Release 2024_001 (2024-01-08)

Impact

  • [NixOS 23.11] Machines will reboot after the update to activate the changed kernel.

  • [NixOS 23.05] Machines will reboot after the update to activate the changed kernel.

NixOS 23.11 platform

  • Make 23.11 the default platform version. New VMs created via the customer self-service portal are now running 23.11.

  • Pull upstream NixOS changes, security fixes and package updates (PL-132050):

    • chromedriver: 120.0.6099.71 -> 120.0.6099.129

    • chromium: 120.0.6099.71 -> 120.0.6099.129

    • consul: 1.16.3 -> 1.16.4

    • containerd: 1.7.9 -> 1.7.11

    • gitlab: 16.5.3 -> 16.5.4

    • grafana: 10.2.0 -> 10.2.2

    • grub: apply fixes for CVE-2023-4692 and CVE-2023-4693

    • jicofo: 1.0-1050 -> 1.0-1057

    • jitsi-meet: 1.0.7531 -> 1.0.7629

    • jitsi-videobridge: 2.3-59-g5c48e421 -> 2.3-61-g814bffd6

    • keycloak: 23.0.0 -> 23.0.3

    • linux_5_15: 5.15.142 -> 5.15.145

    • matrix-synapse: 1.97.0 -> 1.98.0

    • nss_latest: 3.95 -> 3.96.1

    • pdns: 4.8.3 -> 4.8.4

    • php81: 8.1.26 -> 8.1.27

    • php82: 8.2.13 -> 8.2.14

    • postfix: 3.8.3 -> 3.8.4 (CVE-2023-51764)

      • Security: this adds options for full SMTP smuggling attack protection which are disabled by default. Many forms of the attack are already prevented by default settings of our platform. See https://www.postfix.org/smtp-smuggling.html#long for more information.

    • slurm: 23.02.6.1 -> 23.02.7.1 (CVE-2023-49935, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938, CVE-2023-49933)

    • webkitgtk: 2.42.3 → 2.42.4

  • Introduce Maximilian Bosch as new global admin (FC-34774).

  • Improve the reliability of NFS during machine startup, both for clients and servers. As the network may not be 100% reliable during startup (e.g. name resolution not yet fully functional) we retry both export registration as well as mounts (PL-131563, PL-130113).

  • openssh: update to 9.6p1 to fix SSH vulnerability “Terrapin”. This was released on 2023-12-20 as hotfix to staging/production (PL-132033).

  • Production channel URL for this release: https://hydra.flyingcircus.io/build/352371/download/1/nixexprs.tar.xz

NixOS 23.05 platform

  • This is the last release with regular updates from upstream NixOS. We will still patch critical security issues ourselves but recommend upgrading to the 23.11 platform version to keep packages up-to-date.

  • Pull upstream NixOS changes, security fixes and package updates (PL-132050):

    • asterisk: 20.2.1 -> 20.5.1 (CVE-2023-49294, CVE-2023-49786, CVE-2022-23537)

    • cacert: 3.92 -> 3.95

    • chromedriver: 120.0.6099.71 -> 120.0.6099.129

    • chromium: 120.0.6099.71 -> 120.0.6099.129

    • ghostscript: 10.02.0 -> 10.02.1

    • grafana: 9.5.13 -> 9.5.15

    • grub: apply fixes for CVE-2023-4692 and CVE-2023-4693

    • linux_5_15: 5.15.142 -> 5.15.145

    • nss_latest: 3.95 -> 3.96

    • postfix: 3.8.2 -> 3.8.4 (CVE-2023-51764)

      • Security: this adds options for full SMTP smuggling attack protection which are disabled by default. Many forms of the attack are already prevented by default settings of our platform. See https://www.postfix.org/smtp-smuggling.html#long for more information.

    • python3Packages.urllib3: revert upstream commit to fix jupyter-server

    • slurm: 23.02.6.1 -> 23.02.7.1 (CVE-2023-49935, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938, CVE-2023-49933)

    • webkitgtk: 2.42.3 → 2.42.4

  • Add (no-op) option flyingcircus.services.nginx.logPerVirtualHost to allow smooth updates between 23.05 and 23.11.

  • Introduce Maximilian Bosch as new global admin (FC-34774).

  • openssh: update to 9.6p1 to fix SSH vulnerability “Terrapin”. This was released on 2023-12-20 as hotfix to staging/production (PL-132033).

  • Production channel URL for this release: https://hydra.flyingcircus.io/build/352539/download/1/nixexprs.tar.xz

NixOS 22.11 platform

Documentation

  • Add Maximilian Bosch as administrator (FC-34774).

  • Chat: add link to curated list of Matrix clients (PL-131976).

Detailed Changes