Release 2023_033_1 (2023-12-18)

Impact

  • [NixOS 23.05] VMs will reboot after the update to activate the changed kernel.

NixOS 23.11 platform

This is the first production release of the 23.11 platform. The default for new production VMs is still 23.05, which will be changed in the coming weeks.

See Platform Upgrades & What’s New for things to consider before upgrading, significant changes and new package versions.

We rolled out the upgrade to most of the customer staging systems on Thursday, 2023-12-05.

The following changes were added after the staging roll-out:

  • [hotfix] openssh: update to 9.6p1 to fix the SSH vulnerability “Terrapin”. This was released on 2023-12-20 as a hotfix to staging/production (PL-132033).

  • agent: increase file descriptor limit for system builds. We have seen crashes of the fc-update-channel service on a single customer VM with a high number of Letsencrypt certificates (PL-131964).

  • devhost: Add new feature to use VMs instead of containers. The new feature is not enabled by default (PL-131470).

  • lamp: Enable the PHP-FPM slowlog by default (PL-131946).

  • mailserver: the role now requires TLS versions 1.2 and later both when acting as an SMTP server and as an SMTP client. Encryption is still optional by default (PL-131937).

  • webgateway/nginx: add warnings for deprecated features which are planned for removal with the 24.05 platform version: masterUser = "root", JSON config in /etc/local/nginx and the listenAddress/listenAddress6 options (PL-131984).

  • webgateway/nginx: add an option flyingcircus.services.nginx.logPerVirtualHost to enable per-vhost access and error logs in nginx under /var/log/nginx/access-<vhost-name>.log and /var/log/nginx/error-<vhost-name>.log respectively. This is the new default behavior (PL-131947).

  • webproxy: Added multi-host functionality via flyingcircus.services.varnish (PL-131840).

  • Pull upstream NixOS changes, security fixes and package updates (PL-131990):

    • chromedriver: 119.0.6045.105 -> 120.0.6099.71

    • chromium: 119.0.6045.199 -> 120.0.6099.71

    • element-web: 1.11.50 -> 1.11.51

    • gitlab-container-registry: 3.85.0 -> 3.86.2

    • gitlab: 16.5.1 -> 16.5.3

    • keycloak: 22.0.5 -> 23.0.0

    • linux_5_15: 5.15.140 -> 5.15.142

    • mastodon: 4.2.1 -> 4.2.3

    • opensearch: 2.11.0 -> 2.11.1

    • qemu: 8.1.2 -> 8.1.3

    • python312: 3.12.0 -> 3.12.1 (CVE-2023-6507)

    • tomcat10: 10.1.15 -> 10.1.16

    • tomcat9: 9.0.82 -> 9.0.83

    • webkitgtk: 2.42.2 -> 2.42.3 (CVE-2023-42916, CVE-2023-42917)

  • Production channel URL for this release: https://hydra.flyingcircus.io/build/346984/download/1/nixexprs.tar.xz

NixOS 23.05 platform

  • [hotfix] openssh: update to 9.6p1 to fix the SSH vulnerability “Terrapin”. This was released on 2023-12-20 as a hotfix to staging/production (PL-132033).

  • Pull upstream NixOS changes, security fixes and package updates (PL-131990):

    • chromedriver: 119.0.6045.105 -> 120.0.6099.71

    • chromium: 119.0.6045.159 -> 120.0.6099.71

    • element-web: 1.11.47 -> 1.11.51

    • gitlab-container-registry: 3.85.0 -> 3.86.2

    • gitlab: 16.5.1 -> 16.5.3

    • linux_5_15: 5.15.139 -> 5.15.142

    • mastodon: 4.1.10 -> 4.1.11

    • nss_latest: 3.94 -> 3.95

    • webkitgtk: 2.42.2 -> 2.42.3

  • Production channel URL for this release: https://hydra.flyingcircus.io/build/347002/download/1/nixexprs.tar.xz

Detailed Changes