This repository has been archived by the owner on Jan 21, 2022. It is now read-only.

Releases: cloudfoundry-attic/cf-release

v247

18 Nov 19:59

The cf-release v247 was released on November 17, 2016.

Contents:

CC and Service Broker APIs

Contains CAPI release v1.11.0. Release notes for v1.11.0

Identity

Updated to UAA 3.9.0

Routing

No changes

Loggregator

This release includes support for gRPC which enables TLS. For notes about setting up certs see: https://github.com/cloudfoundry/loggregator#generating-tls-certificates

Buildpacks and Stacks

stacks

updated to 1.90.0 (from 1.89.0)

1.90.0

Notably, this release addresses:

USN-3116-1: DBus vulnerabilities Ubuntu Security Notice USN-3116-1:

  • CVE-2015-0245: D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9.x before 1.9.10 does not validate the source of ActivationFailure signals, which allows local users to cause a denial of service (activation failure error returned) by leveraging a race condition involving sending an ActivationFailure signal before systemd responds.

USN-3117-1: GD library vulnerabilities Ubuntu Security Notice USN-3117-1:

  • CVE-2016-6911: invalid read in gdImageCreateFromTiffPtr()
  • CVE-2016-7568: Integer overflow in the gdImageWebpCtx function in gd_webp.c in the GD Graphics Library (aka libgd) through 2.2.3, as used in PHP through 7.0.11, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted imagewebp and imagedestroy calls.
  • CVE-2016-8670: Stack Buffer Overflow in GD dynamicGetbuf

USN-3119-1: Bind vulnerability Ubuntu Security Notice USN-3119-1:

  • CVE-2016-8864: A problem handling responses containing a DNAME answer can lead to an assertion failure

USN-3123-1: curl vulnerabilities Ubuntu Security Notice USN-3123-1:

  • CVE-2016-7141: curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420.
  • CVE-2016-7167: Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow.
  • CVE-2016-8615: cookie injection for other servers
  • CVE-2016-8616: case insensitive password comparison
  • CVE-2016-8617: OOB write via unchecked multiplication
  • CVE-2016-8618: double-free in curl_maprintf
  • CVE-2016-8619: double-free in krb5 code
  • CVE-2016-8620: glob parser write/read out of bounds
  • CVE-2016-8621: curl_getdate read out of bounds
  • CVE-2016-8622: URL unescape heap overflow via integer truncation
  • CVE-2016-8623: Use-after-free via shared cookies
  • CVE-2016-8624: invalid URL parsing with '#'

dotnet-core-buildpack

v1.0.5

CF v247 is the first CF release to include the .NET Core buildpack. This buildpack adds support for .NET Core apps on the cflinuxfs2 stack.

DEA-Warden-HM9000 Runtime

This section will be updated soon. If this section is not yet up-to-date, please reach out for information:

Internal Components

postgres-release (includes postgres job)

No changes.

etcd-release (includes etcd and etcd_metrics_server jobs)

  • Bumped from v77 to v85. Functional changes:
    • Bump golang to 1.7.3 details
    • Properly set ulimit for the etcd process details
    • Make bind addresses configurable for etcd and proxy details
    • Fix submodule URL in etcd_metrics_server details

consul-release (includes consul_agent job)

  • Bumped from v133 to v135. Functional changes:
    • Properly set ulimit for consul process details

nats-release (includes nats and nats_stream_forwarder jobs)

  • No changes.

Recommended Versions of Additional Releases

These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.

Although it's still considered experimental, we have started to test CF against the new netman release. It's not recommended for production, but for those deploying it, here is the information for netman-release:

Job Spec Changes

  • Add etcd.client_ip and etcd.peer_ip to allow specifying the bind address for the etcd server details
  • Add etcd_proxy.ip to allow specifying the bind address for the etcd proxy server details

Recommended BOSH Stemcell Versions

  • real IaaS: 3309
  • BOSH-Lite: 3309

Note: For AWS you should use the Xen-HVM stemcells rather than Xen.

These are soft recommendations; several di...

v246

07 Nov 17:55

The cf-release v246 was released on November 03, 2016.

IMPORTANT

  • With this release UAA defaults to enforcing signature validation on incoming SAML assertions. Please make sure any SAML Identity Provider configured for UAA is sending only signed SAML assertions.

Contents:

CC and Service Broker APIs

Contains CAPI release v1.10.0. Release notes for v1.8.0, v1.9.0, and v1.10.0

Identity

Updated to UAA Release 3.8.0
Spec changes can be found here

Routing

Routing-release bumped to 0.141.0

Loggregator

No changes.

Buildpacks and Stacks

stacks

updated to 1.89.0 (from 1.86.0)

1.89.0

No CVEs present. Notably, this release introduces the libsasl2-dev package.

1.88.0

No CVEs present.

1.87.0

No CVEs present.

binary-buildpack

updated to v1.0.5 (from v1.0.4)

v1.0.5

go-buildpack

updated to v1.7.14 (from v1.7.13)

v1.7.14

Default binary versions: go 1.6.3

java-buildpack

updated to v3.10 (from v3.9)

v3.10

I'm pleased to announce the release of the java-buildpack, version 3.10. This release updates the Dynatrace frameworks.

For a more detailed look at the changes in 3.10, please take a look at the commit log. Packaged versions of the buildpack, suitable for use with create-buildpack and update-buildpack, can be found attached to this release.

nodejs-buildpack

updated to v1.5.22 (from v1.5.21)

v1.5.22

  • Add node 6.9.0 and 6.8.1, remove node 6.6.0 and 6.7.0
  • Add node 0.10.48, remove node 0.10.46
  • Add node 0.12.17, remove node 0.12.15
  • Add node 4.6.1, remove node 4.5.0
  • Address USN-3087-1: OpenSSL vulnerabilities with node 6.8.1 and 6.9.0
  • NOTICE: Node.js 0.10 will be removed after October 31, 2016 due to end of LTS

Default binary versions: node 4.6.0

php-buildpack

updated to v4.3.21 (from v4.3.20)

v4.3.21

  • Address USN-3095-1 and associated CVEs with PHP 5.6.27 and 7.0.12
  • Add support for rdkafka in PHP 7
  • Add php 5.6.26 and 5.6.27, remove php 5.6.24 and 5.6.25
  • Add php 7.0.11 and 7.0.12, remove php 7.0.9 and 7.0.10
  • Add nginx 1.11.5, remove nginx 1.11.4
  • Add nginx 1.10.2, remove nginx 1.10.1

Default binary versions: php 5.5.38, composer 1.2.1, httpd 2.4.23, newrelic 6.3.0.161, nginx 1.11.5

python-buildpack

updated to v1.5.11 (from v1.5.10)

v1.5.11

Default binary versions: python 2.7.12

ruby-buildpack

updated to v1.6.27 (from v1.6.26)

v1.6.27

  • Add node 4.6.1, remove node 4.6.0
  • Add bundler 1.13.5, remove bundler 1.13.1

Default binary versions: ruby 2.3.1, node 4.6.1

staticfile-buildpack

updated to v1.3.12 (from v1.3.11)

v1.3.12

DEA-Warden-HM9000 Runtime

  • Fixed container startup issues with Linux 4.4
  • Improved HM9000 actual state processing time for large number of instances (> 10k)
  • Reduced connection count to etcd on start when there is a stampede on start (35k -> 65)

Internal Components

postgres-release (includes postgres job)

  • No changes.

etcd-release (includes etcd and etcd_metrics_server jobs)

  • Bumped from v73 to v77. Functional changes:
  • Add network diagnostics logging to etcd job details

consul-release (includes consul_agent job)

  • Bumped from v126 to v133. Functional changes:
  • consul_agent job only drains when in server mode, not in client mode. details
  • Set performance raft_multiplier to 1 for Consul process. details
  • Change default value of consul.agent.dns_config.allow_stale to true and consul.agent.dns_config.max_stale to 30s in consul_agent job. details
  • consul_agent job running in mode: server no longer needs to be configured with consul.agent_cert or consul.agent_key properties. details

nats-release (includes nats and nats_stream_forwarder jobs)

  • Bumped from v11 to v14. Functional changes: bump to golang 1.7, enables forwarding of nats logs to a syslog drain

Recommended Versions of Additional Releases

These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.

Job Spec Changes

v245

11 Oct 18:33

The cf-release v245 was released on October 09, 2016.

IMPORTANT

  • This release fixes a critical security vulnerability pertaining to command injection. Please see the mailing list thread on CVE 2016-6655 for more details. Operators are strongly encouraged to update to this latest version of cf-release.
  • This release includes a significant migration of the CCDB that is the first step to releasing the CC V3 API. Please see the release notes for CAPI v1.6.0 for details.
  • CVE-2016-6658: The Cloud Controller in CF-245 contains a fix for a medium CVE where apps using custom buildpack urls could contain credentials. This fix ensures that urls containing credentials are either encrypted or stored in an obfuscated format at rest. This is a continuation of CVE-2016-6638 originally reported fixed in CF-241.

KNOWN ISSUES

  • The included version of CAPI Release contains an issue staging Python buildpack based apps and apps using any buildpack that doesn't return process types in the staging result. We've prioritized this bug at the top of our backlog. Workaround is to add a Procfile containing any command, e.g. web: foo.

Contents:

CC and Service Broker APIs

Contains CAPI release v1.7.0. Release notes for v1.6.0 and v1.7.0

Identity

No Changes

Routing

Routing-release bumped to 0.140.0

Loggregator

No Changes

Buildpacks and Stacks

stacks

updated to 1.86.0 (from 1.84.0)

1.86.0

Notably, this release addresses USN-3096-1: NTP vulnerabilities Ubuntu Security Notice USN-3096-1. As cflinuxfs2 only includes the ntpdate package, many of these CVEs may not apply.

  • CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode
  • CVE-2015-7974: NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."
  • CVE-2015-7975: ntpq buffer overflow
  • CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames
  • CVE-2015-7977: reslist NULL pointer dereference
  • CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list
  • CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode
  • CVE-2015-8138: Zero Origin Timestamp Bypass, AKA: Additional KoD Checks
  • CVE-2015-8158: Potential Infinite Loop in ntpq
  • CVE-2016-0727: NTP statsdir cleanup cronjob insecure
  • CVE-2016-1547: Validate crypto-NAKs, AKA: nak-dos
  • CVE-2016-1548: Interleave-pivot
  • CVE-2016-1550: Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA: authdecrypt-timing
  • CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion botch
  • CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
  • CVE-2016-4954: The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication.
  • CVE-2016-4955: ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time.
  • CVE-2016-4956: ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-1548.

1.85.0

Notably, this release addresses USN-3088-1: Bind vulnerability Ubuntu Security Notice USN-3088-1:

nodejs-buildpack

updated to v1.5.21 (from v1.5.20)

v1.5.21

  • Address USN-3087-1: OpenSSL vulnerabilities by updating node.
    The new versions of node included in this buildpack are built
    against the patched version of OpenSSL
    (https://www.pivotaltracker.com/story/show/130945067)
  • Updated node: 0.10.47, 0.12.16, 4.6.0, 6.7.0

Default binary versions: node 4.6.0

ruby-buildpack

updated to v1.6.26 (from v1.6.25)

v1.6.26

Default binary versions: ruby 2.3.1, node 4.6.0

DEA-Warden-HM9000 Runtime

This section will be updated soon. If this section is not yet up-to-date, please reach out for information:

Internal Components

postgres-release (includes postgres job)

  • Bumped from v5 to v6. No functional changes.

etcd-release (includes etcd and etcd_metrics_server jobs)

  • Bumped from v66 to v73. Functional changes:
    • Added -debug flag to uses of the etcdctl CLI to improve debuggability. details
    • Added etcd_consistency_checker process to etcd job. details
    • Added etcd network diagnostics logging to etcd job. details

consul-release (includes consul_agent job)

  • Bumped from v125 to v126. Functional changes:
    • consul_agent job will now use sed instead of awk -W in agent_ctl script. details

nats-release (includes nats and nats_stream_forwarder jobs)

  • No change, still at v11.

Recommended Versions of Additional Releases

These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.

v244

29 Sep 18:09

The cf-release v244 was released on September 28, 2016.

IMPORTANT

  • From this release onwards, Loggregator no longer registers its legacy logging_endpoint with the router. This makes the legacy endpoints on Traffic Controller inaccessible.

Contents:

CC and Service Broker APIs

No Change

Identity

Updated to UAA Release 3.7.4

Routing

No changes

Loggregator

  • Metron attempts initial reconnection to etcd using exponential backoff strategy up to 15 times instead of panicking immediately.
  • Property name changes in loggregator_trafficcontroller/spec
    • doppler.uaa_client_id replaces loggregator.uaa.client
    • uaa.clients.doppler.secret replaces loggregator.uaa.client_secret
    • doppler.outgoing_port replaces loggregator.doppler_port
  • Property name changes in metron_agent/spec
    • metron_agent.listening_port replaces metron_agent.dropsonde_incoming_port
  • The Loggregator Consumer endpoint no longer gets a route registered in this release. This makes the Loggregator Consumer endpoint inaccessible in this release. The loggregator_consumer library is deprecated in favor of noaa which makes use of the new endpoints as described here.

Buildpacks and Stacks

stacks

updated to 1.84.0 (from 1.80.0)

1.84.0

Notably, this release addresses USN-3087-2: OpenSSL regression.

USN-3087-2 is a fix for a regression introduced by USN-3087-1, which was included in cflinuxfs2 1.83.0.

1.83.0

Notably, this release addresses USN-3087-1: OpenSSL vulnerabilities Ubuntu Security Notice USN-3087-1:

  • CVE-2016-2177: OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.
  • CVE-2016-2178: The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.
  • CVE-2016-2179: The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c.
  • CVE-2016-2180: The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted time-stamp file that is mishandled by the "openssl ts" command.
  • CVE-2016-2181: The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records, related to rec_layer_d1.c and ssl3_record.c.
  • CVE-2016-2182: The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
  • CVE-2016-2183: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
  • CVE-2016-6302: The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short.
  • CVE-2016-6303: Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
  • CVE-2016-6304: OCSP Status Request extension unbounded memory growth
  • CVE-2016-6306: In ssl3_get_client_certificate, ssl3_get_server_certificate and ssl3_get_certificate_request, check we have enough room before reading a length.

1.82.0

To address RFC #36, this release upgrades Ruby from 2.2.4 to 2.3.1.

This release also addresses USN-3085-1: GDK-PixBuf vulnerabilities Ubuntu Security Notice USN-3085-1:

  • CVE-2015-7552: Heap-based buffer overflow in the gdk_pixbuf_flip function in gdk-pixbuf-scale.c in gdk-pixbuf 2.30.x allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted BMP file.
  • CVE-2015-8875: Multiple integer overflows in the (1) pixops_composite_nearest, (2) pixops_composite_color_nearest, and (3) pixops_process functions in pixops/pixops.c in gdk-pixbuf before 2.33.1 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted image, which triggers a heap-based buffer overflow.
  • CVE-2016-6352: Write out-of-bounds

1.81.0

No CVEs present.

binary-buildpack

updated to v1.0.4 (from v1.0.3)

v1.0.4

Highlights:

  • Updated various buildpack development dependencies

go-buildpack

updated to v1.7.13 (from v1.7.12)

v1.7.13

Highlights:

  • Add go 1.7.1

Default binary versions: go 1.6.3

nodejs-buildpack

updated to v1.5.20 (from v1.5.19)

v1.5.20

Highlights:

  • WARNING: This buildpack is vulnerable to high CVE 2016-6304. Please upgrade to 1.5.21 ASAP.
  • Add node 6.6.0, remove node 6.4.0

Default binary versions: node 4.5.0

php-buildpack

updated to v4.3.20 (from v4.3.19)

v4.3.20

Highlights:

  • Enable mssql and pdo-dblib support for PHP
  • Update modules: cassandra, xdebug, yaf, twig, php-protobuf
  • Updated dependencies: nginx, composer

Default binary versions: php 5.5.38, composer 1.2.1, httpd 2.4.23, newrelic 6.3.0.161, nginx 1.11.4

python-buildpack

updated to v1.5.10 (from v1.5.9)

v1.5.10

  • Lock version of conda to 4.1.11

Default binary versions: python 2.7.12

ruby-buildpack

updated to v1.6.25 (from v1.6.24)

v1.6.25

  • WARNING: This buildpack is vulnerable to high CVE 2016-6304. Please upgrade to 1.6.26 ASAP.
  • Remove vendored libyaml
  • Update bundler

Default binary versions: ruby 2.3.1, node 4.5.0

staticfile-buildpack

updated to v1.3.11 (from v1.3.10)

v1.3.11

  • Update nginx
  • Redact credentials from URLs in a cached and uncached buildpack output

DEA-Warden-HM9000 Runtime

No changes

v243

22 Sep 02:44

The cf-release v243 was released on September 21, 2016.

IMPORTANT

Contents:

CC and Service Broker APIs

No Change

Identity

This release includes UAA 3.7.3
This is a security release which addresses CVE-2016-6651 Privilege Escalation in UAA

Routing

Routing-release bumped to 0.138.0

Loggregator

No changes

Buildpacks and Stacks

java-buildpack

updated to v3.9 (from v3.8.1)

v3.9

I'm pleased to announce the release of the java-buildpack, version 3.9. This release has no theme per se, but has a number of important updates collected within it.

For a more detailed look at the changes in 3.9, please take a look at the commit log.

DEA-Warden-HM9000 Runtime

No Change

Internal Components

postgres-release (includes postgres job)

  • No changes, still at v5.

etcd-release (includes etcd and etcd_metrics_server jobs)

  • No changes, still at v66.

consul-release (includes consul_agent job)

  • No changes, still at v110.

nats-release (includes nats and nats_stream_forwarder jobs)

  • No changes, still at v11.

Recommended Versions of Additional Releases

These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.

Job Spec Changes

Recommended BOSH Stemcell Versions

  • real IaaS: 3262.14
  • BOSH-Lite: 3262.2

Note: For AWS you should use the Xen-HVM stemcells rather than Xen.

These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.

v242

13 Sep 23:59

The cf-release v242 was released on September 13, 2016.

IMPORTANT

  • Starting with this release the format for bootstrapping UAA Users and Groups has been switched from a pipe format to a struct format.

    The previous format for uaa.scim.users was:

      - marissa|koala|[email protected]|Marissa|Bloggs|scim.write,scim.read,openid

    The new format for uaa.scim.users is:

      - name: marissa
        password: koala
        email: [email protected]
        firstName: Marissa
        lastName: Bloggs
        groups:
          - scim.write
          - scim.read
          - openid

    The previous format for uaa.scim.groups was:

      group1,group2,group3

    The new format for uaa.scim.groups is:

      group1: 'My test group description'
      group2: 'My other test group description'
      group3: 'My next group description'

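Operators with existing manifests have to rewrite every legacy pipe-delimited entry into the struct form above before deploying this release. The converter below is an added example, not code from cf-release or UAA: it parses the six-field pipe format for uaa.scim.users, splits the comma-separated group list, maps the old comma-separated uaa.scim.groups string onto the new name-to-description map (the legacy format carries no descriptions, so the caller supplies a placeholder), and renders the result as YAML without depending on PyYAML. The sample entries, the example.com address and the function names are all constructed for this example.

```python
"""Convert legacy pipe-format uaa.scim.users / uaa.scim.groups entries into the
struct format introduced in cf-release v242.

Added example, not part of cf-release or UAA. Sample data is constructed.
"""

from typing import Dict, List

# Field order of the legacy pipe format:
#   name|password|email|firstName|lastName|group1,group2,...
LEGACY_USER_FIELDS = ("name", "password", "email", "firstName", "lastName")


def convert_user(legacy: str) -> Dict[str, object]:
    """Parse one legacy user line (with or without a leading "- ") into the struct form.

    The pipe format cannot represent a '|' inside a value, so any line that does
    not split into exactly six fields is rejected rather than silently mis-parsed.
    """
    parts = legacy.strip().lstrip("- ").split("|")
    if len(parts) != 6:
        raise ValueError(f"expected 6 pipe-separated fields, got {len(parts)}: {legacy!r}")
    user: Dict[str, object] = dict(zip(LEGACY_USER_FIELDS, parts[:5]))
    # Drop empty names so "a,,b" or a trailing comma never yields a blank group.
    user["groups"] = [g for g in (x.strip() for x in parts[5].split(",")) if g]
    return user


def convert_groups(legacy: str, description: str = "") -> Dict[str, str]:
    """Map the legacy comma-separated group list onto the new name -> description form.

    Legacy entries carry no description, so the same caller-supplied placeholder
    (an assumption of this example) is used for every group.
    """
    return {g: description for g in (x.strip() for x in legacy.split(",")) if g}


def _q(value: str) -> str:
    """Single-quote a YAML scalar so ':' or '#' in a password stays literal."""
    return "'" + value.replace("'", "''") + "'"


def render_users_yaml(users: List[Dict[str, object]]) -> str:
    """Render converted users as the uaa.scim.users manifest fragment."""
    lines = ["uaa:", "  scim:", "    users:"]
    for u in users:
        lines.append(f"    - name: {_q(str(u['name']))}")
        for key in ("password", "email", "firstName", "lastName"):
            lines.append(f"      {key}: {_q(str(u[key]))}")
        lines.append("      groups:")
        for g in u["groups"]:  # type: ignore[union-attr]
            lines.append(f"        - {_q(g)}")
    return "\n".join(lines) + "\n"


def render_groups_yaml(groups: Dict[str, str]) -> str:
    """Render converted groups as the uaa.scim.groups manifest fragment."""
    lines = ["uaa:", "  scim:", "    groups:"]
    for name, desc in groups.items():
        lines.append(f"      {name}: {_q(desc)}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed legacy entries, mirroring the shape shown in the release note.
    legacy_users = [
        "- marissa|koala|marissa@example.com|Marissa|Bloggs|scim.write,scim.read,openid",
    ]
    legacy_groups = "group1,group2,group3"
    print(render_users_yaml([convert_user(u) for u in legacy_users]))
    print(render_groups_yaml(convert_groups(legacy_groups, "TODO: add description")))
```

Run it against the users and groups strings from an old manifest and paste the output into the new one; review the placeholder descriptions before deploying, since the legacy format never recorded them.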
Contents:

CC and Service Broker APIs

Contains CAPI release v1.5.0. Release notes for v1.4.0 and v1.5.0

Identity

Updated to UAA 3.7.0

Routing

No change.

Loggregator

  • Loggregator Traffic Controllers now run consul_agent template to be discoverable via consul DNS.
  • dea_logging_agent now lives in its own repository. It is now submoduled within loggregator for backward compatibility. However, the intention is to move it directly under cf-release and out of Loggregator.
  • Loggregator components are now packaged with golang1.7
  • DopplerServer.sentMessagesFirehose no longer appends the subscription_id to the metric name, instead it adds subscription_id as a tag.
  • No longer supporting message aggregation of HttpStart and HttpStop messages in Metron Agent.

Buildpacks and Stacks

stacks

updated to 1.80.0 (from 1.78.0)

1.80.0

Minor curl and ISC DHCP updates. No CVEs present.

1.79.0

Minor Linux kernel header upgrade. No CVEs present.

go-buildpack

updated to v1.7.12 (from v1.7.11)

v1.7.12

Highlights:

Default binary versions: go 1.6.3

nodejs-buildpack

updated to v1.5.19 (from v1.5.18)

v1.5.19

Highlights:

Default binary versions: node 4.5.0

php-buildpack

updated to v4.3.19 (from v4.3.17)

v4.3.19

Highlights:

Default binary versions: php 5.5.38, composer 1.2.0, httpd 2.4.23, newrelic 6.3.0.161, nginx 1.11.3

v4.3.18

Highlights:

Default binary versions: php 5.5.38, composer 1.2.0, httpd 2.4.23, newrelic 6.3.0.161, nginx 1.11.3

ruby-buildpack

updated to v1.6.24 (from v1.6.21)

v1.6.24

Default binary versions: ruby 2.3.1, node 4.5.0

v1.6.23

Highlights:

Default binary versions: ruby 2.3.1, node 4.5.0

v1.6.22

Highlights:

Default binary versions: ruby 2.3.1, node 4.5.0

DEA-Warden-HM9000 Runtime

No changes

Internal Components

postgres-release (includes postgres job)

  • No changes.

etcd-release (includes etcd and etcd_metrics_server jobs)

  • No changes.

consul-release (includes consul_agent job)

  • Bumped from v108 to v110. No major functional changes, but several implementation changes from pull request to support consul_agent job on BOSH Windows stemcells.

nats-release (includes nats and nats_stream_forwarder jobs)

  • Bumped from v8 to v11. Functional changes:
    • Introduce BOSH links for nats.user, nats.password, nats.port (and implicitly, nats.machines) properties on nats job, including adding default value of 4222 to nats.port property. details

Recommended Versions of Additional Releases

These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.

Job Spec Changes

Recommended BOSH Stemcell Versions

  • real IaaS: 3262.12
  • BOSH-Lite: 3262.2

Note: For AWS you should use the Xen-HVM stemcells rather than Xen.

These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.

v241

29 Aug 21:54

The cf-release v241 was released on August 29, 2016.

IMPORTANT

  • UPDATE 2016-09-02 17:06 UTC - MySQL implicitly ends transactions before (and often after) certain statements, including DDL statements. A Cloud Controller database migration in CF-241 is encrypting the specified buildpack of an application, as this column could contain a Git URL containing a username and password. To perform this migration, it creates new columns, encrypts the existing buildpack data and saves it to the new columns, then deletes the old column. This results in a period of time where Cloud Controllers running the code from a previous release can potentially write data to the old column, which is about to be deleted, when an app is pushed with a specified buildpack. While these sorts of migrations are uncommon, this is not the first time Cloud Controller has made this sort of migration. Operators that are particularly sensitive to this can always scale their Cloud Controller to a single instance in order to take downtime while the migration is performed. The CAPI team intends to explore how we can make migrations on MySQL better in the future.
  • UPDATE 2016-09-01 21:36 UTC - The underlying Sequel gem automatically runs migrations in a transaction for RDBMs that support transactions for DDL statements. This means PostgreSQL will run the entire migration in a transaction, but MySQL will not. We are still determining the proper steps to take for MySQL.
  • UPDATE 2016-09-01 17:25 UTC - The Cloud Controller database migration in CF-241 is not wrapped in a transaction. During a rolling deploy of Cloud Controllers, API requests to Cloud Controllers with the previous code could result in data inconsistencies. We will update these release notes when we determine the proper resolution.
  • CVE-2016-6638: The Cloud Controller in CF-241 contains a database migration to encrypt an app's specified buildpack at rest. Although it is not recommended, a user could specify a git buildpack url containing a username and password. This migration will cause /v2/apps API (or any API call that returns app resource data through inline-relations-depth or summary endpoints) to fail during the rolling deploy as the migration is performed before the updated Cloud Controller(s) are deployed.
  • This release updates the version of PostgreSQL used in the postgres job to 9.4.9 from 9.4.6. This also drops support for being able to upgrade from PostgreSQL 9.4.2. Before upgrading to this or later versions of cf-release, you must first upgrade to v226 or higher.
  • This release introduces official support for running the etcd cluster (shared by several components such as Routing API and the loggregator subsystem, but not Diego which uses its own secure cluster) in secure TLS mode. Upgrading an existing deployment with an insecure etcd cluster to a secure one with minimal downtime is non-trivial. Instructions and additional information for this procedure can be found here. If you are using the manifest generation scripts included within the cf-release repo to generate manifests, you're strongly recommended to upgrade to a secure etcd cluster at this point. The instructions above assume you are upgrading to a secure etcd cluster from a pre-v241 Cloud Foundry deployment and will not apply as smoothly if you later attempt to upgrade a post-v241 non-TLS etcd cluster to a TLS cluster within the Cloud Foundry deployment.

Contents:

CC and Service Broker APIs

Contains CAPI release v1.3.0. Release notes for v1.2.0 and v1.3.0

Identity

No Changes

Routing

Routing release bumped to 0.137.0 - Release Notes

Loggregator

  • Loggregator now provides metron_agent_windows so you can run the Metron Agent on Microsoft Windows Diego Cells.
  • Loggregator now supports dynamic IPs after fixing this issue.

Buildpacks and Stacks

stacks

updated to 1.78.0 (from 1.72.0)

1.78.0

USN-3067-1: HarfBuzz vulnerabilities Ubuntu Security Notice USN-3067-1:

  • CVE-2015-8947: hb-ot-layout-gpos-table.hh in HarfBuzz before 1.0.5 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted data, a different vulnerability than CVE-2016-2052.
  • CVE-2016-2052: Multiple unspecified vulnerabilities in HarfBuzz before 1.0.6, as used in Google Chrome before 48.0.2564.82, allow attackers to cause a denial of service or possibly have other impact via crafted data, as demonstrated by a buffer over-read resulting from an inverted length check in hb-ot-font.cc, a different issue than CVE-2015-8947.

USN-3068-1: Libidn vulnerabilities Ubuntu Security Notice USN-3068-1:

  • CVE-2015-2059: The stringprep_utf8_to_ucs4 function in libidn before 1.31, as used in jabberd2, allows context-dependent attackers to read system memory and possibly have other unspecified impact via invalid UTF-8 characters in a string, which triggers an out-of-bounds read.
  • CVE-2015-8948: Solve out-of-bounds-read when reading one zero byte as input
  • CVE-2016-6261: out-of-bounds stack read in idna_to_ascii_4i
  • CVE-2016-6262: Solve out-of-bounds-read when reading one zero byte as input
  • CVE-2016-6263: stringprep_utf8_nfkc_normalize reject invalid UTF-8

1.77.0

USN-3064-1: GnuPG vulnerability Ubuntu Security Notice USN-3064-1:

USN-3065-1: Libgcrypt vulnerability Ubuntu Security Notice USN-3065-1:

1.76.0

USN-3063-1: Fontconfig vulnerability Ubuntu Security Notice USN-3063-1:

  • CVE-2016-5384: fontconfig before 2.12.1 does not validate offsets, which allows local users to trigger arbitrary free calls and consequently conduct double free attacks and execute arbitrary code via a crafted cache file.

1.75.0

USN-3061-1: OpenSSH vulnerabilities Ubuntu Security Notice USN-3061-1:

  • CVE-2016-6210: User enumeration via covert timing channel
  • CVE-2016-6515: The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string.

1.74.0

USN-3060-1: GD library vulnerabilities Ubuntu Security Notice USN-3060-1:

1.73.0

USN-3048-1: curl vulnerabilities Ubuntu Security Notice USN-3048-1:

python-buildpack

updated to v1.5.9 (from v1.5.8)

v1.5.9

v240

15 Aug 17:11

The cf-release v240 was released on August 09, 2016.

Contents:

CC and Service Broker APIs

Contains CAPI release v1.1.0. Release notes for v1.1.0

DEA-Warden-HM9000 Runtime

  • No changes

Buildpacks and Stacks

stacks

updated to 1.72.0 (from 1.69.0)

1.72.0

1.71.0

1.70.0

binary-buildpack

updated to v1.0.3 (from v1.0.2)

v1.0.3

go-buildpack

updated to v1.7.11 (from v1.7.8)

v1.7.11

v1.7.10

v1.7.9

nodejs-buildpack

updated to v1.5.18 (from v1.5.15)

v1.5.18

v1.5.17

v1.5.16

php-buildpack

updated to v4.3.17 (from v4.3.14)

v4.3.17

v4.3.16

v4.3.15

python-buildpack

updated to v1.5.8 (from v1.5.7)

v1.5.8

ruby-buildpack

updated to v1.6.20 (from v1.6.19)

v1.6.20

staticfile-buildpack

updated to v1.3.10 (from v1.3.9)

v1.3.10

Identity

Updated to UAA release 3.4.2

Routing

Routing release bumped to 0.136.0 - Release Notes

  • Authors of components that use route-registrar can now provide a route_service_url so that requests to the route are proxied to the route service details
  • route-registrar process is no longer run as root details
  • route-registrar source has been moved to routing-release and is symlinked in cf-release details, more details

Loggregator

Internal Components

postgres-release (includes postgres job)

  • Extracted this release out of cf-release into its own separate release (with no functional changes). [repo][bosh.io][details]

etcd-release (includes etcd and etcd_metrics_server jobs)

  • Bumped from v58 to v63. Functional changes:
    • Bumped version of Golang used by this release from 1.6.1 to 1.6.3 details

consul-release (includes consul_agent job)

  • Bumped from v92 to v101. Functional changes:
    • Fix consul_agent job when running on BOSH VMs with multiple dynamic networks. details
    • Bumped version of Golang used by this release from 1.6.1 to 1.6.3 details
    • BOSH manifest configuration for the consul_agent job only requires the certificates and keys necessary for the configured mode of operation, i.e. in "server" mode the client certificate and signing key do not need to be configured, and in "client" mode the server certificate and key do not need to be configured. details
    • The consul_agent job in server mode is now resilient to job name changes, to support transitioning from a "BOSH 1.0"-style deployment to a "BOSH 2.0"-style deployment that is likely to collapse multiple jobs across AZs into a single instance group using the migrated_from and azs features. details

nats-release (includes nats and nats_stream_forwarder jobs)

  • Bumped from 219e93bd to 6c1a563b. Functional changes:
    • Bumped version of Golang used by this release from 1.6.1 to 1.6.3 details

Job Spec Changes

  • Added cc.run_prestart_migrations (default true) that can be disabled on deployments where the CCDB is collocated with the Cloud Controller and is unavailable during pre-start.

Recommended BOSH Stemcell Versions

  • real IaaS: 3262.4
  • BOSH-Lite: 3262.2

Note: For AWS you should use the Xen-HVM stemcells rather than Xen.

These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed below.

Recommended Versions of Additional Releases

These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.

v239

15 Jul 20:13

The cf-release v239 was released on July 13, 2016.

IMPORTANT

  • Known issue: The WebDAV blobstore and Cloud Controller API / Clock / Worker jobs are unable to start after a VM restart because creation of the run directory for each process, /var/vcap/data/sys/run/*, was moved to the bosh pre-start script. The jobs are unable to start because /var/vcap/data/sys/run is mounted on a temporary filesystem and the bosh pre-start script is not executed on VM restart, only on deployment. A fix is in the pipeline for CF-240. To work around this issue, operators can do a bosh deploy, which will recognize the failing jobs and properly create the run directory.
  • In an effort to not run processes as a privileged user, the WebDAV blobstore must now run on unprivileged ports. By default, internal access has been moved to port 4443 and the external access to port 8080. As the WebDAV blobstore is a SPOF, internal components using the blobstore will not be able to reach the blobstore until all processes have been reconfigured to use the new internal port. This will cause limited downtime in the sense that anything needing to reach the blobstore will fail until the deployment is complete, including app pushes, app restaging, and app restarting. This will happen automatically for users of CF manifest generation scripts. See Job Spec Changes.
  • Cloud Foundry now defaults to run containers on Diego in unprivileged mode. One known incompatibility is running applications that use FUSE file system support. See Job Spec Changes for instructions on how to continue running containers in privileged mode.
  • The noaa library for connecting to the firehose has a number of reliability improvements. If you use it, it is recommended that you upgrade to the latest version.

Contents:

CC and Service Broker APIs

CC API Version: 2.58.0

Service Broker API Version: 2.9

CAPI Release

  • As an operator, I expect all CF processes to run as least privileged user details
  • As a CF operator, I would like to be able to configure whether or not Diego / Garden creates privileged containers for LRPs and Tasks details
  • Monit hangs when nfs is not available details
  • As a CF user, I would like Diego to validate the SHA checksum of my droplet before running it details

Cloud Controller

  • operator should be able to use a manifest property to seed a shared domain and associate it with a TCP router group on deploy of cf-release details
  • operator should be able to use manifest property to configure reservable route port quota for initial deploys details
  • As an admin, I expect to be able to disable access to /v2/apps/:guid/env and /v3/apps/:guid/env for all users with a feature flag details
  • As an Operator, I would like files in my S3 blobstore to be encrypted at rest using SSE-S3 details
  • app_stop, app_start are potentially not locking properly, especially when iterating over processes details
  • Users can remove themselves from Orgs and Spaces details
  • Authentication failures should not show as api errors in new relic details
  • Docker apps should not be pushable by admin when diego_docker is turned off. details

TPS

  • As a CF user, I expect to see an uptime of 0 and no container metrics for crashed app instances on Diego details

Pull Requests and Issues

DEA-Warden-HM9000 Runtime

DEA

  • Fix order of magnitude in CPU consumption reported by cf app details
  • DEA is guaranteed to heartbeat during evacuation details
  • Update ruby to version 2.3.1

Warden

  • Warden containers' dns_servers can be specified details
  • Update ruby version to 2.3.1

HM9000

  • when an evacuating heartbeat is received send a start message for each app instance details
  • Start messages to Cloud Controller are over HTTPS
  • Evacuator now sends start messages after creation details
  • Sender now sends stop messages over http details
  • All messages from HM9000 to Cloud Controller are over HTTPS

Buildpacks and Stacks

stacks

updated to 1.69.0 (from 1.67.0)

1.69.0

1.68.0

java-buildpack

updated to v3.8.1 (from v3.7.1)

v3.8.1

v3.8

python-buildpack

updated to v1.5.7 (from v1.5.6)

v1.5.7

Identity

No Changes

Routing

  • Update router manifest properties, see below details
  • Manifest generation will now set the property uaa.zones.internal.hostnames to ["uaa.service.cf.internal"] if no stub overrides that value. This is in support of routing components contacting UAA over its internal TLS port. details
  • Fix issue where GoRouter was not sending logs to syslog. details
  • Thanks to Jonty Wareing from the UK Government Digital Service, Gorouter now supports the PROXY protocol details
    • Warning: An issue was found with PROXY protocol support where, when enabled, the Gorouter is unable to accept concurrent connections. PROXY protocol support is disabled by default.

Loggregator

  • The noaa library for connecting to the firehose has a number of reliability improvements. If you use it, it is recommended that you upgrade to the latest version.
  • Expose Metron URL Through Bosh 2.0 Links details
  • Fix the race condition in NOAA details
  • Manage logs endpoint auth token lifecycle (was:cloudfoundry/noaa #14: Reconnection token failed) details
  • Remove AZ property from Traffic Controller details

Internal Components

consul

No changes.

etcd and etcd_metrics_server

  • etcd-release was bumped from v57 to v58. Significant changes:
    • Improved how operators configure etcd_metrics_server to work with a secure TLS etcd cluster. details

postgres

  • All long-running processes in postgres job now run as vcap instead of root. details

nats and nats_stream_forwarder

No changes.

Job Spec Changes

  • Added etcd_metrics_server.etcd.dns_suffix property to etcd_metrics_server job to support configuring the job to talk to the secure etcd server. details.
  • blobstore.tls.port now defaults to 4443 and must be above 1024. When using WebDAV blobstore, the Cloud Controller must now be configured with the ...

v238

01 Jul 17:04

The cf-release v238 was released on June 27, 2016.

IMPORTANT

  • Known issue: The WebDAV blobstore and Cloud Controller API / Clock / Worker jobs are unable to start after a VM restart because creation of the run directory for each process, /var/vcap/data/sys/run/*, was moved to the bosh pre-start script. The jobs are unable to start because /var/vcap/data/sys/run is mounted on a temporary filesystem and the bosh pre-start script is not executed on VM restart, only on deployment. A fix is in the pipeline for CF-240. To work around this issue, operators can do a bosh deploy, which will recognize the failing jobs and properly create the run directory.
  • v238 includes a fix for CVE-2016-4468, UAA SQL Injection. The mitigation is to upgrade to cf-release v238.
  • Cloud Controller and other components of capi-release now use bosh pre-start job-lifecycle scripts for many startup tasks including database migrations. This capability requires bosh-release v206+ (1.3072.0) and requires releases deployed with 3125+ stemcells.

Contents:

CC and Service Broker APIs

CC API Version: 2.57.0

Service Broker API Version: 2.9

CAPI Release

  • Add blobstore timeout configuration details
  • Add configuration to run multiple blobstore nginx workers per core details
  • Update nginx to 1.11.1 details
  • Bridge components only support properties.capi details

Cloud Controller

  • Make minimum candidate stagers configurable details
  • Use hm9000 internal address when making requests details
  • Add missing event types to API documentation details
  • Enforce space quota on route creation details
  • Client author should be able to follow CC API docs to configure total reserved route ports when creating a space quota details
  • Retry blobstore requests before failing details
  • hm9000 client handles socket error when internal hm9000 address does not exist details
  • Emit error when consul is down details
  • Add optional description to security group rule details
  • Domain helper used in check_for_domain_overlap doesn't work when a second domain appears in list in addition to the system domain details
  • /v2/routes and /v2/apps/:guid/routes and /v3/apps/:guid/routes return a deprecated url format for domains. details
  • Emit error when consul is down details
  • Allow Shared Domains to be seeded through the manifest details
  • Sequel sql_log_level is 'debug', not 'debug2' details
  • Move database migrations and seeding into bosh pre-start. Move buildpack installation into bosh post-start. Run cloud controller scripts as vcap user. details
  • Updating service broker with non-unique service plan name fails to provide offending service and plan info. details
  • EXPERIMENTAL: When Cloud Controller starts an app on Diego and has a service binding containing volume_mounts, it should desire an LRP with volume mounts details
  • V3 Experimental
    • As a space developer, I can map a route to a specific process type on a specific port details
    • As a space auditor, I should NOT be able to download packages or droplets details
    • v3 process examples in docs should show stats link details
    • Droplet memory_limit field should be staging_memory_in_mb details
    • Droplet disk_limit field should be staging_disk_in_mb details
    • As a SpaceAuditor, I expect to never see sensitive information details
    • As a SpaceManager, I expect to have only READ access for all V3 endpoints details
    • As a space developer, I can get the list of droplets associated with a package details
    • As an API consumer, I should be able to filter /v3/droplets and /v3/apps/:guid/droplets details
  • Service Broker API
    • Add service_id and plan_id to last_operation calls to service brokers details
    • Support for broker operation identifier for provision details
    • Support for broker operation identifier for deprovision details
    • Support for broker operation identifier for update details
    • EXPERIMENTAL: Translate service broker volume mounts to diego volume mounts details

TPS

  • Support ActualLRPCrashedEvent from BBS in TPS details

Pull Requests and Issues

DEA-Warden-HM9000 Runtime

  • Bumped to ruby 2.3.1
  • Improved HM9000 performance

Known issues

  • Container metrics via CLI are 100x larger than reality.

Buildpacks and Stacks

Support for .profile pre-runtime hooks. Documentation can be found here

stacks

updated to 1.67.0 (from 1.56.0)

1.67.0

1.66.0

1.65.0

1.64.0

1.63.0

1.62.0

1.61.0

1.60.0

1.59.0

1.58.0

1.57.0

java-buildpack

updated to v3.7.1 (from v3.7)

v3.7.1

nodejs-buildpack

updated to v1.5.15 (from v1.5.14)

v1.5.15

php-buildpack

updated to v4.3.14 (from v4.3.12)

v4.3.14

v4.3.13

python-buildpack

updated to v1.5.6 (from v1.5.5)

v1.5.6

ruby-buildpack

updated to v1.6.19 (from v1.6.17)

v1.6.19

[v1.6.18](ht...