Release Neo4j 5.24.1 #17644

Merged
merged 2 commits into from
Oct 3, 2024

Conversation

ericsporre
Contributor

Hello!

Adding a new colleague as maintainer, sorry about some confusion in a previous PR caused by this.

Thanks!

@ericsporre ericsporre requested a review from a team as a code owner September 30, 2024 08:34


@tianon
Member

tianon commented Sep 30, 2024

Sorry for the delay!

Looking over the diff, I'm very concerned about the OpenSSL-related changes -- I see those are related to FIPS, and limited to UBI9, which seems odd. Is there no easier way to get/enable FIPS mode for OpenSSL in UBI9 than compiling it from source yourself? Do you have a plan for updating/maintaining that over time to keep up with things like new releases, especially in relation to security updates to OpenSSL?

To be explicit/clear, I think this would be a lot better if we could find some cleaner/more supported way to enable FIPS mode in the OpenSSL that's presumably already shipped in the image, or at least the one maintained by the upstream distribution. 🙈

@jennyowen
Contributor

Hi @tianon,

I totally understand the skepticism about compiling and installing OpenSSL from source in the Dockerfile. It's not great at all.

The reason for the change is that we wanted to add a feature so that anyone who needs to run Neo4j in a FIPS compatible way can do so, but that requires a FIPS certified version of OpenSSL to be installed in the image. Currently that would be OpenSSL versions 3.0.0, 3.0.8 or 3.0.9 citation.

For some reason Redhat only have 3.0.7 in their repositories (not even 3.0.0), so I can't install one of the certified versions from there sadly. I also couldn't find any official docker images that provide specific OpenSSL version builds, so there was nowhere I could just do a neat little COPY --from from 😢.
Installing from source seems to be the OpenSSL recommended way if trustworthy binaries aren't available.

That's how I ended up at the current version of our code. I 10000% agree that having some upstream provider of trustworthy OpenSSL binaries would be waaaay preferable though.

Regarding maintenance, I don't think keeping the OpenSSL installation up to date will be too much of an issue, since OpenSSL themselves don't seem to FIPS certify versions very often (3.0.9 was originally certified on 23/08/2022 citation). The latest stable version they've published on their website is 3.3.2, but the latest on rhel is a super old 3.0.7, and debian 11 uses 1.1.1f which is end of life.
Perhaps there are other factors at play (I confess I'm no security expert), but the certification cadence doesn't seem too burdensome?

That being said, I totally understand you need to maintain the quality of docker official images. If you think the code is unpublishable as an official image, then I'll revert the changes and update this PR to be a normal version bump.

@yosifkit
Member

yosifkit commented Oct 2, 2024

-    gpg --batch --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys \
-        595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7 \
-        B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+    gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys \
+        6380DC428747F6C393FEACA59A84159D7001A4E5 \
+        A21FAB74B0088AA361152586B8EF1A6BA9DA2D5C; \
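Review bot: only the first fingerprint swap (595E85A6… → 6380DC42…) is accounted for in this thread; the second one, B42F6819007F00F88E364FD4036A9C25BF357DD4 → A21FAB74B0088AA361152586B8EF1A6BA9DA2D5C, gets no subkey/primary check here, and it should get the same one before a passing `gpg --verify` is taken as proof that the new fingerprint is a drop-in replacement. The move from `hkp://keyserver.ubuntu.com:80` to `hkps://keys.openpgp.org` is a transport improvement, but note that the integrity of this step rests on the full-fingerprint `--recv-keys` plus the later `--verify`, not on the keyserver transport.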

Just because this looked a little odd to me in wondering why tini doesn't fail to gpg --verify with its key being removed: 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7 is a subkey of 6380DC428747F6C393FEACA59A84159D7001A4E5 (https://keyserver.ubuntu.com/pks/lookup?search=595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7&fingerprint=on&op=index)


It looks like the RedHat provided openssl-fips library is just pending certification/review: https://access.redhat.com/articles/compliance_activities_and_gov_standards. Maybe that's enough to just use that and not build the upstream OpenSSL in the image?

@jennyowen
Contributor

I would be ok with using the redhat openssl-fips library in general, but the FIPS certification is required to guarantee compliance. Having pending certification isn't enough sadly.
If it was pending with an expectation of being done in a few weeks then I'd be happy to wait before submitting these changes. However according to NIST it's been pending certification since December 2023, so I've no confidence in it being done any time soon.

Incidentally, we have to do a new bug fix release either today or tomorrow, so I'll revert these openssl changes when we update this PR. I'll have to resubmit them afterwards though, so your feedback is still very much appreciated!


Also revert FIPS
@ericsporre ericsporre changed the title from "Release Neo4j 5.24.0" to "Release Neo4j 5.24.1" on Oct 2, 2024


@ericsporre
Contributor Author

Hello again! Updated the PR with the new neo4j release along with the revert of the openssl changes. Thanks!

@yosifkit
Member

yosifkit commented Oct 2, 2024

    eval "$base_variable_name=$secret_value"

I think this might lead to some accidental evaluation of the secret (since the variable is expanded before the eval evaluates the string). I think either escaping the $ or switching to export should prevent it:

    eval "$base_variable_name=\$secret_value"
# or 
    export "$base_variable_name"="$secret_value"

The export is how we do it in the postgres images.
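The hazard yosifkit points at above, as an added example (this is not code from the neo4j image or from the docker-library maintainers): a secret spliced into an `eval` string is re-parsed as shell, while the escaped-`eval` and `export` forms store it verbatim. Function names, the identifier guard and the sample secret are all illustrative; the secret is constructed so that it is obvious when it has been evaluated rather than stored.

```shell
#!/bin/sh
# Added example, not part of the neo4j entrypoint: three ways to assign a
# variable whose *name* and *value* both arrive at runtime, and why only two
# of them are safe for a value read from a Docker secrets file.

# Guard: accept only a valid shell identifier as the target name, so that a
# malformed or hostile name such as "PATH=/tmp" or "a b" never reaches eval/export.
is_identifier() {
  case $1 in
    ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# UNSAFE: the value is expanded into the string *before* eval parses it, so any
# `$(...)`, `$VAR`, `;` or whitespace inside the secret is live shell syntax.
unsafe_assign() {
  eval "$1=$2"
}

# SAFE (escaped form): eval sees the literal text `NAME=$2` and expands the
# positional parameter itself, as one word, without re-parsing its contents.
eval_assign() {
  eval "$1=\$2"
}

# SAFE (export form, as in the postgres images): the shell builds the single
# word NAME=value and export stores it verbatim.
export_assign() {
  export "$1=$2"
}

# The *_FILE pattern end to end: validate the name, require a readable file,
# read it ($(cat) drops trailing newlines, which is what you want for a
# password written with `echo`), and export under the base name.
# Returns 2 for a bad name, 1 for a missing/unreadable file, 0 on success.
load_secret_file() {
  local name path value
  name=$1
  path=$2
  is_identifier "$name" || { echo "refusing to set invalid variable name '$name'" >&2; return 2; }
  [ -r "$path" ] || { echo "secret file '$path' is missing or unreadable" >&2; return 1; }
  value=$(cat "$path")
  export "$name=$value"
}

# Constructed demo secret: password-like, but carrying a command substitution.
DEMO_SECRET='x$(echo INJECTED)y'

demo() {
  unsafe_assign DEMO_UNSAFE "$DEMO_SECRET"
  eval_assign   DEMO_EVAL   "$DEMO_SECRET"
  export_assign DEMO_EXPORT "$DEMO_SECRET"
  printf 'unsafe eval  : %s\n' "$DEMO_UNSAFE"   # xINJECTEDy  (the echo actually ran)
  printf 'escaped eval : %s\n' "$DEMO_EVAL"     # x$(echo INJECTED)y
  printf 'export       : %s\n' "$DEMO_EXPORT"   # x$(echo INJECTED)y
}
demo
```

A secret containing whitespace is even worse for the unsafe form: `eval "NAME=hunter2 extra"` runs `extra` as a command with `NAME=hunter2` as a temporary environment prefix, so the variable is never set at all and the entrypoint fails in a way that depends on the password's characters.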


github-actions bot commented Oct 3, 2024

Diff for 3a03f87:
diff --git a/_bashbrew-cat b/_bashbrew-cat
index e1ae7b4..9aa5e9a 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -1,4 +1,4 @@
-Maintainers: Jenny Owen <[email protected]> (@jennyowen), Gustav Lindroth <[email protected]> (@glindroth), Eric Sporre <[email protected]> (@ericsporre)
+Maintainers: Jenny Owen <[email protected]> (@jennyowen), Eric Sporre <[email protected]> (@ericsporre), Tobias Ericsson <[email protected]> (@neo-tobias)
 GitRepo: https://github.com/neo4j/docker-neo4j-publish.git
 
 Tags: 4.4.37, 4.4.37-community, 4.4, 4.4-community
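Review bot: the PR description only says a colleague is being added as maintainer, but this Maintainers line also drops Gustav Lindroth (@glindroth) while adding Tobias Ericsson (@neo-tobias); since this line is the list of people entitled to act for the image, the removal should be stated in the description (or acknowledged in review) rather than arrive as a by-product of the addition.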
@@ -11,22 +11,22 @@ Architectures: amd64, arm64v8
 GitCommit: 7422ac53238f689a26144d3c1c5aee434a07a325
 Directory: 4.4.37/bullseye/enterprise
 
-Tags: 5.23.0-community-bullseye, 5.23-community-bullseye, 5-community-bullseye, 5.23.0-community, 5.23-community, 5-community, 5.23.0-bullseye, 5.23-bullseye, 5-bullseye, 5.23.0, 5.23, 5, community-bullseye, community, bullseye, latest
+Tags: 5.24.1-community-bullseye, 5.24-community-bullseye, 5-community-bullseye, 5.24.1-community, 5.24-community, 5-community, 5.24.1-bullseye, 5.24-bullseye, 5-bullseye, 5.24.1, 5.24, 5, community-bullseye, community, bullseye, latest
 Architectures: amd64, arm64v8
-GitCommit: 8e55c5a5629327d318a63703f4f4f361c97c6293
-Directory: 5.23.0/bullseye/community
+GitCommit: b38cae5fc959dd046cfa75bc48248f0ec9d2798b
+Directory: 5.24.1/bullseye/community
 
-Tags: 5.23.0-community-ubi9, 5.23-community-ubi9, 5-community-ubi9, 5.23.0-ubi9, 5.23-ubi9, 5-ubi9, community-ubi9, ubi9
+Tags: 5.24.1-community-ubi9, 5.24-community-ubi9, 5-community-ubi9, 5.24.1-ubi9, 5.24-ubi9, 5-ubi9, community-ubi9, ubi9
 Architectures: amd64, arm64v8
-GitCommit: 8e55c5a5629327d318a63703f4f4f361c97c6293
-Directory: 5.23.0/ubi9/community
+GitCommit: b38cae5fc959dd046cfa75bc48248f0ec9d2798b
+Directory: 5.24.1/ubi9/community
 
-Tags: 5.23.0-enterprise-bullseye, 5.23-enterprise-bullseye, 5-enterprise-bullseye, 5.23.0-enterprise, 5.23-enterprise, 5-enterprise, enterprise-bullseye, enterprise
+Tags: 5.24.1-enterprise-bullseye, 5.24-enterprise-bullseye, 5-enterprise-bullseye, 5.24.1-enterprise, 5.24-enterprise, 5-enterprise, enterprise-bullseye, enterprise
 Architectures: amd64, arm64v8
-GitCommit: 8e55c5a5629327d318a63703f4f4f361c97c6293
-Directory: 5.23.0/bullseye/enterprise
+GitCommit: b38cae5fc959dd046cfa75bc48248f0ec9d2798b
+Directory: 5.24.1/bullseye/enterprise
 
-Tags: 5.23.0-enterprise-ubi9, 5.23-enterprise-ubi9, 5-enterprise-ubi9, enterprise-ubi9
+Tags: 5.24.1-enterprise-ubi9, 5.24-enterprise-ubi9, 5-enterprise-ubi9, enterprise-ubi9
 Architectures: amd64, arm64v8
-GitCommit: 8e55c5a5629327d318a63703f4f4f361c97c6293
-Directory: 5.23.0/ubi9/enterprise
+GitCommit: b38cae5fc959dd046cfa75bc48248f0ec9d2798b
+Directory: 5.24.1/ubi9/enterprise
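Review bot: all four 5.24.1 entries move to the same GitCommit b38cae5fc959dd046cfa75bc48248f0ec9d2798b with Directory paths that match the new version, and the 4.4.37 entries above are untouched, which is consistent. Worth noting in the description: the bare `5`, `community`, `bullseye` and `latest` tags move with this hunk, so `neo4j:latest` goes from 5.23.0 to 5.24.1 and picks up the entrypoint and plugin-list changes further down in the same PR.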
diff --git a/_bashbrew-list b/_bashbrew-list
index 64415db..e6dd758 100644
--- a/_bashbrew-list
+++ b/_bashbrew-list
@@ -13,24 +13,24 @@ neo4j:5-enterprise
 neo4j:5-enterprise-bullseye
 neo4j:5-enterprise-ubi9
 neo4j:5-ubi9
-neo4j:5.23
-neo4j:5.23-bullseye
-neo4j:5.23-community
-neo4j:5.23-community-bullseye
-neo4j:5.23-community-ubi9
-neo4j:5.23-enterprise
-neo4j:5.23-enterprise-bullseye
-neo4j:5.23-enterprise-ubi9
-neo4j:5.23-ubi9
-neo4j:5.23.0
-neo4j:5.23.0-bullseye
-neo4j:5.23.0-community
-neo4j:5.23.0-community-bullseye
-neo4j:5.23.0-community-ubi9
-neo4j:5.23.0-enterprise
-neo4j:5.23.0-enterprise-bullseye
-neo4j:5.23.0-enterprise-ubi9
-neo4j:5.23.0-ubi9
+neo4j:5.24
+neo4j:5.24-bullseye
+neo4j:5.24-community
+neo4j:5.24-community-bullseye
+neo4j:5.24-community-ubi9
+neo4j:5.24-enterprise
+neo4j:5.24-enterprise-bullseye
+neo4j:5.24-enterprise-ubi9
+neo4j:5.24-ubi9
+neo4j:5.24.1
+neo4j:5.24.1-bullseye
+neo4j:5.24.1-community
+neo4j:5.24.1-community-bullseye
+neo4j:5.24.1-community-ubi9
+neo4j:5.24.1-enterprise
+neo4j:5.24.1-enterprise-bullseye
+neo4j:5.24.1-enterprise-ubi9
+neo4j:5.24.1-ubi9
 neo4j:bullseye
 neo4j:community
 neo4j:community-bullseye
diff --git a/neo4j_enterprise-ubi9/Dockerfile b/neo4j_enterprise-ubi9/Dockerfile
index 6d670db..44a4920 100644
--- a/neo4j_enterprise-ubi9/Dockerfile
+++ b/neo4j_enterprise-ubi9/Dockerfile
@@ -50,12 +50,12 @@ RUN set -eux; \
     microdnf remove -y git* perl* make gcc glibc-headers glibc-devel libxcrypt-devel; \
     microdnf clean all
 
-ENV NEO4J_SHA256=9311d86cfe0ace3e5f1463dd92db13117d1aae54358113a291e2ca254faec3d9 \
-    NEO4J_TARBALL=neo4j-enterprise-5.23.0-unix.tar.gz \
+ENV NEO4J_SHA256=c1b51e08cfb5d8063240656ab58ee0766264b63b27cbcdcff2d28e77f8972534 \
+    NEO4J_TARBALL=neo4j-enterprise-5.24.1-unix.tar.gz \
     NEO4J_EDITION=enterprise \
     NEO4J_HOME="/var/lib/neo4j" \
     LANG=C.UTF-8
-ARG NEO4J_URI=https://dist.neo4j.org/neo4j-enterprise-5.23.0-unix.tar.gz
+ARG NEO4J_URI=https://dist.neo4j.org/neo4j-enterprise-5.24.1-unix.tar.gz
 
 COPY ./local-package/* /startup/
 
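Review bot: NEO4J_SHA256, NEO4J_TARBALL and NEO4J_URI move together, so the download stays pinned to the 5.24.1 tarball hash; because NEO4J_URI is an ARG while the hash is an ENV, a `--build-arg NEO4J_URI=...` override still has to produce a tarball matching the pinned hash, which is the right failure mode. The hash is also kept in the runtime environment of the container via ENV, which is harmless but unnecessary; declaring NEO4J_SHA256 as an ARG next to NEO4J_URI would keep it build-time only.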
diff --git a/neo4j_enterprise-ubi9/local-package/docker-entrypoint.sh b/neo4j_enterprise-ubi9/local-package/docker-entrypoint.sh
index d6a65f7..e7021ba 100755
--- a/neo4j_enterprise-ubi9/local-package/docker-entrypoint.sh
+++ b/neo4j_enterprise-ubi9/local-package/docker-entrypoint.sh
@@ -394,6 +394,33 @@ if running_as_root; then
     find "${NEO4J_HOME}"/conf -type f -exec chmod -R 600 {} \;
 fi
 
+## == EXTRACT SECRETS FROM FILES ===
+# These environment variables are set by using docker secrets and they override their equivalent env vars
+# They are suffixed with _FILE and prefixed by the name of the env var they should override
+# e.g. NEO4J_AUTH_FILE will override the value of the NEO4J_AUTH
+# It's best to do this first so that the secrets are available for the rest of the script
+for variable_name in $(printenv | awk -F= '{print $1}'); do
+  # Check if the variable ends with "_FILE"
+  if [[ $variable_name == *"_FILE" ]]; then
+    # Create a new variable name by removing the "_FILE" suffix
+    base_variable_name=${variable_name%_FILE}
+
+    # Get the value of the _FILE variable
+    secret_file_path="${!variable_name}"
+
+    if is_readable "${secret_file_path}"; then
+      # Read the secret value from the file
+      secret_value=$(<"$secret_file_path")
+    else
+      # File not readable
+      echo >&2 "The secret file '$secret_file_path' does not exist or is not readable. Make sure you have correctly configured docker secrets."
+      exit 1
+    fi
+    # Assign the value to the new variable
+    export "$base_variable_name"="$secret_value"
+  fi
+done
+
 # ==== CHECK LICENSE AGREEMENT ====
 
 # Only prompt for license agreement if command contains "neo4j" in it
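Review bot: the loop `for variable_name in $(printenv | awk -F= '{print $1}')` matches every variable ending in `_FILE`, not only `NEO4J_*_FILE`, and the `else` branch does `exit 1`, so any unrelated `*_FILE` variable present in the container environment whose value is not a readable path aborts startup; restricting the match to the `NEO4J_` prefix, or only failing for names the script actually consumes, avoids that. Two smaller points: the names come from word-splitting `printenv` output, so a multi-line value whose continuation line happens to end in `_FILE` is treated as a name and `${!variable_name}` fails with a bad substitution (iterating over `compgen -e` or `env -0` is robust), and the `export "$base_variable_name"="$secret_value"` form is the right one here, since the `eval` form would have had the file contents parsed as shell. The secret ends up in the process environment (visible to child processes and in /proc/<pid>/environ), which is inherent to the `_FILE` convention but deserves a line in the comment block.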
@@ -567,6 +594,12 @@ for i in $( set | grep ^NEO4J_ | awk -F'=' '{print $1}' | sort -rn ); do
     if containsElement "$i" "${not_configs[@]}"; then
         continue
     fi
+
+    # Skip env variables with suffix _FILE, these are docker secrets
+    if [[ "$i" == *"_FILE" ]]; then
+        continue
+    fi
+
     setting=$(echo "${i}" | sed 's|^NEO4J_||' | sed 's|_|.|g' | sed 's|\.\.|_|g')
     value=$(echo "${!i}")
     # Don't allow settings with no value or settings that start with a number (neo4j converts settings to env variables and you cannot have an env variable that starts with a number)
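Review bot: the `*_FILE` skip is case-sensitive, so it does not swallow Neo4j settings whose names end in `_file` (for example `dbms.bloom.license_file` from neo4j-plugins.json would arrive as `NEO4J_dbms_bloom_license__file` under the `_`→`.` / `__`→`_` mapping on the `setting=` line just below); the base variable exported by the secrets loop is still processed like any other `NEO4J_` variable here, which is what makes `NEO4J_AUTH_FILE` a substitute for `NEO4J_AUTH`. Placing the skip after the `containsElement "$i" "${not_configs[@]}"` check is fine since both branches `continue`.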
diff --git a/neo4j_enterprise-ubi9/local-package/neo4j-plugins.json b/neo4j_enterprise-ubi9/local-package/neo4j-plugins.json
index 32c2701..704f544 100644
--- a/neo4j_enterprise-ubi9/local-package/neo4j-plugins.json
+++ b/neo4j_enterprise-ubi9/local-package/neo4j-plugins.json
@@ -21,19 +21,6 @@
       "dbms.bloom.license_file": "/licenses/bloom.license"
     }
   },
-  "graphql": {
-    "versions": "https://neo4j-graphql.github.io/neo4j-graphql/versions.json",
-    "properties": {
-      "dbms.unmanaged_extension_classes": "org.neo4j.graphql=/graphql",
-      "dbms.security.procedures.unrestricted": "graphql.*"
-    }
-  },
-  "graph-algorithms": {
-    "versions": "https://neo4j-contrib.github.io/neo4j-graph-algorithms/versions.json",
-    "properties": {
-      "dbms.security.procedures.unrestricted": "algo.*"
-    }
-  },
   "graph-data-science": {
     "versions": "https://graphdatascience.ninja/versions.json",
     "location": "/var/lib/neo4j/products/neo4j-graph-data-science-*.jar",
diff --git a/neo4j_enterprise/Dockerfile b/neo4j_enterprise/Dockerfile
index d8e5217..ffa42eb 100644
--- a/neo4j_enterprise/Dockerfile
+++ b/neo4j_enterprise/Dockerfile
@@ -2,12 +2,12 @@ FROM debian:bullseye-slim
 ENV JAVA_HOME=/opt/java/openjdk
 COPY --from=eclipse-temurin:17 $JAVA_HOME $JAVA_HOME
 ENV PATH="${JAVA_HOME}/bin:${PATH}" \
-    NEO4J_SHA256=9311d86cfe0ace3e5f1463dd92db13117d1aae54358113a291e2ca254faec3d9 \
-    NEO4J_TARBALL=neo4j-enterprise-5.23.0-unix.tar.gz \
+    NEO4J_SHA256=c1b51e08cfb5d8063240656ab58ee0766264b63b27cbcdcff2d28e77f8972534 \
+    NEO4J_TARBALL=neo4j-enterprise-5.24.1-unix.tar.gz \
     NEO4J_EDITION=enterprise \
     NEO4J_HOME="/var/lib/neo4j" \
     LANG=C.UTF-8
-ARG NEO4J_URI=https://dist.neo4j.org/neo4j-enterprise-5.23.0-unix.tar.gz
+ARG NEO4J_URI=https://dist.neo4j.org/neo4j-enterprise-5.24.1-unix.tar.gz
 
 RUN addgroup --gid 7474 --system neo4j && adduser --uid 7474 --system --no-create-home --home "${NEO4J_HOME}" --ingroup neo4j neo4j
 
diff --git a/neo4j_enterprise/local-package/docker-entrypoint.sh b/neo4j_enterprise/local-package/docker-entrypoint.sh
index d6a65f7..e7021ba 100755
--- a/neo4j_enterprise/local-package/docker-entrypoint.sh
+++ b/neo4j_enterprise/local-package/docker-entrypoint.sh
@@ -394,6 +394,33 @@ if running_as_root; then
     find "${NEO4J_HOME}"/conf -type f -exec chmod -R 600 {} \;
 fi
 
+## == EXTRACT SECRETS FROM FILES ===
+# These environment variables are set by using docker secrets and they override their equivalent env vars
+# They are suffixed with _FILE and prefixed by the name of the env var they should override
+# e.g. NEO4J_AUTH_FILE will override the value of the NEO4J_AUTH
+# It's best to do this first so that the secrets are available for the rest of the script
+for variable_name in $(printenv | awk -F= '{print $1}'); do
+  # Check if the variable ends with "_FILE"
+  if [[ $variable_name == *"_FILE" ]]; then
+    # Create a new variable name by removing the "_FILE" suffix
+    base_variable_name=${variable_name%_FILE}
+
+    # Get the value of the _FILE variable
+    secret_file_path="${!variable_name}"
+
+    if is_readable "${secret_file_path}"; then
+      # Read the secret value from the file
+      secret_value=$(<"$secret_file_path")
+    else
+      # File not readable
+      echo >&2 "The secret file '$secret_file_path' does not exist or is not readable. Make sure you have correctly configured docker secrets."
+      exit 1
+    fi
+    # Assign the value to the new variable
+    export "$base_variable_name"="$secret_value"
+  fi
+done
+
 # ==== CHECK LICENSE AGREEMENT ====
 
 # Only prompt for license agreement if command contains "neo4j" in it
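Review bot: this copy is byte-identical to neo4j_enterprise-ubi9/local-package/docker-entrypoint.sh (same blob ids d6a65f7..e7021ba), so the same two issues apply: the `*_FILE` match is not restricted to `NEO4J_`-prefixed names and `exit 1`s on any unreadable path, and the names are taken from whitespace-split `printenv` output. Since the four entrypoints are maintained as copies, any fix has to land in all four.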
@@ -567,6 +594,12 @@ for i in $( set | grep ^NEO4J_ | awk -F'=' '{print $1}' | sort -rn ); do
     if containsElement "$i" "${not_configs[@]}"; then
         continue
     fi
+
+    # Skip env variables with suffix _FILE, these are docker secrets
+    if [[ "$i" == *"_FILE" ]]; then
+        continue
+    fi
+
     setting=$(echo "${i}" | sed 's|^NEO4J_||' | sed 's|_|.|g' | sed 's|\.\.|_|g')
     value=$(echo "${!i}")
     # Don't allow settings with no value or settings that start with a number (neo4j converts settings to env variables and you cannot have an env variable that starts with a number)
diff --git a/neo4j_enterprise/local-package/neo4j-plugins.json b/neo4j_enterprise/local-package/neo4j-plugins.json
index 32c2701..704f544 100644
--- a/neo4j_enterprise/local-package/neo4j-plugins.json
+++ b/neo4j_enterprise/local-package/neo4j-plugins.json
@@ -21,19 +21,6 @@
       "dbms.bloom.license_file": "/licenses/bloom.license"
     }
   },
-  "graphql": {
-    "versions": "https://neo4j-graphql.github.io/neo4j-graphql/versions.json",
-    "properties": {
-      "dbms.unmanaged_extension_classes": "org.neo4j.graphql=/graphql",
-      "dbms.security.procedures.unrestricted": "graphql.*"
-    }
-  },
-  "graph-algorithms": {
-    "versions": "https://neo4j-contrib.github.io/neo4j-graph-algorithms/versions.json",
-    "properties": {
-      "dbms.security.procedures.unrestricted": "algo.*"
-    }
-  },
   "graph-data-science": {
     "versions": "https://graphdatascience.ninja/versions.json",
     "location": "/var/lib/neo4j/products/neo4j-graph-data-science-*.jar",
diff --git a/neo4j_latest/Dockerfile b/neo4j_latest/Dockerfile
index f29c4ad..96046d5 100644
--- a/neo4j_latest/Dockerfile
+++ b/neo4j_latest/Dockerfile
@@ -2,12 +2,12 @@ FROM debian:bullseye-slim
 ENV JAVA_HOME=/opt/java/openjdk
 COPY --from=eclipse-temurin:17 $JAVA_HOME $JAVA_HOME
 ENV PATH="${JAVA_HOME}/bin:${PATH}" \
-    NEO4J_SHA256=ba71776c80ff5882524e6a535c942776249cffdcd0036baf9e1a1a257722285f \
-    NEO4J_TARBALL=neo4j-community-5.23.0-unix.tar.gz \
+    NEO4J_SHA256=93986d1085b2e50fa1a569876b1a14e4d44b495b670767c0a12697909e8c6aa9 \
+    NEO4J_TARBALL=neo4j-community-5.24.1-unix.tar.gz \
     NEO4J_EDITION=community \
     NEO4J_HOME="/var/lib/neo4j" \
     LANG=C.UTF-8
-ARG NEO4J_URI=https://dist.neo4j.org/neo4j-community-5.23.0-unix.tar.gz
+ARG NEO4J_URI=https://dist.neo4j.org/neo4j-community-5.24.1-unix.tar.gz
 
 RUN addgroup --gid 7474 --system neo4j && adduser --uid 7474 --system --no-create-home --home "${NEO4J_HOME}" --ingroup neo4j neo4j
 
diff --git a/neo4j_latest/local-package/docker-entrypoint.sh b/neo4j_latest/local-package/docker-entrypoint.sh
index d6a65f7..e7021ba 100755
--- a/neo4j_latest/local-package/docker-entrypoint.sh
+++ b/neo4j_latest/local-package/docker-entrypoint.sh
@@ -394,6 +394,33 @@ if running_as_root; then
     find "${NEO4J_HOME}"/conf -type f -exec chmod -R 600 {} \;
 fi
 
+## == EXTRACT SECRETS FROM FILES ===
+# These environment variables are set by using docker secrets and they override their equivalent env vars
+# They are suffixed with _FILE and prefixed by the name of the env var they should override
+# e.g. NEO4J_AUTH_FILE will override the value of the NEO4J_AUTH
+# It's best to do this first so that the secrets are available for the rest of the script
+for variable_name in $(printenv | awk -F= '{print $1}'); do
+  # Check if the variable ends with "_FILE"
+  if [[ $variable_name == *"_FILE" ]]; then
+    # Create a new variable name by removing the "_FILE" suffix
+    base_variable_name=${variable_name%_FILE}
+
+    # Get the value of the _FILE variable
+    secret_file_path="${!variable_name}"
+
+    if is_readable "${secret_file_path}"; then
+      # Read the secret value from the file
+      secret_value=$(<"$secret_file_path")
+    else
+      # File not readable
+      echo >&2 "The secret file '$secret_file_path' does not exist or is not readable. Make sure you have correctly configured docker secrets."
+      exit 1
+    fi
+    # Assign the value to the new variable
+    export "$base_variable_name"="$secret_value"
+  fi
+done
+
 # ==== CHECK LICENSE AGREEMENT ====
 
 # Only prompt for license agreement if command contains "neo4j" in it
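Review bot: byte-identical to the neo4j_enterprise-ubi9 and neo4j_enterprise copies of docker-entrypoint.sh (blob ids d6a65f7..e7021ba), so the unrestricted `*_FILE` match with `exit 1` on an unreadable path, and the whitespace-split `printenv` names, recur here; the `export` assignment form is the correct one. A fix applied to one copy needs to be mirrored to the others.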
@@ -567,6 +594,12 @@ for i in $( set | grep ^NEO4J_ | awk -F'=' '{print $1}' | sort -rn ); do
     if containsElement "$i" "${not_configs[@]}"; then
         continue
     fi
+
+    # Skip env variables with suffix _FILE, these are docker secrets
+    if [[ "$i" == *"_FILE" ]]; then
+        continue
+    fi
+
     setting=$(echo "${i}" | sed 's|^NEO4J_||' | sed 's|_|.|g' | sed 's|\.\.|_|g')
     value=$(echo "${!i}")
     # Don't allow settings with no value or settings that start with a number (neo4j converts settings to env variables and you cannot have an env variable that starts with a number)
diff --git a/neo4j_latest/local-package/neo4j-plugins.json b/neo4j_latest/local-package/neo4j-plugins.json
index 32c2701..704f544 100644
--- a/neo4j_latest/local-package/neo4j-plugins.json
+++ b/neo4j_latest/local-package/neo4j-plugins.json
@@ -21,19 +21,6 @@
       "dbms.bloom.license_file": "/licenses/bloom.license"
     }
   },
-  "graphql": {
-    "versions": "https://neo4j-graphql.github.io/neo4j-graphql/versions.json",
-    "properties": {
-      "dbms.unmanaged_extension_classes": "org.neo4j.graphql=/graphql",
-      "dbms.security.procedures.unrestricted": "graphql.*"
-    }
-  },
-  "graph-algorithms": {
-    "versions": "https://neo4j-contrib.github.io/neo4j-graph-algorithms/versions.json",
-    "properties": {
-      "dbms.security.procedures.unrestricted": "algo.*"
-    }
-  },
   "graph-data-science": {
     "versions": "https://graphdatascience.ninja/versions.json",
     "location": "/var/lib/neo4j/products/neo4j-graph-data-science-*.jar",
diff --git a/neo4j_ubi9/Dockerfile b/neo4j_ubi9/Dockerfile
index 0ea348b..ba24d3b 100644
--- a/neo4j_ubi9/Dockerfile
+++ b/neo4j_ubi9/Dockerfile
@@ -50,12 +50,12 @@ RUN set -eux; \
     microdnf remove -y git* perl* make gcc glibc-headers glibc-devel libxcrypt-devel; \
     microdnf clean all
 
-ENV NEO4J_SHA256=ba71776c80ff5882524e6a535c942776249cffdcd0036baf9e1a1a257722285f \
-    NEO4J_TARBALL=neo4j-community-5.23.0-unix.tar.gz \
+ENV NEO4J_SHA256=93986d1085b2e50fa1a569876b1a14e4d44b495b670767c0a12697909e8c6aa9 \
+    NEO4J_TARBALL=neo4j-community-5.24.1-unix.tar.gz \
     NEO4J_EDITION=community \
     NEO4J_HOME="/var/lib/neo4j" \
     LANG=C.UTF-8
-ARG NEO4J_URI=https://dist.neo4j.org/neo4j-community-5.23.0-unix.tar.gz
+ARG NEO4J_URI=https://dist.neo4j.org/neo4j-community-5.24.1-unix.tar.gz
 
 COPY ./local-package/* /startup/
 
diff --git a/neo4j_ubi9/local-package/docker-entrypoint.sh b/neo4j_ubi9/local-package/docker-entrypoint.sh
index d6a65f7..e7021ba 100755
--- a/neo4j_ubi9/local-package/docker-entrypoint.sh
+++ b/neo4j_ubi9/local-package/docker-entrypoint.sh
@@ -394,6 +394,33 @@ if running_as_root; then
     find "${NEO4J_HOME}"/conf -type f -exec chmod -R 600 {} \;
 fi
 
+## == EXTRACT SECRETS FROM FILES ===
+# These environment variables are set by using docker secrets and they override their equivalent env vars
+# They are suffixed with _FILE and prefixed by the name of the env var they should override
+# e.g. NEO4J_AUTH_FILE will override the value of the NEO4J_AUTH
+# It's best to do this first so that the secrets are available for the rest of the script
+for variable_name in $(printenv | awk -F= '{print $1}'); do
+  # Check if the variable ends with "_FILE"
+  if [[ $variable_name == *"_FILE" ]]; then
+    # Create a new variable name by removing the "_FILE" suffix
+    base_variable_name=${variable_name%_FILE}
+
+    # Get the value of the _FILE variable
+    secret_file_path="${!variable_name}"
+
+    if is_readable "${secret_file_path}"; then
+      # Read the secret value from the file
+      secret_value=$(<"$secret_file_path")
+    else
+      # File not readable
+      echo >&2 "The secret file '$secret_file_path' does not exist or is not readable. Make sure you have correctly configured docker secrets."
+      exit 1
+    fi
+    # Assign the value to the new variable
+    export "$base_variable_name"="$secret_value"
+  fi
+done
+
 # ==== CHECK LICENSE AGREEMENT ====
 
 # Only prompt for license agreement if command contains "neo4j" in it
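Review bot: fourth identical copy of the secrets loop (blob ids d6a65f7..e7021ba); the same points stand: restrict the `*_FILE` match to `NEO4J_`-prefixed names or avoid `exit 1` for names the script does not consume, and derive the names from something more robust than whitespace-split `printenv` output. With four copies of the same script in this diff, a shared source with generated copies would make this kind of review less repetitive.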
@@ -567,6 +594,12 @@ for i in $( set | grep ^NEO4J_ | awk -F'=' '{print $1}' | sort -rn ); do
     if containsElement "$i" "${not_configs[@]}"; then
         continue
     fi
+
+    # Skip env variables with suffix _FILE, these are docker secrets
+    if [[ "$i" == *"_FILE" ]]; then
+        continue
+    fi
+
     setting=$(echo "${i}" | sed 's|^NEO4J_||' | sed 's|_|.|g' | sed 's|\.\.|_|g')
     value=$(echo "${!i}")
     # Don't allow settings with no value or settings that start with a number (neo4j converts settings to env variables and you cannot have an env variable that starts with a number)
diff --git a/neo4j_ubi9/local-package/neo4j-plugins.json b/neo4j_ubi9/local-package/neo4j-plugins.json
index 32c2701..704f544 100644
--- a/neo4j_ubi9/local-package/neo4j-plugins.json
+++ b/neo4j_ubi9/local-package/neo4j-plugins.json
@@ -21,19 +21,6 @@
       "dbms.bloom.license_file": "/licenses/bloom.license"
     }
   },
-  "graphql": {
-    "versions": "https://neo4j-graphql.github.io/neo4j-graphql/versions.json",
-    "properties": {
-      "dbms.unmanaged_extension_classes": "org.neo4j.graphql=/graphql",
-      "dbms.security.procedures.unrestricted": "graphql.*"
-    }
-  },
-  "graph-algorithms": {
-    "versions": "https://neo4j-contrib.github.io/neo4j-graph-algorithms/versions.json",
-    "properties": {
-      "dbms.security.procedures.unrestricted": "algo.*"
-    }
-  },
   "graph-data-science": {
     "versions": "https://graphdatascience.ninja/versions.json",
     "location": "/var/lib/neo4j/products/neo4j-graph-data-science-*.jar",

Relevant Maintainers:

@yosifkit yosifkit merged commit 5375afc into docker-library:master Oct 3, 2024
11 checks passed