Questing Quokka Release Notes

Project Discussion Release
, , ,
1

ubuntu_logo-400

Questing Quokka Release Notes

Table of Contents

Introduction

These release notes for Ubuntu 25.10 (Questing Quokka) provide an overview of the release and document the known issues with Ubuntu and its flavours.

Support lifespan

Ubuntu 25.10 will be supported for 9 months until July 2026. If you need long term support, we recommend you use Ubuntu 24.04.3 LTS which is supported until at least 2029.

Upgrades

Upgrades to 25.10 are expected to be enabled on or before Oct 23.

New features in 25.10

Updated Packages

Linux kernel 6.17🐧

This release delivers the newest 6.17 Linux kernel. Due to the final upstream release occurring after Kernel Freeze, the kernels shipped with the release images will be based on 6.17-rc7. Updates for all Questing Quokka kernels are scheduled for release in the subsequent week to incorporate the final upstream 6.17 release.

Highlights for this release:

  • The linux-modules-extra-* packages have been deprecated (LP#2042831). All the kernel modules are now shipped by the linux-modules-<version>-<flavor> packages.
  • linux-generic for arm64 will provide via stubble broader compatibility for arm64 desktop platforms that utilize UEFI for booting (LP#2121352).
  • The foundation for Intel TDX Host Support was merged upstream on Linux 6.16 with additional improvements included in 6.17. The Ubuntu 6.17 kernel will ship with early support for kexec/kdump for TDX-enabled hosts (LP#2121873).
  • From 25.10, the Ubuntu RISC-V kernel (linux-riscv) will only support hardware that implements the RVA23S64 ISA profile. Systems that don’t satisfy this requirement will not be able to run 25.10. The RISC-V kernel in 24.04 will continue to support boards with RVA20 processor cores.
  • Other features can be found in the Linux 6.17 upstream changelog.

systemd v257.9

The init system was updated to systemd v257.9. See the upstream changelog for more information about individual features.

sudo-rs and sudo

sudo-rs is the default sudo provider on Ubuntu from 25.10 onwards. 0.2.8 release includes support for older Linux kernels < 5.9, sudoedit, support for NOEXEC and AppArmor profile switching. The Ubuntu release also includes various bug fixes picked from the main upstream branch.

sudo (original sudo maintained by Todd C. Miller) has been upgraded to the latest version 1.9.17p2. The binary files are now renamed with the .ws suffix. Additionally, sudo-ldap package has been removed, please switch to using LDAP authentication via PAM.

Please see Ubuntu Server Docs for configuring default sudo provider and differences between sudo-rs and sudo.ws.

rust-coreutils and gnu-coreutils

The core utilities of the operating system are now provided by the rust-coreutils package. We just updated to the latest version of it: 0.2.2, which features incredible performance improvements to base64 amongst other things.

As rust-coreutils are not necessarily fully compatible yet, we are providing the old utilities by the side, so you can switch back and forth between them. We are also keeping a list of these diversions here.

Netplan v1.1.2ubuntu3 :globe_with_meridians:

Adds support non-standard OVS setups, e.g. inside snap environments.

Toolchain Upgrades :hammer_and_wrench:

  • GCC :cow: GCC is updated to 15.2, binutils to 2.45, and glibc to 2.42
  • Python :snake: is updated to 3.13.7 while 3.14 is now available
  • LLVM :dragon: defaults to version 20 while 21 is now available
  • Rust :crab: toolchain defaults to version 1.85 while 1.88 is now available
  • Golang :rat: is updated to 1.24
  • OpenJDK :coffee: defaults to 21 (LTS), while version 25 (LTS) and an early access snapshot of version 26 are now available
  • .NET 10 :unicorn: now available
  • Zig :zap: is available for the first time in Ubuntu, defaults to version 0.14.1.
  • And Ubuntu Toolchains has a new homepage

OpenJDK

OpenJDK 21 is still the default. OpenJDK 25 (LTS) is now available. An early access snapshot of OpenJDK 26 is also included. Support for OpenJDK LTS versions 17, 11 and 8 is being maintained. OpenJDK with CRaC version 25 is also made available, while versions 17 and 21 continue to be supported.

The devpack-for-spring snap now supports development environment setup, by automating the installation and configuration of development tools (OpenJDK, container runtime, IDEs etc.) selected by the user. The Maven and Gradle plugins for Rockcraft have been extended to support native images compiled by GraalVM.

GraalVM Community Edition v25 is available through the graalvm-jdk snap, while GraalVM CE v21 continues to be supported. The snap is now available on arm64 too.

.NET

.NET versions 8 and 9 continue to be supported.

The .NET 10 RC1 SDK and runtimes are now included. Following its general availability in November, the final release will be provided as a subsequent package update.

Alternatively, .NET 10 is available on the latest/beta channel of the official .NET snap. It will be promoted to the latest/stable channel upon final release in November.

Support for the PowerShell snap has been expanded to include the arm64, s390x, and ppc64el architectures, broadening its availability across platforms.

Default configuration changes :gear:

Ubuntu Desktop

Installer

New TPM-Backed disk encryption features include:

  • Passphrase support and management
  • Regeneration of the recovery key
  • Better integration with firmware updates

When you enable Install third-party software for graphics and Wi-Fi hardware and additional media formats during installation, screen recording will be hardware accelerated for supported hardware.

The installer has also seen plenty of accessibility fixes.

Updates

When system updates are available, the Software Updater window no longer pops up unprompted, stealing the keyboard focus. Instead, a notification shows up with options to open the Software Updater or to install all updates directly.

An icon in the system tray reminds you that updates are available even after dismissing the notification. It also provides a quick way to apply all the updates or inspect them in the Software Updater.

Enterprise

authd : Ubuntu’s cloud authentication solution:

  • Supports device registration with EntraID
  • authctl is a new command line tool to manage authd
  • Many improvements and important bug fixes such as UID/GID handling

Wayland

  • The Ubuntu Desktop session now runs only on the Wayland back end. The Ubuntu on X.org session is no longer available because GNOME Shell can no longer run as an X.org session.

  • Suspend-resume support is now enabled in the proprietary Nvidia driver so as to prevent corruption and freezes when waking an Nvidia desktop.

GNOME :footprints:

  • GNOME Shell and related components have been updated to GNOME 49.
  • You can now set an application to start automatically after login in Settings → Apps.
  • Fractional scaling factors are now optimized so as to minimize blur.
  • The default monospace font size has been reduced to match the default user interface font size. The monospace font is used in terminals and similar applications.

New default applications

  • The Image Viewer app is now provided by Loupe instead of Eye of GNOME (EOG). Loupe is written in Rust and powered by the Glycin library.
  • The Terminal app is now provided by Ptyxis instead of GNOME Terminal.

Security Center

Ubuntu Insights

Ubuntu Insights is being developed as a replacement for Ubuntu Report and gives you more control over the non-personally identifying system metrics that you choose to share with Canonical. The metrics collection is opt-in.

In this release, Ubuntu Insights introduces periodic metric collection and replaces Ubuntu Report integration in GNOME Initial Setup.

Note: Any consent that you previously granted to Ubuntu Report will not be carried over to Ubuntu Insights.

Dracut

Ubuntu Desktop 25.10 now uses Dracut as its default initial ramdisk infrastructure, replacing initramfs-tools. Dracut uses systemd in the initial ramdisk and supports new features like Bluetooth and NVM Express over Fabrics (NVMe-oF). Ubuntu Server installations continue to use initramfs-tools while we port the remaining hooks. The original initramfs-tools remains supported and you can switch between the two implementations if required. For details about the switch, see [Spec] Switch to Dracut.

Updated Applications

Updated Subsystems

Support for new Intel® integrated and discrete GPUS

This release brings full support for Intel® Core™ Ultra Xe3 integrated Intel® Arc™ graphics, and Intel® Arc™ Pro B50 and B60 “Battlemage” discrete GPUs. Further Intel® Graphics related features are now available by changes in various components:

  • Via the Linux Kernel v6.17:
    • Initial support for Intel’s next-gen client platform codenamed Panther Lake
    • Enhanced IOMMU and PCIe subsystem for improved GPU virtualization and passthrough.
    • Improved multi-GPU configuration support for Intel hardware.
  • Via Mesa 25.2.3:
    • VK_KHR_shader_bfloat16 enabled in Intel ANV Vulkan driver for Battlemage and Panther Lake** (GFX125+).
    • Completed OpenCL 2.0 coarse grain buffer SVM support in Iris driver.
    • Improved color fast-clear handling and multi-engine surface usage for Intel Vulkan (ANV) driver.
  • Via intel-media-driver 25.3.0:
    • Panther Lake Upstream decoding and VP9 encoding support
  • Via intel-compute-runtime 25.31:
    • Enabling a Level Zero device unified shared memory (USM) pool as a performance change.
    • A performance-minded change for Xe2 graphics to ensure Level Zero events are always allocated in the local device memory.
  • Via level-zero 1.24
    • Update Level Zero Loader and Headers to support v1.13.1 of L0 Spec
  • Via level-zero-raytracing 1.1.0:
    • Ray Tracing Acceleration Structure (RTAS) Extensions

Ubuntu Foundations

Cryptography

Libraries

OpenSSL has been updated to 3.5.3 (It includes security patches from 3.5.4). The most notable updates are:

  • Support for server side QUIC (RFC 9000).
  • Support for PQC algorithms (ML-KEM, ML-DSA and SLH-DSA).
  • The default TLS supported groups list has been changed to include and prefer Hybrid PQC KEM groups.

Package Management: APT 3.1

APT has been updated to 3.1.6, the latest release, including many new features:

  • The new solver is now the default. For more insight, see the post “How we delivered the new APT solver in 25.10
  • The apt why and apt why-not commands have been added that tell you why the solver installed or could not install a package.
  • Repositories can now be configured with Include and Exclude directives. In the Include case, only these packages are included; in the Exclude case, these packages are excluded from the repository. This allows you to restrict a repository to specific packages.
  • The apt history-list and apt history-info commands are included as an early preview easter egg. Enjoy!

Ubuntu Server

ubuntu-server Meta and Seed

Starting in 25.10, the default Ubuntu server image and ubuntu-server metapackage have been updated. Read more at the public spec on Discourse.

  • screen has been removed from the ubuntu-server seed, and moved to a supported seed. screen remains in main. Users will still see screen installed in most cases, as it is now listed as a dependency of ubuntu-release-upgrader
  • wget has been removed from the ubuntu-server seed, and moved to a supported seed. wget remains in main. Users utilizing wget have a number of options.
    • for simple cases (downloading a file from the internet), wcurl is available as part of the still included curl. This can be a drop-in replacement for simple calls such as wget $URL to wcurl $URL. wcurl exposes all of curl’s options, so adding retries is easy.
    • For more specialized cases, ensuring wget is installed prior to running is required.
  • byobu has been removed from the ubuntu-server seed and meta-package and demoted to universe. byobu is still available in Ubuntu.
  • cloud-guest-utils has been removed from the ubuntu-server seed and meta-package. It is expected to still be installed via cloud-init-base which is a dependency of cloud-init.
  • dirmngr has been removed from the ubuntu-server seed and metapackage. it is expected to still be installed as it is a dependency of many packages (gnupg, gpg, vanilla-gnome-desktop and other desktop flavors).

Apache 2

Apache 2 has been upgraded to version 2.4.64. This new release includes several bug and security fixes. It also includes the following changes to specific modules:

  • core: Report invalid Options= argument when parsing AllowOverride directives.
  • mod_systemd added systemd socket activation support.
  • Mod_http2 was updated to version 2.0.32, which includes a new directive H2MaxHeaderBlockLen to set the limit on response header sizes.
  • Mod_proxy now reuses ProxyRemote connections when possible.

For more details, see the upsteam release notes.

Bacula

This is a newly supported package in our “main” repo (was “universe” before).

It was updated from 13.0.4 to 15.0.3 (there was no v14).

  • You must upgrade the director and storage daemons at the same time.
  • Old file daemons are still compatible.
  • Storage volume format was updated from BB02 to BB03, old volumes are still supported.
  • The catalog database schema needs migration, which is automatically applied if you have installed dbconfig-common.

For more details, see the upstream v15 and v15.0.3 changelog.

Chrony

Chrony was upgraded to version v4.7 and comes pre-installed as the new default time-daemon in Ubuntu 25.10, replacing systemd-timesyncd. It ships with a configuration set to use Ubuntu Network Time Security (NTS) servers by default. In order to migrate upgraded systems to chrony you can execute apt-mark auto systemd-timesyncd && apt install chrony.

See upstream release notes for v4.7.

The two primary changes related to NTS are:

  • NTS/KE (“Key Exchange”) uses a separate port (4460/tcp) to negotiate security parameters, which are then used via the normal NTP port (123/udp).

  • A new CA is installed in /etc/chrony/nts-bootstrap-ubuntu.crt that is used specifically for the Ubuntu NTS bootstrap server, needed for when the clock is too far off. This is added to certificate set ID “1”, and defined via /etc/chrony/conf.d/ubuntu-nts.conf.

If your network does not allow access to the Ubuntu NTS servers or the required ports, and the new configuration is in place, chrony will not be able to adjust this system’s clock. To revert to NTP, edit the configuration file in /etc/chrony/sources.d/ubuntu-ntp-pools.sources and revert to using the listed NTP servers in favor of the NTS ones.

cloud-init v. 25.3

Notable features beyond 25.1.2 in Plucky:

  • Add RaspberryPi OS support
  • CentOS support for ca_certs writing
  • Azure: better reporting of platform VM ID errors
  • CloudStack: add ephemeral network support for early boot config
  • EC2: Support metadata retrieval over multiple NICs when crawling the datasource
  • GCE: add template rendering support for processing instance data
  • Hetzner: report private networks in cloud-init metadata
  • Oracle: detect ipv6 only for private ULA addresses
  • VMware: support to apply network configuration updates per-boot and hotplug events
  • WSL: support for Landscape installation request id provisioning
  • Add a generalized datasource clean operation for sudo cloud-init clean
  • Security fix: hotplug socket file is now only root-writable CVE-2024-11584
  • NetworkManager bug fix for reloading multiple connections
  • ENI rendering filter out dns entries from written config

Breaking changes:

  • Security fix CVE-2024-6174: cloud-init will be disabled on non-x86 platforms which do not declare a known datasource in early boot through DMI data, kernel boot params, filesystem configuration or environment files. Such environments may experience inability to SSH into launched VMs. This may require action for non-x86 image creators or OpenStack admins.

Container runtimes

Containerd was updated to the recent 2.1.3 and runC to 1.3.0, docker.io was updated to 28.2
But even more importantly along these updates it established a pattern to either keep the regular updates to the latest version or to opt for slower more stable updates throughout the time the release is active. For more please read Ubuntu Server Gazette - Issue 8 - Containers: Steady paths for agile stacks

Django

Django has been updated to the latest LTS release 5.2 from 4.2, which includes many new features and bug fixes. All Django middleware provided in Ubuntu has also been updated to be compatible with the new version. See the 5.0 release notes for features and updates added with the major version change and the 5.2 release notes for the changes made leading up to the LTS release.

Dovecot

Upgrading from Dovecot 2.3.x to 2.4 requires several important config file changes. These are explained in detail in the link below. This includes renamed configuration parameters as well as a major change to the syntax. While converting an existing config is possible, it will need careful review to ensure your site customizations are carried through properly.

Additionally, Dovecot 2.4 brings new features including support for the ARGON2 password scheme, SCRAM-SHA-1 and SCRAM-SHA-256 SASL mechanisms, and the X25519 and X448 cryptographic curves for some plugins. A number of features are being removed, changed, or deprecated; for the full list please see:

Notably, support for building for 32-bit architectures has ended, so dovecot will no longer be natively installable on i386 and armhf platforms.

EDK2

  • Added firmware for Intel ® TDX guests with secure boot capability (LP#2125123)

frr

FRRouting is a free and open source Internet routing protocol suite for Linux and Unix platforms. It implements BGP, OSPF, RIP, IS-IS, PIM, LDP, BFD, Babel, PBR, OpenFabric and VRRP, with alpha support for EIGRP and NHRP.

The FRRouting package was updated to version 10.4.1. Series 10.4.x introduced many new features and bugfixes: please see Release FRR Release 10.4.0 · FRRouting/frr · GitHub for details.

HAProxy

Updated from 3.0.8 to the recent release 3.0.10 which includes

Furthermore, it now uses jemalloc for memory allocation which is faster and less memory hungry than the default allocator.

iPXE

  • iPXE was updated to upstream version from June 2025.
  • For physically booting to iPXE (e.g. via grub), make sure to install the grub-ipxe package and to adjust you GRUB scripts/config to use ipxe.efi (UEFI) or ipxe.lkrn (x86 BIOS).
  • UEFI network boot roms for qemu (from ipxe-qemu) are network drivers only (for PXE or HTTP boot) without the iPXE stack.
    To boot x86-64 qemu VMs with UEFI and network boot using iPXE scripts, make sure to chainload ipxe.efi (from ipxe package) (see https://ipxe.org/howto/chainloading).

libvirt

The libvirt package was upgraded to version 11.6.0. Here are the important changes since Ubuntu Plucky:

  • qemu: ppc64 POWER11 processor support
  • Allow control over QEMU TLS priority strings
  • qemu: Add support for NVMe disks
  • qemu: add support for AMD IOMMU device
  • qemu: Add support for Intel ® TDX guests
  • Adds TDX as a new type of <launchSecurity/>.
  • All helper programs are now detected from $PATH during runtime - allowing you to modify its behavior more easily
  • qemu: Added guest load averages to the output of virDomainGetGuestInfo
  • qemu: Add support for multiple iothreads for virtio-scsi controller
  • qemu: integrate support for VM shutdown on host shutdown - a new opt-in way to shut down guests on host shutdown
  • qemu: Add support for parallel save/restore
  • qemu: Support for Block Disk Along with Throttle Filters
  • nodedev: Support ccwgroup based qeth devices
  • Introduce virtio-mem model for s390 guests

For more details, please see the upstream changelog .
Additionally in Ubuntu, the default URI choice behavior was modified slightly: In the past Ubuntu enforced the qemu:///system URI by overriding LIBVIRT_DEFAULT_URI in /etc/profile.d/libvirt-uri.sh. Starting with Ubuntu 25.10, we’re dropping that profile.d script in favour of a fallback mechanism, which still perserves the default beahvior as qemu:///system for privileged and non-privileged users, but allows to override that default choice by setting LIBVIRT_DEFAULT_URI manually or changing the uri_default parameter in /etc/libvirt/libvirt.conf or ~/.config/libvirt/libvirt.conf (for non-privileged users) respectively.

MySQL

MySQL 8.4 now builds directly against tcmalloc for additional memory efficiency. For more information, see the most recent edition of the Ubuntu Server Gazette.

Nginx

Nginx was updated from 1.26.3 that we had in plucky to the latest stable version 1.28 which, among many other fixes and improvements, brings:

  • Performance and stability improvements in HTTP/3 and QUIC

  • Feature: SSL certificates, secret keys, and CRLs are now cached on start or during reconfiguration.

For more details see the upstream release notes

OpenLDAP

Updated from 2.6.9 to 2.6.10, which contains various bugfixes. See the 2.6 series upstream release notes

OpenSSH

Updated to the new major 10.0 upstream release, which among other things now uses a hybrid post-quantum algorithm by default for key agreement. It also adds support for glob patterns in “Authorized{Keys,Principals}File” and Match version/sessiontype/command stanzas inside ssh[d]_config, e.g. “Match version OpenSSH_10.*”. And adds support for FIDO tokens that return no attestation data.

Breaking changes

  • Removes support for the weak DSA signature algorithm.
  • Announces itself as “SSH-2.0-OpenSSH_10.0”. Do not match on “OpenSSH_1*”.

For more please see the full release notes

PHP

Upgrade to the 8.4.11 upstream version. The upgrade mostly improves stability and security, fixing crashes and leaks. It brings fixes for a few CVEs (CVE-2025-1735, CVE-2025-6491, CVE-2025-1220).

For more read the upstream changelog since the former version in Plucky that was 8.4.5

PostgreSQL

PostgreSQL stayed on version 17, but received the stable updates (which we also backport regularly) and now is on 17.6.

A dump/restore is not required for those running 17.X.

If you have self-referential foreign key constraints on partitioned tables, it may be necessary to recreate those constraints to ensure that they are being enforced correctly.

If you have any BRIN numeric_minmax_multi_ops indexes, it is advisable to reindex them after updating.

For more details check the upstream release notes for 17.5 and 17.6.

QEMU

The QEMU package was updated to version 10.1.0. Here are the changes since Ubuntu 25.04.

  • Arm is able to emulate Secure EL2 physical and virtual timers as well as architectural features FEAT_AFP, FEAT_RPRES, FEAT_XS and even more by 10.1
  • Arm’s virt board can configuring a larger PCIe MMIO regions via highmem-mmio-size
  • RISC-V got various improvements like
    • support for Smdbltrp, Ssdbltrp and Smrnmi extensions
    • Add ‘sha’ support
    • Support of the RVA23 Profile
  • s390x added support for generation 17 mainframe CPUs and virtio-mem
  • s390x Control program identification data can now be retrieved via QOM
  • x86 emulation got a performance boost handling string instructions
  • x86 furthermore got more recent CPU types like ClearwaterForest
  • virtio-scsi has gained true multiqueue support
  • Support for Intel ® TDX included
  • Support for starting a TDX or SEV-SNP virtual machine from an IGVM file.
  • Support for VFIO on TDX and SNP virtual machines and many more vfio improvements.
  • 32 bit hosts never could never provide the atomicity requirements of 64-bit guests. From 10.0, QEMU has disabled configuration of 64-bit guests on 32-bit hosts.

It is important to note that very old machine types have been deprecated for a while and now finally have been removed upstream and in Ubuntu.

  • x86 dropped every type <= 2.5 which translates to anything <=xenial. That implies that you can migrate your older guests e.g. from trusty up to 24.04 LTS (noble) or 25.04 (plucky). The former giving another 4 + 5 +5 (basic, pro, legacy) years of support. But then after way more than a decade, guests would need to be bumped to a newer machine type which is generally recommended regularly.
  • On s390x the cleanup was a bit more agressive - with <=4.1 and thereby <=eoan gone. This is a slightly shorter timeline, but still all the 5+5+5 years of support of an Ubuntu LTS plus the 4 years between focal and noble and thereby quite a long time until you need to consider updating your guest to a newer machine type.
  • On ppc64 no Ubuntu related machine type was dropped yet, on arm we didn’t yet need to introduce them.

For more details, please see related upstream changelogs and the general log on removed features:

Samba

Samba has been updated to the new upstream 4.22 version.

New features:

  • SMB3 Directory Leases
  • Netlogon Ping over LDAP and LDAPS
  • Experimental Himmelblaud Authentication in Samba
  • AD DC schema upgrade and provision performance improvements

Removed features:

  • nmbd proxy logon
  • cldap port
  • fruit:posix_rename

Please refer to the upstream release notes for details: https://www.samba.org/samba/history/samba-4.22.0.html

Strongswan

Strongswan was upgraded to v6.0.1, following upstream in dropping the NTRU post-quantum encryption algorithm. See upstream changelogs for the full listing of changes:

Intel® QuickAssist Technology (Intel® QAT)

Intel® QAT components have been updated to their most recent versions. Those are:

  • qatlib : 25.08.0
    For more information, visit the project’s repo.
  • qatengine : updated to 2.0.0
    For more information, visit the project’s repo.
  • qatzip : updated to 1.3.1
    For more information, visit the project’s repo.

sos (sosreport)

sos was updated to version 4.10.0. Key updates below

  • The temporary directory has now been changed from /tmp to /var/tmp. This follows changed in systemd-tmpfiles and the cleaning of /var/tmp, this aligns with other distros.
  • sos clean now cleans the sos concurrently, improving the speed of cleaning.
  • Many new additional plugins include authd, charmed_mysql, helm, opensearch, pulseaudio and valkey
  • Many other plugins have also been updated.

Upstream release notes can be viewed on the sos project GitHub

Subiquity

Please see the 25.10 Release Notes post on GitHub.

Valkey

Valkey was updated to version 8.1, starting with 8.1.1. This includes additional significant performance and efficiency improvements, without any backwards-incompatible changes to commands and responses. For more information on the new version, see the Valkey 8.1 blog post . Release notes are available on the Valkey project GitHub .

Additionally, now that Redis has been updated to 8.0, Valkey no longer acts as a drop-in replacement. Therefore, the valkey-redis-compat package has been removed. If you are planning to swap from Redis to Valkey, make sure to do so prior to upgrading.

OpenStack

OpenStack has been updated to the 2025.2 (Flamingo) release. This includes packages for Aodh, Barbican, Ceilometer, Cinder, Designate, Glance, Heat, Horizon, Ironic, Keystone, Magnum, Manila, Masakari, Mistral, Neutron, Nova, Octavia, Swift, Vitrage, Watcher and Zaqar.

This release is also provided for Ubuntu 24.04 LTS via the Ubuntu Cloud Archive.

The Flamingo release significantly strengthens OpenStack’s security posture with new confidential computing features in Nova (SEV-ES support, one-time passthrough devices), credential rotation capabilities in Magnum, and bring-your-own encryption keys in Manila. The Eventlet Removal is still underway, already being removed across multiple core services including Ironic, Barbican, Heat, modernizing OpenStack’s asynchronous operations foundation for long-term sustainability.

Ceph

Open vSwitch (OVS) and Open Virtual Network (OVN)

OVS was updated to 3.6.0 and OVN was updated 25.09.0. Please refer to the upstream NEWS files for more information about individual features:

Platforms

GRUB2

We’ve started shipping a pre-release beta of GRUB 2.14 as the bootloader. Everything should work smoothly, but if you notice anything strange, please file a bug report and let us know!

Public Cloud / Cloud images

How to report any issues resulting from these changes

Raspberry Pi :strawberry:

  • A new layout of the boot partition is introduced to enhance the reliability of the boot process (LP: #2116266). This will automatically “test” new boot assets written to the boot partition before committing them as the current “known good” set. See the call for testing for more information, or the blog post covering the feature for the full details (including advice on how to opt-out of this feature, where required)

  • Please note that, due to the new boot process, the boot firmware on your Pi must be up to date. On the Pi 3, 3+, and Zero 2W, the boot firmware is in the image itself, and so is guaranteed to be up to date. On the Pi 5, all boot firmware since release are compatible. However, on the Pi 4 your boot firmware must be dated no earlier than 2022-11-25. To check this, run sudo rpi-eeprom-update. If your firmware is dated earlier than this, using Ubuntu 24.04 (noble) or later, run sudo rpi-eeprom-update -a and reboot.

  • The Ubuntu desktop images for Raspberry Pi are now based upon the “desktop-minimal” seed rather than “desktop” (LP: #2103808). This greatly reduces the default set of applications installed on the images (saving approximately 777MB of space on the uncompressed image, and thus on user’s systems). The list of applications removed from the image is:

    • deja-dup (backup service)
    • file-roller (archive handler)
    • gnome-calendar
    • gnome-snapshot (camera application)
    • libreoffice-*
    • remmina (remote desktop client)
    • rhythmbox (music player)
    • shotwell (photo catalogue)
    • simple-scan (flat-bed scanner application)
    • thunderbird (email client)
    • totem (video player)
    • transmission-gtk (bittorrent client)

  • The applications mentioned above will not be automatically removed for upgraders as the ubuntu-desktop meta-package remains manually installed in this circumstance. If you wish to remove these applications (in bulk), you may do so with: sudo apt purge ubuntu-desktop --autoremove. If you wish to keep specific applications, simply “install” them with apt first (which will mark them as “manually installed”, excluding them from automatic removal).

  • The creation of the swap-file on the desktop images is now handled by cloud-init (LP: #2116275). You may customize the size of the swapfile by editing user-data on the boot partition prior to first boot

IBM Z and LinuxONE (s390x) image

  • With every new Ubuntu release, the s390-tools package got upgraded to it’s latest available release v2.38 (LP: #2115416), that now includes support to provide Topology-Map information to user-space (LP: #2098361), support to convert LUKS2 volume from AES keys to retrievable PAES keys (LP: #2117450) as well as Control Program Identification (CPI) hardening for SEL (Security Enhanced Linux) guests (LP: #2118866).

  • Further support and enhancements were done in the virtualization stack with the implementation of virsh hypervisor-cpu-models in libvirt (LP: #2027925, performance enhanced refresh PCI translation in qemu (LP: #2049699) and kernel (LP: #2049700), the implementation of Control Program Identification (CPI) in qemu (LP: #2118769) and the new reporting of vfio-ap configuration changes with CHSC Store Event Information in KVM, kernel (LP: #2118771) and qemu (LP: #2119160).

  • Significant effort was spent to enable Ubuntu for the latest IBM Z (z17) and LinuxONE (LinuxONE 5) hardware generations, with support in glibc (LP: #2117398), and the tool-chain, namely:

  • Another big area of enhancements is cryptography:

    • with the upgrade to opencryptoki v3.25 (LP: #2116720) there is now also
    • support for ep11 token based import and export of secure key objects (LP: #2117436)
    • the new tools p11kmip that allows to import/export PKCS #11 keys from to a KMIP server (LP: #2117449)
    • and basic support for AES-GCM in CCA tokens (LP: #2117451)
      In addition several cryptography packages were updated, like:
    • openssl-ibmca to v2.5.0 (LP: #2116709)
    • openssl-pkcs11-sign-provider to v1.0.2 (LP: #2116721)
    • libzpc to v1.4.0 (LP: #2116711)
    • libica4 to v4.4.1 (LP: #2116716) and
    • cryptsetup to v2.8.0 (LP: #2116736)

  • The kernel also comes with new PHMAC support for MSA 11 HMAC (LP: #2096891).

  • Finally further tools were updated, like the

    • smc-tools to v1.8.5, used for shared memory communication cards (LP: #2119285)
    • libzdnn to v1.1.2, for neuronal network usage with IBM Z hardware support (LP: #2116713) and the
    • qclib to v2.5.1, that allows to query s390x hardware data (LP: #2116708)

IBM POWER (ppc64el)

RISC-V

Ubuntu 25.10 targets the RVA23S64 ISA profile. Systems that don’t satisfy this requirement cannot run Ubuntu 25.10. RVA20 hardware will continue to be supported by Ubuntu 24.04 LTS.

If you’d like to try it out in a VM, please refer to this guide https://canonical-ubuntu-boards.readthedocs-hosted.com/en/latest/how-to/qemu-riscv/

Known Issues

As is to be expected with any release, there are some significant known bugs that users may encounter with this release of Ubuntu. The ones we know about at this point (and some of the workarounds) are documented here, so you don’t need to spend time reporting these bugs again:

General

  • Offline installs ticking the box for Nvidia drivers result in Nouveau drivers being installed instead - to work around, install online or update drivers after install. (LP: #2127099)

  • There is a bug (LP: #2104316) in the beta images that prevents netboot installs in some scenarios.

  • It has been reported that cloud-init may fails to upgrade properly in the Oracular to Pluck upgrade path, see LP: #2104316.

  • The Live Session of the new Ubuntu Desktop installer is not localized. It is still possible to perform a non-English installation using the new installer, but internet access at install time is required to download the language packs. (LP: #2013329)

  • ZFS with Encryption on Ubuntu 24.10 will fail to activate the cryptoswap partition. This affects both new installs and upgrades. We expect to address this post-release with an archive update.

  • Some particular hardware (e.g. Thinkpad x201) might have issues (general freeze, desktop-security-center not launching), when booted without nomodeset (Safe graphics). Follow these steps if you encounter such an issue:

    1. At the GRUB boot menu, press e (keep Shift pressed during early boot if the menu doesn’t show up).

    2. Add nomodeset to linux line, like the example below:

      linux /casper/vmlinuz nomodeset ---

    3. Press Ctrl-x to continue the boot process

    4. After installation is complete, reboot, use nomodeset again, like the example below:

      linux /boot/vmlinuz-6.11.0-8-generic nomodeset root=UUID=c5605a23-05ae-4d9d-b65f-e47ba48b7560 ro

    5. Add nomodeset to the GRUB config file, /etc/default/grub, like the example below:

      GRUB_CMDLINE_LINUX="nomodeset"

    6. Finally, make the change take effect:

      sudo update-grub

  • flatpak is failing to install applications due to missing or incorrect apparmor rules in the profile for fusermount3. Please see Bug #2122161 “[SRU] error: Failed to install org.gnome.Platform:...” : Bugs : Release Notes for Ubuntu for details.

Linux kernel

Ubuntu Desktop

  • Screen reader support is present with the new desktop installer, but is incomplete (LP: #2061015, LP: #2061018, LP: #2036962, LP: #2061021)

  • You will perhaps experience crashes trying to use the snap-store on Qualcomm Snapdragon X Elite hardware (LP: #2127161)

  • OEM installs are not supported yet (LP: #2048473)

  • GTK4 apps (including the desktop wallpaper) do not display correctly with VirtualBox or VMWare with 3D Acceleration (LP: #2061118).

  • Incompatibility between TPM-backed Full Disk Encryption and Absolute: TPM-backed Full Disk Encryption (FDE) has been introduced to enhance data security. However, it’s important to note that this feature is incompatible with Absolute (formerly Computrace) security software. If Absolute is enabled on your system, the machine will not boot post-installation when TPM-backed FDE is also enabled. Therefore, disabling Absolute from the BIOS is recommended to avoid booting issues.

  • Hardware-Specific Kernel Module Requirements for TPM-backed Full Disk Encryption: TPM-backed Full Disk Encryption (FDE) requires a specific kernel snap which may not include certain kernel modules necessary for some hardware functionalities. A notable example is the vmd module required for NVMe RAID configurations. In scenarios where such specific kernel modules are indispensable, the hardware feature may need to be disabled in the BIOS (such as RAID) to ensure the continued availability of the affected hardware post-installation. If disabling in the BIOS is not an option, the related hardware will not be available post-installation with TPM-backed FDE enabled.

  • FDE specific bug reports.

  • Installing ubuntu-fonts-classic results in a non-Ubuntu font being displayed (LP#2083683). To resolve this, install gnome-tweaks and set ‘Interface Text’ to ‘Ubuntu’.

  • Wayland desktop performance using the Nvidia driver is still suboptimal. Work is underway to resolve this in 26.04 (LP#2081140).

Ubuntu Server

rabbitmq-server

Certain version hops may be unsupported due to feature flags, raising questions about how Ubuntu will maintain this package moving forward. We are currently exploring the use of snaps as a potential solution to enable smoother upgrades. For more information please read LP: #2074309.

Openstack

Currently, Nova Compute is non-functional because of a python3.13 incompatiblity (LP:#2103413).
The Openstack team and Upstream work on it and it will be resolved via an SRU later.

The Ubuntu Cloud Archive is not affected by this bug.

Installer

On systems booting via U-Boot, U-Boot should be updated to the current Plucky version before installation as subiquity does not run flash-kernel and grub-update during the installation. So for first boot the device-tree from U-Boot will be used.

  • In some situations, it is acceptable to proceed with an offline installation when the mirror is inaccessible. In this scenario, it is advised to use:
apt:
  fallback: offline-install

  • Network interfaces left unconfigured at install time are assumed to be configured via dhcp4. If this doesn’t happen (for example, because the interface is physically not connected) the boot process will block and wait for a few minutes (LP: #2063331). This can be fixed by removing the extra interfaces from /etc/netplan/50-cloud-init.conf or by marking them as optional: true. Cloud-init is disabled on systems installed from ISO images, so settings will persist.

  • Installing to a remote NVMe drive using NVMe over TCP firmware support can result in an unbootable system. A workaround exists using an autoinstall directive. Alternatively, the configuration on the target system can be manually fixed post installation before rebooting to the target system. More information at LP: #2127072.

Raspberry Pi

  • The new gnome-initial-setup has issues preventing it from working properly:

  • During boot on the server image, if your cloud-init configuration (in user-data on the boot partition) relies upon networking (importing SSH keys, installing packages, etc.) you must ensure that at least one network interface is required (optional: false) in network-config on the boot partition. This is due to netplan changes to the wait-online service (LP: #2060311)

  • The seeded totem video player will not prompt users to install missing codecs when attempting to play a video requiring them (LP: #2060730)

  • With the removal of the crda package in 22.04, the method of setting the wifi regulatory domain (editing /etc/default/crda) no longer operates. On server images, use the regulatory-domain option in the Netplan configuration. On desktop images, append cfg80211.ieee80211_regdom=GB (substituting GB for the relevant country code) to the kernel command line in the cmdline.txt file on the boot partition (LP: #1951586).

  • The power LED on the Raspberry Pi 2B, 3B, 3A+, 3B+, and Zero 2W currently goes off and stays off once the Ubuntu kernel starts booting (LP: #2060942)

  • Colours appear incorrectly in the Ubuntu App Centre (LP: #2076919)

  • On server images, re-authentication to WiFi APs when regulatory domain is set result in dmesg spam to the console (LP: #2063365)

  • On the Pi Zero 2W, the release image contains a bug in the Bluetooth components of the firmware package. This is due to be fixed in an SRU (LP: #2127041)

Google Compute Platform

Nothing yet.

Microsoft Azure

  • When inspecting system logs with journalctl, users may encounter a denied log entry relating to systemd-detect-virt. There is no known impact on functionality (LP:#2124958).
  • Ubuntu images on Microsoft Azure now include azure-vm-utils package, which provides consistent disk naming across SCSI and NVMe devices, improved handling for accelerated networking (MANA and Mellanox), and removes the need for custom udev or Netplan configurations.

AWS

Nothing yet.

s390X

  • During upgrade from Ubuntu Server 25.04 (Plucky Puffin) to Ubuntu 25.10 (Questing Quokka) one may notice the following error with kdump-tools:
    “Errors were encountered while processing:
    kdump-tools”
    This is likely due to a race condition.
    One may proceed and complete the upgrade, but at the end of the process the system needs to be manually rebooted. The bug is tracked here: LP: #2126934

Official flavours

Find the release notes for the official flavours at the following links:

More information

Reporting bugs

Your comments, bug reports, patches and suggestions help fix bugs and improve the quality of future releases. Please report bugs using the tools provided. If you want to help with bugs, the Bug Squad is always looking for help.

What happens if there is a high or critical priority CVE during release day?

Server, Desktop and Cloud plan to release in lockstep on release day, but there are some exceptions.

In the unlikely event that a critical or high-priority CVE is announced on release day, the release team have agreed on the following plan of action:

  • For critical priority CVEs, the release of Server, Desktop and Cloud will be blocked until new images can be built addressing the CVE.

  • For high-priority CVEs, the decision to block release will be made on a per-product (Server, Desktop and Cloud) basis and will depend on the nature of the CVE, which might result in images not being released on the same day.

This was discussed in the ubuntu–release mailing list March/April 2023.

The mailing list thread also confirmed there is no technical or policy reason why a package cannot be pushed to the Updates or Security pocket to address high or critical-priority CVEs prior to the release.

Participate in Ubuntu

If you would like to help shape Ubuntu, look at the list of ways you can participate at community.ubuntu.com/contribute.

More about Ubuntu

You can find out more about Ubuntu on the Ubuntu website.

To sign up for future Ubuntu development announcements, subscribe to Ubuntu’s development announcement list at ubuntu-devel-announce.

5 Likes