Release 2024_029 (2024-10-09)

Impact

  • 24.05:

    • most core services will be restarted

    • some machines receive a new kernel and will schedule a maintenance reboot

NixOS 24.05 platform

  • postgresql: the script for verifying/updating collation versions on service start now works correctly with special database names that need “quoting” in SQL statements (PL-133030).

  • webproxy: The default.vcl configuration mechanism for varnish is here to stay. We decided to un-deprecate this as it is useful and we will be integrating it with the newer mechanism in the near future (PL-132174).

  • This platform release includes a very new Linux kernel release (6.11) that gets activated in our DEV and WHQ locations as well as on all non-production VMs. Selected production VMs will be updated as well; customers affected by this on a production VM will be notified individually with an in-depth briefing. This Linux release includes a fix for a bug that has been stopping us from updating past the 5.15 LTS branch since last year, and 5.15 is considered ancient by now. The upstream developers are confident that this release fixes the bug and will provide a backport to an LTS release at a later point. However, because the bug is elusive, our part in fixing it is to help gather evidence that it does not reappear. We expect to be running this kernel for at least 4-8 weeks to collect valid evidence (PL-132972).

  • Pull upstream NixOS changes, security fixes and package updates (PL-133043):

    • asterisk: 20.9.2 -> 20.9.3

    • cacert: 3.101 -> 3.104

    • calibre: add patches for CVE-2024-6781, CVE-2024-6782, CVE-2024-7008, CVE-2024-7009

    • chromedriver: 129.0.6668.58 -> 129.0.6668.70

    • clamav: 1.3.1 -> 1.3.2

    • curl: apply patch for CVE-2024-8096

    • element-web: 1.11.77 -> 1.11.79

    • grafana: 10.4.8 -> 10.4.9 (CVE-2024-8118)

    • k3s_1_28: 1.28.12+k3s1 -> 1.28.13+k3s1

    • k3s_1_29: 1.29.7+k3s2 -> 1.29.8+k3s1

    • k3s_1_30: 1.30.3+k3s1 -> 1.30.4+k3s1

    • k3s_1_31: init 1.31.0+k3s1

    • mastodon: 4.2.12 -> 4.2.13

    • matrix-synapse: 1.114.0 -> 1.116.0

    • nss_latest: 3.104 -> 3.105

    • php81: 8.1.29 -> 8.1.30 (CVE-2024-8927, CVE-2024-9026, CVE-2024-8925)

    • php82: 8.2.23 -> 8.2.24 (CVE-2024-8927, CVE-2024-9026, CVE-2024-8925)

    • php83: 8.3.11 -> 8.3.12 (CVE-2024-8927, CVE-2024-9026, CVE-2024-8925)

    • python39: 3.9.19 -> 3.9.20

    • python310: 3.10.14 -> 3.10.15

    • python312: 3.12.4 -> 3.12.5

    • python3Packages.urllib3: 2.2.1 -> 2.2.2

    • ruby: 3.3.4 -> 3.3.5

    • runc: 1.1.12 -> 1.1.14

    • slurm: 23.11.9.1 -> 23.11.10.1

    • strace: 6.10 -> 6.11

    • tcpdump: 4.99.4 -> 4.99.5

    • unifi7: mark insecure due to CVE-2024-42025

    • unifi8: 8.1.127 -> 8.4.62

    • vim: 9.1.0377 -> 9.1.0707

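The postgresql item above (PL-133030) concerns database names that must be quoted as identifiers before they are interpolated into SQL. The following is an added illustration, not the platform's own collation-check script: it builds the `ALTER DATABASE ... REFRESH COLLATION VERSION` statements with PostgreSQL identifier quoting (wrap in double quotes, double any embedded double quote), so that names with mixed case, hyphens, spaces or quotes neither break the statement nor get silently lower-cased. It assumes PostgreSQL 15 or later, where `pg_database.datcollversion`, `pg_database_collation_actual_version()` and the `REFRESH COLLATION VERSION` clause exist.

```python
"""Generate collation-refresh statements with safely quoted database names.

Added example for this release note; not the platform's own script.
Assumes PostgreSQL 15+ (datcollversion, pg_database_collation_actual_version,
ALTER DATABASE ... REFRESH COLLATION VERSION).
"""
from __future__ import annotations

# Lists databases whose recorded collation version no longer matches the
# version reported by the installed libc/ICU; only connectable databases
# are of interest, since the refresh needs a connection.
STALE_COLLATION_QUERY = (
    "SELECT datname FROM pg_database "
    "WHERE datcollversion IS DISTINCT FROM "
    "pg_database_collation_actual_version(oid) "
    "AND datallowconn"
)


def quote_ident(name: str) -> str:
    """Quote an SQL identifier like PostgreSQL's quote_ident(), but always.

    Unquoted identifiers are folded to lower case and may not contain
    characters such as '-' or ' ', so "MyApp" or "my-db" must be quoted.
    Embedded double quotes are escaped by doubling them.
    """
    if "\0" in name:
        raise ValueError("identifiers cannot contain NUL bytes")
    return '"' + name.replace('"', '""') + '"'


def refresh_statement(datname: str) -> str:
    """Statement that refreshes one database's recorded collation version."""
    return f"ALTER DATABASE {quote_ident(datname)} REFRESH COLLATION VERSION;"


def refresh_statements(datnames: list[str]) -> list[str]:
    """One refresh statement per database returned by STALE_COLLATION_QUERY."""
    return [refresh_statement(name) for name in datnames]


if __name__ == "__main__":
    # Constructed sample of names as STALE_COLLATION_QUERY might return them.
    sample = ["app", "MyApp", "my-db", 'odd"name', "with space"]
    for stmt in refresh_statements(sample):
        print(stmt)
```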

Detailed Changes