Release 2024_012 (2024-04-08)

Impact

  • [NixOS 23.11] Machines will reboot after the update to activate the changed kernel.

NixOS 23.11 platform

  • Pull upstream NixOS changes, security fixes and package updates (PL-132333):

    • chromedriver: 122.0.6261.94 -> 123.0.6312.86

    • chromium: 122.0.6261.111 -> 123.0.6312.86

    • element-web: 1.11.59 -> 1.11.61

    • firefox: 123.0.1 -> 124.0.1

    • github-runner: 2.314.1 -> 2.315.0

    • gitlab-runner: 16.7.0 -> 16.9.1

    • gitlab-container-registry: 3.90.0 -> 3.91.0

    • gitlab: 16.7.7 -> 16.9.3

    • grafana: 10.2.4 -> 10.2.6 (CVE-2024-1442)

    • jetty: 12.0.5 -> 12.0.7

    • jicofo: 1.0-1059 -> 1.0-1075

    • jitsi-meet: 1.0.7712 -> 1.0.7790

    • jitsi-videobridge: 2.3-64-g719465d1 -> 2.3-92-g64f9f34f

    • linux_5_15: 5.15.151 -> 5.15.152

    • matrix-synapse: 1.102.0 -> 1.103.0

    • nss_latest: 3.98 -> 3.99

    • php82: 8.2.16 -> 8.2.17

    • prometheus: 2.49.0 -> 2.49.1

    • python38: 3.8.18 -> 3.8.19 (CVE-2023-52425, CVE-2024-0450, CVE-2023-6597)

    • python39: 3.9.18 -> 3.9.19 (CVE-2023-52425, CVE-2024-0450, CVE-2023-6597)

    • strace: 6.7 -> 6.8

    • tomcat10: 10.1.18 -> 10.1.20

    • tomcat9: 9.0.85 -> 9.0.87

    • varnish: 7.4.2 -> 7.4.3 (CVE-2023-44487)

  • mailserver, rspamd: fix duplicate and syntactically wrong header settings (PL-132289).

  • webgateway/nginx, with modsecurity activated: Fix rotation of audit log files. Log files matching the pattern /var/log/nginx/modsec_*.log are now rotated via copying and then truncating the open log. All nginx modsecurity logfiles need to follow the naming scheme modsec_* to not accidentally grow unrotated. This is the naming convention suggested by our nginx modsecurity configuration examples. A small amount of log entries written at the time of rotation might be lost (PL-132296).

  • Production channel URL for this release: https://hydra.flyingcircus.io/build/402189/download/1/nixexprs.tar.xz

Detailed Changes