Release 2022_013 (2022-05-09)

Impact

  • [NixOS 21.11] Most services will be restarted because of a core dependency change. Machines will schedule a reboot to activate the changed kernel.

  • [NixOS 21.05] Networking services will be restarted and connectivity may be down for a short period of time.

NixOS 21.11 platform

  • fc-agent: restructured fc-manage and fc-maintenance commands, along with improvements to command output and logging: fc-manage has new sub commands update-enc and switch. They cover the same functionality as the old (-b -c -e) commands which are still present. Service users now may sudo run fc-maintenance list/show/delete to look at and delete maintenance requests (#PL-130441).

  • Fix an Apache FPM configuration issue: FPM pools would get confused and keepalive connections could block workers indefinitely. Disable FPM proxy connection reuse (#PL-130609).

  • Gitlab: don’t overwrite existing certificates for the container registry anymore.

  • Jitsi: update all packages to latest stable versions (jitsi-meet-2.0.7210, 2022-04-18) (#PL-130591).

  • Pull upstream NixOS changes that include security fixes and other updates (#PL-130595, #PL-130610):

    • cifs-utils: fix information disclosure in logger (CVE-2022-29869)

    • cifs-utils: patch buffer-overflow in ip param handling (CVE-2022-27239)

    • docker: 20.10.13 -> 20.10.14

    • element-web: 1.10.10 -> 1.10.11

    • git: 2.33.1 -> 2.33.3 (CVE-2022-24765)

    • gitlab: 14.9.2 -> 14.9.4

    • grafana: 8.4.6 -> 8.4.7

    • gzip: 1.11 -> 1.12 (CVE-2022-1271)

    • imagemagick: 7.1.0-26 -> 7.1.0-31

    • libarchive: add patches for CVE-2022-26280, OSS Fuzz issue 38764

    • libtiff: add patches for multiple CVEs (CVE-2022-0891, CVE-2022-0865, CVE-2022-0924, CVE-2022-0907, CVE-2022-0909, CVE-2022-0908)

    • linux: 5.10.111 -> 5.10.113

    • matrix-synapse: 1.56.0 -> 1.57.0

    • nginxStable: add patch for CVE-2021-3618

    • openjdk: 11.0.12+7 -> 11.0.15.+10

    • openjdk: 17.0.1+12 -> 17.0.3.+7

    • python310: 3.10.3 -> 3.10.4

    • python39: 3.9.11 -> 3.9.12

    • ruby_2_7: 2.7.5 -> 2.7.6 (CVE-2022-28739)

    • ruby_3_0: 3.0.3 -> 3.0.4 (CVE-2022-28738, CVE-2022-28739)

  • Production channel URL for this release: https://hydra.flyingcircus.io/build/157876/download/1/nixexprs.tar.xz

NixOS 21.05 platform

  • Port Qemu/KVM server role to NixOS (#PL-127635).

  • Nginx: the number of worker processes is determined by the number of CPU as before but limited to 12 now. The number is configurable via the new option flyingcircus.services.nginx.workerProcesses (#PL-127635).

  • Production channel URL for this release: https://hydra.flyingcircus.io/build/158017/download/1/nixexprs.tar.xz

Detailed Changes