From 990ab0e638e9f54b23b08c3ba6bb2f4b672ce0c8 Mon Sep 17 00:00:00 2001
From: Oliver Schmidt
Date: Thu, 28 Nov 2024 14:55:44 +0100
Subject: [PATCH] Collect changelog fragments
---
 ..._PL-133125-ssl-cert-check-timeout_scriv.md | 18 -----
 ...-PL-133007_nginx-dheat-mitigation_scriv.md | 22 -------
 ...l-FC-41933_update-mailserver-docs_scriv.md | 19 ------
 ...C-41917_fix-rabbitmq-cookie-logic_scriv.md | 21 ------
 ...03-2405-update-nixpkgs-2024-11-25_scriv.md | 48 --------------
 ...cs\\-FC-41948-rotate-cs-root-key_scriv.md" | 21 ------
 .../20241128_094013_fc-24.05-dev_scriv.md | 22 -------
 ...33180-agent-fix-cold-reboot-merge_scriv.md | 19 ------
 changelog.d/CHANGELOG.md | 65 +++++++++++++++++++
 9 files changed, 65 insertions(+), 190 deletions(-)
 delete mode 100644 changelog.d/20241106_115939_PL-133125-ssl-cert-check-timeout_scriv.md
 delete mode 100644 changelog.d/20241112_110807_phil-PL-133007_nginx-dheat-mitigation_scriv.md
 delete mode 100644 changelog.d/20241119_093402_phil-FC-41933_update-mailserver-docs_scriv.md
 delete mode 100644 changelog.d/20241121_111554_phil-FC-41917_fix-rabbitmq-cookie-logic_scriv.md
 delete mode 100644 changelog.d/20241125_205222_PL-133203-2405-update-nixpkgs-2024-11-25_scriv.md
 delete mode 100644 "changelog.d/20241126_180343_cs\\-FC-41948-rotate-cs-root-key_scriv.md"
 delete mode 100644 changelog.d/20241128_094013_fc-24.05-dev_scriv.md
 delete mode 100644 changelog.d/20241128_114826_PL-133180-agent-fix-cold-reboot-merge_scriv.md
diff --git a/changelog.d/20241106_115939_PL-133125-ssl-cert-check-timeout_scriv.md b/changelog.d/20241106_115939_PL-133125-ssl-cert-check-timeout_scriv.md
deleted file mode 100644
index 5b45c461d..000000000
--- a/changelog.d/20241106_115939_PL-133125-ssl-cert-check-timeout_scriv.md
+++ /dev/null
@@ -1,18 +0,0 @@
-
-
-### NixOS XX.XX platform
-
-- Increase SSL validation check timeout to better distinguish DNS resolution
- errors and other causes of timeouts. (PL-133125)
diff --git a/changelog.d/20241112_110807_phil-PL-133007_nginx-dheat-mitigation_scriv.md b/changelog.d/20241112_110807_phil-PL-133007_nginx-dheat-mitigation_scriv.md
deleted file mode 100644
index 5b1c2de01..000000000
--- a/changelog.d/20241112_110807_phil-PL-133007_nginx-dheat-mitigation_scriv.md
+++ /dev/null
@@ -1,22 +0,0 @@
-
-
-### Impact
-
-- There is a small but non-zero potential that some clients may experience connectivity issues with nginx.
- Multiple connectivity testing tools showed no change for clients and/or libraries but cannot cover every single implementation out there.
-
-### NixOS XX.XX platform
-
-- Restrict a class of key agreement protocols, called Diffie-Hellman Elliptic Curves, enabled in Nginx to mitigate a DoS attack vector
- described in CVE-2024-41996. The curves for ECDHE ciphers are then restricted to x25519, secp256r1, and x448.
diff --git a/changelog.d/20241119_093402_phil-FC-41933_update-mailserver-docs_scriv.md b/changelog.d/20241119_093402_phil-FC-41933_update-mailserver-docs_scriv.md
deleted file mode 100644
index 7770f889c..000000000
--- a/changelog.d/20241119_093402_phil-FC-41933_update-mailserver-docs_scriv.md
+++ /dev/null
@@ -1,19 +0,0 @@
-
-
-### Impact
-
-
-### NixOS XX.XX platform
-
-- Update the mailserver role documentation with an example nix configuration
diff --git a/changelog.d/20241121_111554_phil-FC-41917_fix-rabbitmq-cookie-logic_scriv.md b/changelog.d/20241121_111554_phil-FC-41917_fix-rabbitmq-cookie-logic_scriv.md
deleted file mode 100644
index 9f651ec01..000000000
--- a/changelog.d/20241121_111554_phil-FC-41917_fix-rabbitmq-cookie-logic_scriv.md
+++ /dev/null
@@ -1,21 +0,0 @@
-
-
-### Impact
-
-
-### NixOS XX.XX platform
-
-- Fix permissions for some platform logic that creates a `.erlang.cookie` for rabbitmq which would previously cause a failure when starting the service.
- The problem was caused due to insufficient write permissions when attempting to write the cookie after rabbitmq's first startup.
- During first startup, rabbimq generates a random cookie, writes it to the appropriate file and sets that file to be read-only.
diff --git a/changelog.d/20241125_205222_PL-133203-2405-update-nixpkgs-2024-11-25_scriv.md b/changelog.d/20241125_205222_PL-133203-2405-update-nixpkgs-2024-11-25_scriv.md
deleted file mode 100644
index e5c1b5f03..000000000
--- a/changelog.d/20241125_205222_PL-133203-2405-update-nixpkgs-2024-11-25_scriv.md
+++ /dev/null
@@ -1,48 +0,0 @@
-
-
-### Impact
-
-- services using an updated package will be restarted
-
-
-### NixOS XX.XX platform
-
-- Pull upstream NixOS changes, security fixes and package updates (PL-133203):
- - chromium: 130.0.6723.69 -> 130.0.6723.116 (CVE-2024-10826, CVE-2024-10827, CVE-2024-10487, CVE-2024-10488)
- - element-web: 1.11.82 -> 1.11.85
- - firefox: 132.0 -> 132.0.2
- - ghostscript: 10.03.1 -> 10.04.0
- - git: 2.44.1 -> 2.44.2
- - github-runner: 2.320.0 -> 2.321.0
- - gitlab: 17.2.9 -> 17.3.7
- - go_1_22: 1.22.6 -> 1.22.8
- - go_1_22: 1.22.6 -> 1.22.8, (#345953)
- - grafana: 10.4.11 -> 10.4.12
- - imagemagick: 7.1.1-38 -> 7.1.1-39
- - libtiff: patch for CVE-2023-52356 & CVE-2024-7006
- - matrix-synapse: 1.118.0 -> 1.119.0
- - nodejs_18: 18.20.4 -> 18.20.5
- - nodejs_22: 22.8.0 -> 22.10.0, (#349157)
- - nspr: 4.35 -> 4.36
- - nss_latest: 3.105 -> 3.106
- - postgresql_12: 12.20 -> 12.21
- - postgresql_13: 13.16 -> 13.17
- - postgresql_14: 14.13 -> 14.14
- - postgresql_15: 15.8 -> 15.9
- - postgresql_16: 16.4 -> 16.5
- - python311: 3.11.9 -> 3.11.10
- - python312: 3.12.5 -> 3.12.6
- - redis: 7.2.4 -> 7.2.6 (CVE-2024-31449, CVE-2024-31227, CVE-2024-31228)
- - unzip: apply patch for CVE-2021-4217
- - vim: 9.1.0707 -> 9.1.0765 (CVE-2024-47814)
diff --git "a/changelog.d/20241126_180343_cs\\-FC-41948-rotate-cs-root-key_scriv.md" "b/changelog.d/20241126_180343_cs\\-FC-41948-rotate-cs-root-key_scriv.md"
deleted file mode 100644
index 89cd6d543..000000000
--- "a/changelog.d/20241126_180343_cs\\-FC-41948-rotate-cs-root-key_scriv.md"
+++ /dev/null
@@ -1,21 +0,0 @@
-
-
-### Impact
-
-
-
-
-### NixOS XX.XX platform
-
-- Scheduled rotation of CS' root ssh key
diff --git a/changelog.d/20241128_094013_fc-24.05-dev_scriv.md b/changelog.d/20241128_094013_fc-24.05-dev_scriv.md
deleted file mode 100644
index f02760339..000000000
--- a/changelog.d/20241128_094013_fc-24.05-dev_scriv.md
+++ /dev/null
@@ -1,22 +0,0 @@
-
-
-### Impact
-
-- Activate DDoS SSH rules in fail2ban for production machines.
-
-### NixOS XX.XX platform
-
-- Activate DDoS SSH rules in fail2ban for all machines as protection against SSH DHeat attacks. (PL-132477)
- This may have impact if you have multiple unauthenticated SSH connections in a short time.
- We tested this change on non-production machines over the last 3 weeks and got no reports of problems.
diff --git a/changelog.d/20241128_114826_PL-133180-agent-fix-cold-reboot-merge_scriv.md b/changelog.d/20241128_114826_PL-133180-agent-fix-cold-reboot-merge_scriv.md
deleted file mode 100644
index b9c352947..000000000
--- a/changelog.d/20241128_114826_PL-133180-agent-fix-cold-reboot-merge_scriv.md
+++ /dev/null
@@ -1,19 +0,0 @@
-
-
-### Impact
-
-
-### NixOS 24.05 platform
-
-- agent: fix merging cold boot activities into warm reboots. We noticed maintenance requests that have been postponed multiple times on some machines, causing repeated maintenance notification mails. (PL-133180).
diff --git a/changelog.d/CHANGELOG.md b/changelog.d/CHANGELOG.md
index a84c33be7..eceb6d55e 100644
--- a/changelog.d/CHANGELOG.md
+++ b/changelog.d/CHANGELOG.md
@@ -1,3 +1,68 @@
+# Release 2024_034
+
+## Impact
+
+- There is a small but non-zero potential that some clients may experience connectivity issues with nginx.
+ Multiple connectivity testing tools showed no change for clients and/or libraries but cannot cover every single implementation out there.
+
+- services using an updated package will be restarted
+
+- Activate DDoS SSH rules in fail2ban for production machines.
+
+## NixOS 24.05 platform
+
+- agent: fix merging cold boot activities into warm reboots. We noticed maintenance requests that have been postponed multiple times on some machines, causing repeated maintenance notification mails. (PL-133180).
+
+## NixOS XX.XX platform
+
+- Increase SSL validation check timeout to better distinguish DNS resolution
+ errors and other causes of timeouts. (PL-133125)
+
+- Restrict a class of key agreement protocols, called Diffie-Hellman Elliptic Curves, enabled in Nginx to mitigate a DoS attack vector
+ described in CVE-2024-41996. The curves for ECDHE ciphers are then restricted to x25519, secp256r1, and x448.
+
+- Update the mailserver role documentation with an example nix configuration
+
+- Fix permissions for some platform logic that creates a `.erlang.cookie` for rabbitmq which would previously cause a failure when starting the service.
+ The problem was caused due to insufficient write permissions when attempting to write the cookie after rabbitmq's first startup.
+ During first startup, rabbimq generates a random cookie, writes it to the appropriate file and sets that file to be read-only.
+
+- Pull upstream NixOS changes, security fixes and package updates (PL-133203):
+ - chromium: 130.0.6723.69 -> 130.0.6723.116 (CVE-2024-10826, CVE-2024-10827, CVE-2024-10487, CVE-2024-10488)
+ - element-web: 1.11.82 -> 1.11.85
+ - firefox: 132.0 -> 132.0.2
+ - ghostscript: 10.03.1 -> 10.04.0
+ - git: 2.44.1 -> 2.44.2
+ - github-runner: 2.320.0 -> 2.321.0
+ - gitlab: 17.2.9 -> 17.3.7
+ - go_1_22: 1.22.6 -> 1.22.8
+ - go_1_22: 1.22.6 -> 1.22.8, (#345953)
+ - grafana: 10.4.11 -> 10.4.12
+ - imagemagick: 7.1.1-38 -> 7.1.1-39
+ - libtiff: patch for CVE-2023-52356 & CVE-2024-7006
+ - matrix-synapse: 1.118.0 -> 1.119.0
+ - nodejs_18: 18.20.4 -> 18.20.5
+ - nodejs_22: 22.8.0 -> 22.10.0, (#349157)
+ - nspr: 4.35 -> 4.36
+ - nss_latest: 3.105 -> 3.106
+ - postgresql_12: 12.20 -> 12.21
+ - postgresql_13: 13.16 -> 13.17
+ - postgresql_14: 14.13 -> 14.14
+ - postgresql_15: 15.8 -> 15.9
+ - postgresql_16: 16.4 -> 16.5
+ - python311: 3.11.9 -> 3.11.10
+ - python312: 3.12.5 -> 3.12.6
+ - redis: 7.2.4 -> 7.2.6 (CVE-2024-31449, CVE-2024-31227, CVE-2024-31228)
+ - unzip: apply patch for CVE-2021-4217
+ - vim: 9.1.0707 -> 9.1.0765 (CVE-2024-47814)
+
+- Scheduled rotation of CS' root ssh key
+
+- Activate DDoS SSH rules in fail2ban for all machines as protection against SSH DHeat attacks. (PL-132477)
+ This may have impact if you have multiple unauthenticated SSH connections in a short time.
+ We tested this change on non-production machines over the last 3 weeks and got no reports of problems.
+
+
 # Release 2024_031
 ## Impact