Release 2024_034 (2024-12-02)

Impact

24.05

  • There is a small but non-zero potential that some clients may experience connectivity issues with nginx. Multiple connectivity testing tools showed no change for clients and/or libraries but cannot cover every single implementation out there.

  • services using an updated package will be restarted

  • Activate DDoS SSH rules in fail2ban for production machines.

NixOS 21.05 platform

Note

This is an internal release not available to customer VMs. As this release powers the Flyingcircus Infrastructure, changes resulting in customer-facing behaviour are included here nonetheless.

  • fc-luks: fix rekeying to use the specified encryption parameters. We accidentally fell back to defaults before. (PL-133174)

  • router: the ISC DHCP server, which is end-of-life, has been replaced with its successor implementation, Kea. (PL-133205)

  • pkgs: fix the monitoring script for the IPv4 underlay network to correctly handle next hop addresses sent by Nokia SR Linux switches. (PL-133199)

  • router: fix radvd config generation to use the correct derived interface name. (PL-133201)

NixOS 23.11 platform

NixOS 24.05 platform

  • agent: fix merging cold boot activities into warm reboots. We noticed maintenance requests that have been postponed multiple times on some machines, causing repeated maintenance notification mails. (PL-133180).

  • Increase SSL validation check timeout to better distinguish DNS resolution errors and other causes of timeouts. (PL-133125)

  • Restrict a class of key agreement protocols, called Diffie-Hellman Elliptic Curves, enabled in Nginx to mitigate a DoS attack vector described in CVE-2024-41996. The curves for ECDHE ciphers are then restricted to x25519, secp256r1, and x448.

  • Update the mailserver role documentation with an example nix configuration

  • Fix permissions for some platform logic that creates a .erlang.cookie for rabbitmq which would previously cause a failure when starting the service. The problem was caused due to insufficient write permissions when attempting to write the cookie after rabbitmq’s first startup. During first startup, rabbimq generates a random cookie, writes it to the appropriate file and sets that file to be read-only.

  • Pull upstream NixOS changes, security fixes and package updates (PL-133203):

    • chromium: 130.0.6723.69 -> 130.0.6723.116 (CVE-2024-10826, CVE-2024-10827, CVE-2024-10487, CVE-2024-10488)

    • element-web: 1.11.82 -> 1.11.85

    • firefox: 132.0 -> 132.0.2

    • ghostscript: 10.03.1 -> 10.04.0

    • git: 2.44.1 -> 2.44.2

    • github-runner: 2.320.0 -> 2.321.0

    • gitlab: 17.2.9 -> 17.3.7

    • go_1_22: 1.22.6 -> 1.22.8

    • go_1_22: 1.22.6 -> 1.22.8, (#345953)

    • grafana: 10.4.11 -> 10.4.12

    • imagemagick: 7.1.1-38 -> 7.1.1-39

    • libtiff: patch for CVE-2023-52356 & CVE-2024-7006

    • matrix-synapse: 1.118.0 -> 1.119.0

    • nodejs_18: 18.20.4 -> 18.20.5

    • nodejs_22: 22.8.0 -> 22.10.0, (#349157)

    • nspr: 4.35 -> 4.36

    • nss_latest: 3.105 -> 3.106

    • postgresql_12: 12.20 -> 12.21

    • postgresql_13: 13.16 -> 13.17

    • postgresql_14: 14.13 -> 14.14

    • postgresql_15: 15.8 -> 15.9

    • postgresql_16: 16.4 -> 16.5

    • python311: 3.11.9 -> 3.11.10

    • python312: 3.12.5 -> 3.12.6

    • redis: 7.2.4 -> 7.2.6 (CVE-2024-31449, CVE-2024-31227, CVE-2024-31228)

    • unzip: apply patch for CVE-2021-4217

    • vim: 9.1.0707 -> 9.1.0765 (CVE-2024-47814)

  • Scheduled rotation of CS’ root ssh key

  • Activate DDoS SSH rules in fail2ban for all machines as protection against SSH DHeat attacks. (PL-132477) This may have impact if you have multiple unauthenticated SSH connections in a short time. We tested this change on non-production machines over the last 3 weeks and got no reports of problems.

  • Production channel for this release: https://hydra.flyingcircus.io/build/3725196/download/1/nixexprs.tar.xz

Detailed Changes

Detailed Changes