Release 2024_004 (2024-02-05)

Impact

• [NixOS 23.11] Machines will reboot after the update to activate the changed kernel.

NixOS 23.11 platform

• mailserver: protect against SMTP smuggling attacks by setting smtpd_forbid_bare_newline = normalize as recommended by the Postfix docs (PL-132051).

• mongodb: fix telegraf metrics collection when 3.2 or 3.4 roles are enabled.

• mongodb: allow upgrades from versions before 23.11 without the need for disabling the role during the upgrade.

• mysql/percona: fix monitoring on secondary databases when using replication (PL-132034).

• slurm: use task/cgroup to enforce memory limits on jobs (PL-132161, FC-35724).

• Pull upstream NixOS changes, security fixes and package updates (PL-131814):

  • chromium: 120.0.6099.216 -> 121.0.6167.85

  • curl: apply 8.5.0 security fixes (CVE-2023-46218, CVE-2023-46219)

  • github-runner: 2.311.0 -> 2.312.0

  • gitlab-runner: 16.6.0 -> 16.7.0

  • gitlab: 16.7.3 -> 16.7.4 (CVE-2024-0402, CVE-2023-6159, CVE-2023-5933, CVE-2023-5612)

  • go: 1.21.4 -> 1.21.5

  • go_1_20: 1.20.11 -> 1.20.12

  • inetutils: 2.4 -> 2.5 (CVE-2022-39028, CVE-2019-0053)

  • jq: 1.7 -> 1.7.1

  • linux_5_15: 5.15.146 -> 5.15.148

  • mastodon: 4.2.3 -> 4.2.4

  • nss_latest: 3.96.1 -> 3.97

  • postfix: 3.8.4 -> 3.8.5

  • prometheus: 2.48.0 -> 2.49.0

  • python3Packages.pip: add patches for CVE-2023-5752

  • qemu: 8.1.3 -> 8.1.4

  • roundcube: 1.6.5 -> 1.6.6

  • vim: 9.0.2048 -> 9.0.2116

• Production channel URL for this release: https://hydra.flyingcircus.io/build/367651/download/1/nixexprs.tar.xz

Detailed Changes

• NixOS 23.11: platform code, upstream changes