Release 2023_009 (2023-05-08)

Impact

• [NixOS 22.11] Most services will restarted because of a core dependency change. Machines will schedule a reboot to activate the changed kernel.

NixOS 22.11 platform

• matomo: add role matomo. Service supports external plugins and Tag Manager containers now. Migration of older Matomo installations is done automatically (PL-131353).

• Fix IPv6 networking after first boot by re-enabling automatic link-local address generation. This problem led to confusing networking problems with new machines which went away after the first reboot (PL-130011).

• Add opensearch and opensearch_dashboards roles, version 2.6.0. They are intended to replace Elasticsearch/Kibana 7.10.2 but the roles should only be used for new installations right now. We will provide a migration path from ES to OpenSearch later (PL-130611).

• Pull upstream NixOS changes, security fixes and package updates (PL-131463, PL-131472):

  • element-web: 1.11.29 -> 1.11.30 (CVE-2023-30609)

  • ghostscript: add patch for CVE-2023-28879

  • gitlab: 15.10.2 -> 15.11.2

  • grafana: 9.4.7 -> 9.4.9 (CVE-2023-1387, CVE-2023-28119)

  • imagemagick: 7.1.1-6 -> 7.1.1-8

  • keycloak: 20.0.3 -> 20.0.5 (CVE-2022-1274)

  • libtiff: add patches for many related CVEs

  • libxml2: 2.10.3 → 2.10.4 (CVE-2023-29469, CVE-2023-28484)

  • linux: 5.15.107 -> 5.15.109

  • matrix-synapse: 1.81.0 -> 1.82.0

  • php81: 8.1.17 -> 8.1.18

  • python310: 3.10.9 -> 3.10.11

  • python311: 3.11.1 -> 3.11.3

  • redis: 7.0.10 -> 7.0.11 (CVE-2023-28856)

  • screen: add patch from CVE-2023-24626

  • systemd: 251.13 -> 251.15

  • tcpdump: 4.99.1 -> 4.99.4

• Production channel URL for this release: https://hydra.flyingcircus.io/build/253806/download/1/nixexprs.tar.xz

Detailed Changes

• NixOS 22.11: platform code, upstream changes