Release 2024_001 (2024-01-08)¶
Impact¶
[NixOS 23.11] Machines will reboot after the update to activate the changed kernel.
[NixOS 23.05] Machines will reboot after the update to activate the changed kernel.
NixOS 23.11 platform¶
Make 23.11 the default platform version. New VMs created via the customer self-service portal are now running 23.11.
Pull upstream NixOS changes, security fixes and package updates (PL-132050):
chromedriver: 120.0.6099.71 -> 120.0.6099.129
chromium: 120.0.6099.71 -> 120.0.6099.129
consul: 1.16.3 -> 1.16.4
containerd: 1.7.9 -> 1.7.11
gitlab: 16.5.3 -> 16.5.4
grafana: 10.2.0 -> 10.2.2
grub: apply fixes for CVE-2023-4692 and CVE-2023-4693
jicofo: 1.0-1050 -> 1.0-1057
jitsi-meet: 1.0.7531 -> 1.0.7629
jitsi-videobridge: 2.3-59-g5c48e421 -> 2.3-61-g814bffd6
keycloak: 23.0.0 -> 23.0.3
linux_5_15: 5.15.142 -> 5.15.145
matrix-synapse: 1.97.0 -> 1.98.0
nss_latest: 3.95 -> 3.96.1
pdns: 4.8.3 -> 4.8.4
php81: 8.1.26 -> 8.1.27
php82: 8.2.13 -> 8.2.14
postfix: 3.8.3 -> 3.8.4 (CVE-2023-51764)
Security: this adds options for full SMTP smuggling attack protection which are disabled by default. Many forms of the attack are already prevented by default settings of our platform. See https://www.postfix.org/smtp-smuggling.html#long for more information.
slurm: 23.02.6.1 -> 23.02.7.1 (CVE-2023-49935, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938, CVE-2023-49933)
webkitgtk: 2.42.3 → 2.42.4
Introduce Maximilian Bosch as new global admin (FC-34774).
Improve the reliability of NFS during machine startup, both for clients and servers. As the network may not be 100% reliable during startup (e.g. name resolution not yet fully functional) we retry both export registration as well as mounts (PL-131563, PL-130113).
openssh: update to 9.6p1 to fix SSH vulnerability „Terrapin“. This was released on 2023-12-20 as hotfix to staging/production (PL-132033).
Production channel URL for this release: https://hydra.flyingcircus.io/build/352371/download/1/nixexprs.tar.xz
NixOS 23.05 platform¶
This is the last release with regular updates from upstream NixOS. We will still patch critical security issues ourselves but recommend upgrading to the 23.11 platform version to keep packages up-to-date.
Pull upstream NixOS changes, security fixes and package updates (PL-132050):
asterisk: 20.2.1 -> 20.5.1 (CVE-2023-49294, CVE-2023-49786, CVE-2022-23537)
cacert: 3.92 -> 3.95
chromedriver: 120.0.6099.71 -> 120.0.6099.129
chromium: 120.0.6099.71 -> 120.0.6099.129
ghostscript: 10.02.0 -> 10.02.1
grafana: 9.5.13 -> 9.5.15
grub: apply fixes for CVE-2023-4692 and CVE-2023-4693
linux_5_15: 5.15.142 -> 5.15.145
nss_latest: 3.95 -> 3.96
postfix: 3.8.2 -> 3.8.4 (CVE-2023-51764)
Security: this adds options for full SMTP smuggling attack protection which are disabled by default. Many forms of the attack are already prevented by default settings of our platform. See https://www.postfix.org/smtp-smuggling.html#long for more information.
python3Packages.urllib3: revert upstream commit to fix jupyter-server
slurm: 23.02.6.1 -> 23.02.7.1 (CVE-2023-49935, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938, CVE-2023-49933)
webkitgtk: 2.42.3 → 2.42.4
Add (no-op) option
flyingcircus.services.nginx.logPerVirtualHost
to allow smooth updates between 23.05 and 23.11.Introduce Maximilian Bosch as new global admin (FC-34774).
openssh: update to 9.6p1 to fix SSH vulnerability „Terrapin“. This was released on 2023-12-20 as hotfix to staging/production (PL-132033).
Production channel URL for this release: https://hydra.flyingcircus.io/build/352539/download/1/nixexprs.tar.xz
NixOS 22.11 platform¶
Introduce Philipp Herzog as new global admin (FC-27885).
Introduce Maximilian Bosch as new global admin (FC-34774).
Production channel URL for this release: https://hydra.flyingcircus.io/build/352267/download/1/nixexprs.tar.xz
Documentation¶
Add Maximilian Bosch as administrator (FC-34774).
Chat: add link to curated list of Matrix clients (PL-131976).
Detailed Changes¶
NixOS 23.11: platform code, upstream changes
NixOS 23.05: platform code, upstream changes
NixOS 22.11: platform code