This repository has been archived by the owner on Jan 21, 2022. It is now read-only.

Releases: cloudfoundry-attic/cf-release

v237

20 May 17:35

The cf-release v237 was released on May 14, 2016.

IMPORTANT

  • v237 includes a fix for CVE-2016-3084, UAA Password Reset Vulnerability. The mitigation is to upgrade to cf-release v237.
  • Diego bridge components are now in CAPI-Release, submoduled into CF-Release. They are removed from Diego release as of v0.1469.0 and must be sourced from CF-Release. This will happen automatically for users of Diego manifest generation scripts. Users that generate their Diego deployment manifest manually must make this change now. See Job Spec Changes.
  • As part of moving Diego bridge components to CAPI-Release, properties for bridge components in Diego deployment manifests will be sourced from properties.capi in addition to properties.diego. We intend to only support properties.capi for CF-238. Users of Diego manifest generation scripts can wait for this to happen automatically. Users that generate their Diego deployment manifest manually can make this change now. See Job Spec Changes.
  • properties router.servers.z1 and router.servers.z2 have been replaced with a single property router.servers. This property is used by the HAProxy job to identify the routers as backends, and by UAA to whitelist requests from the routers.
  • The domain property that was previously shared by several jobs has been deprecated in favor of system_domain.

Contents:

CC and Service Broker APIs

CC API Version: 2.56.0

Service Broker API Version: 2.8

CAPI Release

  • Nginx workers for blobstore should be based on number of CPU cores details
  • Blobstore should use a configurable list of allow / deny directives for internal server. details
  • Consolidate system_domain and domain in manifest, deprecate domain details
  • EXPERIMENTAL: Operator can control whether volume services are enabled - disabled by default details

Cloud Controller

  • As a SpaceDeveloper, I should not be able to create a route for well known host.system_domains combinations. details
  • As an API client, I expect the errors from creating domains and routes to be clear details
  • Clarify 'docker_image' information in 'Creating an App' CC API docs details
  • As a CC API User, I would like to be able to sort organizations and spaces by name. details
  • Improve /v2/events SQL query performance details
  • V3 Experimental
    • Cancel Task endpoint should only be PUT /v3/tasks/:guid/cancel details
    • GET Task endpoint should only be /v3/tasks/:guid details
    • V3 API Pagination MUST include a total_pages field with an integer value of the total number of pages in the collection. [details](https://www.pivotaltracker.com/story/show/115739
    • Refactor v3-doc query parameters details
    • As an API consumer, I should be able to sort tasks by created_at and updated_at details
    • increase max length of environment variables for tasks on mysql details
    • As an API consumer, I should be able to filter /v3/droplets and /v3/apps/:guid/droplets details
    • As a space developer, I expect to be able to copy a Docker droplet for /v3/droplets details
    • Pushing a docker app via v3 does not correctly bind default ports details
    • As an API consumer, I should be able to filter /v3/route_mappings details
    • PUT /v3/apps/:guid/droplets/current should return droplet instead of app details
    • As an API consumer, I should be able to filter /v3/service_bindings details
    • better error when setting droplet that has two process types with case insensitive identical types details
    • As a space auditor, I would like audit events for droplets details
    • As a space developer, I should be able to set process ports to an empty array details
    • As an api consumer, I expect to be able to filter /v3/processes and /v3/apps/:guid/processes details
    • As a OrgManager, I expect to have only READ access for all V3 endpoints details
    • As an api consumer, I expect to be able to filter /v3/packages and /v3/apps/:guid/packages details
    • Upload bits to package after creating an app without package / droplet copy details
    • Change endpoint for retrieving current droplet to /apps/:guid/droplets/current details
    • Remove /v3/apps/:guid/stats endpoint and documentation details
  • Volume Services Experimental
    • When Cloud Controller runs a task on Diego and has a service binding containing volume_mounts, it should desire a Task with volume mounts details
    • When Cloud Controller starts an app on Diego and has a service binding containing volume_mounts, it should desire an LRP with volume mounts details
    • V2 Service Bindings should be able to include volume_mounts details
    • V3 Service Bindings should be able to include volume_mounts details
    • CC should reject binding if the broker returns volume_mounts and the service does not require volume mounts. details
Pull Requests and Issues

DEA-Warden-HM9000 Runtime

  • DEA: Staging can occur over https
  • DEA: cpuPercentage is now a whole number which is the same as Diego
  • DEA: metron_endpoint.port renamed to metron_agent.dropsonde_incoming_port
  • DEA: Buildpack's release script is guaranteed to only be called once
  • HM9000: Multiple API servers now work again
  • HM9000: Fetcher and Sender are now integrated with Analyzer (2 fewer processes)

Buildpacks and Stacks

stacks

updated to 1.56.0 (from 1.51.0)

1.56.0

Notably, this release addresses [USN-2966-1: OpenSSH vulnerabilities](http:...


v236

28 Apr 22:27

The cf-release v236 was released on April 26, 2016.

IMPORTANT

  • Diego bridge components are now in CAPI-Release, submoduled into CF-Release. They are removed from the upcoming version of Diego, v0.1469.0 and will need to be sourced from CF-Release. Users of Diego manifest generation scripts can wait for this to happen automatically. Users that generate their Diego deployment manifest manually can make this change now. See Job Spec Changes.
  • As part of moving Diego bridge components to CAPI-Release, properties for bridge components in Diego deployment manifests will be sourced from properties.capi in addition to properties.diego. We intend to only support properties.capi for CF-238. Users of Diego manifest generation scripts can wait for this to happen automatically. Users that generate their Diego deployment manifest manually can make this change now. See Job Spec Changes.

Contents:

CC and Service Broker APIs

CC API Version: 2.55.0

Service Broker API Version: 2.8

CAPI Release

  • Move bridge properties out of diego namespace details

Cloud Controller

  • UndoAppChanges never undoes details
  • V3 Experimental
    • As a space auditor, I would like audit events for droplets details
    • As a space developer, I expect the process stats endpoint to provide the full port-mapping for the exposed ports on each process instance details
    • As an API consumer, I should NOT be able to sort droplets or apps by id details
    • As a space developer, I expect link for stats for my process details
    • Remove pagination for /v3/processes/:guid/stats and /v3/apps/:guid/processes/:type/stats details
    • Remove /v3/apps/:guid/stats endpoint and documentation details
    • As a space developer, I expect to be able to copy_droplet for /v3/droplets details
    • As a space auditor, I would like audit events for processes details
    • As a space auditor, I would like audit events for v3 service bindings create and delete details
    • As a space auditor, I would like audit events for droplets details
    • /v3/apps/:app_guid/processes/:process_type/stats should not return a 500 when an instance is missing or down. details
    • As a space developer, I expect to be able to copy_droplet for /v3/droplets details
    • As a space auditor, I would like V2 audit events for V3 package details
Pull Requests and Issues

DEA-Warden-HM9000 Runtime

  • No Changes

Buildpacks and Stacks

java-buildpack

updated to v3.7 (from v3.6)

v3.7

I'm pleased to announce the release of the java-buildpack, version 3.7. This release contains the addition of a number of frameworks and updates to the dependencies.

For a more detailed look at the changes in 3.7, please take a look at the commit log. Packaged versions of the buildpack, suitable for use with create-buildpack and update-buildpack, can be found attached to this release.

Packaged Dependencies

Dependency                              Version
AppDynamics                             4.1.8_5
Dynatrace                               6.3.0_1305
GemFire Modules Tomcat7                 8.2.0
GemFire Modules                         8.2.0
GemFire Security                        8.2.0
GemFire                                 8.2.0
Groovy                                  2.4.6
JRebel                                  6.4.2
Log4j API                               2.1.0
Log4j Core                              2.1.0
Log4j Jcl                               2.1.0
Log4j Jul                               2.1.0
Log4j Slf4j                             2.1.0
MariaDB JDBC                            1.4.2
Memory Calculator (mountainlion)        2.0.2_RELEASE
Memory Calculator (precise)             2.0.2_RELEASE
Memory Calculator (trusty)              2.0.2_RELEASE
New Relic Agent                         3.27.0
OpenJDK JRE (mountainlion)              1.8.0_91
OpenJDK JRE (precise)                   1.8.0_73
OpenJDK JRE (trusty)                    1.8.0_91
Play Framework JPA Plugin               1.10.0_RELEASE
PostgreSQL JDBC                         9.4.1208
RedisStore                              1.2.0_RELEASE
Ruxit                                   1.91.271
SLF4J API                               1.7.7
SLF4J JDK14                             1.7.7
Spring Auto-reconfiguration             1.10.0_RELEASE
Spring Boot CLI                         1.3.3_RELEASE
Spring Boot Container Customizer        1.0.0_RELEASE
Tomcat Access Logging Support           2.5.0_RELEASE
Tomcat Lifecycle Support                2.5.0_RELEASE
Tomcat Logging Support                  2.5.0_RELEASE
Tomcat                                  8.0.33
YourKit Profiler (mountainlion)         2016.02.34
YourKit Profiler (precise)              2016.02.33
YourKit Profiler (trusty)               2016.02.34

nodejs-buildpack

updated to v1.5.12 (from v1.5.11)

v1.5.12

Packaged binaries:

name    version    cf_stacks
node    0.10.43    cflinuxfs2
node    0.10.44    cflinuxfs2
node    0.12.12    cflinuxfs2
node    0.12.13    cflinuxfs2
node    4.4.2      cflinuxfs2
node    4.4.3      cflinuxfs2
node    5.10.0     cflinuxfs2
node    5.10.1     cflinuxfs2
  • SHA256: 41aa8714a6a65573e1f27e6b2614958d3976b4ae53e85a16d7dd903df2fbdab6

Identity

Updated to UAA 3.3.0

Routing

  • Gorouter performance is no longer impacted when enabling streaming of access log to syslog details

Loggregator

  • Security logging of all external API requests

Internal Components

No changes.

Job Spec Changes

  • CC Bridge Jobs moving from Diego to CF

    jobs:
      cc_bridge_zX:
        templates:
        - name: consul_agent
          release: cf
        - name: stager
          release: cf
        - name: nsync
          release: cf
        - name: tps
          release: cf
        - name: cc_uploader
          release: cf
        - name: metron_agent
          release: cf
    
  • CC Bridge Properties moving from properties.diego to properties.capi:

    • diego.cc_uploader -> capi.cc_uploader
    • diego.nsync -> capi.nsync
    • diego.stager -> capi.stager
    • diego.tps -> capi.tps

Recommended BOSH Stemcell Versions

  • AWS: light-bosh-stemcell-3215.4-aws-xen-hvm-ubuntu-trusty-go_agent
  • vSphere: bosh-stemcell-3215.4-vsphere-esxi-ubuntu-trusty-go_agent
  • OpenStack: N/A
  • BOSH-Lite: bosh-stemcell-3147-warden-boshlite-ubuntu-trusty-go_agent

These are soft recommendations...


v235

25 Apr 13:12

The cf-release v235 was released on April 19, 2016.

Contents:

CC and Service Broker APIs

CC API Version: 2.54.0

Service Broker API Version: 2.8

IMPORTANT

  • Added Security Event Logging - CEF formatted logs of all requests to Cloud Controller, off by default. See Job Spec Changes.

CAPI Release

  • Bumped to Go 1.6.1 details
  • As an operator, I can enable security event logging with a manifest property. details

Cloud Controller

  • admins should be able to push docker apps when diego_docker is disabled details
  • As an operator, I can configure the blobstore webdav client with a CA cert bundle details
  • As an operator, I can discover security event logs for the Cloud Controller details
  • As a CF user, I expect to be able to delete an app while it is staging on Diego details
  • V3 Experimental
    • As a space developer, I expect the 'source' for logging for processes to be [APP/PROC/PROCESS_TYPE/INDEX] details
    • As a space developer, I can specify multiple ports on a process type details
    • As an auditor, I expect app usage events for V3 process STARTED to record the buildpack_guid that was used to stage the droplet. details
Pull Requests and Issues

DEA-Warden-HM9000 Runtime

  • DEA heartbeats to HM9000 over HTTPS
  • (optional) CC starts instances over HTTPS
  • Added additional DEA metrics, available_memory_ratio, available_disk_ratio, avg_cpu_load, uptime
  • DEA drains and stops correctly, detects when previous stop fails
  • Bumped to latest ruby-nats 0.6.0
  • Bumped to Go 1.6.1

Buildpacks and Stacks

stacks

updated to 1.51.0 (from 1.49.0)

1.51.0

This release contains the addition of uuid-dev and non-critical updates to the rootfs.

1.50.0

This release contains no changes and is the same as release 1.49.0

go-buildpack

updated to v1.7.5 (from v1.7.3)

v1.7.5

Notably, this release includes fixes for CVE-2016-3958 and CVE-2016-3959 outlined here

Packaged binaries:

name     version    cf_stacks
go       1.4.2      cflinuxfs2
go       1.4.3      cflinuxfs2
go       1.5.3      cflinuxfs2
go       1.5.4      cflinuxfs2
go       1.6        cflinuxfs2
go       1.6.1      cflinuxfs2
godep    v62        cflinuxfs2
  • SHA256: 777f72afa83ba39768be07d42bb4164631d4da62e615078e0bc4dfcb9ec2f8a2

v1.7.4

Packaged binaries:

name     version    cf_stacks
go       1.4.2      cflinuxfs2
go       1.4.3      cflinuxfs2
go       1.5.2      cflinuxfs2
go       1.5.3      cflinuxfs2
go       1.6        cflinuxfs2
godep    v61        cflinuxfs2
  • SHA256: 7f41d66ef260525ebd75bee0800638c9d1e4a609a489fef5609fbd057fb98ffc

nodejs-buildpack

updated to v1.5.11 (from v1.5.10)

v1.5.11

Packaged binaries:

name    version    cf_stacks
node    0.10.43    cflinuxfs2
node    0.10.44    cflinuxfs2
node    0.12.12    cflinuxfs2
node    0.12.13    cflinuxfs2
node    4.4.2      cflinuxfs2
node    5.10.0     cflinuxfs2
node    5.10.1     cflinuxfs2
  • SHA256: 4023010e90b91a641213a1b7680b1d8cf2484dade6b702389ebaf87afa84b323

php-buildpack

updated to v4.3.10 (from v4.3.8)

v4.3.10

Packaged binaries:

name version cf_stacks modules
php 5.5.33 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.5.34 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.6.19 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.6.20 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 7.0.4 cflinuxfs2 bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, imagick, imap, ldap, lua, mailparse, mbstring, mcrypt, mongodb, msgpack, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, pspell, snmp, soap, sockets, xdebug, xsl, yaf, zip, zlib
php 7.0.5 cflinuxfs2 bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, imagick, imap, ldap, lua, mailparse, mbstring, mcrypt, mongodb, msgpack, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, pspell, snmp, soap, sockets, xdebug, xsl, yaf, zip, zlib
composer 1.0.0 cflinuxfs2
httpd 2.4.20 cflinuxfs2
newrelic 4.23.3.111 cflinuxfs2
nginx 1.8.1 cflinuxfs2
nginx 1.9.14 cflinuxfs2
  • SHA256: 654cfa833c8e77d082ff54f48b03264872f2e2de0a377de56b5102eacb3f0f16

v4.3.9

  • Update php 7.0.4 and add 7.0.5 with new recompiled PHP binaries that include
    the xdebug and imagick extensions
    (https:/...

v234

13 Apr 14:59

The cf-release v234 was released on April 06, 2016.

Important:

  • v234 includes a fix to a performance regression in Gorouter introduced in v228. At low request volume, the issue is not observable; only at higher request volumes (such as a load test) is the regression evident. The regression was the result of a change in the library used for logging in Gorouter and support being added for syslog streaming of access logs. A new manifest property router.enable_access_log_streaming may now be used to optionally enable support for streaming of access logs to syslog; this property is false by default. When enabled, the same performance degradation can be observed. We will further investigate the cause of this performance issue.
  • v234 includes a fix for the problem in v233 where there was a potential for delivering only partial sets of log messages for an app, or to the firehose.
  • In v217, the consul_agent job introduced support for securing all network traffic related to Consul. In this release, it is now mandatory to configure the consul_agent processes to run in this secure mode. If you have been previously running in an insecure mode, you will need to orchestrate an upgrade from an insecure cluster to a secure cluster. Refer to the Important section of the v217 release notes for instructions on how to do this.

Contents:

CC and Service Broker APIs

CC API Version: 2.53.0

Service Broker API Version: 2.8

IMPORTANT

  • Operators can configure the WebDAV blobstore client with a custom CA. However, during Cloud Controller startup we wait for the blobstore to become available using curl and the system trusted certificates, including those configured to be added by bosh. We plan on making a fix in CF-235 so that this will not depend on the system trusted certificates.
  • CCDB migration could take significant time for databases containing a large number of app usage events. This is mostly mitigated because app usage events are cleaned up per cc.app_usage_events.cutoff_age_in_days. We were able to complete this migration in under 90s for ~500k app_usage_events on a production deployment replica. Operators can increase canary_watch_time to allow more time for migration.
  • Work to fix deletion of an app while staging on Diego introduced a regression in the ability to delete an app while staging on DEA. Fix is planned for CF-235.
  • Work to move Diego CC-Bridge components to CAPI Release is underway. No changes are necessary at this point as the components will still come from Diego release when using our manifest generation scripts.

CAPI Release

  • Diego CC-Bridge components are in CAPI Release details
  • As an operator, I can configure the blobstore webdav client with a CA cert bundle details
  • Migrating to WebDAV with large blobstore does not require chown -r details
  • Blobstore internal is always TLS, update spec to indicate https details
  • WebDAV blobstore supports long system domain details

Cloud Controller

  • As a CF user, I expect to be able to delete an app while it is staging on Diego details
  • As an operator, I can configure the blobstore webdav client with a CA cert bundle details
  • As a CAPI developer, I would like a way to configure bosh-lite to route requests to CC to my local CC details
  • Bump fog to latest, v1.37.0+ details
  • Experimental: CC can start DEA applications over https details
  • V3 Experimental
    • Move all /v3/apps related docs to the new docs details
    • Move all /v3/droplets related docs to the new docs details
    • Move all /v3/package related docs to the new docs details
    • Move all /v3/processes related docs to the new docs details
    • As an auditor, I expect app usage events for V3 process STARTED to record the buildpack_guid that was used to stage the droplet. details
    • As an auditor, I expect app usage events for staging of packages details
    • All V3 route mappings endpoints should be /v3/route_mappings instead of /v3/apps/:guid/route_mappings details
    • As a space developer, I can specify health check type and health check timeout on v3 processes details
    • Fix for Java JAR applications using V3 API details
    • As a space developer, I can attempt to delete a v3 app with a service binding and get a meaningful error details
    • MEMORY_LIMIT env variable for staging should be consistent between v2 and v3 details
    • V3 tasks should utilize bound syslog drains details
Pull Requests and Issues

DEA-Warden-HM9000 Runtime

  • No changes

Buildpacks and Stacks

stacks

updated to 1.49.0 (from 1.45.0)

1.49.0

Notably, this release addresses USN-2943-1: PCRE vulnerabilities Ubuntu Security Notice USN-2943-1:

  • CVE-2014-9769: pcre_jit_compile.c in PCRE 8.35 does not properly use table jumps to optimize nested alternatives, which allows remote attackers to cause a denial of service (stack memory corruption) or possibly have unspecified other impact via a crafted string, as demonstrated by packets encountered by Suricata during use of a regular expression in an Emerging Threats Open rule set.
  • CVE-2015-2325: heap buffer overflow in compile_branch()
  • CVE-2015-2326: heap buffer overflow in pcre_compile2()
  • CVE-2015-2327: PCRE before 8.36 mishandles the /(((a\2)|(a_)\g<-1>))_/ pattern and related patterns with certain internal recursive back references, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
  • CVE-2015-2328: PCRE before 8.36 mishandles the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified...

v233

21 Mar 22:00

The cf-release v233 was released on March 18, 2016.

Important:

  • v233 includes a fix for CVE-2016-0781 UAA Persistent XSS Vulnerability. The UAA OAuth approval pages are vulnerable to an XSS attack by specifying malicious JavaScript content in either the OAuth scopes (SCIM groups) or SCIM group descriptions.
  • v233 also includes a fix for CVE-2016-2165 - Loggregator Request URL Paths. 404 responses from Loggregator endpoints include the URL sent, and are vulnerable to an XSS attack.
  • v233 includes a fix for CVE-2016-0780 Cloud Controller Disk Quota Enforcement. It was discovered that Cloud Foundry does not properly enforce disk quotas in certain cases. An attacker could use an improper disk quota value to bypass enforcement and consume all the disk on DEAs/Diego Cells causing a potential denial of service for other applications.
  • v233 has a potential for only delivering partial sets of log messages for an app, or to the firehose. This can happen if multiple Dopplers have restarted since the Traffic Controllers were deployed. If you suspect you are missing logs, the workaround is to restart the Traffic Controllers.
  • v233 contains a performance regression in Gorouter introduced in v228. At low request volume, the issue is not observable; only at higher request volumes (such as a load test) is the regression evident. The regression was fixed in v234.
  • v233 includes a change in cflinuxfs2 that removes support for libmysqlclient in favor of libmariadb. This will require a clearing of buildpack cache and a restaging of apps for the changes to take place.

Contents:

CC and Service Broker APIs

CC API Version: 2.52.0

Service Broker API Version: 2.8

Cloud Controller

  • Fix for CVE-2016-0780 Cloud Controller Disk Quota Enforcement
  • Update ruby-nats client details
  • SpaceManagers, SpaceAuditors, OrgManagers should be able to view process stats details
  • Cloud Controller shouldn't fail app scale operations when backend is not available, rely on eventual consistency details
Pull Requests and Issues

DEA-Warden-HM9000 Runtime

  • No changes

Buildpacks and Stacks

stacks

updated to 1.45.0 (from 1.43.0)

1.45.0

This release includes two changes:

  1. cflinuxfs2 has dropped support for libmysqlclient in favor of libmariadb
  2. This release addresses USN-2935-1: PAM vulnerabilities Ubuntu Security Notice USN-2935-1 and USN-2935-2: PAM regression Ubuntu Security Notice USN-2935-2:
    • CVE-2013-7041: The pam_userdb module for Pam uses a case-insensitive method to compare hashed passwords, which makes it easier for attackers to guess the password via a brute force attack.
    • CVE-2014-2583: Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create arbitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty function, which is used by the format_timestamp_name function.
    • CVE-2015-3238: The _unix_run_helper_binary function in the pam_unix module in Linux-PAM (aka pam) before 1.2.1, when unable to directly access passwords, allows local users to enumerate usernames or cause a denial of service (hang) via a large password.

1.44.0

Notably, this release addresses USN-2927-1: graphite2 vulnerabilities Ubuntu Security Notice USN-2927-1:

  • CVE-2016-1977: Graphite2 Machine::Code::decoder::analysis::set_ref stack out of bounds bit set
  • CVE-2016-2790: Use of uninitialised memory in [@graphite2::TtfUtil::GetTableInfo]
  • CVE-2016-2791: graphite2: heap-buffer-overflow read in [@graphite2::GlyphCache::glyph]
  • CVE-2016-2792: graphite2: heap-buffer-overflow read in [@graphite2::Slot::getAttr] Slot.cpp:232
  • CVE-2016-2793: graphite2: heap-buffer-overflow read in CachedCmap.cpp
  • CVE-2016-2794: heap-buffer-overflow read in [@graphite2::TtfUtil::CmapSubtable12NextCodepoint]
  • CVE-2016-2795: Use of uninitialised memory in [@graphite2::FileFace::get_table_fn]
  • CVE-2016-2796: graphite2: heap-buffer-overflow write in [@graphite2::vm::Machine::Code::Code]
  • CVE-2016-2797: graphite2: heap-buffer-overflow read in [@graphite2::TtfUtil::CmapSubtable12Lookup]
  • CVE-2016-2798: graphite2: heap-buffer-overflow read in [@graphite2::GlyphCache::Loader::Loader]
  • CVE-2016-2799: graphite2: heap-buffer-overflow write in [@graphite2::Slot::setAttr]
  • CVE-2016-2800: graphite2: heap-buffer-overflow read in [@graphite2::Slot::getAttr] Slot.cpp:234
  • CVE-2016-2801: graphite2: heap-buffer-overflow read in [@graphite2::TtfUtil::CmapSubtable12Lookup] TtfUtil.cpp:1126
  • CVE-2016-2802: graphite2: heap-buffer-overflow read in [@graphite2::TtfUtil::CmapSubtable4NextCodepoint]

nodejs-buildpack

updated to v1.5.8 (from v1.5.7)

v1.5.8

Packaged binaries:

name    version    cf_stacks
node    0.10.42    cflinuxfs2
node    0.10.43    cflinuxfs2
node    0.12.11    cflinuxfs2
node    0.12.12    cflinuxfs2
node    4.4.0      cflinuxfs2
node    5.8.0      cflinuxfs2
  • SHA256: c416cff626aab10894543568e0a4ea68d1b721ebda0f9c3b719ae1c09cadb4e1

php-buildpack

updated to v4.3.7 (from v4.3.6)

v4.3.7

Packaged binaries:

name version cf_stacks modules
php 5.5.32 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.5.33 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.6.18 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, p...

v232

21 Mar 21:30
v232 Pre-release

The cf-release v232 was released on March 16, 2016.

Important:

  • This release is a pre-release, and should not be used. Metron was refactored in preparation for full multi-protocol support of UDP, TCP and TLS. This introduced a defect where Metron opens a new connection to each Doppler for every Doppler heartbeat sent to etcd (every 10 seconds). For small deployments (2 Dopplers), the kernel cleans up the extra connections fast enough to prevent overload, but in larger configurations, the connection list grows beyond the process ulimit and Metron crashes.
  • This release includes a fix for CVE-2016-0781 UAA Persistent XSS Vulnerability. The UAA OAuth approval pages are vulnerable to an XSS attack by specifying malicious JavaScript content in either the OAuth scopes (SCIM groups) or SCIM group descriptions. Please use cf-release v233 for remediation.
  • This release includes a fix for CVE-2016-2165 - Loggregator Request URL Paths. 404 responses from Loggregator endpoints include the URL sent, and are vulnerable to an XSS attack.
  • This release extracts the Java buildpacks from being package dependencies of the Cloud Controller to being "package-only" jobs from a separate release, colocated with the Cloud Controllers. The release is submoduled into cf-release with appropriate symlinks so that it also appears as a job in cf-release, and requires minimal changes to your manifest. This was already done for all the other buildpacks in v231. details
  • The UAA job leverages a "post-deploy hook" feature of BOSH as of this release, which is not supported in older versions of the BOSH Director. Please ensure you are using a sufficiently recent version of the BOSH Director.
  • The UAA job is also leveraging new health-check functionality in the Route Registrar. details.
  • The cf client listed under the uaa.clients property should not have implicit as one of its authorized-grant-types and autoapprove should no longer be set to true. details
  • The tcp_emitter and tcp_router clients listed under the uaa.clients property should have the routing.router_groups.read authority added to their list of authorities. details
  • v233 includes a fix for CVE-2016-0780 Cloud Controller Disk Quota Enforcement. It was discovered that Cloud Foundry does not properly enforce disk quotas in certain cases. An attacker could use an improper disk quota value to bypass enforcement and consume all the disk on DEAs/Diego Cells causing a potential denial of service for other applications.
  • v232 contains a performance regression in Gorouter introduced in v228. At low request volume, the issue is not observable; only at higher request volumes (such as a load test) is the regression evident. The regression was fixed in v234.

Contents:

CC and Service Broker APIs

CC API Version: 2.52.0

Service Broker API Version: 2.8

IMPORTANT

  • Manifest changes required for all deployments, whether using nfs or other blobstore.
    • See document describing all required manifest changes. details
    • Simplify webdav configuration by requiring secure_link.secret only on the blobstore
    • WebDAV can be configured to use TLS: blobstore.tls.cert, blobstore.tls.port, blobstore.tls.private_key
  • Operator can configure tasks over X age to be pruned: cc.completed_tasks.cutoff_age_in_days defaults to 31 days

Cloud Controller

  • Fix for CVE-2016-0780 Cloud Controller Disk Quota Enforcement
  • [Experimental] Work continues on /v3 and Application Process Types details
  • make webdav the default blobstore details
  • Created cloud controller wiki details
  • Allow SpaceDevelopers to purge space scoped instances details
  • Allow SpaceDevelopers to purge space scoped service offerings details
  • Delete route bindings when purging service instances details
  • Stopping/Deleting an application shouldn't fail if we get an error from Diego details
  • creating an app with multiple ports when diego is default returns an error details
  • Added feature flag space_developer_env_var_visibility to control whether a space developer can access /v2/apps/:guid/env and /v3/apps/:guid/env details
  • client author should be able to follow CC API docs to discover the app ports routes are mapped to details
  • client author should be able to follow CC API docs to update the app port for a route_mapping as a SpaceDeveloper details
  • cc api client author should be able to follow docs to delete a route mapping details
  • DEA heartbeats to HM9K over http details
  • Use dea.advertise only, kill staging.advertise details
  • CC client author should receive an error when moving an app from diego to DEA, and multiple app ports are mapped to routes details
  • As a space developer, I can map a route to a specific process type details
  • Require that shared domain have hosts details
  • Simplify webdav configuration by requiring secure_link.secret only on the blobstore details
  • As an operator, I expect tasks completed X days ago to be pruned. cc.completed_tasks.cutoff_age_in_days defaults to 31 days details
  • Bump railties to 4.2.5.2 - Addresses CVE-2016-2097 and CVE-2016-2098 details
    • Not exposed in the manifest yet. Requires this story
  • Enable https for internal webdav server details
    • blobstore.tls.cert, blobstore.tls.port, blobstore.tls.private_key
Pull Requests and Issues

v231

01 Mar 20:40

The cf-release v231 was released on February 23, 2016.

Important:

  • There are new property names for doppler and metron manifests that must be updated or Loggregator deployments will fail.
  • Buildpacks (except for Java) have been extracted as their own releases, but submoduled back into cf-release with symlinks for the jobs and packages to eliminate impact on the current workflow of deploying the platform from a monolithic cf-release. You do not need to manually build and upload an additional set of releases (unless you want to). These buildpacks are no longer package dependencies of Cloud Controller, rather they are (no-op) jobs that are colocated with the Cloud Controller. To have an uninterrupted experience, you will need to colocate the new buildpack templates with the cloud_controller_ng template and update the package references in the cc.buildpacks property; see this mailing list thread for some further discussion. If you are using the "spiff" manifest generation tooling, and are not overriding the api_templates then you will get this change for free.
  • If using the DEA backend, the dea_next and hm9000 jobs should be colocated with a consul_agent job as they now rely on Consul for internal service discovery, including downloading blob assets from the CC via internal DNS. For this case, cloud_controller_ng jobs must also be colocated with the consul_agent job, and register the appropriate service. It is strongly advised that any job colocated with consul_agent should have consul_agent first in the templates list. (Note, the "spiff"-based manifest generation tooling provided in this repo is missing this configuration in the case of OpenStack).
  • This release introduces a new blobstore job using the webdav protocol instead of nfs. Several manifest changes are required if you are currently using the nfs job. See job spec changes below.
  • v231 contains a performance regression in Gorouter introduced in v228. At low request volume, the issue is not observable; only at higher request volumes (such as a load test) is the regression evident. The regression was fixed in v234.

Contents:

CC and Service Broker APIs

CC API Version: 2.51.0

Service Broker API Version: 2.8

IMPORTANT: Manifest changes required for all deployments, whether using nfs or other blobstore.

  • Doc describing required manifest changes. details

Cloud Controller

  • [Experimental] Work continues on /v3 and Application Process Types details
  • [Experimental] Work continues on Tasks details
  • Add docs for using the USR1 trap for diagnostics details
  • Update rails to 4.2.5.1 details
  • Added support for webdav protocol details
    • This addition is considered experimental currently. Additional work to simplify the deployment and secure one part of the connection is in progress.
  • Remove incorrectly documented query param - organization_guid on /v2/apps/:guid/routes details
  • Fixed cloudfoundry/cloud_controller_ng #524: "/v2/apps/:guid/summary" will return duplicated "name" keys in JSON response details
  • cloudfoundry/cloud_controller_ng #522: Set TMPDIR for local worker details
  • Generate seed values for default environment variable groups details
  • Check for basic auth against clients that properly follow URI encoding - continue to support dea backend, which does not properly follow the conventions details
  • Remove organization_guid from listing all app routes docs details
  • Fixed cloudfoundry/cloud_controller_ng #528: Apps in space summary do not contain route paths details
  • Can toggle private service broker creation with a feature flag details
    • cf enable-feature-flag space_scoped_private_broker_creation
    • cf disable-feature-flag space_scoped_private_broker_creation
  • Fixed cloudfoundry/cloud_controller_ng #508: List Service Instance for a Service Plan documents invalid query parameter details
  • Fixed cloudfoundry/cloud_controller_ng #509: List Service Instance for a Service Plan documents invalid query parameter (2) details
  • Fixed cloudfoundry/cloud_controller_ng #499: Get Space Summary does not document last_operation parameter type details
  • Fixed cloudfoundry/cloud_controller_ng #511: Get the instance information for a STARTED App does not document field details
    • Documents DEA/Diego responses
  • Fixed cloudfoundry/cloud_controller_ng #536: Delete Service does not document response payload details
  • [cf-dev] Update apidocs for space quota and org quota to indicate unlimited values for total_routes and total_services details

Runtime

No changes.

Buildpacks and Stacks

stacks

updated to 1.36.0 (from 1.31.0)

1.36.0

Notably, this release addresses USN-2902-1 "graphite2 vulnerabilities":

  • CVE-2016-1521: An exploitable out-of-bounds read vulnerability exists in the opcode handling functionality of Libgraphite. A specially crafted font can cause an out-of-bounds read resulting in arbitrary code execution. An attacker can provide a malicious font to trigger this vulnerability.
  • CVE-2016-1522: An exploitable out-of-bounds access vulnerability exists in the bidirectional font handling functionality of Libgraphite. A specially crafted font can cause an out-of-bounds access resulting in arbitrary code execution. An attacker can provide a malicious font to trigger this vulnerability.
  • CVE-2016-1523: An exploitable heap-based buffer overflow exists in the context item handling functionality of Libgraphite. A specially crafted font can cause a buffer overflow resulting in potential code execution. An attacker can provide a malicious font to trigger this vulnerability.
  • CVE-2016-1526: No description provided

1.35.0

Notably, this release addresses USN-2900-1 "GNU C Library vulnerability":

  • CVE-2015-7547: GNU C Library could be made to crash or run programs if it received specially crafted network traffic.

1.34.0

Notably, this release addresses USN-2897-1 "Nettle vulnerabilities" and USN-2896-1 "Libgcrypt vulnerability":

1.33.0

This release contains only non-critical updates to the rootfs. See the receipt changes at this commit for more information.

1.32.0

Notably, this release addresses [U...


v230

02 Feb 20:32

The cf-release v230 was released on January 27, 2016.

IMPORTANT

  • v230 includes a fix for CVE-2016-0732, privilege escalation with UAA.
    A privilege escalation vulnerability has been identified with the identity zones feature of UAA. Users with the appropriate permissions in one zone can perform unauthorized operations on a different zone. Only instances of UAA configured with multiple identity zones are vulnerable. The mitigation is to upgrade to cf-release v230
  • v230 contains a performance regression in Gorouter introduced in v228. At low request volume, the issue is not observable; only at higher request volumes (such as a load test) is the regression evident. The regression was fixed in v234.

Contents:

CC and Service Broker APIs

CC API Version: 2.48.0

Service Broker API Version: 2.8

Cloud Controller

  • [Experimental] Work continues on /v3 and Application Process Types details
  • [Experimental] Work continues on Tasks details
  • Add disclaimers to api docs about redundant query filters included in the path details
  • Fixed an issue introduced in cf-release 229 that caused existing apps to be completely restarted when scaling to additional instances or other updates to the app model. details
  • Replace libmysqlclient with mariadb equivalent details

Runtime

No changes.

Buildpacks and Stacks

stacks

updated to 1.31.0 (from 1.29.0)

1.31.0

Notably, this release addresses USN-2879-1 "rsync vulnerability":

  • CVE-2014-9512: rsync 3.1.1 allows remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization path

1.30.0

Notably, this release addresses USN-2874-1 "Bind vulnerability" and USN-2875-1 "libxml2 vulnerabilities":

  • CVE-2015-8704: Denial of service via APL data that could trigger an INSIST
  • CVE-2015-7499: Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors.
  • CVE-2015-8710: out of bounds memory access via unclosed html comment

go-buildpack

updated to v1.7.2 (from v1.7.1)

v1.7.2

Notably, this release includes go 1.5.3 which patches CVE-2015-8618.

Packaged binaries:

name   version  cf_stacks
go     1.4.1    cflinuxfs2
go     1.4.2    cflinuxfs2
go     1.4.3    cflinuxfs2
go     1.5.2    cflinuxfs2
go     1.5.3    cflinuxfs2
godep  v45      cflinuxfs2
  • SHA256: c7de9ddacde4159862de9881590c813c77d6e421af167ac4ed3b991fa8281717

nodejs-buildpack

updated to v1.5.5 (from v1.5.4)

v1.5.5

Packaged binaries:

name  version  cf_stacks
node  0.10.40  cflinuxfs2
node  0.10.41  cflinuxfs2
node  0.12.7   cflinuxfs2
node  0.12.9   cflinuxfs2
node  4.2.5    cflinuxfs2
node  5.5.0    cflinuxfs2
  • SHA256: 9aa7fc28bb2146310295db2e52398041445ef6953c1958bb553919b187e823c8

php-buildpack

updated to v4.3.3 (from v4.3.2)

v4.3.3

Packaged binaries:

name version cf_stacks modules
php 5.5.30 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.5.31 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.6.16 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.6.17 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
hhvm 3.5.0 cflinuxfs2
hhvm 3.5.1 cflinuxfs2
hhvm 3.6.0 cflinuxfs2
hhvm 3.6.1 cflinuxfs2
composer 1.0.0-alpha10 cflinuxfs2
httpd 2.4.18 cflinuxfs2
newrelic 4.23.3.111 cflinuxfs2
nginx 1.8.0 cflinuxfs2
nginx 1.9.9 cflinuxfs2
  • SHA256: 0a3fae06cd31ee4ff6fea964ba414a710225812785cc872b0a262bbd6ecde9ab

Identity

Updated to UAA Release 3.0.1

Routing

  • Gorouter now uses cf-lager logging framework to stream logs to syslog details, more details
  • Gorouter has been updated to golang 1.5.3 details
  • Gorouter now supports a configurable wait time for the drain operation. When a shutdown is initiated, the healthcheck endpoint will report the server is not listening, however the server will accept new requests for the configured wait time.
    Thanks to CAFxX from Rakuten for the PR details
  • Gorouter now better handles unauthorized errors from Routing API details
  • Gorouter now logs when it fetches a token from UAA for use with Routing API details
  • CC API now supports parameters with request to bind route to service instance details

Loggregator

  • No change

Internal Components

consul

  • When running as server, wait to write PID until after data sync. details

etcd

No functional changes.

etcd-metrics-server

No changes.



v229

26 Jan 17:07

The cf-release v229 was released on January 22, 2016.

IMPORTANT

  • v229 includes a fix for CVE-2016-0713, an XSS vulnerability in Gorouter. In previous releases, if a malicious intermediary modified requests from client to router to contain malicious code, this code could be executed on the operating system of the client from where the request originated. To our knowledge, this vulnerability does not pose a risk for penetration or takeover of Cloud Foundry system components or applications hosted by Cloud Foundry. This vulnerability was introduced in v141. The Cloud Foundry project recommends that Cloud Foundry Deployments using Gorouter are upgraded to cf-release v229.
  • In support of work in progress to enable developers to specify application ports when mapping routes, cf-release v229 introduces a database migration for CCDB. For deployments that use a PostgreSQL database for CCDB that is NOT the PostgreSQL job that comes with cf-release, v229 introduces the following requirements. These requirements are applicable for subsequent releases. If you are using the PostgreSQL job that comes with cf-release, or if you are using MySQL as the backing db for CC, no action is necessary.
    • PostgreSQL 9.1 is required at a minimum
    • For versions 9.1-9.3, operators must first install the extension uuid-ossp
    • For versions 9.4 and newer, operators must first install the extension pgcrypto
  • v229 contains a performance regression in Gorouter introduced in v228. At low request volume, the issue is not observable; only at higher request volumes (such as a load test) is the regression evident. The regression was fixed in v234.

Contents:

CC and Service Broker APIs

CC API Version: 2.47.0

Service Broker API Version: 2.8

Cloud Controller

  • [Experimental] Work continues on /v3 and Application Process Types details
  • [Experimental] Work completed on Space Scoped Private Brokers details
    • Remove experimental flag on space guid for private brokers details
  • [Experimental] Work continues on Tasks details
  • Cleanup spec/templates for unused properties details
  • Allow use of the "IN" filter for organization_guid on routes details
  • Do not incorrectly claim domains are queryable by space_guid details
  • Disassociating users/roles from orgs by username returns 204 1,2,3,4
  • Document interpretation of route existence endpoint return code details

Runtime

DEA

Warden

  • Ruby 2.2.4

HM9000

  • Go 1.5

Buildpacks and Stacks

stacks

updated to 1.29.0 (from 1.28.0)

1.29.0

Notably, this release addresses USN-2869-1 "OpenSSH vulnerabilities":

java-buildpack

updated to v3.5.1 (from v3.4)

v3.5.1

I'm pleased to announce the release of the java-buildpack, version 3.5.1. This release contains minor improvements and updates to dependencies. It also addresses the critical vulnerability found in CVE-2016-0708.

For a more detailed look at the changes in 3.5.1, please take a look at the commit log. Packaged versions of the buildpack, suitable for use with create-buildpack and update-buildpack, can be found attached to this release.

Packaged Dependencies

Dependency Version
AppDynamics Agent 4.1.8_5
GemFire 8.2.0
GemFire Modules 8.2.0
GemFire Modules Tomcat7 8.2.0
GemFire Security 8.2.0
Groovy 2.4.5
JRebel 6.3.1
MariaDB JDBC 1.3.3
Memory Calculator (mountainlion) 2.0.1.RELEASE
Memory Calculator (precise) 2.0.1.RELEASE
Memory Calculator (trusty) 2.0.1.RELEASE
New Relic Agent 3.24.1
OpenJDK JRE (mountainlion) 1.8.0_65
OpenJDK JRE (precise) 1.8.0_65
OpenJDK JRE (trusty) 1.8.0_65
Play Framework JPA Plugin 1.10.0.RELEASE
PostgreSQL JDBC 9.4.1207
RedisStore 1.2.0_RELEASE
SLF4J API 1.5.8
SLF4J JDK14 1.5.8
Spring Auto-reconfiguration 1.10.0_RELEASE
Spring Boot CLI 1.3.1_RELEASE
Tomcat Access Logging Support 2.4.0_RELEASE
Tomcat Lifecycle Support 2.4.0_RELEASE
Tomcat Logging Support 2.4.0_RELEASE
Tomcat 8.0.30
YourKit Profiler 2015.15084.0

Identity

Updated to UAA release 3.0.0

Routing

Route Services (in progress)

  • CC now validates route service urls for user-provided service instances details

TCP Routing (in progress)

  • CC client can now specify an app port when mapping a TCP route to an app details
  • CC client can now specify an app port when mapping an HTTP route to an app details
  • Routing API will call UAA for new verification key when token can't be validated details

Loggregator

No change

Internal Components

consul

  • Ensure startup script terminates before monit runs another startup, so that only one is ever running at a time. details, details
  • Bump to Golang 1.5.3 to address CVE-2015-8618. details

etcd

  • Check DNS before etcd starts up in SSL mode. details

etcd-metrics-server

No changes.

route_registrar

No changes.

Job Spec Changes

  • Zeroed the default values of the name, build, version, support_address, and description properties in the cloud_controller_ng, cloud_controller_worker, and cloud_controller_clock jobs. details
  • Removed cc.info.name, cc.info.build, cc.info.version, and cc.info.description properties from cloud_controller_ng, cloud_controller_worker, and cloud_controller_clock jobs. details
  • Removed cc.info.custom properties from cloud_controller_worker, and cloud_controller_clock jobs. details
  • Removed cc.development_mode property from cloud_controller_clock job. details
  • Removed consul.agent.sync_timeout_in_seconds property from consul_agent job. details
  • Added dea_next.instance_nproc_limit property to dea_next job. details
  • Added etcd.dns_health_check_host property to etcd job. details
  • Removed uaa.jwt.policy.global.accessTokenValiditySeconds and uaa.jwt.policy.global.refreshTokenValiditySeconds properties from uaa job. details
  • Added uaa.authentication.policy.global.lockoutAfterFailures, uaa.authentication.policy.global.countFailuresWithinSeconds, `uaa.authentication.policy.g...

v228

20 Jan 20:18

The cf-release v228 was released on January 15, 2016.

IMPORTANT

Due to CVE-2016-0708 [1] and CVE-2016-0715 [2], if you are running applications with automated buildpack detection that staged when java buildpack v2.0 through v3.4 was a system buildpack, it is strongly recommended to configure running DEAs and Diego Cells to protect applications from remote disclosure of information until they are restaged with Java Buildpack v3.5.1 [3] registered as a system buildpack. Once you are sure that all applications have been staged with Java Buildpack v3.5.1 or higher as a system buildpack, you may remove this particular configuration and deploy again.

If you are using DEAs, configure the deployment manifest segment for DEAs as shown:

properties:
  dea_next:
    post_setup_hook: "rm -f app/.java-buildpack.log app/**/.java-buildpack.log >/dev/null 2>&1"

If you are using the manifest generation scripts in the cf-release repository, and you do not wish to directly merge configuration into your manifest, first make sure you have the correct version of the repository checked out (e.g. if using v228 of cf-release, check out the v228 tag); then include the same configuration above in your stub.

If you are using Diego with diego-release v0.1446.0, add the following properties to your BOSH deployment manifest for Diego:

properties:
  diego:
    executor:
      post_setup_hook: sh -c "rm -f /home/vcap/app/.java-buildpack.log /home/vcap/app/**/.java-buildpack.log"
      post_setup_user: "root"

If you are using the manifest generation scripts in the diego-release repository [4], then rather than directly including the above configuration in your manifest, add the following properties to your property-overrides stub:

property_overrides:
  executor:
    post_setup_hook: sh -c "rm -f /home/vcap/app/.java-buildpack.log /home/vcap/app/**/.java-buildpack.log"
    post_setup_user: "root"

[1] https://pivotal.io/security/cve-2016-0708
[2] https://pivotal.io/security/cve-2016-0715
[3] https://github.com/cloudfoundry/java-buildpack/releases/tag/v3.5.1
[4] https://github.com/cloudfoundry-incubator/diego-release/blob/v0.1446.0/scripts/generate-deployment-manifest
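The advisory above asks operators to keep the post_setup_hook in place until every application has been restaged with Java Buildpack v3.5.1 or higher. The following is an added example (not cf-release or java-buildpack code) of the inventory check that decision needs: given a constructed list of application records with the buildpack and version each was staged with, it reports which apps still need a restage. The record fields (name, buildpack, version) are assumptions for the example; in a real deployment they would be taken from the Cloud Controller API, and an app whose Java buildpack version cannot be determined is treated as still affected.

```python
"""Restage inventory check for the CVE-2016-0708 / CVE-2016-0715 advisory.

Added example, not code from cf-release. Java buildpack versions below
v3.5.1 (the advisory names v2.0 through v3.4) are treated as affected;
an unknown Java buildpack version is treated as affected (fail closed).
"""
import re
from typing import List, Optional, Tuple

# First Java buildpack version the advisory considers fixed.
FIXED_MIN: Tuple[int, ...] = (3, 5, 1)

# Matches 'v3.4', '3.5.1', or the version part of 'java_buildpack v3.5.1'.
VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)")


def parse_version(text: Optional[str]) -> Optional[Tuple[int, ...]]:
    """Return a comparable tuple such as (3, 5, 1), or None if no version is present."""
    match = VERSION_RE.search(text or "")
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_java_buildpack(buildpack: str) -> bool:
    """Match system buildpack names and git URLs that name the Java buildpack."""
    return "java" in (buildpack or "").lower()


def needs_restage(buildpack: str, detected_version: Optional[str]) -> bool:
    """True if an app staged with this buildpack is still affected by the advisory."""
    if not is_java_buildpack(buildpack):
        return False
    # Prefer the recorded version; fall back to a version embedded in the
    # buildpack reference (e.g. a git URL with a '#v3.3.1' tag).
    version = parse_version(detected_version) or parse_version(buildpack)
    if version is None:
        return True  # unknown Java buildpack version: fail closed
    return version < FIXED_MIN


def apps_needing_restage(records: List[dict]) -> List[str]:
    """Names of apps that must be restaged before the post_setup_hook is removed."""
    return [r["name"] for r in records
            if needs_restage(r["buildpack"], r.get("version"))]


# Constructed sample inventory (hypothetical app names and buildpack references).
SAMPLE_APPS = [
    {"name": "billing", "buildpack": "java_buildpack", "version": "v3.4"},
    {"name": "web", "buildpack": "java_buildpack", "version": "v3.5.1"},
    {"name": "worker", "buildpack": "java_buildpack", "version": None},
    {"name": "site", "buildpack": "nodejs_buildpack", "version": "v1.5.5"},
    {"name": "legacy",
     "buildpack": "https://example.invalid/java-buildpack.git#v3.3.1",
     "version": None},
]

if __name__ == "__main__":
    for name in apps_needing_restage(SAMPLE_APPS):
        print(f"restage required: {name}")
```

Only once this list is empty for every space should the post_setup_hook configuration be dropped from the DEA or Diego manifest and the deployment re-run.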

A performance regression in Gorouter was introduced in v228. At low request volume, the issue is not observable; only at higher request volumes (such as a load test) is the regression evident. The regression was fixed in v234.

Contents:

CC and Service Broker APIs

CC API Version: 2.47.0

  • NOTE: Support for v1 service brokers removed in this cf-release.

Service Broker API Version: 2.8

Cloud Controller

  • [Experimental] Work continues on /v3 and Application Process Types details
  • [Experimental] Work continues on Private Brokers details
  • [Experimental] Work started on Tasks details
    • New feature flag task_creation added, defaults to false
  • Allow using BOSH default cert store for all HTTP outgoing communication in CC details
  • Increase size of rules field in security_groups to 16 mb details
  • Remove support for v1 service brokers details
    • Removed POST /v2/service_plans endpoint
    • Users can only update the public field on update for PUT /v2/service_plans
    • Remove POST/PUT /v2/services

Runtime

DEA

Warden

No changes.

HM9000

No changes.

Buildpacks and Stacks

stacks

updated to 1.28.0 (from 1.24.0)

1.28.0

Notably, this release addresses USN-2868-1 "DHCP vulnerability":

  • CVE-2015-8605: A badly formed packet with an invalid IPv4 UDP length field can cause a DHCP server, client, or relay program to terminate abnormally.

1.27.0

Notably, this release addresses USN-2865-1 "GnuTLS vulnerability":

  • CVE-2015-7575: MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature

1.26.0

Release due to erroneous deploy. Contains no changes. Same as Release 1.25.0

1.25.0

Notably, this release addresses USN-2861-1 "libpng vulnerabilities":

java-buildpack

updated to v3.4 (from v3.3.1)

v3.4

I'm pleased to announce the release of the java-buildpack, version 3.4. This release focuses on developer diagnostic tools.

For a more detailed look at the changes in 3.4, please take a look at the commit log. Packaged versions of the buildpack, suitable for use with create-buildpack and update-buildpack, can be found attached to this release.

Packaged Dependencies

Dependency Version
AppDynamics Agent 4.1.7_1
GemFire 8.2.0
GemFire Modules 8.2.0
GemFire Modules Tomcat7 8.2.0
GemFire Security 8.2.0
Groovy 2.4.5
JRebel 6.3.0
MariaDB JDBC 1.3.2
Memory Calculator (mountainlion) 2.0.1.RELEASE
Memory Calculator (precise) 2.0.1.RELEASE
Memory Calculator (trusty) 2.0.1.RELEASE
New Relic Agent 3.22.0
OpenJDK JRE (mountainlion) 1.8.0_65
OpenJDK JRE (precise) 1.8.0_65
OpenJDK JRE (trusty) 1.8.0_65
Play Framework JPA Plugin 1.10.0.RELEASE
PostgreSQL JDBC 9.4.1206
RedisStore 1.2.0_RELEASE
SLF4J API 1.5.8
SLF4J JDK14 1.5.8
Spring Auto-reconfiguration 1.10.0_RELEASE
Spring Boot CLI 1.3.0_RELEASE
Tomcat Access Logging Support 2.4.0_RELEASE
Tomcat Lifecycle Support 2.4.0_RELEASE
Tomcat Logging Support 2.4.0_RELEASE
Tomcat 8.0.29
YourKit Profiler 2015.15080

php-buildpack

updated to v4.3.2 (from v4.3.1)

v4.3.2

Packaged binaries:

name version cf_stacks modules
php 5.5.29 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.5.30 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.6.15 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets,...