Introduction

(See https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#heading--more-information for more info.)

These release notes for Ubuntu 24.04 LTS (Noble Numbat) provide an overview of the release and document the known issues with Ubuntu and its flavours.

Support lifespan

Ubuntu 24.04 LTS will be supported for 5 years until June 2029. If you need Long Term Support, we recommend you use Ubuntu 22.04 LTS until 24.04.1 is released.

Upgrades

Users of Ubuntu 23.10 will be offered an automatic upgrade to 24.04 soon after the release. Users of 22.04 LTS, however, will be offered the automatic upgrade when 24.04.1 LTS is released, which is scheduled for the 15th of August.

New features in 24.04 LTS

Year 2038 support for the armhf architecture

Ubuntu 24.04 LTS solves the Year 2038 problem that existed on armhf. More than a thousand packages have been updated to handle time using a 64-bit value rather than a 32-bit one, making it possible to handle times up to 292 billion years in the future.

Updated Packages

Linux kernel :penguin:

Ubuntu 24.04 LTS includes the new 6.8 Linux kernel that brings many new features. Detailed changes are reported in the Noble Kernel Release Notes post.

systemd v255.4

The init system was updated to systemd v255.4. See the upstream changelog for more information about individual features.

Netplan v1.0 :globe_with_meridians:

The network stack was updated to Netplan version 1.0, which supports simultaneous WPA2 & WPA3, Mellanox VF-LAG for high-performance SR-IOV networking and VXLAN improvements. It also provides a stable libnetplan1 API and a new netplan status --diff sub-command to find differences between configuration and system state. For more information please see the Introducing Netplan v1.0 blog post.

Toolchain Upgrades :hammer_and_wrench:

- GCC :cow: is updated to version 14, binutils to 2.42, and glibc to 2.39.
- Python :snake: now defaults to version 3.12
- OpenJDK :coffee: now defaults to LTS version 21
- LLVM :dragon: now defaults to version 18
- Rust :crab: toolchain defaults to version 1.75
- Golang :rat: is updated to 1.22
- .NET 8 is now default

OpenJDK

OpenJDK LTS 21 is the default in Ubuntu 24.04 LTS while maintaining support for versions 17, 11, and 8. OpenJDK 17 and 21 are also TCK certified, which means they adhere to Java standards and ensure interoperability with other Java platforms. A special FIPS-compliant OpenJDK 11 package is also available for Ubuntu Pro users.

.NET

With the introduction of .NET 8, Ubuntu is taking a significant step forward in supporting the .NET community. .NET 8 will be fully supported on Ubuntu 24.04 LTS and 22.04 LTS for the entire lifecycle of both releases. This enables developers to upgrade their applications to newer .NET versions before upgrading their Ubuntu release. Starting with 24.04 LTS, .NET support has also been extended to the IBM System Z platform. .NET 6 and .NET 7 packages with limited support are available via a PPA.

Apport

Apport added integration with systemd-coredump to handle crashes. Developers on Ubuntu can now co-install systemd-coredump and use coredumpctl to analyze crash data. Apport will continue to collect crash information and submit it to the Ubuntu Error Tracker and Launchpad.

Security Improvements :lock:

Unprivileged user namespace restrictions

In combination with the apparmor package, the Ubuntu kernel now restricts the use of unprivileged user namespaces. This affects all programs on the system that are unprivileged and unconfined. A default AppArmor profile is provided that allows the use of user namespaces for unprivileged and unconfined applications but will deny the subsequent use of any capabilities within the user namespace.

A common use-case for unprivileged user namespaces is applications that construct their own sandboxes or work with styles of container workloads.
As such, AppArmor profiles that allow the use of unprivileged user namespaces are also provided for common applications and frameworks that come from the Ubuntu archive, as well as popular third party applications like Google Chrome, Discord and others.

This is a subsequent step towards trying to mitigate the larger attack surface presented by unprivileged user namespaces (the first being the introduction of this feature in Ubuntu 23.10, where it was not enabled by default).

Whilst significant effort has been expended to try and identify all applications that may require such profiles, it is expected that there may be cases where additional profiles are required. In this case, there are several options if you run into problems:

- Confine your applications with an AppArmor profile. Because this can be potentially onerous, a new unconfined profile mode/flag has been added to AppArmor. This designates the profile to essentially act like the unconfined mode for AppArmor, where an application is not restricted, and it allows additional permissions to be added, such as the userns permission. Such a profile for, e.g., Google Chrome would look like the following, and it would be located within the /etc/apparmor.d/chrome file:

    abi <abi/4.0>,

    include <tunables/global>

    /opt/google/chrome/chrome flags=(unconfined) {
      userns,

      # Site-specific additions and overrides. See local/README for details.
      include if exists <local/chrome>
    }

  Alternatively, a complete AppArmor profile for the application can be created (see the AppArmor documentation).
- Launch your application in a way that doesn't use unprivileged user namespaces, e.g. google-chrome-stable --no-sandbox. However, since this disables the use of an internal security feature within the application, this is not recommended. Use the unconfined profile mode described above instead.
- Disable this restriction on the entire system for one boot by executing echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns. This setting is lost on reboot.
  This is similar to the previous behaviour, but it does not mitigate against kernel exploits that abuse the unprivileged user namespaces feature.
- Disable this restriction using a persistent setting by adding a new file (/etc/sysctl.d/60-apparmor-namespace.conf) with the following contents:

    kernel.apparmor_restrict_unprivileged_userns=0

  Reboot. This is similar to the previous behaviour, but it does not mitigate against kernel exploits that abuse the unprivileged user namespaces feature.

TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

- for software using openssl, this was the case since 20.04
- for software using gnutls, this is now enforced (with openconnect being a notable exception)

More consistent application of openssl and gnutls system configurations

Some libraries do not raise errors when their configuration is not accessible; this could happen when apparmor does not allow access to the configuration files. Due to how widespread openssl and gnutls are, the apparmor rules now grant access to their configuration files by default. Their system-wide configuration will therefore be followed better.

Deprecation and disablement of 1024-bit RSA APT repository signing keys

APT in 24.04 requires repositories to be signed with RSA keys no smaller than 2048 bits, Ed25519, or Ed448. As work to resign old Launchpad PPAs with stronger keys is still ongoing for some weeks, this is initially only a warning. Once Launchpad PPAs have been resigned, you will need to manually migrate any affected PPAs to new signing keys by removing and re-adding them to quiesce the warning. The final APT 2.8.0 release that converts the warning to an error should be published as a stable release update some time after the resigning is complete.
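
An added example (not part of the release notes and not APT's own code): a shell function that reads GnuPG's --with-colons key listing and flags keys outside the policy described above (RSA of at least 2048 bits, Ed25519 or Ed448). The function names are hypothetical and the records in sample_keys are constructed.

```shell
# Flag repository keys that fall outside the policy stated above:
# RSA >= 2048 bits, Ed25519 or Ed448. Reads `gpg --with-colons` records
# on stdin (field 3 = key length, 4 = algorithm id, 5 = key id,
# 17 = curve name; algorithm 1 is RSA, 22 is EdDSA).
audit_apt_keys() {
  awk -F: '
    $1 == "pub" || $1 == "sub" {
      ok = 0
      if ($4 == 1 && $3 + 0 >= 2048) { ok = 1 }
      if ($4 == 22 && ($17 == "ed25519" || $17 == "ed448")) { ok = 1 }
      if (!ok) {
        printf "WEAK %s algo=%s bits=%s curve=%s\n", $5, $4, $3, ($17 == "" ? "-" : $17)
      }
    }'
}

# Constructed sample records (not real keys): a 1024-bit RSA key,
# a 4096-bit RSA key, an Ed25519 key and a 1024-bit DSA key.
sample_keys() {
  cat <<'EOF'
pub:-:1024:1:AAAAAAAAAAAA1024:1262304000:::-:::scSC::::::23::0:
uid:-::::1262304000::0000000000000000000000000000000000000000::Constructed Old PPA::::::::::0:
pub:-:4096:1:BBBBBBBBBBBB4096:1600000000:::-:::scSC::::::23::0:
pub:-:255:22:CCCCCCCCCCCC0255:1700000000:::-:::scSC:::::ed25519:::0:
pub:-:1024:17:DDDDDDDDDDDD0017:1100000000:::-:::scSC::::::23::0:
EOF
}

# Demonstration on the constructed records.
sample_keys | audit_apt_keys

# On a real system, feed it the keyrings APT trusts, for example:
#   gpg --show-keys --with-colons /etc/apt/trusted.gpg.d/*.gpg | audit_apt_keys
```

Any key reported as WEAK belongs to a repository that will need the remove-and-re-add migration described above once the warning becomes an error.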

pptpd removed

pptpd and bcrelay have been removed.

OpenSSH with reduced dependencies

Following the XZ-utils backdoor, OpenSSH in Ubuntu no longer depends on libsystemd, reducing the number of dependencies and making it less prone to future security issues.

Package security-hardening improvements

Packages are now built with security-hardening features which stop many undiscovered security vulnerabilities, rendering them unexploitable.

- The gcc compiler and dpkg now default to -D_FORTIFY_SOURCE=3 instead of -D_FORTIFY_SOURCE=2, which greatly increases buffer overflow detection and mitigation.
- dpkg now defaults to -mbranch-protection=standard, which mitigates code reuse attacks on arm64.
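
For the unprivileged user namespace restrictions covered under Security Improvements, an added example (not part of the release notes): a shell function that reports whether the restriction is active at runtime and whether a sysctl drop-in, such as the 60-apparmor-namespace.conf file mentioned there, turns it off persistently. The function name and its root-directory argument are hypothetical; the argument exists so the check can be run against a constructed directory tree.

```shell
# Report the state of the AppArmor unprivileged-userns restriction.
# $1 = filesystem root to inspect (default "/").
# Returns 0 when the restriction is on and nothing disables it, 1 otherwise.
userns_restriction_audit() {
  root=${1:-/}
  root=${root%/}
  knob="$root/proc/sys/kernel/apparmor_restrict_unprivileged_userns"
  bad=0

  # Runtime state: 1 means the restriction described above is enforced.
  if [ -r "$knob" ]; then
    if [ "$(cat "$knob")" = "1" ]; then
      echo "runtime: restricted"
    else
      echo "runtime: NOT restricted"
      bad=1
    fi
  else
    echo "runtime: knob absent"
    bad=1
  fi

  # Persistent state: any sysctl file that sets the knob to 0.
  for f in "$root"/etc/sysctl.d/*.conf "$root"/etc/sysctl.conf; do
    [ -r "$f" ] || continue
    if grep -Eq '^[[:space:]]*kernel\.apparmor_restrict_unprivileged_userns[[:space:]]*=[[:space:]]*0' "$f"; then
      echo "persistent override: $f"
      bad=1
    fi
  done

  return "$bad"
}

# Usage on a live system:
#   userns_restriction_audit / || echo "user namespace mitigation is weakened"
```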