movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-12 04:35:41 +03:00
Code Issues Projects Releases Packages Wiki Activity
nixpkgs/nixos/doc/manual/release-notes/rl-2411.section.md
Thomas Gerbet ef6fea2d86 openssh: move Kerberos support into a dedicated package 
The `openssh` and `openssh_hpn` packages are now built without
the Kerberos support by default in an effort to reduce the attack surface.

The Kerberos support is likely used only by a fraction of the total users
(I'm guessing mainly users integrating SSH in an Active Directory env) so
dropping it should not impact too many users. It should also be noted that
the Kerberos/GSSAPI auth is disabled by default in the configuration.
`opensshWithKerberos` and `openssh_hpnWithKerberos` are added in order
to provide an easy migration path for users needing this support.

The `openssh_gssapi` package is kept untouched.
2024-06-05 19:45:31 +10:00

3.2 KiB
Raw Blame History

Release 24.11 (“Vicuña”, 2024.11/??)

Highlights

  • Create the first release note entry in this section!

New Services

Backward Incompatibilities

  • nginx package no longer includes gd and geoip dependencies. For enabling it, override nginx package with the optionals withImageFilter and withGeoIP.

  • openssh and openssh_hpn are now compiled without Kerberos 5 / GSSAPI support in an effort to reduce the attack surface of the components for the majority of users. Users needing this support can use the new opensshWithKerberos and openssh_hpnWithKerberos flavors (e.g. programs.ssh.package = pkgs.openssh_gssapi).

  • nvimpager was updated to version 0.13.0, which changes the order of user and nvimpager settings: user commands in -c and --cmd now override the respective default settings because they are executed later.

  • The Invoiceplane module now only accepts the structured settings option. extraConfig is now removed.

  • Legacy package stalwart-mail_0_6 was dropped, please note the manual upgrade process before changing the package to pkgs.stalwart-mail in services.stalwart-mail.package.

  • The stalwart-mail module now uses RocksDB as the default storage backend for stateVersion ≥ 24.11. (It was previously using SQLite for structured data and the filesystem for blobs).

  • zx was updated to v8, which introduces several breaking changes. See the v8 changelog for more information.

  • The portunus package and service do not support weak password hashes anymore. If you installed Portunus on NixOS 23.11 or earlier, upgrade to NixOS 24.05 first to get support for strong password hashing. Then, follow the instructions on the upstream release notes to upgrade all existing user accounts to strong password hashes. If you need to upgrade to 24.11 without having completed the migration, consider the security implications of weak password hashes on your user accounts, and add the following to your configuration:

    services.portunus.package      = pkgs.portunus.override { libxcrypt = pkgs.libxcrypt-legacy; };
services.portunus.ldap.package = pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; };

Other Notable Changes

  • To facilitate dependency injection, the imgui package now builds a static archive using vcpkg' CMake rules. The derivation now installs "impl" headers selectively instead of by a wildcard. Use imgui.src if you just want to access the unpacked sources.