Release 2024_035 (2024-12-16)

Impact

24.05

  • Most services that use updated packages are restarted.

  • Machines schedule a reboot to activate the changed kernel.

NixOS 21.05 platform

Bemerkung

This is an internal release not available to customer VMs. As this release powers the Flying Circus infrastructure, changes resulting in customer-facing behaviour are included here nonetheless.

  • S3 users are now managed automatically and can be viewed and managed via our customer portal. (PL-133084)

  • Fix systemd units managing flooding suppression and MAC learning configuration so that settings are restored to their defaults when the units are stopped. (PL-133202)

  • Add sensu check on routers to monitor whether flooding suppression is correctly configured on gateway interfaces. (PL-133202)

  • kvm_host: fix fc-qemu-scrub timer which was not properly activating after boot. (PL-133211)

  • Updated Nix to 2.3.18 to be able to download zstd-compressed paths from our Hydra. It will switch from xz to zstd to increase its throughput.

  • Production channel for this release: https://hydra.flyingcircus.io/build/4308842/download/1/nixexprs.tar.xz

NixOS 24.05 platform

  • Internal: Introduce automatic nixpkgs update workflow (PL-133100)

  • The fc-postgresql command now supports upgrades of databases with preinstalled extensions:

    • When upgrading manually with fc-postgresql, add --extension-names ext1 --extension-names ext2 to the command line. ext1/ext2 must be the package names of the extensions without the postgresqlPackages.-prefix. Usually it’s the packages in services.postgresql.extraPlugins.

    • When using automatic upgrades (flyingcircus.services.postgresql.autoUpgrade.enable ), existing extensions will be discovered automatically. You don’t have to do anything in this case.

  • Fix a bug in the reload script for the varnish service that only occurs when there are cold VCLs to be discarded. An error in the templating would lead to attempting to run a varnish admin instruction (vcl.discard in this case) as a shell command. (PL-133251)

  • Update nixpkgs from e8368806d2c792603b4c47afe0e3709a51d232a2 to ebcc9ab51d9d5495508eb5c520eb188aecd7f799

    • chrome, chromium: 130.0.6723.116 -> 131.0.6778.108 (CVE-2024-12053, CVE-2024-11395, CVE-2024-11110, CVE-2024-11111, CVE-2024-11112, CVE-2024-11113, CVE-2024-11114, CVE-2024-11115, CVE-2024-11116, CVE-2024-11117)

    • firefox: 132.0.2 -> 133.0 (CVE-2024-11691, CVE-2024-11692, CVE-2024-11701, CVE-2024-11694, CVE-2024-11695, CVE-2024-11696, CVE-2024-11697, CVE-2024-11704, CVE-2024-11698, CVE-2024-11705, CVE-2024-11706, CVE-2024-11708, CVE-2024-11699)

    • percona80: (CVE-2024-21171, CVE-2024-21177, CVE-2024-21163, CVE-2024-21173, CVE-2024-21179, CVE-2024-21127, CVE-2024-21129, CVE-2024-21125, CVE-2024-21130, CVE-2024-21162, CVE-2024-21165, CVE-2024-21142, CVE-2024-21134)

    • php81: 8.1.30 -> 8.1.31 (CVE-2024-8932, CVE-2024-8929, CVE-2024-11236, CVE-2024-11234, CVE-2024-11233, GHSA-4w77-75f9-2c8w)

    • php83: 8.3.13 -> 8.3.14 (CVE-2024-8932, CVE-2024-8929, CVE-2024-11236, CVE-2024-11234, CVE-2024-11233, GHSA-4w77-75f9-2c8w)

    • rclone: apply patch for CVE-2024-52522

    • zoneminder: 1.36.34 -> 1.36.35 (GHSA-rqxv-447h-g7jx)

  • Pull upstream NixOS changes, security fixes and package updates:

    • chromedriver: 130.0.6723.116 -> 131.0.6778.108

    • chromium: 130.0.6723.116 -> 131.0.6778.108

    • element-web: 1.11.85 -> 1.11.87

    • firefox: 132.0.2 -> 133.0

    • gitlab-container-registry: 4.13.0 -> 4.14.0

    • gitlab-ee: 17.3.7 -> 17.5.3

    • gitlab: 17.3.7 -> 17.5.3

    • grafana: 10.4.12 -> 10.4.13

    • imagemagick7: 7.1.1-39 -> 7.1.1-40

    • imagemagick: 7.1.1-39 -> 7.1.1-40

    • linuxKernelStable: 5.15.172 -> 5.15.173

    • mastodon: 4.2.13 -> 4.2.14

    • matrix-synapse: 1.119.0 -> 1.120.2

    • mysql80: 8.0.39 -> 8.0.40

    • nss_latest: 3.106 -> 3.107

    • openjdk: 8u362-ga -> 8u412-ga

    • percona80: 8.0.37-29 -> 8.0.39-30

    • php81: 8.1.30 -> 8.1.31

    • php82: 8.2.24 -> 8.2.26

    • php82: 8.2.25 -> 8.2.26

    • php83: 8.3.13 -> 8.3.14

    • rclone: apply patch for CVE-2024-52522

    • strace: 6.11 -> 6.12

    • zoneminder: 1.36.34 -> 1.36.35

  • Production channel for this release: https://hydra.flyingcircus.io/build/4308696/download/1/nixexprs.tar.xz

Detailed Changes