Release 2023_033_1 (2023-12-18)¶
Impact¶
[NixOS 23.05] VMs will reboot after the update to activate the changed kernel.
NixOS 23.11 platform¶
This is the first production release of the 23.11 platform. The default for new production VMs is still 23.05 which will be changed in the coming weeks.
See Platform Upgrades & What’s New for things to consider before upgrading, significant changes and new package versions
We rolled out the upgrade to most of the customer staging systems on Thursday, 2023-12-05.
The following changes were added after the staging roll-out:
[hotfix] openssh: update to 9.6p1 to fix SSH vulnerability „Terrapin“. This was released on 2023-12-20 as hotfix to staging/production (PL-132033).
agent: increase file descriptor limit for system builds. We have seen crashes of the
fc-update-channel
service on a single customer VM with a high number of Letsencrypt certificates (PL-131964).devhost: Add new feature to use VMs instead of containers. The new feature is not enabled by default (PL-131470).
lamp: Enable the PHP-FPM slowlog by default (PL-131946).
mailserver the role now requires TLS versions 1.2 and later both when acting as an SMTP server and SMTP client. Encryption is still optional by default (PL-131937).
webgateway/nginx: add warnings for deprecated features which are planned for removal with the 24.05 platform version:
masterUser = "root"
, JSON config in/etc/local/nginx
and thelistenAddress
/listenAddress6
options (PL-131984).webgateway/nginx: add an option
flyingcircus.services.nginx.logPerVirtualHost
to enable per-vhost access and error logs in nginx under/var/log/nginx/access-<vhost-name>.log
and/var/log/nginx/error-<vhost-name>.log
respectively. This is the new default behavior (PL-131947).webproxy: Added multi-host functionality via
flyingcircus.services.varnish
(PL-131840).Pull upstream NixOS changes, security fixes and package updates (PL-131990):
chromedriver: 119.0.6045.105 -> 120.0.6099.71
chromium: 119.0.6045.199 -> 120.0.6099.71
element-web: 1.11.50 -> 1.11.51
gitlab-container-registry: 3.85.0 -> 3.86.2
gitlab: 16.5.1 -> 16.5.3
keycloak: 22.0.5 -> 23.0.0
linux_5_15: 5.15.140 -> 5.15.142
mastodon: 4.2.1 -> 4.2.3
opensearch: 2.11.0 -> 2.11.1
qemu: 8.1.2 -> 8.1.3
python312: 3.12.0 -> 3.12.1 (CVE-2023-6507)
tomcat10: 10.1.15 -> 10.1.16
tomcat9: 9.0.82 -> 9.0.83
webkitgtk: 2.42.2 → 2.42.3 (CVE-2023-42916, CVE-2023-42917)
Production channel URL for this release: https://hydra.flyingcircus.io/build/346984/download/1/nixexprs.tar.xz
NixOS 23.05 platform¶
[hotfix] openssh: update to 9.6p1 to fix SSH vulnerability „Terrapin“. This was released on 2023-12-20 as hotfix to staging/production (PL-132033).
Pull upstream NixOS changes, security fixes and package updates (PL-131990):
chromedriver: 119.0.6045.105 -> 120.0.6099.71
chromium: 119.0.6045.159 -> 120.0.6099.71
element-web: 1.11.47 -> 1.11.51
gitlab-container-registry: 3.85.0 -> 3.86.2
gitlab: 16.5.1 -> 16.5.3
linux_5_15: 5.15.139 -> 5.15.142
mastodon: 4.1.10 -> 4.1.11
nss_latest: 3.94 -> 3.95
webkitgtk: 2.42.2 → 2.42.3
Production channel URL for this release: https://hydra.flyingcircus.io/build/347002/download/1/nixexprs.tar.xz
Detailed Changes¶
NixOS 23.05: platform code, upstream changes