Release 2021_040 (2021-12-16)

Impact

  • [NixOS 21.05] Postgresql, Elasticsearch and Grafana will be restarted.

  • [NixOS 21.05] Jitsi will be restarted and running conferences will be interrupted for some seconds.

  • [NixOS 20.09] Elasticsearch will be restarted.

NixOS 21.05 platform

  • [hotfix] graylog: update to 3.3.15 which contains the log4j2 fix for CVE-2021-44228. Systems using Graylog are already protected by the "-Dlog4j2.formatMsgNoLookups=true" setting we have rolled out (#PL-130250).

  • Improve backup restore utilities to allow restore operations while backups are running (#PL-129786).

  • Improve backup restore utilities memory usage to allow single file restore working on extremely large multi-terabyte volumes (#PL-130044).

  • Jitsi: update package versions to latest stable release and tune video stream settings to improve quality and stability. Add an option to activate the pre-join page which allows users to check their audio/video and change settings before the conference starts (#PL-130249).

  • Elasticsearch: fix log4j2 CVE-2021-44228 by setting -Dlog4j2.formatMsgNoLookups=true. Without this, Elasticsearch is susceptible to a minor information leak about the system environment. Remote code execution was never possible via Elasticsearch (#PL-130251).

  • Pull upstream NixOS changes that include security fixes and other updates (#PL-130255):

    • nss: 3.64 -> 3.68.1

    • nss_latest: 3.71 -> 3.73

    • nspr: 4.30 -> 4.32

    • strace: 5.14 -> 5.15

    • grafana: 7.5.11 -> 7.5.12 (CVE-2021-43813)

  • Production channel URL for this release: https://hydra.flyingcircus.io/build/121678/download/1/nixexprs.tar.xz

NixOS 20.09 platform

  • Elasticsearch: fix log4j2 CVE-2021-44228 by setting -Dlog4j2.formatMsgNoLookups=true. Without this, Elasticsearch is susceptible to a minor information leak about the system environment. Remote code execution was never possible via Elasticsearch (#PL-130251).

  • Production channel URL for this release: https://hydra.flyingcircus.io/build/121594/download/1/nixexprs.tar.xz

Detailed Changes