Release 2023_033_1 (2023-12-18)#
Impact#
[NixOS 23.05] VMs will reboot after the update to activate the changed kernel.
NixOS 23.11 platform#
This is the first production release of the 23.11 platform. The default for new production VMs is still 23.05 which will be changed in the coming weeks.
See Platform Upgrades & What’s New for things to consider before upgrading, significant changes and new package versions
We rolled out the upgrade to most of the customer staging systems on Thursday, 2023-12-05.
The following changes were added after the staging roll-out:
[hotfix] openssh: update to 9.6p1 to fix SSH vulnerability “Terrapin”. This was released on 2023-12-20 as hotfix to staging/production (PL-132033).
agent: increase file descriptor limit for system builds. We have seen crashes of the
fc-update-channel
service on a single customer VM with a high number of Letsencrypt certificates (PL-131964).devhost: Add new feature to use VMs instead of containers. The new feature is not enabled by default (PL-131470).
lamp: Enable the PHP-FPM slowlog by default (PL-131946).
mailserver the role now requires TLS versions 1.2 and later both when acting as an SMTP server and SMTP client. Encryption is still optional by default (PL-131937).
webgateway/nginx: add warnings for deprecated features which are planned for removal with the 24.05 platform version:
masterUser = "root"
, JSON config in/etc/local/nginx
and thelistenAddress
/listenAddress6
options (PL-131984).webgateway/nginx: add an option
flyingcircus.services.nginx.logPerVirtualHost
to enable per-vhost access and error logs in nginx under/var/log/nginx/access-<vhost-name>.log
and/var/log/nginx/error-<vhost-name>.log
respectively. This is the new default behavior (PL-131947).webproxy: Added multi-host functionality via
flyingcircus.services.varnish
(PL-131840).Pull upstream NixOS changes, security fixes and package updates (PL-131990):
chromedriver: 119.0.6045.105 -> 120.0.6099.71
chromium: 119.0.6045.199 -> 120.0.6099.71
element-web: 1.11.50 -> 1.11.51
gitlab-container-registry: 3.85.0 -> 3.86.2
gitlab: 16.5.1 -> 16.5.3
keycloak: 22.0.5 -> 23.0.0
linux_5_15: 5.15.140 -> 5.15.142
mastodon: 4.2.1 -> 4.2.3
opensearch: 2.11.0 -> 2.11.1
qemu: 8.1.2 -> 8.1.3
python312: 3.12.0 -> 3.12.1 (CVE-2023-6507)
tomcat10: 10.1.15 -> 10.1.16
tomcat9: 9.0.82 -> 9.0.83
webkitgtk: 2.42.2 → 2.42.3 (CVE-2023-42916, CVE-2023-42917)
Production channel URL for this release: https://hydra.flyingcircus.io/build/346984/download/1/nixexprs.tar.xz
NixOS 23.05 platform#
[hotfix] openssh: update to 9.6p1 to fix SSH vulnerability “Terrapin”. This was released on 2023-12-20 as hotfix to staging/production (PL-132033).
Pull upstream NixOS changes, security fixes and package updates (PL-131990):
chromedriver: 119.0.6045.105 -> 120.0.6099.71
chromium: 119.0.6045.159 -> 120.0.6099.71
element-web: 1.11.47 -> 1.11.51
gitlab-container-registry: 3.85.0 -> 3.86.2
gitlab: 16.5.1 -> 16.5.3
linux_5_15: 5.15.139 -> 5.15.142
mastodon: 4.1.10 -> 4.1.11
nss_latest: 3.94 -> 3.95
webkitgtk: 2.42.2 → 2.42.3
Production channel URL for this release: https://hydra.flyingcircus.io/build/347002/download/1/nixexprs.tar.xz
Detailed Changes#
NixOS 23.05: platform code, upstream changes