared by the sender), set the Univention Configuration Registry variable mail/postfix/policy/listfilter/use_sasl_username to no (Bug 29615).
The policy server checking restrictions of mailing lists now exits without error, when told to by Postfix (Bug 40569).

§6.8.4. Printing services

The default CUPS policy has been fixed and is now configurable via the Univention Configuration Registry variables cups/policy/.* (Bug 38023).
The univention-printserver join script now restarts the cups daemon (Bug 40591).

§6.8.5. Kerberos

Some shell quoting errors have been fixed (Bug 40031).

§6.8.6. SSL

Certificate variables are now correctly escaped when writing to configuration file before creating new certificates (Bug 39376).

§6.8.7. Proxy services

This update adds the possibility to define the number of squid's rewrite helper processes via the new Univention Configuration Registry variable squid/rewrite/children (Bug 40095).
When basic auth is enabled, disabled user accounts cannot use the proxy anymore (Bug 39901).
Added new configuration option dbtemp to squidGuard that specifies a directory for temporary backing files of the in-memory databases (Bug 40592).

§6.8.8. Apache

The init script now stops the apache process before restarting if a reload crashes the apache process (Bug 40061).
A warning about unencrypted HTTP connections has been added to the UCS overview page (Bug 39361).
The HTTP redirection has been changed to a permanent redirection when forcing HTTPS access (Bug 40121).
HTTPS is not enforced for the apache mod_status resources (Bug 40173).
Links on the UCS overview preserve the port if accessed through a non default port (Bug 40070).

§6.8.9. PAM / Local group cache

A German word list has been added, so that passwords can be checked to not include German words (Bug 24840).
A dependency on the package univention-sudo has been added. The sudo rules are not automatically activated on updating systems, only on new installations (Bug 37995).
Create the user messagebus as the owner for /etc/libnss-ldap.conf. Thanks to Lutz Willek (Bug 38993).

§6.9. Virtualization

§6.9.1. Univention Virtual Machine Manager (UVMM)

VMs not specifying the disk driver type don't crash anymore (Bug 39825).
The migration of paused VMs is now allowed (Bug 39242).
The VNC button tool-tip has been fixed (Bug 33982).
The AWS API for EC2 region eu-central-1 (Frankfurt am Main) is now supported (Bug 36141).
Support for Virtual Private Clouds (VPC) with AWS EC2 has been added (Bug 36289).
The deprecated support for TLS/SSL connections and authentication through PAM has been removed (Bug 40180).
The deprecated code for booting old VMs through PXE has been removed (Bug 40181).
The command line tool for debugging UVMM has been improved (Bug 40182).
Some unused helper code has been removed to fix an import error of the Python libvirt module from the UVMM Univention Directory Listener module handling the dynamic addition and removal of virtualization hosts (Bug 40133).
The cron job to check libvirtd is no longer required and has been removed (Bug 35101).

§6.10. Container Technologies

The Docker engine now uses a HTTP proxy for downloading of images, if the Univention Configuration Registry variable proxy/http is configured (Bug 40030).

§6.11. Services for Windows

§6.11.1. Samba

Samba has been updated to 4.3.3. This includes an update of the packages talloc, tdb, tevent, ldb, univention-ldb-modules (Bug 40221).
In certain situations samba restart left samba in a non-functional state (Bug 40132).
When closing sessions the smbd server processes exited with a memory corruption error (Bug 40131).
The Univention Configuration Registry variable samba/register/exclude/interfaces has been added to configure samba to ignore certain network interfaces. The interface docker0 is ignored by default (Bug 39601).
The sysvol-sync script now checks if any changes need to be synchronized at all and it uses file locking to coordinate concurrent read and write processes (Bug 40186).
The ACL check in the sysvol-sync script is now limited to the Policies directory (Bug 40266).
There are two new Univention Configuration Registry variables samba4/sysvol/sync/from_upstream and samba4/sysvol/sync/from_downstream which can be used to deactivate copying files from other DCs (Bug 40313).
This update fixes an issue where libunivention-ldb-modules would refuse to load due to an updated ldb library (Bug 40437).
Translation format strings with multiple unnamed arguments have been adjusted (Bug 40339).
On UCS@school Samba AD DC Slaves the univention-samba4 joinscript could take a long time to wait in vain for an object to get synchronized to the DC Master (Bug 33399).
Some shell quoting errors have been fixed (Bug 40031).
Re-join during UCS@school Samba AD DC Slave setup could fail due to krb5.keytab containing differing Kerberos key hashes for the same key version number. This issue has been fixed (Bug 40434).

§6.11.2. Univention S4 Connector

The new package univention-nagios-s4-connector provides a Nagios plugin to check the state of the univention-s4-connector (Bug 37006).
The synchronization failed if a removed user was recreated at a different position. This issue has been fixed (Bug 40233).
msPrint-ConnectionPolicy objects are now synced if the Univention Configuration Registry variable connector/s4/mapping/msprintconnectionpolicy is set to true. The S4 connector has to be restarted after changing this Univention Configuration variable. This is required for UCS@school and will be set there accordingly (Bug 40298).
Wildcard DNS records didn't get synchronized any more. This issue has been fixed (Bug 40380).
UCS 4.1-0 Erratum 39 accidentally set connector/s4/listener/disabled to true on UCS Samba/AD DCs which run an S4 Connector in an UCS domain where multiple S4 Connector services are registered in LDAP. This may affect a DC Master in an UCS@school environment. This doesn't affect UCS Samba/AD DCs where the Univention Configuration Registry variable connector/s4/allow/secondary is set to true, which comprises UCS@school Samba AD DC Slave systems (Bug 40467).

§6.12. Other changes

The C library can deadlock in a call to getaddrinfo(), when the Linux kernel returns an empty answer for the used NETLINK call (Bug 40059).
The package pylibmc has been added to the maintained package repository of UCS (Bug 40209).
This update fixes a crash of the UCS policy conformance checker ucslint for the case, when issues don't include a file name or reference a not existing file (Bug 36456).
This update adds an updated SSL implementation for Python, which is required to support the new AWS API for EC2 region eu-central-1 (Frankfurt am Main) (Bug 36141).
The program wget loads the SSL certificates multiple times, which makes is slow and consumes a lot of memory, which can lead to it being killed by the Linux kernel. This issue has been fixed (Bug 39940).
The backend of univention-welcome-screen has been changed from Firefox to Plymouth (Bug 39241).
The package xml-security-c was re-built to satisfy the dependency of open-vm-tools (Bug 40244).
The robustness of the univention-ucs-translation-build-package.py has been enhanced (Bug 40340).
No fuzzy PO file header entries are created anymore in univention-ucs-translation-template (Bug 40341).
The package sysstat has been added to the maintained package repository of UCS (Bug 40203).
The univention-welcome-screen now uses vt7 (Bug 40631).