Release 2022_023 (2022-09-26)

Impact

• [NixOS 22.05] PostgreSQL, matrix-synapse, nextcloud and Gitlab will be restarted. Machines will schedule a reboot to activate the changed kernel.

NixOS 22.05 platform

• webgateway/nginx: set HTTP version to 1.1 (before: 1.0) and timeouts to 60s (before: 90s) in recommendedProxySettings which are enabled by default. The timeout can be changed via the new services.nginx.proxyTimeout option. The switch to HTTP/1.1 fixes HTTP 413 responses from haproxy when Nginx passes a GET requests with a request body. haproxy stopped to accept these requests via HTTP/1.0 starting with version 2.5 because they could be a security risk. You may want to check plain nginx config in /etc/local/nginx and change these settings accordingly or remove them to use the defaults (#PL-130875).

• Fix a logrotate config check failure when extraRules are defined but no separateFacilities (#PL-130890).

• Improve init process for new machines which fixes an issue with unusable machines bootstrapped on 22.05 in production. The changes also increase reliability of the process and shortens the time until a VM reaches desired states. SSH access to new machines now works earlier (using an IP address, DNS may still take some time for new machines) (#PL-130893).

• Write state version (currently equal to the platform version: 22.05) to /etc/local/nixos/state_version. This has no effect for now but allows us to manage platform upgrades better in the future (#PL-130893).

• Fix broken httpd.service and nginx.service unit files when the services are not enabled. This caused confusing (“has a bad unit file setting”) error messages (#PL-130503).

• Pull upstream NixOS changes that include security fixes and other updates (#PL-130892):

  • element-web: 1.11.4 -> 1.11.5

  • gcc12: 12.1.0 -> 12.2.0

  • git: 2.36.0 -> 2.36.2, fix CVE-2022-29187

  • github-runner: 2.295.0 -> 2.296.2

  • gitlab: 15.2.2 -> 15.3.3

  • go_1_17: 1.17.10 -> 1.17.13

  • go_1_18: 1.18.2 -> 1.18.6

  • grafana: 8.5.9 -> 8.5.11 (CVE-2022-31176)

  • imagemagick: 7.1.0-46 -> 7.1.0-48

  • inetutils: add patch for CVE-2022-39028

  • k3s: 1.23.6+k3s1 -> 1.23.10+k3s1

  • libtiff: patch CVE-2022-{2867,2868,2869}

  • linux: 5.10.136 -> 5.10.143

  • matrix-synapse: 1.65.0 -> 1.67.0

  • nextcloud24: 24.0.4 -> 24.0.5

  • nss_latest: 3.81 -> 3.82

  • podman: 4.1.1 -> 4.2.0

  • postgresql_10: 10.21 -> 10.22

  • postgresql_11: 11.16 -> 11.17

  • postgresql_12: 12.11 -> 12.12

  • postgresql_13: 13.7 -> 13.8

  • postgresql_14: 14.4 -> 14.5

  • qemu: add patch for CVE-2020-14394

  • qemu: add patches for CVE-2022-0216

  • rsync: 3.2.3 -> 3.2.5

  • samba: 4.15.5 -> 4.15.9

  • vim: 8.2.5172 -> 9.0.0244, fix CVE-2022-25{22,71,8{0,1},98}

• Production channel URL for this release: https://hydra.flyingcircus.io/build/190932/download/1/nixexprs.tar.xz

NixOS 21.11 platform

• Write state version (currently equal to the platform version: 21.11) to /etc/local/nixos/state_version. This has no effect for now but allows us to manage platform upgrades better in the future (#PL-130893).

• Production channel URL for this release: https://hydra.flyingcircus.io/build/190759/download/1/nixexprs.tar.xz

Detailed Changes

• NixOS 22.05: platform code, upstream changes

• NixOS 21.11: platform code