Release 2023_033_1 (2023-12-18)

Impact

  • [NixOS 23.05] VMs will reboot after the update to activate the changed kernel.

NixOS 23.11 platform

This is the first production release of the 23.11 platform. The default for new production VMs is still 23.05; this will be changed in the coming weeks.

See Platform Upgrades & What’s New for things to consider before upgrading, significant changes and new package versions.

We rolled out the upgrade to most of the customer staging systems on Thursday, 2023-12-05.

The following changes were added after the staging roll-out:

  • [hotfix] openssh: update to 9.6p1 to fix the SSH vulnerability “Terrapin”. This was released on 2023-12-20 as a hotfix to staging/production (PL-132033).

  • agent: increase the file descriptor limit for system builds. We have seen crashes of the fc-update-channel service on a single customer VM with a high number of Let's Encrypt certificates (PL-131964).

  • devhost: add a new feature to use VMs instead of containers. The new feature is not enabled by default (PL-131470).

  • lamp: Enable the PHP-FPM slowlog by default (PL-131946).

  • mailserver: the role now requires TLS version 1.2 or later, both when acting as an SMTP server and as an SMTP client. Encryption itself is still optional by default (PL-131937).

  • webgateway/nginx: add warnings for deprecated features which are planned for removal with the 24.05 platform version: masterUser = "root", JSON config in /etc/local/nginx and the listenAddress/listenAddress6 options (PL-131984).

  • webgateway/nginx: add an option flyingcircus.services.nginx.logPerVirtualHost to enable per-vhost access and error logs in nginx under /var/log/nginx/access-<vhost-name>.log and /var/log/nginx/error-<vhost-name>.log respectively. This is the new default behavior (PL-131947).

  • webproxy: Added multi-host functionality via flyingcircus.services.varnish (PL-131840).

  • Pull upstream NixOS changes, security fixes and package updates (PL-131990):

    • chromedriver: 119.0.6045.105 -> 120.0.6099.71

    • chromium: 119.0.6045.199 -> 120.0.6099.71

    • element-web: 1.11.50 -> 1.11.51

    • gitlab-container-registry: 3.85.0 -> 3.86.2

    • gitlab: 16.5.1 -> 16.5.3

    • keycloak: 22.0.5 -> 23.0.0

    • linux_5_15: 5.15.140 -> 5.15.142

    • mastodon: 4.2.1 -> 4.2.3

    • opensearch: 2.11.0 -> 2.11.1

    • qemu: 8.1.2 -> 8.1.3

    • python312: 3.12.0 -> 3.12.1 (CVE-2023-6507)

    • tomcat10: 10.1.15 -> 10.1.16

    • tomcat9: 9.0.82 -> 9.0.83

    • webkitgtk: 2.42.2 -> 2.42.3 (CVE-2023-42916, CVE-2023-42917)

  • Production channel URL for this release: https://hydra.flyingcircus.io/build/346984/download/1/nixexprs.tar.xz

NixOS 23.05 platform

  • [hotfix] openssh: update to 9.6p1 to fix the SSH vulnerability “Terrapin”. This was released on 2023-12-20 as a hotfix to staging/production (PL-132033).

  • Pull upstream NixOS changes, security fixes and package updates (PL-131990):

    • chromedriver: 119.0.6045.105 -> 120.0.6099.71

    • chromium: 119.0.6045.159 -> 120.0.6099.71

    • element-web: 1.11.47 -> 1.11.51

    • gitlab-container-registry: 3.85.0 -> 3.86.2

    • gitlab: 16.5.1 -> 16.5.3

    • linux_5_15: 5.15.139 -> 5.15.142

    • mastodon: 4.1.10 -> 4.1.11

    • nss_latest: 3.94 -> 3.95

    • webkitgtk: 2.42.2 -> 2.42.3

  • Production channel URL for this release: https://hydra.flyingcircus.io/build/347002/download/1/nixexprs.tar.xz
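Both platform sections above carry the Terrapin hotfix (openssh 9.6p1). The following is an added example, not part of these release notes or of the platform's own tooling, that a practitioner can use to confirm the hotfix has actually landed on a VM: it parses the banner that `ssh -V` prints and compares it against 9.6p1. The host names and banners in SAMPLE_BANNERS are constructed for illustration; the only real command used is `ssh -V`. A version check is an inventory check only: it says nothing about which key exchange a given connection negotiated, so it complements rather than replaces reviewing the SSH configuration of both peers.

```python
import re
import subprocess

# Minimum OpenSSH version carried by the Terrapin hotfix in this release (9.6p1).
REQUIRED = (9, 6, 1)

# Matches the version token in an `ssh -V` banner, e.g. "OpenSSH_9.6p1, OpenSSL ...".
# The "p<n>" patch level is optional because some builds print only "OpenSSH_9.6".
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner: str):
    """Return (major, minor, patchlevel) parsed from an `ssh -V` banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    # A missing patch level counts as 0, so "9.6" sorts below "9.6p1".
    return (int(major), int(minor), int(patch or 0))


def is_patched(banner: str, required=REQUIRED) -> bool:
    """True when the banner reports a version at or above the hotfix version."""
    version = parse_openssh_version(banner)
    return version is not None and version >= required


def local_ssh_banner() -> str:
    """Run `ssh -V` on this host. OpenSSH prints its version banner on stderr."""
    try:
        proc = subprocess.run(["ssh", "-V"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return ""  # no ssh binary at all: treated as unpatched by is_patched()
    return proc.stderr or proc.stdout


def audit(banners: dict) -> dict:
    """Map host name -> patched? for a batch of banners collected from an inventory."""
    return {host: is_patched(banner) for host, banner in banners.items()}


# Constructed sample banners (hypothetical hosts) showing each outcome.
SAMPLE_BANNERS = {
    "vm-a.example": "OpenSSH_9.6p1, OpenSSL 3.0.12 24 Oct 2023",   # hotfix present
    "vm-b.example": "OpenSSH_9.5p1, OpenSSL 3.0.12 24 Oct 2023",   # pre-hotfix
    "vm-c.example": "OpenSSH_9.6, OpenSSL 3.0.12 24 Oct 2023",     # no patch level: below 9.6p1
}

if __name__ == "__main__":
    for host, ok in audit(SAMPLE_BANNERS).items():
        print(f"{host}: {'patched' if ok else 'NEEDS UPDATE'}")
    local = local_ssh_banner()
    print("local host:", "patched" if is_patched(local) else "NEEDS UPDATE", f"({local.strip()})")
```

Running the script prints one line per sample host plus the verdict for the machine it runs on; feeding `audit()` a dictionary of banners gathered from your own hosts gives a quick fleet-wide view of which VMs still need the hotfix.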

Detailed Changes