Plucky Puffin Release Notes
Table of Contents
Introduction
These release notes for Ubuntu 25.04 (Plucky Puffin) provide an overview of the release and document the known issues with Ubuntu and its flavours.
Support lifespan
Ubuntu 25.04 will be supported for 9 months until January 2026. If you need long term support, we recommend you use Ubuntu 24.04.2 LTS which is supported until at least 2029.
Upgrades
-
Upgrades to to Ubuntu 25.04 will refresh seeded snaps to the appropriate snap channels, regardless of what was being tracked before. Snaps that are newly-seeded will be installed during the upgrade. In particular, the following snaps will be installed or refreshed on upgrade:
Early upgrades may wish to perform these updates manually.
New features in 25.04
Updated Packages
Linux kernel 
Ubuntu 25.04 includes the new 6.14 Linux kernel that brings many new features.
[âŠ]
systemd v257.4
The init system was updated to systemd v257.4. See the upstream changelog for more information about individual features. To highlight a few things:
-
In Ubuntu, systemd is no longer built with utmp support. Among other things, this means that systemdâs default
/usr/lib/tmpfiles.d/systemd.conf
no longer creates/run/utmp
. While some tools, such asw
from theprocps
package have support forsystemd-logind
sessions, other tools likewho
fromcoreutils
do not. -
The complete removal of support for cgroup v1 (âlegacyâ and âhybridâ
hierarchies) is scheduled for v258. -
Support for System V service scripts is deprecated and will be
removed in v258. Please make sure to update your software
now to include a native systemd unit file instead of a legacy
System V script to retain compatibility with future systemd releases.
Netplan v1.1.2 
Adding support for wpa-psk-sha256 WiFis and allowing to configure routing-policy on the NetworkManager backend (LP: #2086544). Additionally, the version shipped in Ubuntu enables new functionality in systemd-networkd-wait-online to wait for DNS servers to be configured and reachable, before considering an interface to be online.
Toolchain Upgrades 
- GCC
is updated to 14.2, binutils to 2.44, and glibc to 2.41.
- Python
is updated to 3.13.2
- LLVM
now defaults to version 20
- Rust
toolchain defaults to version 1.84
- Golang
is updated to 1.24
- OpenJDK
versions 24 GA and 25 early access snapshot are now available
OpenJDK
.NET
Default configuration changes 
Ubuntu Desktop
Installer and Upgrades
- Added the option to replace an existing Ubuntu installation
- Improved dual boot UX (with a focus on BitLocker protected Windows systems):
- Added the option to install Ubuntu alongside existing BitLocker partitions if enough unallocated space (or a sufficiently large and resizable partition) is available
- Made encrypted installations and other âadvanced optionsâ available for dual boot scenarios
Store
Enterprise
GNOME 
- GNOME has been updated to include new features and fixes from the latest GNOME release, GNOME 48
- GNOME 48 now includes the triple buffering feature from Ubuntu
Default app changes
- The Document Viewer app for viewing PDFs is now provided by Papers instead of Evince. Papers started with the Evince codebase but it has been updated to use GTK4 and partially rewritten in Rust.
xdg-terminal-exec
is installed by default making it easier to switch a userâs default terminal for the Ctrl+Alt+T keyboard shortcut and for opening terminal apps- Geolocation services are now backed by BeaconDB after Mozilla Location Services was retired last year
Updated Applications
- Firefox 136
- LibreOffice 25.2
- Thunderbird 128 âSupernovaâ
- GNU Image Manipulation Program 3.0
is available for install
- The
fish
shell has always been known for its smart and user-friendly interface, making command-line interactions more intuitive and efficient. With the release of version 4,fish
has undergone a significant transformation, rewritten entirely in Rust. This change brings a on one side the values of the ecosystem like enhanced performance and improved stability, while on the other side is not compromising on the feature set. The upstream community had a great blog about the rust port, which we recommend reading if you are curious. As shells go, this is about your taste and preferences - If you have not been trying fish before, consider to try it out now and experience its features for yourself.
Updated Subsystems
- BlueZ 5.79
- Cairo 1.18.4
- NetworkManager 1.52 đ§
- Pipewire 1.2.7
- Poppler 25.03
- xdg-desktop-portal 1.20
- Nvidia
Ubuntu Foundations
Cryptography
Libraries
OpenSSL has been updated to 3.4.1 and GnuTLS has been updated to 3.8.9. In addition, patches from their git stable branches have been added in order to include as many fixes as possible starting with release day.
Crypto-config
crypto-config has seen continued development and has been uploaded to universe. Both gnutls and openssl are wired in at the moment and next Ubuntu cycle will see many more such connections.
Ubuntu Server
Apache2
- mod_md: update to version 2.4.31
- Improved behavior waiting for ACME server to verify domains.
- Fix certificate retrieval on ACME renewal to not require a âLocation:â header returned by the ACME CA. This was the way it was done in ACME before it became an IETF standard. Letâs Encrypt still supports this, but other CAs do not.
- When the server starts, it looks for new, staged certificates to activate. If the staged set of files in âmd/staging/â is messed up, this could prevent further renewals to happen. Now, when the staging set is present, but could not be activated due to an error, purge the whole directory.
- Restore compatibility with OpenSSL < 1.1.
- Add the ldap-search option to mod_authnz_ldap, allowing authorization to be based on arbitrary expressions that do not include the username.
- mod_ssl: Restore support for loading PKCS#11 keys via ENGINE without âSSLCryptoDeviceâ configured.
- http: Remove support for Request-Range header sent by Navigator 2-3 and MSIE 3.
- mod_rewrite: Donât require [UNC] flag to preserve a leading // added by applying the perdir prefix to the substitution.
- mod_proxy: Avoid AH01059 parsing error for SetHandler âunix:â URLs in (incomplete fix in 2.4.62).
- mod_tls: removed the experimental module. It now is availble standalone from GitHub - icing/mod_tls: rustls based TLS for Apache httpd. The rustls provided API is not stable and does not align with the httpd release cycle.
- mod_rewrite: Better question mark tracking to avoid UnsafeAllow3F.
- mod_http2: Return connection monitoring to the event MPM when blocking on client updates.
Clamav
ClamAV was updated from 1.3 in Ubuntu 24.10, to version 1.4.2 in 25.04.
This brings a number of fixes, along with the following noteworthy
changes from the Clamav 1.4.0 feature release:
- Added support for extracting ALZ archives. The new ClamAV file type for ALZ archives is CL_TYPE_ALZ. Added a DCONF (Dynamic CONFiguration) option to enable or disable ALZ archive support, via ClamAV .cfg âsignaturesâ.
- Added support for extracting LHA/LZH archives. The new ClamAV file type for LHA/LZH archives is CL_TYPE_LHA_LZH. Added a DCONF option to enable or disable LHA/LZH archive support.
- Added the ability to disable image fuzzy hashing, if needed. For context, image fuzzy hashing is a detection mechanism useful for identifying malware by matching images included with the malware or phishing email/document.
- Added a DCONF option to enable or disable image fuzzy hashing support.
- Fixed an unaligned pointer dereference issue on select architectures.
For complete details of all changes leading up to 1.4.2, please see the upstream release notes at: https://blog.clamav.net/
Chrony
Starting with version 4.5-3ubuntu4, chrony will ship with a default configuration set to use Ubuntu NTS servers by default.
The two main changes are:
a) NTS/KE uses a separate port (4460/tcp) to negotiate security parameters, which are then used via the normal NTP port (123/udp). This is a new deployment, running on different IP addresses than the service without NTS.
b) A new CA is installed in /etc/chrony/nts-bootstrap-ubuntu.crt
that is used specifically for the Ubuntu NTS bootstrap server, needed for when the clock is too far off. This is added to certificate set ID â1â, and defined via /etc/chrony/conf.d/ubuntu-nts.conf
. There is also a staging CA shipped with the package, but itâs not referred to anywhere and is just there as a convenience for testing the staging servers.
If your network does not allow access to the Ubuntu NTS servers and the required ports, and the new configuration is in place, chrony will not be able to adjust this systemâs clock. To revert to NTP, just edit the configuration file in /etc/chrony/sources.d/ubuntu-ntp-pools.sources
and revert to using the listed NTP servers in favor of the NTS ones. Or revert to your previous copy of that configuration file.
For other changes introduced in version 4.6.1, please refer to the upstream release notes.
cloud-init v. 24.3.1
Containerd
The containerd (src:containerd-app) package was updated to version 2.0.2. Version 2 includes the stabilization of new features added in the last 1.x release as well as the removal of features which were deprecated in 1.x, meaning you should expect breaking changes here.
For further details on such changes, please refer to the upstream release notes.
runc
runc (src:runc-app) was updated to upstream version 1.2.5. This new version includes several fixes and changes including
- When using cgroups v2, allow to set or update memory limit to âunlimitedâ and swap limit to a specific value.
- Mount options on bind-mounts that clear a mount flag are now always applied. Previously, if a user requested a bind-mount with only clearing options (such as
rw,exec,dev
) the options would be ignored and the original bind-mount options would be set. - Container configurations using bind-mounts with superblock mount flags (i.e. filesystem-specific mount flags, referred to as âdataâ in
mount(2)
, as opposed to VFS generic mount flags likeMS_NODEV
) will now return an error. - Fix CVE-2024-45310, a low-severity attack that allowed maliciously configured containers to create empty files and directories on the host.
runc features
is no longer experimental.runc
option--criu
is now ignored (with a warning), and the option will be removed entirely in a future release.runc kill
option-a
is now deprecated. Previously, it had to be specified to kill a container (with SIGKILL) which does not have its own private PID namespace (so that runc would send SIGKILL to all processes). Now, this is done automatically.- runc now supports id-mapped mounts for bind-mounts (with no restrictions on the mapping used for each mount).
- runc will now use
cgroup.kill
if available to kill all processes in a container (such as when doingrunc kill
).
For a complete list of changes and more details on the ones above, refer to the upstream changelog.
Docker
The docker.io (src:docker.io-app) package was updated to version 27.5.1. Some highlights of this version include:
docker image ls
now supports--tree
flag that shows a multiplatform-aware image list.- The
Aliases
field returned bydocker inspect
contains the container short ID once the container is started. This behavior was removed. Now, theAliases
field only contains the aliases set through thedocker container create
anddocker run
flag--network-alias
. A new fieldDNSNames
containing the container name (if one was specified), the hostname, the network aliases, as well as the container short ID, has been introduced in v25.0 and should be used instead of theAliases
field. - Add
--platform
flag todocker image push
and improve the default behavior when not all platforms of the multi-platform image are available locally. - Several improvements to IPv6 network configuration.
ip6tables
is no longer experimental. You may remove theexperimental
configuration option and continue to use IPv6, if it is not required by any other features.ip6tables
is now enabled for Linux bridge networks by default.
Watch out for deprecation or removal of features in this upstream page
docker-buildx: docker-buildx was updated to version 0.20.1. This version introduces new features such as
- New
--call
option allows setting evaluation method for a build, replacing the previous experimental--print
flag. - Build command now ensures that multi-node builds use the same build reference for each node.
- Several improvements for the
bake
command. - New
buildx history
command has been added that allows working with build records of completed and running builds.
docker-compose-v2: docker-compose-v2 was updated to version 2.33.0. This version introduces several fixes and new features such as
- A new
--environment
flag toconfig
command to output the resolved environment variables used for interpolation. - A new
--prune
option to the docker-composewatch
command to ensure that dangling images are pruned automatically when rebuilding. - Support to bake was added.
HAProxy
The HAProxy package was upgraded to version 3.0.7. This new version introduces performance improvements for Lua scripts and stick tables, support for virtual ACL and map files, limiting glitchy HTTP/2 connections, and persistent stats after a reload.
Breaking changes include detection of accidental multiple commands sent to the Runtime API, rejecting the enabled
keyword for dynamic servers, stricter parsing of non-standard URIs and renaming of tune.ssl.ocsp-update
to tune.ocsp-update
. You can learn more about it at https://www.haproxy.com/blog/announcing-haproxy-3-0. A complete list of changes is avalilable at https://www.haproxy.org/download/3.0/src/CHANGELOG.
libvirt
The libvirt package was upgraded to version 10.10.0. Here are the changes since Ubuntu Oracular:
-
network: make networks with
<forward mode='open'/>
more useful.
It is now permissable to have a<forward mode='open'>
network that has no IP address assigned to the hostâs port of the bridge. This is the only way to create a libvirt network where guests are unreachable from the host (and vice versa) and also 0 firewall rules are added on the host.It is now also possible for a
<forward mode='open'/>
network to use thezone
attribute of<bridge>
to set the firewalld zone of the bridge interface (normally it would not be set, as is done with other forward modes). -
qemu: zero block detection for non-shared-storage migration
Users can now request that all-zero blocks are not transferred when migrating non-shared disk data without actually enabling zero detection on the disk itself. This allows sparsifying images during migration where the source has no access to the allocation state of blocks at the cost of CPU overhead.
This feature is available via the
--migrate-disks-detect-zeroes
option forvirsh migrate
orVIR_MIGRATE_PARAM_MIGRATE_DISKS_DETECT_ZEROES
migration parameter. See the documentation for caveats. -
qemu: internal snapshot improvements
The qemu internal snapshot handling code was updated to use modern commands which avoid the problems the old ones had, preventing use of internal snapshots on VMs with UEFI NVRAM. Internal snapshots of VMs using UEFI are now possible provided that the NVRAM is in
qcow2
format. -
qemu: add multi boot device support on s390x
For classical mainframe guests (i.e. LPAR or z/VM installations), you always have to explicitly specify the disk where you want to boot from (or âIPLâ from, in s390x-speak â IPL means âInitial Program Loadâ).
In the past QEMU only used the first device in the boot order to IPL from. With the new multi boot device support on s390x that is available with QEMU version 9.2 and newer, this limitation is lifted. If the IPL fails for the first device with the lowest boot index, the device with the second lowest boot index will be tried and so on until IPL is successful or there are no remaining boot devices to try.
Limitation: The s390x BIOS will try to IPL up to 8 total devices, any number of which may be disks or network devices.
-
qemu: Add support for versioned CPU models
Updates to QEMU CPU models with
-vN
suffix can now be used in libvirt just like any other CPU model. -
qemu: Automatically add IOMMU when needed
When domain of
qemu
orkvm
type have more than 255 vCPUs, IOMMU with EIM mode is required. Starting with this release libvirt automatically adds one (or turns on the EIM mode if thereâs IOMMU without it). -
In 10.5 (thereby oracular) already support for
SEV-SNP
was introduced as another type of . Its support is reported in both domain capabilities and virt-host-validate. Now also the qemu version in the release is ready to provide that. -
The Debian (and consequently the Ubuntu) libvirt package has been significantly redesigned. To quote its NEWS file:
All the various drivers and storage backends come in their own separate binary packages now, which makes it possible to install exactly as many or as few as desired.
The system-wide configuration for the libvirtd daemon is no longer shipped separately from the daemon itself, as was the case until now. The
libvirt-daemon-system
package still exists, but itâs now simply a convenient way to install the âtypicalâ libvirt deployment consisting of all the components needed to run a QEMU-based hypervisor.
For more details, please see the upstream changelog .
Monitoring Plugins
Monitoring-plugins is upgraded to the 2.4.0 release in Plucky Penguin. While primarily a bugfix release, this includes a few minor enhancements:
- Add new test function for percentage expressions
- check_ups: output ups.realpower if supported
- check_curl: add haproxy protocol option
- check_disk: increase alert precision
- check_ircd: IPv6 support
- check_nwstat: adds percentage used space
- check_swap: Possibility to run check_swap without thresholds
- check_ups: additional alarm conditions
For the full list of changes, please see the upstream release notes
Nginx
The upgrade from Oracularâs 1.26.0 to Pluckyâs 1.26.3 brings a handful of bug fixes, along with security fixes (already backported to the Oracular version). There are no feature changes this release.
OpenLDAP
The 2.6.9 release is a bugfix-only release with improvements to libldap, slapd, and slapo subcomponents. For the full list of changes please see the release notes.
Openssh
OpenSSH was updated to version 9.9. Here are some highlights since 9.7, last shipped in Ubuntu 24.10:
- new
PerSourcePenalties
option that will penalise client addresses that for some reason do not complete authentication. New in version 9.8. - support for a new hybrid post-quantum key exchange algorithm, called âmlkem768x25519-sha256â. Described in https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03, itâs available by default. New in version 9.8.
- new match option
invalid-user
, which can be used when the target username is not valid - prevent private keys from being included in core dump files for most of their lifespans. New in version 9.8.
- and more
For a detailed list of the changes since 9.7, please consult the upstream release notes at https://www.openssh.com/releasenotes.html.
In terms of Ubuntu and Debian packaging, here are the most important changes:
- New
sshd.service
alias tossh.service
. Both names can now be used insystemctl
commands. - New binary packages called
openssh-client-gssapi
andopenssh-server-gssapi
. This is in preparation for a future split of the GSSAPI authentication mechanism into separate packages in the near future. For now, they just pull in their non-gssapi counterparts, if installed. See https://lists.debian.org/debian-devel/2024/04/msg00044.html for the detailed plan. - Host DSA keys are no longer generated.
Valkey
Valkey was updated to version 8, starting with 8.0.2. This includes significant performance and reliability improvements, without any backwards-incompatible changes to commands and responses. For more information on the new version, see the Valkey 8 blog post. Release notes are available on the Valkey project GitHub.
MySQL
MySQL was updated from 8.0 to 8.4 LTS, starting with 8.4.4. This is MySQLâs first official long term support release, including various internal improvements, new features, and some important configuration changes.
Upstream release notes are now available in the Mysql 8.4 documentation library. For more information about the transition from MySQL 8.0 to 8.4, see the MySQL 8.4 overview.
Due to upstream policy, support for 32-bit MySQL Server has been removed. However, Ubuntu will continue to provide a MySQL client and client library for 8.4.
MySQL Shell
MySQL Shell was updated from 8.0.38 to 8.4.4 to coencide with MySQL 8.4. It adds support for MySQL 8.4 servers, and provides additional improvements for interacting with MySQL 8.0 servers. For a list of features, see the MySQL Shell 8.4 documentation. Release notes for MySQL Shell 8.4 can be found here.
Percona Xtrabackup
Percona-Xtrabackup was updated from the 8.0 track to 8.4 with 8.4.0-1, also to coencide with the release of MySQL 8.4. This version provides changes to match MySQL 8.4, along with support for the keyring_vault
component. For more information see the upstream release notes.
PHP
PHP was updated to version 8.4. This is a major update of the languages including new features such as property hooks, asymmetric visibility, an updated DOM API, and more.
For more details see the upstream release notes.
PostgreSQL
PostgreSQL was updated to version 17, which contains several new features and enhancements, including
- A new memory management system for
VACUUM
, which reduces memory consumption and can improve overall vacuuming performance; - New SQL/JSON capabilities, including constructors, identity functions, and the
JSON_TABLE()
function, which converts JSON data into a table representation; - Various query performance improvements and Logical replication enhancements; and
- A new client-side connection option,
sslnegotiation=direct
], that performs a direct TLS handshake to avoid a round-trip negotiation.
For more details, see the upstream release notes.
QEMU
The QEMU package was updated to version 9.2.0. Here are the changes since Ubuntu Oracular.
-
The
scsi
property ofvirtio-blk
devices has been removed. SCSI command passthrough had never been present onvirtio-blk
1.0 devices, and is now removed from legacy devices as well. Usevirtio-scsi
instead. -
The
block migration
options to the migrate commands (blk
andinc
for QMP,-b
/-i
for the human monitor) have been removed; guest management software such as libvirt is able to perform block migration more efficiently using block jobs and NBD devices. -
The
compress
migration capability has been removed;multifd
migration is able to do compression and can be used instead. -
The
proxy
backend for 9pfs, and thevirtfs-proxy-helper
program, have been removed. Use thelocal
backend driver orvirtio-fs
instead. -
x86
- Support for AMD SEV-SNP using the â-object sev-snp-guestâ command line option in QEMU 9.1 followed by fixups for related virtio handling in QEMU 9.2.
- As usual new named CPU models and detection of their related CPU features, this time new variants of Icelake-Server, Cascadelake-Server, GraniteRapids, and SapphireRapids
-
ARM
- New CPU architectural features emulated:
FEAT_NMI
FEAT_CSV2_3
FEAT_ETS2
FEAT_Spec_FPACC
FEAT_WFxT
FEAT_Debugv8p8
FEAT_EBF16
FEAT_CMOW
- The
max
CPU and any new CPU types will default to a 1GHz generic timer frequency rather than the old 62.5MHz (this is architecturally required from ARMv8.6 onwards). - KVM-based VMs can now support MTE (if the host CPU has MTE support).
- New CPU architectural features emulated:
-
RISC-V
- Support RISC-V privilege 1.13 spec.
- Implement SBI debug console (
DBCN
) calls for KVM. - Add support for
Zve32x
extension. - Add support for
Zve64x
extension. - Add
th.sxstatus
CSR emulation. - Remove experimental prefix from
B
extension. - Support the
zimop
,zcmop
,zama16b
andzabha
extensions. - Add decode support for
Zawrs
extension. - Add
smcntrpmf
extension support. - Support 64-bit addresses for
initrd
. - QEMU support for KVM Guest Debug on RISC-V.
- Add
fcsr
register to QEMU log as a part of F extension. - Add
Svvptc
extension support. - Support for control flow integrity extensions.
- Support for the IOMMU with the virt machine.
-
s390x
- New architectural features emulated:
FMAF
IMA
VIS3
VIS4
- No new cpu types with these features are added, yet, but one may enable them manually with
-cpu <type>,+<feature>
. - The
s390-ccw
guest firmware now supports booting from other devices in case the previous ones fail.
- New architectural features emulated:
For more details, please see related upstream changelogs:
Ruby 3.3
Samba
Samba was updated to series 4.21.x. Here are some of the highlights:
- LDAP TLS/SASL channel binding support
- Group Managed Service Accounts
- Samba can now claim Functional Level 2012R2 support
- Some Samba public libraries made private by default
- Samba AD will rotate expired passwords on smartcard-required accounts
- Automatic keytab update after machine password change
- and more
For a more detailed explanation, please refer to the upstream release notes at https://www.samba.org/samba/history/samba-4.21.0.html
samba on i386
Samba version 4.21.x added a dependency to the python3-samba
package: python3-cryptography
. Unfortunately, python3-cryptography
was last built for i386 for Ubuntu Bionic 18.04, and is no longer available for that architecture, making this new dependency unsatisfiable.
For Ubuntu Plucky, it was decided to not build python3-samba
for i386. Please see LP: #2099895 for details. The main consequence is that the samba-tool
script (part of that package) is no longer available for i386.
Upgrading an AD/DC from previous Ubuntu releases
If you have deployed a Samba Active Directory Domain Controller WITHOUT having installed the samba-ad-dc
package, you should install it before doing a release upgrade to Ubuntu Plucky Puffin 25.04. If samba-ad-dc
is not installed prior to the release upgrade, the Active Directory Domain Controller functionality will not work on the upgraded system due to many missing components.
See LP: #2101838 for more information.
Squid
Squid 6.13 is a stable release consisting mainly of bugfixes and cleanups. One functional change of note is that ext_time_quota_acl
no longer supports the -l option. For the complete list of changes, see the v6.13 change list.
SSSD
SSSD has been updated to 2.10.1 and these are the highlights:
- unprivileged service user: there is initial support for running sssd with less privileges, but in Debian/Ubuntu the main daemons still run under root. Filesystem capabilities had to be added to many binary helpers, though:
sssd_pam
: cap_dac_read_searchselinux_child
: cap_setuid, cap_setgidldap_child
: cap_dac_read_searchkrb5_child
: cap_dac_read_search, cap_setuid, cap_setgid
This should all be transparent.
- The
sssctl cache-upgrade
command was removed. SSSD will do automatic cache upgrades at startup if needed. - Default
ldap_id_use_start_tls
value changed fromfalse
totrue
. - Obsolete
config_file_version
option was removed. - Option
reconnection_retries
was removed.
For more details and other changes, please refer to the upstream release notes at https://sssd.io/release-notes/sssd-2.10.0.html.
Subiquity
thin-provisioning-tools
The thin-provisioning tools package was updated to version 1.1.0, which was fully re-written in rust from scratch.
See the upstream changelog for more details.
Ubuntu HA/Clustering
fence-agents
fence-agents was updated to version 4.16.0, which introduces bug fixes and a new fence-agents-nutanix-ahv which adds support for Nutanix AHV Cluster.
resource-agents
fence-agents was updated to version 4.16.0, which introduces bug fixes and improvements, including support for the asure aznfs filesystem.
Ubuntu WSL
- WSL images publication has moved to cdimage.ubuntu.com (previously on cloud-images.ubuntu.com)
OpenStack
Ceph
Open vSwitch (OVS) and Open Virtual Network (OVN)
GRUB2
Platforms
Public Cloud / Cloud images
Public Images (cloud-images.ubuntu.com) images
LXD Containers
AWS EC2
Microsoft Azure
How to report any issues resulting from these changes
If you notice any unexpected changes or bugs in the minimal images, create a new bug in cloud-images.
Raspberry Pi 
-
Camera support is now included with libcamera 0.4 and libpisp (LP: #2038669)
-
The desktop now uses gnome-initial-setup as the first time setup guide. This runs directly under Wayland, and is much quicker than the legacy ubiquity installer. Please see the known issues section below before reporting bugs against gnome-initial-setup as it is possible you are running into something being worked on
-
The legacy libraspberry-bin utilities have been replaced with raspi-utils
-
nbd-client is now seeded in the Raspberry Pi images, making it simple to network boot your Pi with these images
arm64
- In addition to arm64 server ISO there is now also an official generic arm64 desktop ISO targeting VMs, ACPI + EFI platforms and Snapdragon based WoA devices.
- Initial hardware enablement work for the Snapdragon X Elite platform is included in the desktop ISO
IBM Z and LinuxONE (s390x) 
The key package, âs390-toolsâ, was step-by-step upgraded to latest version v2.37.0 (LP: #2096789, via LP: #2091549), that covers the removal of scsi_logging_level, since itâs now in sg3_utils (LP: #2098500), the new pyimg and with that the rewritten genprotimg tool in Rust (LP: #2098046), with itâs new info command (LP: #2098047), to display of encrypted & unencrypted Secure Execution (SE) image information, validations in genprotimg, if an SE image can run on particular host (LP: #2097576), supporting unencrypted SE images by exposing the resp. SE header flag (LP: #2098045), supporting extended attestation for SE (LP: #2097535) and support for retrievable secrets in SE guests (LP: #2097533 and kernel LP: #2097534).
Further enhancements based on the new 6.14 kernel are support for kprobes without stop machine (LP: #2100329), providing topology-map information to userspace (LP: #2098392), PCHID per port toleration (LP: #2095480) and the new option to display available host key hashes for SE, aka Query Host-key hash UVC (LP: #2101108).
Improvements in the area of zPCI came on top, with enhanced RAS and Call Home support (LP: #2095413), the new option of optics monitoring for PF in access mode (s390-tools: LP: #2095429, kernel: LP: #2095427), the promiscuous mode exploitation for new VFs (LP: #2096791) and base work in the kernel for CPU-MF counters in support for new IBM Z hardware (LP: #2101111).
So support of new hardware is another significant area of work - starting with new IBM Z hardware base support in the kernel (LP: #2100303) PAI/NNPA was updated for new IBM Z hardware (LP: #2100302) and a new CPU model for new IBM Z hardware (kernel: LP: #2097523 and qemu: LP: #2097521).
Also user space components were enabled for new IBM Z hardware, like for gdb v16.2 (LP: #2095361), valgrind v3.24 (LP: #2095363), binutils v2.44 (LP: #2095372), libzdnn v1.1.1 for exploiting new AI hardware (LP: #2095373) - and the smc-tool update to latest v1.8.4 (LP: #2095005).
Several dedicated new features were added, like:
- the cpacfinfo tool to provide CPACF (on-chip crypto co-processor) information (kernel: LP: #2096894, s390-tools: LP: #2096896)
- the zpwr tool, for LPAR level power consumption reporting (kernel: LP: #2098391, s390-tools: LP: #2098358)
- the chpstat tool, for additional channel measurements (kernel: LP: #2095483, s390-tools LP: #2095485)
- full boot order support in KVM (qemu: LP: #2049698, libvirt: LP: #2051239)
- enablement of virtio-mem support (kernel: LP: #2097883, qemu: LP: #2097884 and libvirt: LP: #2097886) and
- enablement of dynamic updates of vfio-ap mediated (crypto) devices for management applications (kernel: LP: #2097489, s390-tools: LP: #2097488, libvirt: LP: #2097487 and mdevctl: LP: #2097486)
While mentioning cryptography, there are many more enhacements in this area, like in kernel crypto support:
- for MSA 10 XTS (LP: #2096809)
- for MSA 11 HMAC (LP: #2096812)
- for for MSA 12 (SHA3) (LP: #2100946)
- for PAES support for MSA 10 XTS (LP: #2100935)
but also: - of MSA 10 and MSA 11 in cpacfstats (LP: #2096890)
- for zkey key for dm-crypt with XTS keys (LP: #2096892)
- for pkey, protected XTS and HMAC keys (LP: #2100936) and support
- for SE retrieved protected keys (LP: #2097543)
This partially also requires updates in openSSL: - for MSA 10 XTS support (LP: #2096810)
- for MSA 11 HMAC support (LP: #2096811) and support
- for MSA 12 (SHA3) (LP: #2096949)
In addition openCryptoki was upgraded to the latest v3.24 (LP: #2095337), that includes support for: - CCA token SHA3 (LP: #2096950)
- CCA token RSA OAEP v2.1 (LP: #2096951)
- CCA token cipher keys (LP: #2097111)
- CCA token of Dilithium (LP: #2096897) and support of
- CKM_RSA_AES_KEY_WRAP for cca, ica and soft tokens (LP: #2097110)
Finally further cryptography-related packages were updated, like: - p11-kit v0.25.5, to update IBM specific mechanisms (up to IBM z16) (LP: #2098092)
- libica, to latest v4.4.0 (LP: #2095409)
- libzpc v1.3.0, to support protected key derived from SE retrievable secrets (LP: #2097545)
IBM POWER (ppc64el)
RISC-V
- Provide a single pre-installed image for all JH7110 boards.
- Support Pine64 Star64
Known Issues
As is to be expected with any release, there are some significant known bugs that users may encounter with this release of Ubuntu. The ones we know about at this point (and some of the workarounds) are documented here, so you donât need to spend time reporting these bugs again:
General
- TPM FDE installs seem to fail to boot after the installation is complete (LP: #2104316). This is an issue with the beta image, and it is projected to be fixed by the plucky release.
- There is a bug (LP: #2104316) in the beta images that prevents netboot installs in some scenarios.
- It has been reported that cloud-init may fails to upgrade properly in the Oracular to Pluck upgrade path, see LP: #2104316.
- The Live Session of the new Ubuntu Desktop installer is not localized. It is still possible to perform a non-English installation using the new installer, but internet access at install time is required to download the language packs. (LP: #2013329)
- ZFS with Encryption on Ubuntu 24.10 will fail to activate the cryptoswap partition. This affects both new installs and upgrades. We expect to address this post-release with an archive update.
- Some particular hardware (e.g. Thinkpad x201) might have issues (general freeze,
desktop-security-center
not launching), when booted withoutnomodeset
(Safe graphics). Follow these steps if you encounter such an issue:
- At the GRUB boot menu, press
e
(keepShift
pressed during early boot if the menu doesnât show up). - Add
nomodeset
tolinux
line, like the example below:
linux /casper/vmlinuz nomodeset ---
- Press
Ctrl-x
to continue the boot process - After installation is complete, reboot, use
nomodeset
again, like the example below:
linux /boot/vmlinuz-6.11.0-8-generic nomodeset root=UUID=c5605a23-05ae-4d9d-b65f-e47ba48b7560 ro
- Add
nomodeset
to the GRUB config file,/etc/default/grub
, like the example below:
GRUB_CMDLINE_LINUX="nomodeset"
- Finally, run
sudo update-grub
to make the change take effect.
Linux kernel
- A bug prevents the IO scheduler from being reset to ânoneâ (LP: #2083845): the fix is already in v6.11.2, and will be part of the first SRU kernel.
- Support for FAN networking has been dropped in the 6.11 release kernel. It will be re-introduced in the next 6.11 kernel update shortly.
Ubuntu Desktop
-
Screen reader support is present with the new desktop installer, but is incomplete (LP: #2061015, LP: #2061018, LP: #2036962, LP: #2061021)
-
OEM installs are not supported yet (LP: #2048473)
-
Application icons donât use the correct High Contrast theme when High Contrast is enabled (LP: #2013107)
-
GTK4 apps (including the desktop wallpaper) do not display correctly with VirtualBox or VMWare with 3D Acceleration (LP: #2061118).
-
Incompatibility between TPM-backed Full Disk Encryption and Absolute: TPM-backed Full Disk Encryption (FDE) has been introduced to enhance data security. However, itâs important to note that this feature is incompatible with Absolute (formerly Computrace) security software. If Absolute is enabled on your system, the machine will not boot post-installation when TPM-backed FDE is also enabled. Therefore, disabling Absolute from the BIOS is recommended to avoid booting issues.
-
Hardware-Specific Kernel Module Requirements for TPM-backed Full Disk Encryption: TPM-backed Full Disk Encryption (FDE) requires a specific kernel snap which may not include certain kernel modules necessary for some hardware functionalities. A notable example is the
vmd
module required for NVMe RAID configurations. In scenarios where such specific kernel modules are indispensable, the hardware feature may need to be disabled in the BIOS (such as RAID) to ensure the continued availability of the affected hardware post-installation. If disabling in the BIOS is not an option, the related hardware will not be available post-installation with TPM-backed FDE enabled. -
Some Nvidia desktops perform worse in Wayland sessions than Xorg (LP#2081140). To work around this you can select âUbuntu on Xorgâ from the login screen.
-
Nvidia hybrid machines that have an external monitor connected to the discrete GPU (usually via the laptopâs HDMI port) may experience lower performance on that monitor in Wayland sessions (LP#2064205). To work around this you may:
- Plug all external monitors into the integrated GPU (such as by USB-C). The discrete GPU can still be used to launch apps.
- Or select âUbuntu on Xorgâ from the login screen.
-
Installing
ubuntu-fonts-classic
results in a non-Ubuntu font being displayed (LP#2083683). To resolve this, installgnome-tweaks
and set âInterface Textâ to âUbuntuâ.
Ubuntu Server
rabbitmq-server
Certain version hops may be unsupported due to feature flags, raising questions about how Ubuntu will maintain this package moving forward. We are currently exploring the use of snaps as a potential solution to enable smoother upgrades. For more information please read Bug #2074309 âupgrade 22.04 -> 24.04 won't start due to feature ...â : Bugs : rabbitmq-server package : Ubuntu.
Installer
- In some situations, it is acceptable to proceed with an offline installation when the mirror is inaccessible. In this scenario, it is advised to use:
apt:
fallback: offline-install
- Network interfaces left unconfigured at install time are assumed to be configured via dhcp4. If this doesnât happen (for example, because the interface is physically not connected) the boot process will block and wait for a few minutes (LP: #2063331). This can be fixed by removing the extra interfaces from
/etc/netplan/50-cloud-init.conf
or by marking them asoptional: true
. Cloud-init is disabled on systems installed from ISO images, so settings will persist.
samba apparmor profile
Due to bug LP: #2063079, the samba smbd.service
unit file is no longer calling out to the helper script to dynamically create apparmor profile snippets according to the existing shares.
By default, the smbd
service from samba is not confined. To be affected by this bug, users have to:
- install the optional
apparmor-profiles
package - switch the
smbd
profile confinement fromcomplain
toenforce
Therefore, only users who have taken those steps and upgrade to Noble, will be affected by this bug. An SRU to fix it will be done shortly after release.
Docker
There is a AppArmor related bug where containers cannot be promptly stopped due to the recently added AppArmor profile for runc
. The containers are always killed with SIGKILL
due to the denials when trying to receive a signal. More details about this bug can be found here, and a workaround is described here.
PPC64EL
- PMDK sees some hardware-specific failures in its test suite, which may make the software partially or fully inoperable on the ppc64el architecture. (LP: #2061913)
Raspberry Pi
-
The current plucky beta image fails to boot from SD card on all models prior to the Pi 4 (LP: #2104371)
-
The new gnome-initial-setup has some teething issues:
- Time zone input dropdown can âwobbleâ (LP: #2084611)
- The localization of the application fails on the beta (LP: #2104148)
WiFi setup must occur before langpack installation is attempted (LP: #2101826)- The hostname change is mandatory (LP: #2093132)
- The starting icon is not rendered (LP: #2103423)
-
During boot on the server image, if your
cloud-init
configuration (inuser-data
on the boot partition) relies upon networking (importing SSH keys, installing packages, etc.) you must ensure that at least one network interface is required (optional: false
) innetwork-config
on the boot partition. This is due to netplan changes to the wait-online service (LP: #2060311) -
The seeded totem video player will not prompt users to install missing codecs when attempting to play a video requiring them (LP: #2060730)
-
With the removal of the
crda
package in 22.04, the method of setting the wifi regulatory domain (editing/etc/default/crda
) no longer operates. On server images, use theregulatory-domain
option in the Netplan configuration. On desktop images, appendcfg80211.ieee80211_regdom=GB
(substitutingGB
for the relevant country code) to the kernel command line in thecmdline.txt
file on the boot partition (LP: #1951586). -
The power LED on the Raspberry Pi 2B, 3B, 3A+, 3B+, and Zero 2W currently goes off and stays off once the Ubuntu kernel starts booting (LP: #2060942)
-
Colours appear incorrectly in the Ubuntu App Centre (LP: #2076919)
-
On server images, re-authentication to WiFi APs when regulatory domain is set result in dmesg spam to the console (LP: #2063365)
ARM64 Systems with NVIDIA GPUs
- The current versions of the NVIDIA GPU drivers may cause hangs or crashes (LP: #2062380). This will be fixed in a future driver update.
Google Compute Platform
Nothing yet.
Microsoft Azure
- The current version of walinuxagent fails to build and run due to the crypt module being dropped in Python 3.13 (LP: #2063365).
s390X
Nothing yet.
Official flavours
Find the release notes for the official flavours at the following links:
- Edubuntu Release Notes
- Kubuntu Release Notes
- Lubuntu Release Notes
- Ubuntu Budgie Release Notes
- Ubuntu MATE Release Notes
- Ubuntu Studio Release Notes
- Ubuntu Unity Release Notes
- Xubuntu Release Notes
- Ubuntu Kylin Release Notes
- Ubuntu Cinnamon Release Notes
More information
Reporting bugs
Your comments, bug reports, patches and suggestions help fix bugs and improve the quality of future releases. Please report bugs using the tools provided. If you want to help with bugs, the Bug Squad is always looking for help.
What happens if there is a high or critical priority CVE during release day?
Server, Desktop and Cloud plan to release in lockstep on release day, but there are some exceptions.
In the unlikely event that a critical or high-priority CVE is announced on release day, the release team have agreed on the following plan of action:
-
For critical priority CVEs, the release of Server, Desktop and Cloud will be blocked until new images can be built addressing the CVE.
-
For high-priority CVEs, the decision to block release will be made on a per-product (Server, Desktop and Cloud) basis and will depend on the nature of the CVE, which might result in images not being released on the same day.
This was discussed in the ubuntuârelease mailing list March/April 2023.
The mailing list thread also confirmed there is no technical or policy reason why a package cannot be pushed to the Updates or Security pocket to address high or critical-priority CVEs prior to the release.
Participate in Ubuntu
If you would like to help shape Ubuntu, look at the list of ways you can participate at community.ubuntu.com/contribute.
More about Ubuntu
You can find out more about Ubuntu on the Ubuntu website.
To sign up for future Ubuntu development announcements, subscribe to Ubuntuâs development announcement list at ubuntu-devel-announce.