Release notes for the installation and update of Univention Corporate Server (UCS) 4.2
§Chapter 1. Release Highlights
With Univention Corporate Server 4.2, the second minor release of Univention Corporate Server (UCS) is now
available. It provides several substantial feature improvements and extensions, new properties as well as
various improvements and bugfixes. An overview of the most important changes:
UCS 4.2 is based on Debian GNU/Linux 8 (Jessie). More than 16,000 source packages have been updated and
adapted to the needs of UCS administrators. Selected core components, e.g. Linux Kernel (4.9), Docker
(1.12) or QEMU (2.8) are more recent in UCS compared to Debian GNU/Linux 8.
From UCS 4.2, the management system offers a central portal for quick access to all applications in the
environment, as well as the management of the various UCS instances. This allows users to
access their applications more easily. The portal is configurable and can be adapted to individual needs.
The design and user experience have been improved further with UCS 4.2. For example, the password self
service provides a simplified usage. The management system now uses SAML (Web Single Sign-On) by default,
provided that the prerequisites, such as working name resolution, are given.
Samba has been updated to version 4.6.1. This includes various improvements in the areas of DRS
replication, Active Directory compatibility, file services and printer handling, among other things. In
addition, the performance has been improved in environments with many users.
§Chapter 2. Notes about the update
During the update some services in the domain may not be available temporarily, that is why the update should occur in a maintenance window.
It is recommended to test the update in a separate test environment prior to the actual update.
The test environment should be identical to the production environment.
Depending on the system performance, network connection and the installed software the update will take between 20 minutes and several hours.
§2.1. Recommended update order for environments with more than one UCS server
In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:
The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all the remaining LDAP servers of the UCS domain.
As changes to the LDAP schema can occur during release updates, the master domain controller must always be the first system to be updated during a release update.
§2.2. UCS installation DVD only available for 64 bit
Starting with UCS 4.0, installation DVD are only provided for the x86 64 bit architecture (amd64).
Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVD.
The 32 bit architecture will be supported over the entire UCS 4 maintenance period.
§Chapter 3. Preparation of update
It must be checked whether sufficient disk space is available.
A standard installation requires a minimum of 6 GB of disk space.
Depending on the scope of the existing installation, the update will require about another 2 GB of disk space for download and installation all packages.
For the update, a login should be performed on the system's local console as user root
, and the update should be initiated there.
Alternatively, the update can be conducted using Univention Management Console.
Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted.
In consequence, this can affect the system severely.
If updating should occur over a network connection nevertheless, it must be verified that the update continues in case of disconnection from the network.
This can be achieved, e.g., using the tools screen
and at
. These tools are installed on all UCS system roles by default.
§Chapter 4. Postprocessing of the update
Following the update, new or updated join scripts need to be executed.
This can be done in two ways:
Either using the UMC module or by running the command univention-run-join-scripts
as user root
.
The packages univention-log-collector-server and univention-log-collector-client are no longer maintained. If these packages are installed, they should
be removed.
With Univention Corporate Server 4.2 the OpenLDAP server by default denies the LDAP bind if
passwords or the accounts are expired. This feature is not activated for systems updated
to Univention Corporate Server 4.2. but can be activated by setting the Univention Configuration Registry variable ldap/shadowbind
to true.
During the update the Univention Configuration Registry settings nameserver*
and dns/forwarder*
are checked and adjusted automatically to ensure that the nameserver*
variables only contain DNS servers that know about the UCS domain.
This is done by running /usr/share/univention-server/univention-fix-ucr-dns
once.
We recommend to check the values of these Univention Configuration Registry variables.
Subsequently the UCS system needs to be restarted.
§Chapter 5. Further notes on selected packages
§5.1. QEMU issues
For UCS-4.2 the package qemu has been updated from version 1.1 to version 2.8.
Currently this leads to problems with
- live migrating virtual machines from old to new versions of QEMU.
- restoring of snapshots of running virtual machines, which have been created with an older version of QEMU.
- restoring the state of old running virtual machines, which haven been put into the state of suspended to disk with an older version of QEMU.
Univention is working on a solution and delegates to article SDB 1384 for known temporary workarounds until then.
§5.2. Collection of usage statistics
Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition (which is generally used for evaluating UCS).
The modules opened are logged in an instance of the web traffic analysis tool Piwik.
This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.
This logging is only performed when the UCS Core Edition license is used.
The license status can be verified via the menu entry of the user menu in the upper right corner of Univention Management Console.
If is listed under , this version is in use.
When a regular UCS license is used, no usage statistics are collected.
Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik
to false.
§5.3. Scope of security support for WebKit, Konqueror and QtWebKit
WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered by security support.
WebKit is primarily used for displaying HTML help pages etc.
Firefox should be used as web browser.
§5.4. Recommended browsers for the access to Univention Management Console
Univention Management Console uses numerous JavaScript and CSS functions to display the web interface.
Cookies need to be permitted in the browser.
The following browsers are recommended:
Users with older browsers may experience display or performance issues.
Listed are the changes since UCS 4.1-4 errata408:
§6.1. General
The Debian basis has been updated from Debian 7 (Wheezy) to Debian 8 (Jessie) (Bug 43560, Bug 41930, Bug 41929, Bug 44146).
This means, among other things, the following upgrades:
-
Apache has been updated to 2.4.10.
-
The BIND DNS server has been updated to 9.9.5.
-
OpenSSH has been updated to 6.7.
-
Perl has been updated to 5.20.2.
-
PHP has been updated to 5.6.30.
-
Postfix has been updated to 2.11.3.
-
UCS ships with systemd-sysv as default init system.
This package is installed automatically on upgrades.
All UCS init shell scripts have been made LSB compliant to be compatible with systemd.
If custom init scripts are used or standard UCS init scrips haven been modified, please be aware that these may now have been superseded by systemd unit files or
systemd
itself (Bug 43330).
-
The codename for UCS 4.2 has been set to Lesum (Bug 42054).
§6.2. Univention Installer
-
The installer now supports POSIX shared memory objects for non-privileged processes during the installation in the
chroot
(Bug 43915).
§6.3. Basic system services
§6.3.1. Linux kernel and firmware packages
-
The Linux kernel has been updated to 4.9.13 (Bug 42048, Bug 42047).
-
The kernel modules openafs-modules-dkms, blktap-dkms, virtualbox-dkms, virtualbox-guest-dkms, open-vm-tools-dkms, backfire-dkms and oss4-dkms have been updated to be compatible with the new Linux kernel 4.9.
The modules iscsitarget-dkms and xtables-addons-dkms are no longer supported Bug 42049.
§6.3.2. Univention Configuration Registry
-
The maximum transfer unit (MTU) for network interfaces can now be configured through the new Univention Configuration Registry variable
interfaces/interface
/mtu
(Bug 35814).
-
The functions
remove_ucr_template
and remove_ucr_info_file
from the shell library ucr.sh
have been deprecated.
The library itself was moved into the package univention-config (Bug 27872).
-
ucr update
is now automatically called when Univention Configuration Registry template files are added/modified/removed (Bug 23737).
-
Univention Configuration Registry now loads its data atomically to fix a problem when multiple threads access the database concurrently (Bug 37402).
-
The robustness of the services module has been improved to better handle process changes (Bug 34234).
-
An internal fallback implementation for
pipes.quote()
was added to fix an upgrade issue while python is not configured (Bug 43341).
-
The Python implementation has been changed to follow the Python contract for dictionaries, except one exception:
The method
get()
still returns None
instead of raising the exception KeyError
when the key is not found, as this is still required to be compatible with previous releases (Bug 33101).
§6.3.2.1. Changes to templates and modules
-
The
*/autostart
Univention Configuration Registry variables are now handled by a generic Univention Configuration Registry module.
The variables are still used in the individual init-scripts for backward compatibility with the classic System V init system, but are shadowed by the corresponding systemd mechanisms to enable/disable and mask/unmask services (Bug 43470).
§6.3.3. Other system services
-
Several network start scripts have been adapted to work with systemd (Bug 42380).
§6.4. Domain services
§6.4.1. OpenLDAP
-
The overlay module
shadowbind
has been added. This module checks
shadowExpire and shadowMax/shadowLastChange of the bind DN object
and denies the login if the account or the password is expired.
The overlay can be enabled/disabled with the Univention Configuration Registry variable
ldap/shadowbind
. An ignore LDAP filter (shadowbind
does not check account/password expiry if the bind DN object
matches this filter) can be configured with the Univention Configuration Registry variable
ldap/shadowbind/ignorefilter
(Bug 36215).
-
If the
slapd
is already running when trying to start, the init-script does not signal failure anymore.
A 5 second delay when starting slapd
was removed (Bug 43450).
§6.4.1.1. LDAP ACL changes
-
The slapd configuration option add_content_acl has been turned on (Bug 41797).
-
The overlay module constraint has been enabled.
Security restrictions for the attributes uidNumber and gidNumber have been added.
The value "0" is no longer valid for these attributes (Bug 43312).
§6.4.1.2. Listener/Notifier domain replication
-
The Listener daemon is now compiled with hardening options and return code checks have been improved (Bug 26039).
-
Kerberos support was removed from the Listener (Bug 42678).
-
The Listener cache backend has been converted to LMDB (Bug 23367).
§6.4.1.3. DNS server
-
The timeout and retry handling of the BIND9 LDAP database plugin has been improved (Bug 42389).
-
During the update of DNS servers having univention-bind installed the Univention Configuration Registry settings
nameserver123
and dns/forwarder123
are checked and fixed automatically.
This is done by running /usr/share/univention-server/univention-fix-ucr-dns
once (Bug 43217, Bug 44208).
-
The legacy System V init scripts
univention-bind
and univention-bind-proxy
have been removed.
The services are now handled through the System V init script bind9
and the systemd service unit file bind9.service
(Bug 43690).
§6.4.1.4. DHCP server
-
Quoting of the server name has been added (Bug 42240).
§6.5. Univention Management Console
§6.5.1. Univention Management Console web interface
-
The general design of the web interface has been improved. Several aspects of the design are borrowed from the Google Material Design guidelines. All Univention web interfaces reside now below
/univention
, e.g., Univention Management Console has moved from /univention-management-console
to /univention
(Bug 42261, Bug 42228, Bug 42264, Bug 43451, Bug 42266, Bug 43528, Bug 44007, Bug 44059, Bug 43531).
-
A central portal site has been added to UCS. It allows to have a central site which shows all installed Apps in a UCS domain. Furthermore, the portal page can be configured and customized
(Bug 42233, Bug 42175, Bug 42231, Bug 43495, Bug 43670, Bug 43887, Bug 43932, Bug 43933, Bug 42235, Bug 43928, Bug 44018, Bug 44048, Bug 44070).
-
A server overview site has been added to UCS. It allows to search for and navigate to particular server instances in the UCS domain (Bug 43595, Bug 43680).
-
JavaScript and CSS code has been moved from Univention Management Console into a generic and separate web library that can be used by other web applications, as well (Bug 38824).
-
Global menu entries can now be defined via JavaScript hook modules.
A JavaScript hook module needs to be placed as module in the JavaScript directory
umc/hook
and it needs to be defined via the Univention Configuration Registry variable umc/web/hooks/<packageName>=<javaScriptModule>
(Bug 42263).
-
Improved internationalization for JavaScript files in UMC (Bug 42293).
-
The correct service name is shown when the start behavior is configured through the Univention Configuration Registry variable
umc/http/autostart
(Bug 42340).
-
Various security improvements have been done to guard against Cross Site Request Forgery (XSRF), Cross Site Scripting (XSS) and Clickjacking attacks.
The HTTP response header X-Frame-Options, Content-Security-Policy, X-Content-Type-Options, X-XSS-Protection and X-Permitted-Cross-Domain-Policies are now set by default (Bug 39733, Bug 39731).
-
A menu entry for changing the language has been added (Bug 40612).
-
A menu entry for downloading the root certificate and certificate revocation list has been added (Bug 43695).
-
In certain situations it was possible that the translations were mixed. This has been fixed (Bug 38370).
-
Traceback reports do not require an authenticated session anymore and can be sent anonymously (Bug 42169).
-
Plural forms for translations are now supported in the JavaScript code (Bug 42220).
-
The JavaScript libraries dojo (1.12.1), xstyle (3.2.0) and dgrid (1.1.0) have been updated (Bug 42291).
-
Data grids now have a dynamic height depending on the number of items in it, instead of a fixed height. (Bug 32027, Bug 43630).
-
The design of the login dialog has been restructured and moved into a single login page. By default the login to Univention Management Console now uses the SAML Single Sign On login mechanism.
The session timeout has been increased to 8 hours of inactivity (Bug 42174, Bug 43918).
-
The French translation has been updated w.r.t. the new structure of the web packages (Bug 43462).
§6.5.2. Univention Management Console server
-
The correct service name is shown when the start behavior is configured through the Univention Configuration Registry variable
umc/server/autostart
(Bug 42339).
-
A crash in the UMC server has been fixed which could occur during connecting to module processes under heavy load (Bug 43713).
-
UMC modules are able to serve requests for unauthenticated client now (Bug 42114).
§6.5.3. Univention App Center
-
Docker Apps now send notifications after an App update. This fix was
cherry picked from an an upcoming 4.1-4 update
(Bug 44148).
-
More characters in the version of an App are allowed
(Bug 41905).
-
The version comparison for supported UCS Version has been fixed so
that it does not fail on testing minor versions that are lower than
the current version (Bug 43901).
-
Adjustments have been made to work with the new Docker version or
other software components (Bug 43338, Bug 43607,
Bug 43458).
-
The status message in the App details Page has been improved and
shows the installed and candidate version (Bug 43905).
-
The App Center can now install certain Docker Apps from other UCS
versions (Bug 43496, Bug 43662, Bug 43709).
-
Code cleanup where deprecated functions of Univention Directory
Manager were used (Bug 43624).
-
Before UCS 4.2, the Docker init scripts are created as link. Since the new init scripts needs unique identifiers, the
init scripts are now copied from a default init script. All existing init scripts are migrated during the upgrade to UCS
4.2 (Bug 43674, Bug 44071).
-
To support systemd based containers, univention-appcenter-docker now
asks docker to mount
/run
and /run/lock
as tmpfs
in newly created containers and pre-mounts /sys/fs/cgroup
.
Additionally it uses an adjusted seccomp profile, which allows the system call name_to_handle_at
, which
avoids granting SYS_ADMIN
capabilities to containers (Bug 43455).
-
The command
univention-app shell
no longer implicitly sets the docker exec options
-it
. Instead, univention-app shell
provides these options as
parameters for interactive usage (Bug 44062).
§6.5.4. Univention Directory Manager UMC modules and command line interface
-
The existence of objects is now checked before initializing it (Bug 38110).
-
The syntax class
ObjectFlag
now accepts the
value docker
(which is used to mark computer
objects that are created specifically for Docker App Containers);
the corresponding attribute is now multivalued, making it possible
to store more than one flag on an object (Bug 43148).
-
The UDM specific JavaScript widget
LinkList
has been moved to univention-management-console-module-udm from univention-management-console-frontend (Bug 42321).
§6.5.5. Modules for system settings / setup wizard
-
The setup wizard has been refactored to be a standalone web application (Bug 42172).
-
The package dbus-x11 is installed by default to silence firefox (Bug 36168).
-
The file
/etc/localtime
no longer is a symbolic link, but contains a copy of the time zone data (Bug 24090).
§6.5.6. Software update module
-
Illegal characters don't cause a crash when viewing the logfile anymore (Bug 41539).
-
During an update, the view is scrolling automatically with the last line of the log file (Bug 43508).
§6.5.7. Domain join module
-
The "execute pending join scripts" button is now grayed out if no unconfigured join scripts exists (Bug 35326).
-
Illegal characters don't cause a crash when viewing the logfile anymore (Bug 41539).
§6.5.8. Users module
-
An alternative tile view has been added to the user list which displays the users' profile pictures (Bug 42229, Bug 43868).
-
Templates used when creating new users now work for all properties regardless (Bug 43428).
-
The layout of user templates has been synchronized with the layout of the users modules (Bug 42765).
-
Some broken mappings of user templates have been fixed (Bug 29672).
§6.5.9. DNS module
-
The help and example for the DNS reverse zone subnet property has been improved (Bug 34131).
-
The description for the negative time-to-live property has been corrected (Bug 33165).
-
Long descriptions have been added to all DNS module properties (Bug 42820).
-
DNS names are now checked for validity according to RFC 2181.
PTR entries are now shown in forward notation as IP addresses and can be searched for (Bug 25354).
§6.5.10. DHCP module
-
The DHCP modules now validate the input fields better and require a valid IP address or host name to be entered (Bug 33211).
-
Long descriptions have been added to all DHCP module properties (Bug 42820).
-
Listing policies for DHCP host entries now works with multiple DHCP services and for entries with none or multiple IP addresses (Bug 42849).
-
Support for dynamic address assignment using pools for known hosts has been improved Bug 16923.
-
A memory leak has been fixed.
A crash during startup if the LDAP server was unreachable has been fixed (Bug 31078).
-
DHCP options and DHCP statements can now be configured via Univention Management Console (Bug 32557).
-
The
univention-dhcp
package update script has been adjusted to tolerate temporary
systemd related service restart failure (Bug 43651).
§6.5.11. Policies
-
The long descriptions of the DHCP server statements policy have been corrected (Bug 34441).
§6.5.12. Filesystem quota module
-
Clicking on an activated partition opens the quota settings for that partition (Bug 43507).
§6.6. Software deployment
-
The updater scripts
preup.sh
and postup.sh
have been adapted to the needs of UCS 4.2 (Bug 42037).
-
The pre-check of the UCS 4.2 upgrade now checks if essential server role packages should be removed
during the upgrade. In this case the upgrade process is stopped previously (Bug 39092).
-
The pre-check of the UCS 4.2 upgrade now ensures that all computer objects have valid LDAP object classes
(Bug 41868).
-
To avoid errors in the UMC when choosing English as language, the pre-check of the UCS 4.2 upgrade now ensures that en_US is specified as available locale
(Bug 44150).
-
The program
univention-updater
checks now also the locking status if the option
--check
is used (Bug 43625).
§6.7. Univention base libraries
-
The basic Univention LDAP Python library uldap.py allows now the deletion
of the following LDAP attributes: univentionPortalBackground,
univentionPortalLogo, univentionPortalEntryIcon and
univentionUMCIcon (Bug 44019, Bug 44040).
§6.8. System services
§6.8.1. SAML
-
The package python-pysaml2 3.0.0-5 has been ported back from Debian Stretch (Bug 43547).
-
The package simplesamlphp 1.14.11-1 has been ported back from Debian Stretch (Bug 43783).
-
The Apache configuration has been adjusted (Bug 43708).
§6.8.2. Univention self service
-
The usability of the password self service module has been improved. In addition, the module has been updated
to the UCS 4.2 web structure (Bug 42267, Bug 44111).
-
The self service links for the password reset and password change have been consolidated into one portal entry.
If a password reset entry should be added to the portal, it can be created through the LDAP browse module
(Bug 44102).
-
The self service now communicates directly with the UMC server instead of being proxied through a WSGI process (Bug 42132).
§6.8.3. Kerberos
-
The missing package conflicts between univention-heimdal-kdc and univention-heimdal-member were added (Bug 34258).
-
The Listener scripts for creating Kerberos keys were fixed to no drop root permissions (Bug 43409).
-
The Listener scripts for creating Kerberos keys were updated to use the new location of
ktutil
and kadmin
(Bug 43492).
-
The list of supported encryption types in
/etc/krb5.conf
has been adjusted to make e.g. nsupdate
work with the new Samba version (Bug 43850).
§6.8.4. SSL
-
During univention-system-setup, the certificate for the initially configured
undefined-hostname.unassigned-domain
is not recreated (Bug 43626, Bug 43983).
-
The root SSL certificate used for the UCS domain is now registered as a trusted
root certificate for all applications using
/etc/ssl/certs/
(Bug 39179, Bug 43811).
§6.8.5. Proxy services
-
The Squid proxy server was upgraded to version 3.4.8 and its configuration adapted (Bug 43580, Bug 43717, Bug 44210).
-
The Squid proxy server now uses STARTTLS to encrypt all LDAP connections (Bug 43676).
-
For squidguard a fix for the script
update-squidguard
was ported back from the 1.5-5 release (Bug 43581).
§6.8.6. Apache
-
Apache configuration files in the packages univention-apache,
univention-novnc, univention-nagios and
univention-system-activation
have been adapted to Apache version 2.4 (Bug 42196, Bug 42296).
-
The SSL proxy peer checks for CN and for hostname have been disabled since newer Apache
versions check this by default and the Docker container web interfaces are available via localhost
(Bug 43813).
-
A
robots.txt
file has been added to the default server configuration which prevents search engines and similar web services from indexing the content delivered
by Apache. During the upgrade to UCS 4.2 any existing robots.txt
in /var/www/
will be backed up to robots.txt.orig
(Bug 32521).
§6.8.7. PAM / Local group cache
-
The PAM configuration now uses the
user_envfile
option for reading files from the user home directory (Bug 43287).
§6.8.8. Other services
-
univention-tftp has been updated due to a newer syslinux version, this fixes the path to the
pxelinux.0
binary.
-
univention-postgresql has been updated to support the newer postgresql-9.4 by adding a new univention-postgresql-9.4 and changing univention-postgresql to install that on new installations (Bug 43682).
-
univention-appcenter has been updated to support the newer univention-postgresql-9.4 (Bug 43682).
-
univention-printquota has been updated to support the newer univention-postgresql-9.4 (Bug 43682).
-
univention-pkgdb has been updated to support the newer univention-postgresql-9.4 (Bug 43682).
-
univention-bacula has been updated to support the newer univention-postgresql-9.4 (Bug 43682).
§6.9. Virtualization
§6.9.1. Univention Virtual Machine Manager (UVMM)
-
Profiles for UCS 4.2 and Windows Server 2016 have been added (Bug 44067).
-
Error handling has been improved (Bug 38634).
-
The start script for
libvirtd
has been updates to be compatible with systemd (Bug 43493).
-
libvirtd is no longer started through runit but through systemd (Bug 43875).
-
qemu, libvirt, VirtIO and related packages have been updates to newer versions.
Live-migration and snapshots from previous versions might not work in all cases due to large changes in the code base.
In such cases it is recommended to cleanly shutdown the virtual machines before the upgrade and to cold-boot the virtual machines after the upgrade (Bug 38877).
-
univention-novnc was adapted, the start of the service is moved to a later point in the installation. (Bug 44067).
§6.10. Container Technologies
-
Docker has been updated to 1.12 (Bug 42282, Bug 43449, Bug 44006).
-
The Univention Configuration Registry variable
docker/daemon/default/parameter/.*
has been added to configure additional
parameter for the Docker daemon (Bug 44033).
-
The parameter
live-restore
is now used by default (Bug 44033).
-
The Docker daemon is now started through systemd (Bug 44033).
§6.11. Services for Windows
§6.11.1. Samba
-
The Univention Directory Listener is restarted after the Univention Configuration Registry variable
samba4/role
gets set in the joinscript (Bug 43501).
-
Samba has been updated to version
4.6.1
(Bug 40661, Bug 42045, Bug 43681).
-
univention-samba4 has been adjusted
to flush caches during initial install before committing
the SYSVOL ACLs (Bug 41319).
-
Samba has been adjusted to avoid problems in case
an administrator created a container
CN=System
somewhere
(Bug 31763).
-
The
samba4-idmap.py
listener module has been improved to initialize the idmap during module resynchronization
(Bug 42819).
-
The
samba4-idmap.py
listener module now flushes the samba gencache at the end of --direct-resync
(Bug 41319).
-
univention-samba and univention-samba4 now use the interfaces defined in Univention Configuration Registry (Bug 43073).
-
samba_dnsupdate
now avoids adding a _msdcs NS record if the corresponding SOA record is not present (Bug 43291).
§6.11.2. Univention S4 Connector
-
The escaping of LDAP filter expressions in the S4 Connector has been improved (Bug 32086).
-
The generation of filters from Univention Configuration Registry variable
connector/s4/mapping/dns/ignorelist
has been fixed (Bug 43397).
-
The S4 Connector can now handle large groups if Samba returns ranged results (Bug 41764).
§6.12. Other changes
-
All packages have been updated to no longer depend on deprecated packages and features (Bug 42183).
-
ucslint
check for missing quoting in function local variable assignments (Bug 41926).
-
ucslint
checks Debian maintainer scripts for wrong comments naming a different maintainer script (Bug 32539).
-
ucslint
warns of dependencies on transitional packages (Bug 37203).
-
ucslint
checks were added to the build process of some packages (Bug 23837).
-
ucslint
skips checking some generated files (Bug 43284).
-
The service
portmap
was renamed to rpcbind
(Bug 36571).
-
The init scripts of all services have been made Linux Standard Base (LSB) compliant to allow
insserv
to automatically reorder them based on dependencies (Bug 38438).
The test for insserv
has been remove (Bug 43306).
-
The Univention Configuration Registry variable
version/erratalevel
gets reset to 0
(Bug 43300).
-
Renaming and moving objects into names containing a comma is now possible (Bug 43332).
-
The generation of the maintenance script to remove obsolete files form a local repository has been fixed:
It no longer removes the cryptographic signatures of the updater scripts and
dists/
directories required for network installation (Bug 39582).
It also uses the correct path to remove obsolete packages (Bug 28048).
-
unbind()
methods have been added to the classes univention.uldap
and univention.admin.uldap
(Bug 37519).
-
The class
univention.lib.umc_connection.UMCConnection
has been replaced with the new and more flexible class univention.lib.umc.Client
(Bug 34498).
-
The following packages have been back-ported and built in order to update to the newer docker version:
golang, containerd, golang-1.6, runc,
golang-codegangsta-cli, golang-github-coreos-go-systemd,
golang-github-docker-go-units, golang-github-opencontainers-specs,
golang-github-seccomp-libseccomp-golang, golang-github-vishvananda-netlink,
dh-golang, golang-dbus, golang-github-xeipuuv-gojsonschema,
golang-testify, golang-github-xeipuuv-gojsonreference,
golang-github-xeipuuv-gojsonpointer, golang-github-davecgh-go-spew,
golang-github-pmezard-go-difflib, libseccomp,
golang-github-vishvananda-netns, golang-objx (Bug 42282).
-
The following packages have been added to the maintained section of
the software repository:
python-cups, univention-mysql,
recode, freetds, xmlrpc-epi,
libwebp, uw-imap, firebird2.5
(Bug 42311, Bug 42509, Bug 43481)
-
The package xserver-xorg-input-all does no longer depend on xserver-xorg-input-vmmouse
since it is obsolete with the latest kernel changes (Bug 43460).
-
The package python-univention-directory-manager-legacy-ucd-tcs has been removed (Bug 41637).
-
The packages univention-log-collector-server and univention-log-collector-client have been removed from UCS (Bug 41638).
-
During the upgrade to UCS 4.2, it could happen that a restart of the SpamAssassin daemon failed due to old Perl modules.
The updated perl package ensures now that the spamassassin package is previously
updated (Bug 43534).
-
Some old packages like emacs23 are no longer part of Debian Jessie.
Dependencies on such old packages have been updated to their replacements (Bug 43649).
-
Old custom firefox packages have been replaced with the Debian upstream package firefox-esr.
During the update to Univention Corporate Server 4.2-0 the old package are automatically replaced (Bug 42322).
-
The time service (TCP port 37) has been disabled and the corresponding UCR variables for the firewall accept rule are not set by default any longer.
During update, the UCR variables for the firewall accept rule are unset (Bug 42109).
-
univention-join now uses SNTP for initial time sync (Bug 43987).
-
univention-firewall has been adapted to new iptables rules created by the upgraded docker service (Bug 43707).