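Linux enterprise distribution: Univention Corporate Server 4.0-3 released
Univention Corporate Server is an enterprise distribution based on Debian GNU/Linux. It features an integrated management system for the centralized administration of servers, domain services compatible with Microsoft Active Directory, and functions for the parallel operation of virtualized server and desktop operating systems.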

Download: UCS_4.0-3-amd64.iso (2,200MB, MD5, pkglist). 
Chapter 1. Release highlights
With Univention Corporate Server 4.0-3, the third point release of Univention Corporate Server (UCS) 4.0 is now available. It provides various improvements and bugfixes. An overview of the most important changes:
- The mail server Dovecot has been integrated as standard IMAP/POP3 server into UCS and offers an alternative to the still available Cyrus IMAP server. More information is available in this blog article.
- The compatibility to Active Directory has been improved with the Samba update to 4.2.3. This includes, among others, improvements in the DRS replication and the printer driver handling. In addition, the join of Huawei storage systems in the Active Directory domain provided by UCS is now also possible.
- Several enhancements in design and usability of the Univention Management Console have been implemented. For example, it is now possible to use the forward and back buttons of the web browser. This allows a simpler and faster navigation in the management interface.
- LDAP filters can now be defined for LDAP policies. That means the LDAP policy applies only to the objects that match the LDAP filter. This makes it possible to use LDAP policies in an easy and generic way especially in large environments.
- The Linux kernel has been updated to the latest stable version of the 3.16 longterm kernel. This includes several security updates as well as new and updated drivers for a better hardware support.
- All security updates released for UCS 4.0-2 are included in this update. It is now also possible to redirect all HTTP requests to HTTPS by only setting a Univention Configuration Registry variable. This increases the security of the UCS system.
Chapter 2. Notes on the update
During the update some services in the domain may not be available, i.e. the update should occur in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software the update takes between 20 minutes and several hours.
In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:
The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated on all the remaining LDAP servers of the UCS domain. As changes to the LDAP schemas can occur during release updates, the master domain controller must always be the first system to be updated during a release update.
Starting with UCS 4.0, UCS installation DVDs are only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVDs. The 32 bit architecture will be supported over the entire UCS 4 maintenance.
Chapter 3. Preparation of update
It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 6 GB of disk space. Depending on the scope of the existing installation, the update will require about another 2 GB of disk space for downloading and installing all packages.
For the update, a login should be performed on the system's local console as user root, and the update should be initiated there. Alternatively, the update can be conducted using Univention Management Console. 
Remote updating via SSH is not recommended as this may result in the update procedure being cancelled, e.g., if the network connection is interrupted. In consequence, this can affect the system severely. If updating should occur over a network connection nevertheless, it must be verified that the update continues despite disconnection from the network. This can be done, e.g., using the tools screen and at. These tools are installed on all system roles by default. 
Chapter 4. Postprocessing of the update
Following the update, new or updated join scripts need to be executed. This can be done in two ways: Either using the UMC module  or by running the command univention-run-join-scripts as user root. 
Subsequently the UCS system needs to be restarted.
Chapter 5. Further notes on selected packages
The profile-based UCS network installation is available with UCS 4.0-2. Further details are described in [ext-doc-inst].
Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition version of UCS (which is generally used for evaluating UCS). The modules opened are logged in an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.
This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry of the user menu in the upper right corner of Univention Management Console. If is listed under , this version is in use. When a regular UCS license is used, no usage statistics are collected.
Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false. 
WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered with security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.
Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:
- Chrome as of version 33
- Firefox as of version 24
- Internet Explorer as of version 9
- Safari and Safari Mobile as of version 7
Users with older browsers may experience display or performance problems.
Chapter 6. Changelog
Listed are the changes since UCS 4.0-2:
All security updates issued for UCS 4.0-2 are included:
- curl (CVE-2015-3143 CVE-2015-3148) (Bug 38352)
- ntp (CVE-2015-1798 CVE-2015-1799) (Bug 38244)
- clamav (CVE-2015-2170 CVE-2015-2221 CVE-2015-2222 CVE-2015-2668 CVE-2015-2305) (Bug 38425)
- proftpd-dfsg (CVE-2015-3306) (Bug 38372)
- qemu-kvm (CVE-2015-3456) (Bug 38537)
- qemu-kvm (CVE-2015-4037 CVE-2015-3209) (Bug 38744)
- linux (CVE-2013-7421 CVE-2014-8133 CVE-2014-8134 CVE-2014-8159 CVE-2014-8160 CVE-2014-8559 CVE-2014-8989 CVE-2014-9419 CVE-2014-9420 CVE-2014-9428 CVE-2014-9529 CVE-2014-9584 CVE-2014-9585 CVE-2014-9644 CVE-2014-9683 CVE-2014-9710 CVE-2014-9715 CVE-2015-0239 CVE-2015-0275 CVE-2015-1421 CVE-2015-1465 CVE-2015-1593 CVE-2015-2041 CVE-2015-2042 CVE-2015-2150 CVE-2015-2666 CVE-2015-2830 CVE-2015-2922 CVE-2015-3331 CVE-2015-3332 CVE-2015-3339 CVE-2015-3636 CVE-2015-4036) (Bug 37385)
- openjdk-7 (CVE-2015-0460 CVE-2015-0469 CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 CVE-2015-0488) (Bug 38302)
- openjdk-7 (CVE-2015-2590 CVE-2015-2596 CVE-2015-2601 CVE-2015-2613 CVE-2015-2619 CVE-2015-2621 CVE-2015-2625 CVE-2015-2628 CVE-2015-2632 CVE-2015-2637 CVE-2015-2638 CVE-2015-2808 CVE-2015-4000 CVE-2015-4731 CVE-2015-4732 CVE-2015-4733 CVE-2015-4748 CVE-2015-4749 CVE-2015-4760) (Bug 38928)
- bind9 (CVE-2015-5477) (Bug 39058)
- mysql-5.5 (CVE-2015-0411 CVE-2015-0382 CVE-2015-0381 CVE-2015-0391 CVE-2015-0432 CVE-2014-6568 CVE-2015-0374 CVE-2015-0441 CVE-2015-0433 CVE-2015-0499 CVE-2015-0501 CVE-2015-0505 CVE-2015-2568 CVE-2015-2571 CVE-2015-2573 CVE-2015-4752 CVE-2015-4737 CVE-2015-2648 CVE-2015-2643 CVE-2015-2620 CVE-2015-2582) (Bug 37578)
 
- The Linux kernel has been updated to 3.16.7-ckt11. It provides many bugfixes and fixes several vulnerabilities (Bug 37385).
- The title for the entry of UCS in the GRUB boot menu can be configured through the Univention Configuration Registry variable grub/title (Bug 38779).
- The diversion of the msgpo.schema file introduced as a fix for Bug 38488 has been removed again (Bug 38566).
- The description for the UCR variable ldap/server/addition has been improved (Bug 38094).
- The UCR variable ldap/server/addition is used to configure additional LDAP servers in case the primary LDAP server is unavailable. The setting can be configured through a UMC policy 'LDAP server'. Previously the so configured value was written into the NORMAL layer of the Univention Configuration Registry, which overwrote any setting configured by the user. The value is now written into the LDAP layer, which has a higher priority than the NORMAL layer and thus overrules any local configuration, but preserves the user configured setting. The value can still be overwritten locally by using the FORCED layer of UCR, e.g. ucr set --force ldap/server/addition=.... Setting the UCR variable through a UMC policy 'Univention Configuration Registry' is not recommended and will clash with the 'LDAP server' policy (Bug 38094).
- Adds UCR variables ldap/tls/ciphersuite and ldap/tls/minprotocol to configure the allowed ciphers and the minimum required TLS version. By default 'RC4', 'NULL' and 'SSLv3' are now disabled (Bug 38685).
- Enables Forward Secrecy by default, which can be configured further through several new UCR variables starting with ldap/tls/dh/... (Bug 38685).
- The attribute ldapFilter has been added to the schema for univentionPolicy objects (Bug 36255).
- LDAP entries using non-ASCII-characters in their DN are now handled more correctly in case of case differences (Bug 35334).
- A confusing error message was removed (Bug 32819).
- The Listener is now restarted asynchronously when the network interfaces are reconfigured (Bug 36532).
- The Notifier is now restarted asynchronously when the network interfaces are reconfigured (Bug 36532).
- The configuration files and scripts have been optimized to allow a faster restart when the network interfaces are re-configured (Bug 36532).
- The "clear input" and "view password" icons are now displayed correctly in the login dialogue with Internet Explorer 10 and above (Bug 38127).
- It is now possible to create a core dump of the UMC web-server (Bug 37280).
- A check for free disk space is now only done once per file upload request (Bug 38335).
- The place holders in the login dialogue are now displayed correctly in Internet Explorer 9 (Bug 38127).
- Scrolling in the App Center on mobile devices is now more responsive (Bug 38050).
- A missing pre dependency to python-univention-management-console has been added (Bug 38617).
- The query string parameters are now passed to automatically started UMC modules (Bug 38544).
- The handling of the UMC overview page on mobile devices has been improved (Bug 38658).
- A race condition in the UMC webserver has been fixed which could lead to failing starts of the UMC webserver (Bug 37844).
- The PID file is no longer created world-writable (Bug 38825).
- Behaviour and appearance of tooltips has been changed. Tooltips will no longer automatically pop up and need to be opened manually by clicking the tooltip icon (Bug 36771).
- The module header in UMC modules now sticks smoothly to the top when scrolling down (Bug 38491).
- The browser next/back buttons have been integrated into UMC in order to simplify its navigation (Bug 20714).
- The styling of hovered entries on the UMC overview page has been adapted for mobile devices (Bug 38658).
- New icons for tooltips have been added and the style for tooltips has been adapted (Bug 36771).
- Added a transition when a UMC module header reaches the top of the screen (Bug 38491).
- The size of the UMC installer header was too big. This issue has been fixed (Bug 39105).
- The UMC user wizard was not always terminated after creating a user. This issue has been fixed (Bug 39109).
- The UMC server does not crash anymore during request processing (Bug 37366).
- Errors due to a not running LDAP server are now handled by the UMC server process (Bug 36794).
- It is now possible to create a core dump of the UMC server and UMC module processes (Bug 37280).
- The username is no longer treated as case sensitive when changing an expired password in the UMC login (Bug 38826).
- Code for error handling has been moved into the UMC core server (Bug 36794).
- A parameter to open a specific object immediately on opening a module has been added (Bug 38544).
- If multiple policies of the same type are referenced UMC prevents removing policy references when saving the object (Bug 36256).
- If the initialization of the App Center module fails, an error message is shown (Bug 33627).
- Display error message if contacting the LDAP server fails (Bug 36794).
- The error messages when contacting the App Center server or the UCS activation fails have been improved (Bug 35678).
- Errors when opening APT Packages files are now handled (Bug 38112).
- Errors when the system has too little free disk space are now handled (Bug 38129).
- Error messages which are raised from the package manager are now displayed instead of displaying a traceback (Bug 37230).
- The wording for app maintainer has been adjusted to app provider (Bug 37591).
- The startup performance of the App Center has been improved (Bug 38345).
- Fixed an exception in error handling (Bug 38926).
- The display of buttons for installing, updating etc. has been improved (Bug 39042).
- Added functionality for univention-upgrade to upgrade apps (Bug 38697).
- Ini files may now specify how the app is to be included in the app reporting tool (Bug 38954).
- Attributes of the UCR policy are now sorted (Bug 32146).
- Broken UDM handler modules are ignored when updating module list (Bug 38297).
- An exception when handling LDAP exceptions is prevented now (Bug 38616).
- The attribute ldapFilter has been added to policy UDM modules (Bug 36255).
- The UDM module policies/mailquota has been moved to the package univention-mail-cyrus. From now on the module will only be available if the UCS domain contains a UCS system with installed Cyrus mail stack (Bug 38473).
- A default user template for new users can be configured by the UCR variable directory/manager/web/modules/users/user/add/default. The variable expects the DN or the label of a user template (Bug 38832).
- The evaluation of requiredObjectClass, prohibitedObjectClasses, fixedAttributes and emptyAttributes is now case insensitive (Bug 38663).
- Extended the list of default language settings to include Switzerland, Austria and the United Kingdom (Bug 38512).
- Show server address in Univention System Setup welcome screen in EC2 and other cloud environments (Bug 38391).
- Uppercase hostnames and hostnames beginning with a digit are now possible (Bug 37816).
- The package univention-welcome-screen has been added. It shows an informative screen which indicates how the system can be accessed via a web browser (Bug 37537).
- Fixed an error which could occur while installing UCS with non-default locales via the text based installer, resulting in an unconfigured system (Bug 38382).
- Changed the wording in the Univention System Setup to suit Univention App Appliances (Bug 38780 Bug 38781).
- The new package univention-system-activation has been released. It registers a web service to enforce the upload of an activated license key prior to accessing the management web interface (Bug 38547 Bug 38782 Bug 38850).
- Proxy settings were accidentally removed when changing network settings (Bug 38593).
- The network mask is not overwritten in the initial UCS configuration anymore if it was set manually (Bug 38593).
- A typo in the German translation has been corrected (Bug 38215).
- If accessible, the name server specified via DHCP is pre-configured on the network settings page (Bug 38330).
- The links on the last page of the setup wizard have been adjusted (Bug 38850).
- A non authoritative DNS answer is now correctly handled during validation of settings (Bug 38522).
- A notice is shown during domain setup that the process might take a while (Bug 38833).
- The NetBIOS domain name of the Active Directory domain is used when the UCS system joins into an Active Directory domain (Bug 37460).
- The DHCP configuration of a system led to problems with the browser redirection at the end of the setup wizard. This has been corrected (Bug 39048).
- The network settings module can now also be executed on unjoined systems (Bug 39044).
- The wording on the activation page has been improved (Bug 39019).
- The loading animation is now visible in Firefox (Bug 38918).
- Renaming of Domaincontroller or Memberserver computers is prevented now (Bug 38364).
- The Shares module has been moved into the "Domain" category (Bug 38202).
- The update scripts have been adjusted to UCS 4.0-3 (Bug 38961).
- Two new internal functions for UCS license checks have been added to the package univention-lib (Bug 38951).
- If the initialization of the package manager failed it is retried (Bug 38951).
- Held packages can't cause a traceback anymore (Bug 38951).
- Error messages when opening APT Packages files have been improved (Bug 38951).
- Error messages when the system has too little free disk space have been improved (Bug 38951).
- The Python implementation of univention-policy-result did not evaluate the attributes requiredObjectClass and prohibitedObjectClasses. This has been fixed (Bug 38663).
- The Python implementation of univention-policy-result did not return the most specific policy in all cases. This has been fixed (Bug 38712).
- This update provides the new package univention-mail-dovecot which integrates the IMAP/POP3 server dovecot into the UCS mail stack (Bug 34839 Bug 38884).
- dovecot has been updated to version 2.2.13. The update provides several bugfixes and enhancements (Bug 34839 Bug 38475).
- The UCR variable mail/cyrus/auth/allowplaintext to (dis)allow plain text passwords over non-TLS connections has been added. The variable defaults to no. This changes the previous default behaviour! Plain text authentication over unencrypted connections is now disabled by default. To revert to the old behaviour set mail/cyrus/auth/allowplaintext=yes resp. mail/dovecot/auth/allowplaintext=yes (Bug 38500).
- The UDM module policies/mailquota has been moved to the package univention-mail-cyrus. The UDM module will only be available if the UCS mail stack with Cyrus is installed (Bug 38473 Bug 39004).
- Postfix will no longer resolve address mappings (e.g. BCC) before handing them over to AMaViS for content scanning if an archive folder has been defined (Bug 14619 Bug 38884).
- To configure the max. number of concurrent AMaViS processes, a new UCR variable has been introduced: mail/antivir/max_servers. When unset, the current default 2 is used (Bug 37653).
- Add options to check IP FQDN mapping as a means to fight spam. Adds two new UCR variables: mail/postfix/smtpd/restrictions/sender/reject_unknown_client_hostname and mail/postfix/smtpd/restrictions/sender/reject_unknown_reverse_client_hostname for weaker and stricter reverse DNS checking respectively (Bug 38292).
- The package sieve-connect has been updated to version 0.87-1 and provides several bugfixes and new security features (Bug 34839).
- The old printer model list is no longer deleted during the join (Bug 38117).
- The check_univention_ldap plugin has been modified to use the FQDN of the LDAP server (Bug 27043).
- A broken configuration was generated for named DHCP host entries. This issue has been fixed (Bug 38675).
- The DHCP policies are now linked directly to the first created DHCP subnet instead of the LDAP base (Bug 38584).
- The default DHCP policies are only used for the first created DHCP subnet (Bug 37614).
- The default routing policy is only updated for the first created DHCP subnet (Bug 38822).
- The Univention Configuration Registry variable apache2/force_https can be used to force using encryption by re-directing to HTTPS (Bug 38016).
- Huawei Unified Storage System S5500 V3 failed to join Samba AD domains. The Heimdal Kerberos server has been improved to allow the join (Bug 38827).
- The VirtIO drivers for Windows have been updated to version 0.1.105 to fix a problem with broken driver signatures in Windows 2012 server (Bug 38655).
- Samba has been upgraded to version 4.2.3 (Bug 37939).
- The list of groups in the Kerberos PAC_LOGON_INFO now also contains the RID of primary group, this fixes GPO security filtering for primary group membership (Bug 37101).
- Huawei Unified Storage System S5500 V3 failed to join Samba AD domains (Bug 38827).
- A coding error in the Samba implementation of the BACKUPKEY serverwrap protocol may cause problems with retrieving saved passwords on Windows clients (DPAPI). This issue has been fixed (Bug 39025).
- This update adds support for the default profile directory paths of Windows 8, 8.1 and 10. For new users they will now be created automatically on first logon (Bug 38643).
- The ldb library and tools have been upgraded to version 1.1.20 (Bug 37939).
- The talloc library has been upgraded to version 2.1.2 (Bug 37939).
- The tdb library and tools have been upgraded to version 1.3.6 (Bug 37939).
- The tevent library has been upgraded to version 0.9.25 (Bug 37939).
- The package univention-ldb-modules has been rebuilt to match the new Samba version 4.2.3 (Bug 37939).
- The user synchronization failed if the username contains special characters like an apostrophe. This issue has been fixed (Bug 38614).
- The Samba 4/Active Directory lockout attributes are now reset while synchronizing the password from UCS to Samba 4 (Bug 38557).
- Some GPO and WMI attributes have not been treated as single-value. This issue has been fixed (Bug 37259).
- Some scripts have been optimized to allow a faster restart when the network interfaces are re-configured (Bug 36532).
- The synchronization of objects with umlauts has been improved, for example for nested groups (Bug 38645).
- A bug concerning renaming computer objects has been fixed (Bug 37709).
- Ignore unknown Samba4 DNS objects instead of creating a dns/host_record (Bug 39077).

The following packages have been added to the maintained package repository (Bug 37972, Bug 38628):
- altermime
- libboost-thread1.49.0
- libjansson4
- php-mdb2-driver-mysql
- php-net-ldap2
- php-net-url2
- ripole
- smarty3
- nodejs
- npm
- libv8-3.14.5
 
- The time zone database was updated to include information about the scheduled leap second at the end of June 2015 (Bug 38717).
- The package clucene-core has been updated to version 2.3.3.4 (Bug 34839).
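
A post-update review of the security-relevant UCR settings named in this changelog (plain text mail authentication, the HTTPS redirect and the ldap/tls/ variables), as an added example that is not part of the release notes or Univention's code. It reads text in the "key: value" form printed by ucr dump; the sample dump, the placeholder value and the boolean spellings accepted as true are assumptions of this example.

```python
"""Review security-relevant UCR settings after the update (added example)."""

# Boolean spellings accepted as "true"; an assumption of this example.
TRUE_VALUES = {"yes", "true", "1", "enable", "enabled", "on"}

PLAINTEXT_VARS = (
    "mail/cyrus/auth/allowplaintext",
    "mail/dovecot/auth/allowplaintext",
)

# Constructed sample in "key: value" form; EXAMPLE-VALUE is a placeholder.
SAMPLE_DUMP = """\
apache2/force_https: yes
ldap/tls/minprotocol: EXAMPLE-VALUE
mail/cyrus/auth/allowplaintext: yes
mail/dovecot/auth/allowplaintext: no
umc/web/piwik: false
"""


def parse_dump(text):
    """Return {key: value}; only the first ': ' separates key from value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.partition(": ")
        if not sep and line.endswith(":"):
            key, sep, value = line[:-1], ":", ""  # variable set to empty
        if sep and key:
            settings[key] = value.strip()
    return settings


def is_true(value):
    return (value or "").strip().lower() in TRUE_VALUES


def audit(settings):
    """Return (variable, finding) pairs for settings that need review."""
    findings = []
    # The changelog states that "yes" re-enables plain text authentication
    # over unencrypted connections.
    for var in PLAINTEXT_VARS:
        if is_true(settings.get(var)):
            findings.append((var, "plain text authentication allowed without TLS"))
    # Unset or false: the redirect described for Bug 38016 is not active.
    if not is_true(settings.get("apache2/force_https")):
        findings.append(("apache2/force_https",
                         "redirect from HTTP to HTTPS not enabled"))
    # Any explicit LDAP TLS value is listed so it can be compared with the
    # hardened defaults (RC4, NULL and SSLv3 disabled).
    for var in sorted(settings):
        if var.startswith("ldap/tls/") and settings[var]:
            findings.append((var, "explicit value %r: confirm RC4, NULL and "
                                  "SSLv3 stay disabled" % settings[var]))
    return findings


if __name__ == "__main__":
    for var, finding in audit(parse_dump(SAMPLE_DUMP)):
        print("%s: %s" % (var, finding))
```
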