As you may have heard, for a short period of time back in October, our download site was serving a malicious zip file instead of the torrents users expected to download.
This was caused by a malicious actor gaining access by brute forcing a vulnerable component of the WordPress installation that Canonical maintains for the team. Once they had access, they were able to inject the code that changed the download links.
Timeline of Events
The compromise was first reported on October 15, and Canonical’s infrastructure and security teams were alerted shortly afterward. The site was immediately locked down and the downloads page disabled, and an investigation began.
Between October 15 and October 19, the Canonical team worked to:
Identify the method used to obtain unauthorized access,
Remove all malicious code and injected files,
Roll back the affected pages to a verified clean state, and
Harden the WordPress instance to safeguard against further intrusion.
By October 19, community members confirmed that the malicious zip file had been removed and that the site was considered clean.
On November 11, Canonical provided the Xubuntu team with an incident summary confirming that the exploit path had been addressed, the system had been hardened, and that download access had been restored in a controlled, read-only mode to allow migration to a new static site.
Conclusion
To be perfectly clear: this only impacted our website, and the torrent links provided there.
If you downloaded or opened a file named “Xubuntu-Safe-Download.zip” from the Xubuntu downloads page during this period, you should assume it was malicious. We strongly recommend scanning your computer with a trusted antivirus or anti-malware solution and deleting the file immediately.
Nothing on cdimages.ubuntu.com or any of the other official Ubuntu repositories was impacted, and our mirrors remained safe as long as they were also mirroring from official resources.
None of the build systems, packages, or other components of Xubuntu itself were impacted.
Your currently installed version of Xubuntu was never at risk.
Still, this is obviously a serious breach of trust, and all of us on the Xubuntu team are incredibly sorry for the impact it caused. We took this all very seriously and have taken a close look at how we manage our online presence and what steps we can take as a team to prevent this sort of thing in the future.
Steps Forward
The biggest announcement is that we’ve decided to switch to Hugo, a static site generator which will completely eliminate the type of attack vector taken advantage of. This migration to a static site generator has actually been in the works for some time as our reliance upon the dynamic features of WordPress naturally reduced, but this situation compelled the team to get it completed. We will launch soon! The new static site has been launched and you are currently using it!
We’d also like to thank the Xubuntu community for how many of you responded to this situation. It was quickly reported in multiple places (Reddit, Matrix, IRC…) and multiple tickets ended up being raised with Canonical. From there, you helped each other: the ubuntu.com image locations were shared, advice was given on using checksums to verify downloads, and we saw an outpouring of support and reassurance from many people who were doing what they could to keep us all safe from malicious downloads. Thank you! This is the community we all love being a part of, and it helps the Xubuntu development team stay engaged and continue to bring Xubuntu to you, release after release.
It was also noted that Xubuntu itself cannot accept donations, but our developers can benefit from donations made via the Xfce project. Several of you did during this time, and we’re grateful for that.
As we launch our new website and close in on our next Long-Term Support (LTS) release in a few months, we’re excited to see our project continue to move forward with your support. And if you’re looking for a way to contribute, please bring your energy and skills to our contribute page to learn more about opportunities to join the team, we always need more contributors:
https://xubuntu.org/contribute/
Signed, Elizabeth K. Joseph, Pasi Lallinaho, and Sean Davis
The Xubuntu team is happy to announce the immediate release of Xubuntu 25.10.
Xubuntu 25.10, codenamed Questing Quokka, is a regular release and will be supported for 9 months, until July 2026.
Xubuntu 25.10, featuring the latest updates from Xfce 4.20 and GNOME 49.
Xubuntu 25.10 features the latest Xfce 4.20 and GNOME 49 updates. Xfce 4.20 updates feature stability improvements and enhanced Wayland support, for those adventurous enough to use it. GNOME 49 apps have received further polish and are well-suited for Xubuntu. MATE 1.26 apps are still included to round out Xubuntu’s office suite.
The final release images for Xubuntu Desktop and Xubuntu Minimal are available as torrents and direct downloads from [xubuntu.org/download/].
As the main server might be busy the first few days after the release, we recommend using the torrents if possible.
We want to thank everybody who contributed to this release of Xubuntu!
Highlights and Known Issues
Highlights
Xfce 4.20 components have received several stability improvements. Minor integration issues persist in Xubuntu 25.10 and will be addressed for 26.04, scheduled for release in April.
GNOME 49 apps are further refined with new features and usability improvements.
Known Issues
Some missing icons mean that libadwaita apps (modern GNOME style) have graphical glitches. Notably, the window close icons are blank (LP: #2125025), and Document Scanner is missing an icon for the scanner options (LP: #2127071).
The graphical SSH agent is unavailable due to a change in the GNOME Keyring Daemon (LP: #2125549).
Flatpak packages will refuse to install due to a conflict between AppArmor and libfuse (LP: #2122161). A fix is in progress.
Please refer to the Xubuntu Release Notes for more obscure known issues, information on affecting bugs, bug fixes, and a list of new package versions.
The main Ubuntu Release Notes cover many other packages we carry and more generic issues.
Support
For support with the release, navigate to Help & Support for a complete list of methods to get help.
The Xubuntu team is happy to announce the immediate release of Xubuntu 25.04.
Xubuntu 25.04, codenamed Plucky Puffin, is a regular release and will be supported for 9 months, until January 2026.
Xubuntu 25.04, featuring the latest updates from Xfce 4.20 and GNOME 48.
Xubuntu 25.04 features the latest Xfce 4.20, GNOME 48, and MATE 1.26 updates. Xfce 4.20 features many bug fixes and minor improvements, modernizing the Xubuntu desktop while maintaining a familiar look and feel. GNOME 48 apps are tightly integrated and have full support for dark mode. Users of QEMU and KVM will be delighted to find new stability with the desktop session—the long-running X server crash has been resolved in Xubuntu 25.04 and backported to all supported Xubuntu releases.
The final release images for Xubuntu Desktop and Xubuntu Minimal are available as torrents and direct downloads from [xubuntu.org/download/].
As the main server might be busy the first few days after the release, we recommend using the torrents if possible.
We want to thank everybody who contributed to this release of Xubuntu!
Highlights and Known Issues
Highlights
Xfce 4.20, released in December 2024, is included and contains many new features. Early Wayland support has been added, but is not available in Xubuntu.
GNOME 48 apps, including Font Viewer (gnome-font-viewer) and Mines (gnome-mines), include a refreshed appearance and usability improvements.
Known Issues
The shutdown prompt may not be displayed at the end of the installation. Instead you might just see a Xubuntu logo, a black screen with an underscore in the upper left hand corner, or just a black screen. Press Enter and the system will reboot into the installed environment. (LP: #1944519)
You may experience choppy audio or poor system performance while playing audio, but only in some virtual machines (observed in VMware and VirtualBox)
OEM installation options are not currently supported or available, but will be included for Xubuntu 24.04.1
For more obscure known issues, information on affecting bugs, bug fixes, and a list of new package versions, please refer to the Xubuntu Release Notes.
The main Ubuntu Release Notes cover many of the other packages we carry and more generic issues.
Support
For support with the release, navigate to Help & Support for a complete list of methods to get help.
The Xubuntu team is happy to announce the immediate release of Xubuntu 24.10.
Xubuntu 24.10, codenamed Oracular Oriole, is a regular release and will be supported for 9 months, until July 2025.
Xubuntu 24.10, featuring the latest updates from Xfce 4.19 and GNOME 47.
Xubuntu 24.10 features the latest updates from Xfce 4.19, GNOME 47, and MATE 1.26. For Xfce enthusiasts, you’ll appreciate the new features and improved hardware support found in Xfce 4.19. Xfce 4.19 is the development series for the next release, Xfce 4.20, due later this year. As pre-release software, you may encounter more bugs than usual. Users seeking a stable, well-supported environment should opt for Xubuntu 24.04 “Noble Numbat” instead.
The final release images for Xubuntu Desktop and Xubuntu Minimal are available as torrents and direct downloads from [xubuntu.org/download/].
As the main server might be busy in the first few days after the release, we recommend using the torrents if possible.
We’d like to thank everybody who contributed to this release of Xubuntu!
Highlights and Known Issues
Highlights
Xfce 4.19 is included as a development preview of the upcoming Xfce 4.20. Among several new features, it features early Wayland support and improved scaling.
GNOME 47 apps, including Disk Usage Analyzer (baobab) and Sudoku (gnome-sudoku), include a refreshed appearance and usability improvements
Known Issues
The shutdown prompt may not be displayed at the end of the installation. Instead you might just see a Xubuntu logo, a black screen with an underscore in the upper left hand corner, or just a black screen. Press Enter and the system will reboot into the installed environment. (LP: #1944519)
Xorg crashes and the user is logged out after logging in or switching users on some virtual machines, including GNOME Boxes. (LP: #1861609)
You may experience choppy audio or poor system performance while playing audio, but only in some virtual machines (observed in VMware and VirtualBox)
OEM installation options are not currently supported or available, but will be included for Xubuntu 24.04.1
For more obscure known issues, information on affecting bugs, bug fixes, and a list of new package versions, please refer to the Xubuntu Release Notes.
The main Ubuntu Release Notes cover many of the other packages we carry and more generic issues.
Support
For support with the release, navigate to Help & Support for a complete list of methods to get help.
The Xubuntu team is happy to announce the immediate release of Xubuntu 24.04.
Xubuntu 24.04, codenamed Noble Numbat, is a long-term support (LTS) release and will be supported for 3 years, until 2027.
Xubuntu 24.04, featuring the latest updates from Xfce 4.18 and GNOME 46.
Xubuntu 24.04 features the latest updates from Xfce 4.18, GNOME 46, and MATE 1.26. For new users and those coming from Xubuntu 22.04, you’ll appreciate the performance, stability, and improved hardware support found in Xubuntu 24.04. Xfce 4.18 is stable, fast, and full of user-friendly features. Enjoy frictionless bluetooth headphone connections and out-of-the-box touchpad support. Updates to our icon theme and wallpapers make Xubuntu feel fresh and stylish.
The final release images for Xubuntu Desktop and Xubuntu Minimal are available as torrents and direct downloads from xubuntu.org/download/.
As the main server might be busy in the first few days after the release, we recommend using the torrents if possible.
We’d like to thank everybody who contributed to this release of Xubuntu!
Highlights and Known Issues
Highlights
Xfce 4.18 is included and well-polished since it’s initial release in December 2022
Xubuntu Minimal is included as an officially supported subproject
GNOME Software has been replaced by Snap Store and GDebi
Snap Desktop Integration is now included for improved snap package support
Firmware Updater has been added to enable firmware updates in Xubuntu is included to support firmware updates from the Linux Vendor Firmware Service (LVFS)
Thunderbird is now distributed as a Snap package
Ubiquity has been replaced by the Flutter-based Ubuntu Installer to provide fast and user-friendly installation
Pipewire (and wireplumber) are now included in Xubuntu
Improved hardware support for bluetooth headphones and touchpads
Color emoji is now included and supported in Firefox, Thunderbird, and newer Gtk-based apps
Significantly improved screensaver integration and stability
Known Issues
The shutdown prompt may not be displayed at the end of the installation. Instead you might just see a Xubuntu logo, a black screen with an underscore in the upper left hand corner, or just a black screen. Press Enter and the system will reboot into the installed environment. (LP: #1944519)
Xorg crashes and the user is logged out after logging in or switching users on some virtual machines, including GNOME Boxes. (LP: #1861609)
You may experience choppy audio or poor system performance while playing audio, but only in some virtual machines (observed in VMware and VirtualBox)
OEM installation options are not currently supported or available, but will be included for Xubuntu 24.04.1
For more obscure known issues, information on affecting bugs, bug fixes, and a list of new package versions, please refer to the Xubuntu Release Notes.
The main Ubuntu Release Notes cover many of the other packages we carry and more generic issues.
Support
For support with the release, navigate to Help & Support for a complete list of methods to get help.
