Release 2024_021 (2024-07-15)¶

Impact¶

This is the first production release of the 24.05 platform. The default for new VMs is still 23.11 which will be changed in the coming weeks.

See Platform Upgrades & What’s New for things to consider before upgrading, significant changes and new package versions

openssh: apply patches for CVE-2024-6387
- already released as a hotfix ahead of schedule on 2024-07-01
- fixes a remote code execution vulnerability https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
- additionally also backport a fix for a minor logic error in ObscureKeystrokeTiming
Production channel URL for this release: https://hydra.flyingcircus.io/build/450243/download/1/nixexprs.tar.xz

openssh: apply patches for CVE-2024-6387
- already released as a hotfix ahead of schedule on 2024-07-01
- fixes a remote code execution vulnerability https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
- additionally also backport a fix for a minor logic error in ObscureKeystrokeTiming
Production channel URL for this release: https://hydra.flyingcircus.io/build/456547/download/1/nixexprs.tar.xz

Fix statically configured time server (NTP) names.
Production channel URL for this release: https://hydra.flyingcircus.io/build/458782/download/1/nixexprs.tar.xz

Fix statically configured time server (NTP) names.
openssh: apply patches for https://github.com/advisories/GHSA-2x8c-95vh-gfv4, default package used changes 9.0p1 -> 9.6p1. This was already released as a hotfix on 2024-07-05. Also fixes a remote code execution vulnerability https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt. Note that this only updates the openssh_9_6 package, which is used by the in-path ssh command and the sshd.service of the platform. This might affect the defaults for cryptographic algorithms, see the openssh release notes for details.
Production channel URL for this release: https://hydra.flyingcircus.io/build/457389/download/1/nixexprs.tar.xz