Release 2022_013 (2022-05-09)

Impact

• [NixOS 21.11] Most services will be restarted because of a core dependency change. Machines will schedule a reboot to activate the changed kernel.

• [NixOS 21.05] Networking services will be restarted and connectivity may be down for a short period of time.

NixOS 21.11 platform

• fc-agent: restructured fc-manage and fc-maintenance commands, along with improvements to command output and logging: fc-manage has new sub commands update-enc and switch. They cover the same functionality as the old (-b -c -e) commands which are still present. Service users now may sudo run fc-maintenance list/show/delete to look at and delete maintenance requests (#PL-130441).

• Fix an Apache FPM configuration issue: FPM pools would get confused and keepalive connections could block workers indefinitely. Disable FPM proxy connection reuse (#PL-130609).

• Gitlab: don’t overwrite existing certificates for the container registry anymore.

• Jitsi: update all packages to latest stable versions (jitsi-meet-2.0.7210, 2022-04-18) (#PL-130591).

• Pull upstream NixOS changes that include security fixes and other updates (#PL-130595, #PL-130610):

  • cifs-utils: fix information disclosure in logger (CVE-2022-29869)

  • cifs-utils: patch buffer-overflow in ip param handling (CVE-2022-27239)

  • docker: 20.10.13 -> 20.10.14

  • element-web: 1.10.10 -> 1.10.11

  • git: 2.33.1 -> 2.33.3 (CVE-2022-24765)

  • gitlab: 14.9.2 -> 14.9.4

  • grafana: 8.4.6 -> 8.4.7

  • gzip: 1.11 -> 1.12 (CVE-2022-1271)

  • imagemagick: 7.1.0-26 -> 7.1.0-31

  • libarchive: add patches for CVE-2022-26280, OSS Fuzz issue 38764

  • libtiff: add patches for multiple CVEs (CVE-2022-0891, CVE-2022-0865, CVE-2022-0924, CVE-2022-0907, CVE-2022-0909, CVE-2022-0908)

  • linux: 5.10.111 -> 5.10.113

  • matrix-synapse: 1.56.0 -> 1.57.0

  • nginxStable: add patch for CVE-2021-3618

  • openjdk: 11.0.12+7 -> 11.0.15.+10

  • openjdk: 17.0.1+12 -> 17.0.3.+7

  • python310: 3.10.3 -> 3.10.4

  • python39: 3.9.11 -> 3.9.12

  • ruby_2_7: 2.7.5 -> 2.7.6 (CVE-2022-28739)

  • ruby_3_0: 3.0.3 -> 3.0.4 (CVE-2022-28738, CVE-2022-28739)

• Production channel URL for this release: https://hydra.flyingcircus.io/build/157876/download/1/nixexprs.tar.xz

NixOS 21.05 platform

• Port Qemu/KVM server role to NixOS (#PL-127635).

• Nginx: the number of worker processes is determined by the number of CPU as before but limited to 12 now. The number is configurable via the new option flyingcircus.services.nginx.workerProcesses (#PL-127635).

• Production channel URL for this release: https://hydra.flyingcircus.io/build/158017/download/1/nixexprs.tar.xz

Detailed Changes

• NixOS 21.11: platform code, upstream changes

• NixOS 21.05: platform code