Release 2021_009 (2021-03-22)

Impact

• [NixOS 20.09] Many services will be restarted due to binutils and openssl update.

• [NixOS 20.09] VM will schedule a reboot to activate the kernel update

NixOS 20.09 platform

• Gitlab: update to 13.8.6 (#PL-129734).

• Only run ACME/Letsencrypt cert renewal client when the certificate needs a refresh. This reduces the need to contact the Letsencrypt API which is sometimes slow or has outages. Also reduces the number of Nginx reloads that are triggered by the renewal code (#PL-129706).

• Merge upstream NixOS changes that include security fixes and other updates (#PL-129728):

  • binutils: fix CVE-2018-20623, CVE-2018-20651, CVE-2018-20671, CVE-2020-35493, CVE-2020-35494, CVE-2020-35495, CVE-2020-35496, CVE-2020-35497

  • ffmpeg: 4.3.1 -> 4.3.2 (CVE-2020-35964, CVE-2020-35965)

  • git: 2.29.2 -> 2.29.3 (CVE-2021-21300)

  • grafana: 7.4.1 -> 7.4.3

  • linux: 5.4.100 -> 5.4.104

  • openssl: 1.1.1i -> 1.1.1j (CVE-2021-23839, CVE-2021-23840, CVE-2021-23841)

  • python27: fix CVE-2021-3177

  • python36: 3.6.12 -> 3.6.13

  • python37: 3.7.9 -> 3.7.10

  • python38: 3.8.5 -> 3.8.6

  • python39: 3.9.1 -> 3.9.2

  • pythonPackages.pyyaml: fix CVE-2020-1434

  • re2c: fix CVE-2018-21232

Detailed Changes

• NixOS 20.09: platform code, nixpkgs/upstream changes