Release 2023_021 (2023-08-29)

Impact

  • [NixOS 23.05] Machines will reboot after the update to activate the changed kernel.

  • [NixOS 21.05] Machines will schedule a reboot to activate the changed kernel.

NixOS 23.05 platform

  • Pull upstream NixOS changes, security fixes and package updates (PL-131687, PL-131688):

    • cacert: 3.90 -> 3.92

    • element-web: 1.11.36 -> 1.11.38

    • gitlab-container-registry: 3.77.0 -> 3.79.0

    • go_1_19: 1.19.10 -> 1.19.12 (CVE-2023-29409)

    • go_1_20: 1.20.6 -> 1.20.7 (CVE-2023-29409)

    • linux: 6.1.43 -> 6.1.45

      • Fixes Inception (AMD) and Downfall (Intel) CPU vulnerabilities.

    • matrix-synapse: 1.89.0 -> 1.90.0

    • nix: 2.13.3 -> 2.13.5

    • nodejs_16: 16.20.1 -> 16.20.2 (CVE-2023-32002, CVE-2023-32006, CVE-2023-32559)

    • nodejs_18: 18.61.1 -> 18.17.1 (CVE-2023-32002, CVE-2023-32006, CVE-2023-32559)

    • nodejs_20: 20.3.1 -> 20.5.1 (CVE-2023-32002, CVE-2023-32004, CVE-2023-32006, CVE-2023-32558, …)

    • openssl: 3.0.9 -> 3.0.10 (CVE-2023-3817, CVE-2023-3446, CVE-2023-2975)

    • php82: 8.2.7 -> 8.2.9

    • postgresql_11: 11.20 -> 11.21 (CVE-2023-39417)

    • postgresql_12: 12.15 -> 12.16 (CVE-2023-39417)

    • postgresql_13: 13.11 -> 13.12 (CVE-2023-39417)

    • postgresql_14: 14.8 -> 14.9 (CVE-2023-39417)

    • postgresql_15: 15.3 -> 15.4 (CVE-2023-39417, CVE-2023-3941)

    • Note for all PostgreSQL versions: if you use BRIN indexes to look up NULL values, you will need to reindex them after upgrading to this release.

    • qemu: 8.0.2 -> 8.0.3

    • sysstat: add patch for CVE-2023-33204

  • Production channel URL for this release: https://hydra.flyingcircus.io/build/291513/download/1/nixexprs.tar.xz

NixOS 21.05 platform

Detailed Changes