Release 2023_018 (2023-08-01)

Impact

  • [NixOS 23.05] Most services will be restarted because of a core dependency change. Machines will schedule a reboot to activate the changed kernel.

  • [NixOS 22.11] PHP-FPM services will be restarted. Machines will schedule a reboot to activate the changed kernel.

NixOS 23.05 platform

  • ssh: remove diffie-hellman-group-exchange-sha256 key exchange algorithm because of a bug in openssh which weakens security. The algorithm can be added again by setting services.openssh.settings.KexAlgorithms = [ "diffie-hellman-group-exchange-sha256" ]; if old clients should require it. This also adds the diffie-hellman-group16-sha512 and diffie-hellman-group18-sha512 kex algorithms (PL-131620).

  • agent: improve scheduling of maintenance activities for system updates and VM property changes (memory, CPU cores). The main change is that activities can be merged/updated now. As a result, the number of reboots is reduced and multiple pending updates can be applied faster. Activities can be cancelled if they are no longer effective, for example if a memory change is requested in error and reset to the previous value some time later. Reboots for kernel updates now happen directly after system updates, avoiding scheduling another maintenance for the reboot. We also fixed the long-standing bug that delayed activities could be executed outside of maintenance windows. Activities that are overdue (more than 30min after planned time) are postponed for at least 8 hours and scheduled again (PL-129777).

  • agent: handle special exit codes of maintenance enter commands (defined by flyingcircus.agent.maintenance.enter.*) correctly. They can now use EXIT_POSTPONE (69) or EXIT_TEMPFAIL (75) to stop execution before maintenance requests are run, typically when pre-conditions are not met. This is currently not used by platform code but will be useful to prevent redundant machines from having service interruptions caused by automated maintenance at the same time (PL-130625).

  • python: re-enable the crypt module for obsolete Python version 2.7 to fix compatibility with legacy applications (PL-131527).

  • Enable and configure fail2ban to reduce the impact of brute force attacks against SSH (PL-131632).

  • Pull upstream NixOS changes, security fixes and package updates (PL-131648, PL-131663):

    • asterisk: apply patch for pjsip (CVE-2023-27585)

    • docker: 20.10.23 -> 20.10.25 (CVE-2023-28841, CVE-2023-28840, CVE-2023-28842)

    • docker: starting containers with a local connection with the CLI

    • element-web: 1.11.35 -> 1.11.36 (CVE-2023-37259)

    • ghostscript: 10.01.1 -> 10.01.2 (CVE-2023-36664)

    • github-runner: 2.305.0 -> 2.306.0

    • grafana: 9.5.5 -> 9.5.6

    • imagemagick: 7.1.1-12 -> 7.1.1-14

    • iperf: 3.13 -> 3.14 (CVE-2023-38403)

    • keycloak: 21.1.1 -> 21.1.2

    • linux: 6.1.37 -> 6.1.41

    • mastodon: 4.1.3 -> 4.1.4

    • matrix-synapse: 1.86.0 -> 1.88.0

    • openssh: 9.3p1 -> 9.3p2

    • qemu: 8.0.0 -> 8.0.2

    • redis: 7.0.11 -> 7.0.12 (CVE-2022-24834, CVE-2023-36824)

  • Production channel URL for this release: https://hydra.flyingcircus.io/build/284243/download/1/nixexprs.tar.xz

NixOS 22.11 platform

  • Pull upstream NixOS changes, security fixes and package update (PL-131648):

    • imagemagick: 7.1.1-11 -> 7.1.1-12

    • linux: 5.15.118 -> 5.15.119

  • python: re-enable the crypt module for obsolete Python version 2.7 to fix compatibility with legacy applications (PL-131527).

  • Production channel URL for this release: https://hydra.flyingcircus.io/build/284041/download/1/nixexprs.tar.xz

Detailed Changes