Release 2024_005 (2024-02-12)

Impact

  • [NixOS 23.11] Many services will restart due to a core dependency change.

  • [NixOS 23.05] Many services will restart due to a core dependency change.

NixOS 23.11 platform

  • nginx/webgateway: set a default request-rate limit and add connection limiting to further improve protections against the HTTP/2 rapid reset vulnerability (https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487) (PL-131836).

  • Pull upstream NixOS changes, security fixes and package updates (PL-132173, PL-132184):

    • chromium: 121.0.6167.85 -> 121.0.6167.139

    • containerd: 1.7.11 -> 1.7.13 (CVE-2024-21626)

    • imagemagick: 7.1.1-25 -> 7.1.1-26

    • gitlab: 16.7.4 -> 16.7.5 (CVE-2023-6840, CVE-2023-6386, CVE-2024-1066)

    • gitlab-container-registry: 3.88.0 -> 3.88.1

    • keycloak: 23.0.4 -> 23.0.6

    • mastodon: 4.2.4 -> 4.2.5 (CVE-2024-23832)

    • monitoring-plugins: 2.3.0 -> 2.3.5

    • mysql80: 8.0.35 -> 8.0.36

    • qemu: 8.1.4 -> 8.1.5

    • qemu: add patch for CVE-2023-6693

    • redis: 7.2.3 -> 7.2.4

    • ruby_3_2: 3.2.2 -> 3.2.3

    • runc: 1.1.10 -> 1.1.12 (CVE-2024-21626)

    • security wrappers (setuid binaries): limit the argv[0] length as a mitigation for a glibc vulnerability (CVE-2023-6246).

    • strace: 6.6 -> 6.7

    • varnish: 7.4.1 -> 7.4.2 (CVE-2023-44487)

  • Production channel URL for this release: https://hydra.flyingcircus.io/build/372861/download/1/nixexprs.tar.xz
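The nginx/webgateway item above combines a request-rate limit with a per-client connection limit. The following is an added illustration of that combination, not the platform's own configuration: the zone names, rates, burst sizes, connection caps, certificate paths and the backend address are all assumptions chosen for the example, and the values actually deployed in this release are not stated on this page.

```nginx
# Added example, not the platform's configuration. All limits are assumptions.
http {
    # Per-client request rate: keyed on the client address, 10 requests/second.
    limit_req_zone $binary_remote_addr zone=perip_req:10m rate=10r/s;
    # Per-client concurrent connection count, keyed the same way.
    limit_conn_zone $binary_remote_addr zone=perip_conn:10m;

    # Rapid reset abuses stream creation inside a single connection, so also
    # bound the number of concurrent HTTP/2 streams per connection.
    http2_max_concurrent_streams 128;

    upstream backend {
        server 127.0.0.1:8080;   # assumed backend address
    }

    server {
        listen 443 ssl http2;
        server_name example.invalid;              # placeholder name
        ssl_certificate     /path/to/fullchain.pem;  # placeholder path
        ssl_certificate_key /path/to/privkey.pem;    # placeholder path

        # Allow a short burst, then reject excess immediately with 429
        # instead of queueing it (nodelay) so attackers cannot fill the queue.
        limit_req zone=perip_req burst=20 nodelay;
        limit_req_status 429;

        # At most 20 simultaneous connections from one client address.
        limit_conn perip_conn 20;
        limit_conn_status 429;

        location / {
            proxy_pass http://backend;
        }
    }
}
```

The two limits cover different axes: `limit_req` caps how fast one address may issue requests (each HTTP/2 stream counts as a request), while `limit_conn` caps how many connections it may hold open, so a client cannot sidestep the rate limit by spreading resets over many connections. Both return a distinct status code (429 here) that is easy to alert on from the access log, and `limit_req_zone`/`limit_conn_zone` memory sizes should be checked against real client counts, since a full zone makes nginx reject requests outright.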

NixOS 23.05 platform

Detailed Changes