Release 2022_028 (2022-11-14)

• Note that two vulnerabilities affecting sudo (CVE-2022-43995) and sqlite (CVE-2022-35737) on all platforms have been published. Fixes are available for platform versions starting with 21.05. Older platform versions will not be patched anymore. For 22.05, the fixes have been already rolled out with earlier releases.

  Even if we don’t expect them to have an immediate security impact as they require local access or massive amounts of data passed to a C API in the sqlite case, we still recommend updating as soon as possible. Please upgrade to our current platform version 22.05 or at least 21.05, which is the oldest patched version.

  If you have pinned nixpkgs in your deployments/environments, as described in User Package Management, please update these as well, also to include the fix for OpenSSL 3 from the previous 22.05 release.

Impact

• [NixOS 22.05] Matomo will be restarted.

• [NixOS 21.11] Most services will restart because of a core dependency change.

• [NixOS 21.05] Most services will restart because of a core dependency change.

NixOS 22.05 platform

• matomo: update to 4.12.3 (#PL-131051).

• Production channel URL for this release: https://hydra.flyingcircus.io/build/206047/download/1/nixexprs.tar.xz

NixOS 21.11 platform

• sqlite: fix CVE-2022-35737 (#PL-131029).

• sudo: add patch for CVE-2022-43995 (#PL-131049).

• Production channel URL for this release: https://hydra.flyingcircus.io/build/205335/download/1/nixexprs.tar.xz

NixOS 21.05 platform

• sqlite: fix CVE-2022-35737 (#PL-131029).

• sudo: add patch for CVE-2022-43995 (#PL-131049).

• Production channel URL for this release: https://hydra.flyingcircus.io/build/205431/download/1/nixexprs.tar.xz

Detailed Changes

• NixOS 22.05: platform code

• NixOS 21.11: platform code

• NixOS 21.05: platform code