Release 2026_013 (2026-04-13)

Impact

25.11

  • webgateway: TLS- or ACME-enabled vhosts that do not define a single valid hostname no longer receive an automatic certificate check (PL-135244)

    An evaluation warning points out this behaviour change. The warning will be removed after 2 releases.

  • Machines will reboot to activate a changed kernel.

NixOS 25.05 platform

  • Fix Nix security vulnerability CVE-2026-39860 / GHSA-g3g9-5vj6-r3gj (FC-52786)

    • nix: 2.28.5 -> 2.28.6

NixOS 25.11 platform

  • Fix Nix security vulnerability CVE-2026-39860 / GHSA-g3g9-5vj6-r3gj (FC-52786)

  • webgateway: Only generate certificate checks for vhosts defining a single valid hostname (PL-135244)

  • flyingcircus.services.sensu-client.checks: Prevent illegal check names that would crash the client service (PL-135244)

  • flyingcircus.services.sensu-client.checks.<name>.enable: Introduce a new option to explicitly disable checks

  • Pull upstream NixOS changes, security fixes, and package updates:

    • bind: 9.20.18 -> 9.20.21

    • chromedriver: 146.0.7680.164 -> 146.0.7680.177

    • chromium: 146.0.7680.164 -> 146.0.7680.177

    • curl: 8.18.0 -> 8.19.0

    • go: 1.25.7 -> 1.25.8

    • imagemagick: 7.1.2-13 -> 7.1.2-18

    • keycloak: 26.5.6 -> 26.5.7

    • linuxKernelStable: 6.12.78 -> 6.12.80

    • linuxKernelVerify: 6.12.78 -> 6.12.80

    • mongodb: 7.0.30 -> 7.0.31

    • nix: 2.31.2 -> 2.31.4

    • nodejs: 22.22.0 -> 22.22.2

    • nodejs_22: 22.22.0 -> 22.22.2

    • python311: 3.11.14 -> 3.11.15

    • python312: 3.12.12 -> 3.12.13

    • roundcube: 1.6.14 -> 1.6.15

    • systemd: 258.3 -> 258.5

Detailed Changes