This is 23.10 with initrd copied from 24.04

## New features in 23.10

### Updated Packages

add-apt-repository now adds PPAs as deb822 `.sources` files (see "Improvements to PPA management in 23.10").

#### Linux kernel

Ubuntu 23.10 includes the new 6.5 Linux kernel, which brings many new features.

Notable upstream changes:

- Intel's "Topology Aware Register and PM Capsule Interface" (an interface that provides better power-management features).
- arm64 permission-indirection extension (a mechanism for setting special memory permissions).
- RISC-V now supports ACPI.
- The LoongArch architecture now supports simultaneous multi-threading (SMT).
- Support for unaccepted memory (a protocol by which secure guest systems accept memory allocated by the host; see "Seeking an acceptable unaccepted memory policy").
- The io_uring subsystem can now store the rings and submission queue in user-space memory.
- Ability to mount a file system underneath an existing mount on the same mount point; useful in container scenarios (merge tag 'v6.5/vfs.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs).
- New cachestat() system call (queries the page-cache state of files and directories).
- The usual set of changes to support new hardware.

Notable Ubuntu-specific changes:

- zstd-compressed modules (LP: #2028568) to shorten boot time.
- New AppArmor/Stacking LSM patch set.
- Updated shiftfs patch set.
- Multi-gen LRU page reclaiming enabled by default (LP: #2023629).
- .config tuning of the low-latency kernel for desktop-oriented tasks (LP: #2028568).
- New zfs 2.2.0~rc3.
- Ceph support for idmapped mounts.

#### systemd v253.5

The init system was updated to systemd v253.5. See the upstream changelog for more information about individual features.

#### Netplan v0.107

The network stack was updated to Netplan v0.107, introducing support for dummy and veth devices in addition to providing Python bindings to libnetplan in the python3-netplan package.
### Toolchain Upgrades

- GCC was updated to the 13.2.0 release, binutils to 2.41, and glibc to 2.38.
- Python now defaults to version 3.11.6, and 3.12.0 is available in the archive.
- Perl is at version 5.36.0.
- LLVM now defaults to version 16, and 17 is available in the archive.
- The Rust toolchain defaults to version 1.71.
- OpenJDK: in addition to OpenJDK 17, OpenJDK 21 is now provided (but not used for package builds).
- .NET: .NET 7 packages were updated to 7.0.110, and .NET 6 packages were updated to 6.0.121.
- golang: Go was updated to version 1.21. See the upstream release notes for all the changes.

### Security Improvements

The Ubuntu kernel now has the ability to require programs to have an AppArmor profile in order to use unprivileged user namespaces (unprivileged_userns_restriction). This restriction is not currently enabled by default, but when enabled it affects every program on the system that is both unprivileged and unconfined. In practice this touches programs that construct their own sandboxes (LP: #2017980), such as browsers, and some styles of container workloads. This is the first step towards mitigating the larger kernel attack surface that unprivileged user namespaces expose.

To enable this new restriction:

- Enable it on the entire system for one boot by executing `echo 1 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns`. This setting is lost on reboot.
- Enable it persistently by adding a new file, `/etc/sysctl.d/60-apparmor-namespace.conf`, with the following contents, then rebooting:

```
kernel.apparmor_restrict_unprivileged_userns=1
```

There are several options if you run into problems:

- Confine your applications with an AppArmor profile. Because this can be onerous, a new `unconfined` profile mode/flag has been added to AppArmor. A profile with this flag essentially behaves like AppArmor's unconfined mode (the application is not restricted), but it also lets additional permissions be granted, such as the `userns` permission. Such a profile for, e.g., Google Chrome would look like the following and would be located in the file `/etc/apparmor.d/opt.google.chrome.chrome`:

```
abi <abi/4.0>,
include <tunables/global>

/opt/google/chrome/chrome flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/opt.google.chrome.chrome>
}
```

  Alternatively, a complete AppArmor profile for the application can be created (see the AppArmor documentation).
- Launch your application in a way that doesn't use unprivileged user namespaces, e.g. `google-chrome-stable --no-sandbox`. This is not recommended, because it removes the application's own sandboxing; use the `unconfined` profile mode described above instead.
- Disable the restriction on the entire system for one boot by executing `echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns`. This setting is lost on reboot. This is similar to the previous behaviour, but it does not mitigate kernel exploits that abuse the unprivileged user-namespaces feature.
- Disable the restriction persistently by adding a new file, `/etc/sysctl.d/60-apparmor-namespace.conf`, with the following contents, then rebooting. This is similar to the previous behaviour, but it does not mitigate kernel exploits that abuse the unprivileged user-namespaces feature.

```
kernel.apparmor_restrict_unprivileged_userns=0
```
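The following shell helper is an added example written for this page; it is not part of the Ubuntu release notes or of AppArmor's own tooling. It wraps the procedure above into functions an administrator can source: read the current value of the `apparmor_restrict_unprivileged_userns` knob (reporting `absent` on kernels that do not expose it), render the `/etc/sysctl.d` drop-in for either value, probe whether an unprivileged, unconfined process can create a user namespace right now (using util-linux's `unshare -U`), and render an `unconfined`-flag profile for an arbitrary executable path, generalizing the Chrome profile shown above. The function names, the `report` helper and the profile-name derivation (leading slash dropped, `/` replaced by `.`) are this example's own assumptions; the sysctl key, proc path and drop-in file name are the ones the release notes use.

```bash
#!/usr/bin/env bash
# Added example helper for the unprivileged user-namespace restriction.
# Not from the Ubuntu release notes; function names are hypothetical.

SYSCTL_KEY="kernel.apparmor_restrict_unprivileged_userns"
PROC_PATH="/proc/sys/kernel/apparmor_restrict_unprivileged_userns"
DROPIN_NAME="60-apparmor-namespace.conf"

# Print the current knob value ("0" or "1") from a proc-style file, or
# "absent" when the kernel does not expose it (older or non-Ubuntu kernels).
# The path argument exists so the function can be exercised against a copy.
userns_restriction_status() {
    path="${1:-$PROC_PATH}"
    if [ ! -r "$path" ]; then
        echo absent
        return 0
    fi
    tr -d '[:space:]' < "$path"
}

# Render the sysctl.d drop-in content for a value of 0 (disable) or 1 (enable).
render_sysctl_dropin() {
    case "$1" in
        0|1) printf '%s=%s\n' "$SYSCTL_KEY" "$1" ;;
        *) echo "value must be 0 or 1" >&2; return 1 ;;
    esac
}

# Write the drop-in into a sysctl.d directory (default /etc/sysctl.d).
# A reboot, or `sudo sysctl --system`, is still needed to apply it.
write_sysctl_dropin() {
    dir="${2:-/etc/sysctl.d}"
    render_sysctl_dropin "$1" > "$dir/$DROPIN_NAME"
}

# Probe whether the calling (unprivileged, unconfined) process may create a
# user namespace right now. Prints "allowed" or "denied"; "denied" is also
# what you get if unshare is missing or the restriction is active.
probe_unprivileged_userns() {
    if unshare -U true 2>/dev/null; then echo allowed; else echo denied; fi
}

# Render an AppArmor profile with flags=(unconfined) plus the userns
# permission for an executable path, in the shape of the Chrome example.
# The local include name is derived from the path: strip the leading "/",
# replace "/" with ".". Install under /etc/apparmor.d/<that name> and load
# with `sudo apparmor_parser -r <file>`.
render_unconfined_profile() {
    exe="$1"
    name=$(printf '%s' "$exe" | sed -e 's|^/||' -e 's|/|.|g')
    cat <<EOF
abi <abi/4.0>,
include <tunables/global>

$exe flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/$name>
}
EOF
}

# Read-only summary; writes nothing under /etc. Source the file and call it:
#   . ./userns_check.sh && report
report() {
    echo "knob value      : $(userns_restriction_status)"
    echo "unshare -U probe: $(probe_unprivileged_userns)"
    echo "drop-in to enable (pipe into: sudo tee /etc/sysctl.d/$DROPIN_NAME):"
    render_sysctl_dropin 1
}
```

Note what the probe does and does not tell you: a `denied` result with the knob at 1 means the restriction is working for your shell, which is unconfined; a confined process with `userns` in its profile would still be allowed. After installing a profile rendered by `render_unconfined_profile`, re-run the probe from inside the confined application rather than from an interactive shell.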