Release 2021_021 (2021-06-14)

Impact

• [NixOS 21.05] Most services will be restarted due to a core dependency change. VMs will schedule a reboot to activate the new kernel version.

• [NixOS 20.09] Most services will be restarted due to a core dependency change.

NixOS 21.05 platform

• Removed RabbitMQ 3.6.x roles and packages. Upgrade to RabbitMQ 3.8 before upgrading to NixOS 21.05 (#PL-129907).

• Provide optional PHP 8.0 for LAMP role (#PL-129902).

• Update tideways daemon and PHP modules to support PHP 8.0.

• Fix warning about duplicate /var/log line when rebuilding the system with fc-manage (#PL-129854).

• Redis: add options flyingcircus.services.redis.maxmemory and flyingcircus.services.redis.maxmemory-policy. Memory used by Redis is limited to 80% by default (#PL-115928).

• Telegraf: restart service after fc-manage when config in /etc/local/telegraf changes. Before, telegraf had to be restarted separately (#PL-129831).

• Merge upstream NixOS changes that include security fixes and other updates (#PL-129908):

  • gitlab: 13.12.0 -> 13.12.2

  • linux: 5.10.37 -> 5.10.40

  • lz4: patch CVE-2021-3520 and null pointer dereference

  • matrix-synapse: 1.34.0 -> 1.35.1

  • nix: 2.3.11 -> 2.3.12

  • php74: 7.4.18 -> 7.4.20

  • php80: 8.0.5 -> 8.0.7

  • phpPackages.composer: 2.1.0 -> 2.1.1

  • polkit: Fix authentication bypass vulnerability (CVE-2021-3560)

• Production channel URL for this release: https://hydra.flyingcircus.io/build/93226/download/1/nixexprs.tar.xz

NixOS 20.09 platform

• Merge upstream NixOS changes that include security fixes and other updates (#PL-129901):

  • cacert: 3.57 -> 3.66

  • imagemagick: 7.0.11-12 -> 7.0.11.13

  • lz4: patch CVE-2021-3520 and null pointer dereference

  • nginx: Fix off-by-one in DNS resolver heap write (CVE-2021-23017)

  • nss_latest: 3.63 -> 3.64

  • openvpn: 2.4.9 -> 2.4.11 (CVE-2020-15078)

  • php74.extensions.iconv: fix error signalling

  • polkit: Fix local privilege escalation vulnerability (CVE-2021-3560)

  • python3Packages.websockets: add patch for CVE-2018-1000518-redux

  • redis: 6.0.11 -> 6.0.13 (CVE-2021-29477, CVE-2021-29478)

  • samba: 4.12.14 -> 4.12.15 (CVE-2021-20254)

• Production channel URL for this release: https://hydra.flyingcircus.io/build/93404/download/1/nixexprs.tar.xz

Detailed Changes

• NixOS 21.05: platform code, upstream changes

• NixOS 20.09: platform code, nixpkgs/upstream changes