With Univention Corporate Server 4.2-2, the second point release of Univention Corporate Server (UCS) 4.2 is now available. It provides several feature improvements and extensions, new properties as well as various improvements and bugfixes. An overview of the most important changes are:

The portal is now also easily usable in cloud setups. The services installed on UCS are directly accessible without further configuration steps. For this purpose, the portal converts existing links into relative links. For portal entries with multiple links, heuristic procedures are used to determine the best link.
The usability of the management system has been improved further. Users and groups can be copied, the error handling has been enhanced in various places and the performance has been increased.
Every app provider can now create simple app appliances through the App Provider Portal. App appliances bundle an app with UCS into a directly usable virtual machine. In addition, the integration depth of the apps can be significantly increased by so-called app settings. These can be created by the app provider simply via the provider portal without additional programming knowledge.
Various security updates have been integrated into UCS 4.2-2, e.g. OpenLDAP, the Linux kernel, Samba, MySQL and PostgreSQL.

§Chapter 2. Notes about the update

During the update some services in the domain may not be available temporarily, that is why the update should occur in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software the update will take between 20 minutes and several hours.

§2.1. Recommended update order for environments with more than one UCS server

In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:

The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the master domain controller must always be the first system to be updated during a release update.

§2.2. UCS installation DVD only available for 64 bit

Starting with UCS 4.0, installation DVD are only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVD. The 32 bit architecture will be supported over the entire UCS 4 maintenance period.

§Chapter 3. Preparation of update

It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 6 GB of disk space. Depending on the scope of the existing installation, the update will require about another 1 GB of disk space for download and installation all packages.

For the update, a login should be performed on the system's local console as user root, and the update should be initiated there. Alternatively, the update can be conducted using Univention Management Console.

Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted. In consequence, this can affect the system severely. If updating should occur over a network connection nevertheless, it must be verified that the update continues in case of disconnection from the network. This can be achieved, e.g., using the tools screen and at. These tools are installed on all UCS system roles by default.

§Chapter 4. Postprocessing of the update

Following the update, new or updated join scripts need to be executed. This can be done in two ways: Either using the UMC module Domain join or by running the command univention-run-join-scripts as user root.

Subsequently the UCS system needs to be restarted.

§Chapter 5. Further notes on selected packages

§5.1. Collection of usage statistics

Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition (which is generally used for evaluating UCS). The modules opened are logged in an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.

This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry License -> License information of the user menu in the upper right corner of Univention Management Console. If UCS Core Edition is listed under License type, this version is in use. When a regular UCS license is used, no usage statistics are collected.

Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.

§5.2. Scope of security support for WebKit, Konqueror and QtWebKit

WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered by security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.

§5.3. Recommended browsers for the access to Univention Management Console

Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:

Chrome as of version 37
Firefox as of version 38
Internet Explorer as of version 11
Safari and Safari Mobile as of version 9

Users with older browsers may experience display or performance issues.

§Chapter 6. Changelog

Listed are the changes since UCS 4.2-1:

§6.1. General

All security updates issued for UCS 4.2-1 are included:
- postgresql-9.4 (CVE-2017-7486 CVE-2017-7484 CVE-2017-7485 CVE-2017-7546 CVE-2017-7547 CVE-2017-7548) (Bug 44679 Bug 45211).
- postgresql-9.1 (CVE-2017-7486 CVE-2017-7546 CVE-2017-7547) (Bug 45237).
- erlang (CVE-2016-10253) (Bug 45216).
- wget (CVE-2017-6508) (Bug 45179).
- vim (CVE-2017-6350 CVE-2017-6349) (Bug 45178).
- unzip (CVE-2014-9913 CVE-2016-9844) (Bug 45177).
- sudo (CVE-2017-1000367) (Bug 44730).
- firefox-esr (CVE-2016-10196 CVE-2017-5031 CVE-2017-5398 CVE-2017-5400 CVE-2017-5401 CVE-2017-5402 CVE-2017-5404 CVE-2017-5405 CVE-2017-5407 CVE-2017-5408 CVE-2017-5410 CVE-2017-5429 CVE-2017-5430 CVE-2017-5432 CVE-2017-5433 CVE-2017-5434 CVE-2017-5435 CVE-2017-5436 CVE-2017-5438 CVE-2017-5439 CVE-2017-5440 CVE-2017-5441 CVE-2017-5442 CVE-2017-5443 CVE-2017-5444 CVE-2017-5445 CVE-2017-5446 CVE-2017-5447 CVE-2017-5448 CVE-2017-5449 CVE-2017-5451 CVE-2017-5454 CVE-2017-5455 CVE-2017-5456 CVE-2017-5459 CVE-2017-5460 CVE-2017-5461 CVE-2017-5462 CVE-2017-5464 CVE-2017-5465 CVE-2017-5466 CVE-2017-5467 CVE-2017-5469 CVE-2017-5470 CVE-2017-5472 CVE-2017-7749 CVE-2017-7750 CVE-2017-7751 CVE-2017-7752 CVE-2017-7753 CVE-2017-7754 CVE-2017-7755 CVE-2017-7756 CVE-2017-7757 CVE-2017-7758 CVE-2017-7760 CVE-2017-7761 CVE-2017-7763 CVE-2017-7764 CVE-2017-7765 CVE-2017-7766 CVE-2017-7767 CVE-2017-7768 CVE-2017-7778 CVE-2017-7779 CVE-2017-7784 CVE-2017-7785 CVE-2017-7786 CVE-2017-7787 CVE-2017-7791 CVE-2017-7792 CVE-2017-7798 CVE-2017-7800 CVE-2017-7801 CVE-2017-7802 CVE-2017-7803 CVE-2017-7807 CVE-2017-7809) (Bug 44858).
- mysql-5.5 (CVE-2017-3302 CVE-2017-3305 CVE-2017-3308 CVE-2017-3309 CVE-2017-3329 CVE-2017-3453 CVE-2017-3456 CVE-2017-3461 CVE-2017-3462 CVE-2017-3463 CVE-2017-3464 CVE-2017-3600 CVE-2017-3635 CVE-2017-3636 CVE-2017-3641 CVE-2017-3648 CVE-2017-3651 CVE-2017-3652 CVE-2017-3653) (Bug 44519).
- bind9 (CVE-2016-2775 CVE-2016-2776 CVE-2016-8864 CVE-2016-9131 CVE-2016-9147 CVE-2016-9444 CVE-2017-3142 CVE-2017-3143 CVE-2017-3136 CVE-2017-3137 CVE-2017-3138 CVE-2017-3135) (Bug 44656).
- samba (CVE-2017-11103 CVE-2017-2619) (Bug 44982 Bug 44891).
- heimdal (CVE-2017-11103) (Bug 44984).
- eject (CVE-2017-6964) (Bug 44410).
- wireshark (CVE-2017-5596 CVE-2017-5597 CVE-2017-6467 CVE-2017-6468 CVE-2017-6469 CVE-2017-6470 CVE-2017-6471 CVE-2017-6473 CVE-2017-6474 CVE-2017-6472 CVE-2017-6014) (Bug 44401).
- univention-kernel-image, univention-kernel-image-signed, linux (CVE-2017-2636 CVE-2017-6874 CVE-2016-2188 CVE-2017-7184 CVE-2017-7187 CVE-2017-7261 CVE-2017-7294 CVE-2017-7308 CVE-2016-9604 CVE-2017-2596 CVE-2017-2671 CVE-2017-5986 CVE-2017-6353 CVE-2017-6951 CVE-2017-7374 CVE-2017-7472 CVE-2017-7477 CVE-2017-7487 CVE-2017-7618 CVE-2017-7645 CVE-2017-7889 CVE-2017-8061 CVE-2017-8063 CVE-2017-8064 CVE-2017-8067 CVE-2017-9150 CVE-2017-1000363 CVE-2017-8890 CVE-2017-9074 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077 CVE-2017-9242 CVE-2017-9211 CVE-2017-7346 CVE-2017-9605 CVE-2017-1000380 CVE-2017-0605 CVE-2017-7895 CVE-2017-8924 CVE-2017-8925 CVE-2017-1000364) (Bug 44416).
- shadow (CVE-2017-2616) (Bug 44673).
- rtmpdump (CVE-2015-8270 CVE-2015-8271 CVE-2015-8272) (Bug 44681).
- openldap (CVE-2017-9287) (Bug 44731).
- nss (CVE-2017-5461 CVE-2017-5462 CVE-2017-7502) (Bug 44777).
- libtasn1-6 (CVE-2017-6891) (Bug 44689).
- jbig2dec (CVE-2017-7885 CVE-2017-7975 CVE-2017-7976 CVE-2016-9601) (Bug 44407).
- libreoffice (CVE-2017-7870) (Bug 44664).
- imagemagick (CVE-2017-7606 CVE-2017-7619 CVE-2017-7941 CVE-2017-7943 CVE-2017-8343 CVE-2017-8344 CVE-2017-8345 CVE-2017-8346 CVE-2017-8347 CVE-2017-8348 CVE-2017-8349 CVE-2017-8350 CVE-2017-8351 CVE-2017-8352 CVE-2017-8353 CVE-2017-8354 CVE-2017-8355 CVE-2017-8356 CVE-2017-8357 CVE-2017-8765 CVE-2017-8830 CVE-2017-9144 CVE-2017-9142 CVE-2017-9143 CVE-2017-9098 CVE-2017-6498 CVE-2017-6500 CVE-2017-6499 CVE-2017-6501 CVE-2017-6497) (Bug 44403).
- git (CVE-2017-8386) (Bug 44677).
- ghostscript (CVE-2016-10219 CVE-2016-10220 CVE-2017-5951 CVE-2017-7207 CVE-2017-8291) (Bug 44569).

§6.2. Univention Installer

Some profile settings have been adjusted to the new Firefox version for the System Setup after the installation (Bug 45321).

§6.3. Basic system services

§6.3.1. Univention Configuration Registry

The sequence : in a Univention Configuration Registry variable key is now prohibited (Bug 25095).

§6.4. Domain services

§6.4.1. OpenLDAP

The LDAP overlay module pwd_scheme_kinit has been adapted to return more error information if authentication at the Kerberos server fails (Bug 44912).

§6.4.1.1. LDAP schema changes

The LDAP attribute univentionUDMPropertyCopyable for extended attributes has been added (Bug 1567).
The new attribute univentionUDMPropertyCopyable is now indexed only if the attribute is known to the LDAP server (Bug 44909).

§6.4.2. DNS server

The BIND9 name server was not restarted after the automatic password change when using the LDAP backend. This has been fixed (Bug 45090).

§6.4.3. DHCP server

The runsv service for the DHCP server is now always started, even when the initial check of the configuration file /etc/dhcp/dhcpd.conf fails. This sometimes happens when BIND and OpenLDAP start too slowly during boot, in which case that is mis-detected as an error in that configuration file (Bug 45065).

§6.5. Univention Management Console

§6.5.1. Univention Management Console web interface

The button styling of referenced policy objects has been adapted (Bug 44066).
Hidden objects are no longer shown by default in an multi object select widget (Bug 44044).
The design of disabled input fields has been improved to be more recognizable (Bug 43402).
No duplicated tool tips are shown anymore for the links in the footer of the login page (Bug 44072).
A check box to select all entries has been added to widgets with selection choices (Bug 19928).
Text in grid cells is now selectable (Bug 44481).
A display problem in tables with multiple lines per row has been corrected. Especially DNS zones were affected by this problem (Bug 44431).
The design of notifications has been adjusted (Bug 43658).
The uninstallation on a base system is now possible (Bug 44894).

§6.5.2. Univention Portal

The portal was empty on unjoined systems. Therefore it was not possible to reach UMC for the initial domain join after logging in (Bug 44865).
The handling of portal links has been improved to be more robust. Links are now converted to relative links if possible (e.g., on EC2 DC master systems). For multiple links of one portal entry, the best matching link is now being chosen using a heuristic (Bug 44371).

§6.5.3. Univention Management Console server

Errors during connecting to the LDAP server are now handled (Bug 39963).
Errors during module initialization are now handled (Bug 44670).
The SSL security of the UMC server has been strengthened by disabling SSLv3 and making the TLS Ciphers configurable via Univention Configuration Registry (Bug 40998).
The build utilities have been adjusted to enhance the creation of translation packages (Bug 44841).
The permissions of the log file /var/log/univention/ec2.log have been fixed (Bug 44803).
The keywords for the module search on the UMC overview page are now localized (Bug 34960).
A crash of the UMC server during uninstallation of a module is prevented (Bug 38375).
The UMC web server falls back to English language in case no language is provided in HTTP request, which is the case for clients using UCS 4.1. This makes it possible to join UCS 4.1 Appliances into UCS 4.2 domains (Bug 44719).
Using UMC was not possible with multiple docker instances on the system as the browser then sends multiple cookies which caused that the session could not be detected (Bug 45043).
A memory leak in the UMC server has been corrected which caused the UMC web server to crash with [Errno24] Too many open files errors (Bug 44965).
The uninstallation on a base system is now possible (Bug 44894).
Since erratum 139 the Univention Configuration Registry variable umc/module/timeout was not evaluated anymore which caused that the connection to module processes was closed after 30 seconds bug (Bug 45307).

§6.5.4. Univention App Center

The initial archives for the App Center meta data have been updated. This also adds Self Service to the software selection during system setup (Bug 44240).
Apps may now ship a file describing settings that can be applied dynamically (Bug 44872).
The host listing for an installed app incorrectly warned about limited manageability in some cases (Bug 44036).
A crash during creation of translation files when the name or description of an app is not set has been fixed (Bug 43896).
Docker Apps are now stopped before backing up their data (Bug 44763).
Fixed an issue while detecting the installation status during package updates (Bug 43079).
Improved speed of download routines for App meta data (Bug 43847).
Use docker cp to copy files into the container (Bug 44814).
Fixed univention-app update zsync issue (Bug 45180).

§6.5.5. Univention Directory Manager UMC modules and command line interface

Group and user objects can now be copied in UMC (Bug 1567).
The :umlauts modifier in the template mechanism of e.g. user templates now normalizes all characters (Bug 44370).
When creating policy objects the DN of the created object is returned (Bug 43150).
The LDAP base could not be modified via UMC anymore since erratum 39. This has been fixed (Bug 43395).
An error in the UDM python interface has been fixed which caused that default values containing template variables (e.g. the mail property of a user) were not reset resulting in wrong default values if multiple objects were created at once (Bug 41092).
It is prevented to move or remove the own object now (Bug 42526).
It is now checked if the create, modify and remove operation is allowed before executing the action (Bug 39253).
Objects of type Settings: Service were not editable through the LDAP directory module. This has been fixed (Bug 30214).
An error during creation of existing objects has been fixed when policies should be referenced (Bug 38856).
The descriptions of properties belonging to print quota policies have been enhanced (Bug 39862).
The Span both columns option for extended attributes is functioning again (Bug 40487).
An error is prevented when trying to attach an unknown object class to an object (Bug 41802).
It is now possible to hide existing properties in the layout via an extended attribute (Bug 43373).
More descriptions have been added to the windows settings of user objects (Bug 40964).
The UDM CLI now shows a readable error message when the LDAP server is not available (Bug 43975).
The home share and home share path properties are now correctly displayed (Bug 37611).
It is now possible to remove values from Univention Configuration Registry policies via CLI (Bug 43562).
The udm --help output has been cleaned up to improve readability (Bug 31768).
The --position argument has been added to the --help output of the udm list command (Bug 29501).
The layout of container objects has been adapted so that the configuration options for default containers are visible on the General tab (Bug 33652).
The license evaluation now respects renamed default user and group names (Bug 33891).
Searching for the printmodel property in printer driver lists is working again (Bug 35925).
The DN of objects removed with udm remove --filter is now displayed (Bug 37285).
Legacy and unused code has been removed (Bug 29929).
The ObjectFlag syntax now allows the value synced (Bug 37676).
The syntax check for udm search filter has been improved (Bug 34276).
The performance of search filters for user objects has been improved (Bug 28633).
The output from the list command of the UDM CLI is now sorted (Bug 34180).
Legacy code related to custom attributes has been removed (Bug 41556).
The listener module for handling UDM extensions now removes old python files when the file was renamed (Bug 42862).
A programmatic error when creating container objects has been fixed (Bug 43396).
Error messages now contain more details in case of errors with invalid LDAP DN syntax (Bug 42403).
The remove operation of the UDM CLI now allows the option --ignore_not_exists (Bug 40737).
A package dependency to python-ipaddr has been added (Bug 28054).
Overwritten syntax classes for properties which are shown in a wizard for creating objects can now use ComboBox widgets (Bug 44847).
The options of objects are now sorted (Bug 41015).
A crash is prevented if a default container contained special characters like , (Bug 42423).
A possible crash when loading widget definitions for UDM properties is now prevented (Bug 42466).
Some spelling mistakes in the UDM CLI Client have been corrected (Bug 31927).
Unused legacy code has been removed (Bug 43299).
Legacy code regarding the ordering number of extended attributes has been cleaned up (Bug 32781).
A lookup function for the users/self and users/passwd modules have been added for convenience (Bug 37623).
The error handling during adding hosts to nagios services has been improved (Bug 38362).
The temporary locking objects are removed when an error happens during object creation. This prevents that one needs to save an object twice to create it after resolving the error (Bug 41294).
It is currently possible to supply a wrong object type when modifying objects. This erratum prepares for preventing this by adding more error messages to the log files instead (Bug 30368).
Passing univention.uldap.access() instances to UDM objects is handled more gracefully (Bug 41368).
The detection of DNS TXT and Host records has been improved to not detect objects as the wrong type (Bug 40839).
The description for the "options" property of extended attributes has been improved (Bug 39201).
An LDAP error is prevented when changing the user password and the "Change password on next login" option at the same time (Bug 42015).
Unused legacy code regarding container/dc objects has been removed (Bug 24374).
Some undefined python references have been fixed (Bug 36631).
Removing the IP range from a network object is possible again (Bug 35074).
The hosts property has been added to the settings/umc_operationset (Bug 25187).
The description property of settings/umc_operationset is now a required field (Bug 25189).
It was not possible to automatically get the next free IP address for a newly created computer object when the license was exceeded (Bug 30351).
The group members of printer groups with multiple spool hosts are now detected correctly again (Bug 29707).
The validation when removing and modifying printers and printer groups has been corrected (Bug 40765).
The Spool Host label of printers and printer groups has been renamed into Print server (Bug 23888).
The e-mail property of a user is no longer copyable. The default values for empty properties are now properly evaluated after copying an object (Bug 44908).
Support lookup of specific attributes via PostReadControl (RFC 4527) (Bug 43628).
The tab that is opened when editing a user in a new tab can now be closed (Bug 40486).
LDAP attributes which are required by their schema are now marked as required in UMC (Bug 24601).
Some performance optimizations during modification of user and group objects has been done (Bug 37081).
The next free sambaRID is used when only a S4 Connector with IPv6 is part of the domain (Bug 25058).
The error handling during creation of network objects with an invalid netmask has been improved (Bug 24828).
A regression in univention.admin.objects.get() has been fixed which caused that the Univention Corporate Client UMC configuration was not possible anymore (Bug 45116).
The mapping of the sambaWriteList property of shares has been corrected to not raise an exception if the value is not set (Bug 45207).

§6.5.6. Modules for system settings / setup wizard

It is possible again to install UCS systems without joining directly into any domain when no DNS server is configured during set up (Bug 43402).
Adapt univention-app-appliance to changes in UCS 4.2 branding. The package univention-system-activation has been updated to work with UCS 4.2 App Appliances (Bug 44523).
The license upload step was displayed first even if no license mail was sent (Bug 44910).
A crash during startup of the settings UMC modules has been fixed which occurred if certain values were not correctly encoded (Bug 28070).
The host name of a system which joins into an Active Directory domain is now restricted to 13 characters in the initial system configuration (Bug 40212).
The network configuration does not list TUN/TAP interfaces as configurable Ethernet interfaces anymore (Bug 33132).
The naming restrictions for bridge and bonding network interfaces have been adjusted so that is is not required to have any number in the name anymore (Bug 33131).
The error handling when executing system setup scripts has been improved (Bug 32817).
The startup of the welcome screen after the setup in appliance mode has been fixed (Bug 44061).
The license check during an app appliance join has been fixed (Bug 44995).
The univention-system-setup package now depends on gettext-base (Bug 38342).
A display error when configuring multiple network interfaces has been corrected (Bug 44194).
Fixed a typo on the appliance first steps overlay (Bug 45084).
The error handling during the initial system configuration has been improved (Bug 43152).
The handling of applying network settings in the setup wizard has been improved to be more robust against network timeouts (Bug 45280).

§6.5.7. Software update module

The temporary APT sources.list used for release updates is now removed if any of the pre-update scripts signals an abort condition (Bug 44821).
The check for QEMU virtual machines has been removed from the pre-update script (Bug 44842).
App updates that merely update software packages inside the App's Docker container are not displayed anymore as these updates are currently not supported through the App Center module (Bug 44623).

§6.5.8. Domain join module

Improved error message for failing server join in univention-join (Bug 44429, Bug 42021, Bug 42425).

§6.5.9. Users module

A warning is now shown if a user name is too long to be usable for a login on Windows clients (Bug 34973).

§6.5.10. Univention Directory Reports

The generation of PDF reports has been optimized: They are now generated with the RML language instead of LaTeX. LaTeX reports are still supported by installing the new package univention-directory-reports-latex (Bug 39239).
The PDF user report did not include all groups of the user (Bug 45231).

§6.5.11. Process overview module

The error handling has been improved when a process stops during the calculation of the CPU consumption of a process (Bug 38738).

§6.5.12. Policies

The join script 20univention-directory-policy now aborts on errors (Bug 40247).

§6.5.13. Univention Configuration Registry module

The validation of Univention Configuration Registry variable names has been improved (Bug 25095).

§6.5.14. Other modules

The start/stop/restart actions are prohibited now if the service is already in that state (Bug 36563).
The error handling during starting/stopping/restarting services has been improved: Upon error the service status is shown (Bug 36562).
A non-working proxy server is now classified as an critical error in the diagnostic module (Bug 36750).
An unset gateway causes an error message to be shown in the diagnostic module (Bug 42155).

§6.6. Univention base libraries

Legacy and unused code has been removed in univention-python (Bug 41234).

§6.7. System services

§6.7.1. SAML

Optimizations in the UDM module for SAML service providers have been done (Bug 41695).
The error handling during the SAML configuration of the UMC service provider has been improved (Bug 44966).
The univention-saml Apache site is now disabled upon package removal (Bug 41500).
The path to the packages unjoin script has been fixed (Bug 44815).
crudesaml has been updated to version 1.8. This corrects a segmentation fault in slapd which occurs during SAML authentication at the UMC server if the certificates are expired (Bug 45042).
A segmentation fault in pam-saml has been corrected, which caused the UMC server to crash in certain situations during loading of identity provider metadata (Bug 39355).

§6.7.2. Mail services

A regression has been fixed which was introduced in erratum 36. The regression prevented the delivery of mails to shared folders in Cyrus (Bug 44948).
The use of UDM utility functions has been corrected in the listener script dovecot_shared_folder.py (Bug 41368).

§6.7.3. Printing services

Old code from UCS 2.4 has been removed from the package univention-printserver (Bug 39419).

§6.7.4. Nagios

Fixed a nscd Nagios warning on systems with docker apps installed. The check now inspects the processes on the nscd socket instead of just counting the number of running nscd processes (Bug 42812).
Fix UNIVENTION_NSCD service (Bug 45186).

§6.7.5. Apache

The uninstallation on a base system is now possible (Bug 44894).

§6.7.6. PAM / Local group cache

UCS specific patches have been re-applied which got dropped for UCS 4.2-0. This includes the patch for Bug 29393, which allows configuring the memory for parsing large groups through the Univention Configuration Registry variable pamaccess/maxent (Bug 45039).

§6.7.7. NFS

Remove remaining HA support (Bug 32272).
Remove port 4660 from firewall (Bug 33254).
Start NFS server for first NFS share (Bug 45101).
Make RPCNFSDCOUNT configurable (Bug 25446).

§6.8. Virtualization

§6.8.1. Univention Virtual Machine Manager (UVMM)

It is now possible to open virtual machines in a new tab via the UMC module (Bug 24721).
The MAC address in the network interfaces view of a virtual machine can be selected again (Bug 44481).

§6.9. Container Technologies

UDM objects with the object flags synced and docker can now be deleted (Bug 43846).
The script univention-fix-ucr-dns is installed in Docker containers too (Bug 45040).
Disable update check on boot in container mode (Bug 45103).
The docker service is now restarted right after installation to ensure the correct storage backend is used immediately (Bug 44986).
Always apply docker iptables rules (even if the univention-firewall is disabled) in Univention firewall. Can be configured with the Univention Configuration Registry variable security/packetfilter/docker/disabled (Bug 44829).

§6.10. Services for Windows

§6.10.1. Samba

Skip re-provision of Samba on DC Master and DC Backup if the system already provides the S4-Connector service and sam.ldb and secrets.ldb look functional (Bug 44787).
Fixed an error in univention-samba4.prerm (Bug 44936).
Fixed en error message due to missing phpldapadmin-config.php (Bug 33235).

§6.10.2. Univention AD Takeover

Unused legacy code has been removed (Bug 43299).

§6.10.3. Univention S4 Connector

Fix CNAME and PTR record deletion in the S4-Connector (Bug 43072).
Some objects were identified as the wrong object type. The identification handling has been fixed (Bug 44976).
It is possible to start the S4 Connector service process in foreground (Bug 45001).
During sync_to_ucs remember entryCSN of msGPO changes to be able to identify and skip them later in sync_from_ucs (Bug 43628).

§6.10.4. Univention Active Directory Connection

The error handling in the Active Directory setup has been improved during looking up the _domaincontroller_master._tcp SRV record in case no DNS servers are available (Bug 44849).

§6.11. Other changes

The package python-trml2pdf has been moved to maintained (Bug 39239).
Configure systemd-journald.service for time limited log retention (Bug 44234).
The packages univention-system-activation, phantomjs and univention-app-appliance are now maintained (Bug 44990).
The transition from bootsplash to welcome screen is now flicker free. Improved systemd integration for the welcome screen. Crashes and graphic errors on VirtualBox and VMware have been fixed. Always use framebuffer driver to ensure a working welcome screen (Bug 44061).
The welcome screen design has been improved and adapted to the UCS 4.2 design style. The FQDN has been removed from the screen (Bug 45031, Bug 45025).
Fix for hard to read status messages during boot because they were overlaid by the appliance logo (Bug 44952).
Fixed calling univention-fix-ucr-dns when not default gateway is set (Bug 45120).
The package libjsoncpp is now maintained as a new dependency of firefox-esr (Bug 44858).
The packages jquery-goodies and wxwidgets3.0 are now maintained as a new dependency of erlang (Bug 45216).