v250

cf-release-notes-bot released this Dec 22, 2016

The cf-release v250 was released on December 22, 2016.

IMPORTANT

  • The CAPI Release included in CF-250 has several new manifest properties that aren’t meant to be required yet. We’ve discovered an issue with BOSH directors before v257 where these properties must still be set. One of the following workarounds should be applied:
    • Upgrade your BOSH deployment to v257 or later
    • Set the following properties to "" in your CF deployment manifest: cc.mutual_tls.ca_cert, cc.mutual_tls.public_cert, and cc.mutual_tls.private_key
  • The Loggregator BOSH properties loggregator.tls.metron.cert and loggregator.tls.metron.key do not need to be set for this release. They were added to document that a future version of cf-release will require them.

The Loggregator release

Contents:

CC and Service Broker APIs

Contains CAPI release v1.14.0. Release notes for v1.12.0, v1.13.0, and v1.14.0

Identity

No Changes

Routing

No changes

Loggregator

No changes

Buildpacks and Stacks

stacks

updated to 1.95.0 (from 1.92.0)

1.95.0

1.94.0

Ubuntu Security Notice USN-3156-1:

  • CVE-2016-1252: A man-in-the-middle attacker could circumvent the InRelease signature of a repository, leading to a malicious package being installed and, therefore, remote arbitrary code execution.

1.93.0

dotnet-core-buildpack

updated to v1.0.6 (from v1.0.5)

v1.0.6

Highlights:

  • Add dotnet 1.0.0-preview2-1-003177, remove .NET SDK 1.0.0-preview2-1-003155

Default binary versions: node 6.9.1, bower 1.8.0, dotnet 1.0.0-preview2-003131

go-buildpack

updated to v1.7.16 (from v1.7.15)

v1.7.16

Highlights:

  • Add go 1.6.4, 1.7.4, remove go 1.6.2, 1.7.1

Default binary versions: go 1.7.4

nodejs-buildpack

updated to v1.5.24 (from v1.5.23)

v1.5.24

Highlights:

  • Add node 7.2.0, remove node 7.0.0

Default binary versions: node 4.6.2

php-buildpack

updated to v4.3.23 (from v4.3.22)

v4.3.23

Highlights:

  • Add rdkafka for PHP5, ioncube for PHP 7
  • Add nginx 1.11.6, remove nginx 1.11.5
  • Add php 5.6.28, 7.0.13, remove php 5.6.26, 7.0.11

Default binary versions: php 5.5.38, composer 1.2.2, httpd 2.4.23, newrelic 6.3.0.161, nginx 1.11.6

python-buildpack

updated to v1.5.13 (from v1.5.12)

v1.5.13

Default binary versions: python 2.7.12

ruby-buildpack

updated to v1.6.29 (from v1.6.28)

v1.6.29

Highlights:

  • Add ruby 2.1.10, 2.2.6, 2.3.2, 2.3.3, remove ruby 2.1.8, 2.2.4, 2.3.1

Default binary versions: ruby 2.3.3, node 4.6.2

staticfile-buildpack

updated to v1.3.14 (from v1.3.13)

v1.3.14

Highlights:

  • Enable 'Vary: Accept-Encoding' header
  • Add nginx 1.11.6, remove nginx 1.11.5

Default binary versions: nginx 1.11.6

DEA-Warden-HM9000 Runtime

This section will be updated soon. If this section is not yet up-to-date, please reach out for information.

Internal Components

postgres-release (includes postgres job)

  • No changes

etcd-release (includes etcd and etcd_metrics_server jobs)

  • No changes

consul-release (includes consul_agent job)

  • Bumped from v135 to v145. Functional changes:
    • Now includes consul 0.7.1 (was 0.7.0)
    • Changes to support running consul_agent on Windows in client mode

nats-release (includes nats and nats_stream_forwarder jobs)

  • No changes.

Recommended Versions of Additional Releases

These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.

Job Spec Changes

Recommended BOSH Stemcell Version

  • 3312.12

Note: For AWS you should use the Xen-HVM stemcells rather than Xen.

These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.


v249

cf-release-notes-bot released this Dec 10, 2016

The cf-release v249 was released on December 10, 2016.

Important

login.saml.serviceProviderKeyPassword:
  description: "Password to protect the service provider private key."

Contents:

CC and Service Broker APIs

Contains CAPI release v1.11.0. Release notes for v1.11.0

Identity

UAA release bumped to v24 (UAA v3.9.3)

Routing

Routing-release was bumped to 0.142.0

Loggregator

This section will be updated soon. If this section is not yet up-to-date, please reach out for information.

  • Updated to golang 1.7.4
  • Improved Cipher Suites
  • Update to TLS versions being used

Buildpacks and Stacks

  • No changes

DEA-Warden-HM9000 Runtime

  • No changes

Internal Components

postgres-release (includes postgres job)

  • No changes

etcd-release (includes etcd and etcd_metrics_server jobs)

  • Bumped from v86 to v87. Functional changes: The proxy for TLS migration now responds to /v2/members, fixing an issue in consumers that get peers via the API instead of via bosh properties.

consul-release (includes consul_agent job)

  • No changes.

nats-release (includes nats and nats_stream_forwarder jobs)

  • No changes.

Recommended Versions of Additional Releases

These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.

Job Spec Changes

Recommended BOSH Stemcell Versions

  • real IaaS: 3312.7
  • BOSH-Lite: 3312.7

Note: For AWS you should use the Xen-HVM stemcells rather than Xen.

These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.


v248

cf-release-notes-bot released this Dec 2, 2016

The cf-release v248 was released on December 02, 2016.

IMPORTANT

BACKWARDS INCOMPATIBLE CHANGES

Starting with this release UAA no longer provides default values for the SAML Service Provider Certificate and JWT Signing Key as a security best practice. These need to be generated explicitly per deployment of UAA and are required for proper start-up and functioning of UAA.

These are standard artifacts which can be generated using openssl. Please refer to the topic here on how to generate a self-signed cert.

Please refer here for more details.
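What the notice above asks for, as an added example that is not cf-release or UAA tooling: a POSIX shell script that generates the SAML service-provider key and self-signed certificate plus a JWT signing key pair with openssl, and a consistency check to run before the values go into the manifest. It assumes openssl is on PATH; of the UAA property names in the comments, only login.saml.serviceProviderKeyPassword appears on this page, the others are my recollection of the uaa job spec of this period and should be checked against the spec shipped in your release.

```shell
#!/bin/sh
# Added example, not cf-release or UAA tooling: generate the per-deployment
# UAA secrets that v248 stopped defaulting, then sanity-check them.
# Assumes openssl is on PATH. Property names marked (assumed) are taken
# from memory of the uaa job spec of this era; verify against your release.

# gen_uaa_keys OUTDIR CN SP_KEY_PASSWORD
#   OUTDIR/saml-sp.key          -> login.saml.serviceProviderKey (assumed)
#   SP_KEY_PASSWORD             -> login.saml.serviceProviderKeyPassword
#   OUTDIR/saml-sp.crt          -> login.saml.serviceProviderCertificate (assumed)
#   OUTDIR/jwt-signing.key      -> uaa.jwt.signing_key (assumed)
#   OUTDIR/jwt-verification.pem -> uaa.jwt.verification_key (assumed)
gen_uaa_keys() {
  outdir="$1"; cn="$2"; sp_pw="$3"
  mkdir -p "$outdir" || return 1

  # SAML service-provider private key, kept AES-256 encrypted at rest; the
  # passphrase is the value serviceProviderKeyPassword must carry.
  openssl genrsa -aes256 -passout "pass:$sp_pw" \
    -out "$outdir/saml-sp.key" 2048 >/dev/null 2>&1 || return 1

  # Self-signed SP certificate over that key; identity providers import it
  # to verify UAA's signed SAML requests. CN is the UAA/login hostname.
  openssl req -new -x509 -batch -sha256 -days 825 \
    -key "$outdir/saml-sp.key" -passin "pass:$sp_pw" \
    -subj "/CN=$cn" -out "$outdir/saml-sp.crt" >/dev/null 2>&1 || return 1

  # JWT signing key pair: the private half signs access tokens, the public
  # half is what resource servers use to verify them.
  openssl genrsa -out "$outdir/jwt-signing.key" 2048 >/dev/null 2>&1 || return 1
  openssl rsa -in "$outdir/jwt-signing.key" -pubout \
    -out "$outdir/jwt-verification.pem" >/dev/null 2>&1 || return 1

  chmod 600 "$outdir/saml-sp.key" "$outdir/jwt-signing.key"
}

# check_uaa_keys OUTDIR SP_KEY_PASSWORD
# Returns 0 only if the four files agree with each other and the password
# really unlocks the SP key: catches a cert cut from a different key, a
# wrong passphrase in the manifest, and an expired or not-yet-valid cert.
check_uaa_keys() {
  outdir="$1"; sp_pw="$2"

  # SP key must be stored encrypted (PKCS#1 and PKCS#8 forms both say so)
  grep -q ENCRYPTED "$outdir/saml-sp.key" || return 1

  # certificate must be currently valid ...
  openssl x509 -in "$outdir/saml-sp.crt" -noout -checkend 0 >/dev/null 2>&1 || return 1

  # ... and must carry the public half of the SP key; decrypting the key
  # with sp_pw is also the proof that the password is right.
  cert_pub=$(openssl x509 -in "$outdir/saml-sp.crt" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl rsa -in "$outdir/saml-sp.key" -passin "pass:$sp_pw" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1

  # verification key must be the public half of the JWT signing key
  jwt_pub=$(openssl rsa -in "$outdir/jwt-signing.key" -pubout 2>/dev/null) || return 1
  [ "$jwt_pub" = "$(cat "$outdir/jwt-verification.pem")" ] || return 1
}

# Usage (stand-alone):
#   . ./uaa-keys.sh
#   gen_uaa_keys ./uaa-keys uaa.example.com 'correct horse battery staple' \
#     && check_uaa_keys ./uaa-keys 'correct horse battery staple' && echo consistent
```

Passing the passphrase as pass:... leaves it visible in the process list to other local users on the workstation; for real runs use -passin file: or a prompt. The SP key, the JWT signing key and the passphrase belong in a credentials file or secret store rather than the manifest's plain-text history, since together they let whoever holds them mint valid UAA tokens and sign SAML requests as your deployment.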

Contents:

CC and Service Broker APIs

Contains CAPI release v1.11.0. Release notes for v1.11.0

Identity

This release includes UAA 3.9.2

Routing

No changes

Loggregator

This section will be updated soon. If this section is not yet up-to-date, please reach out for information.

Buildpacks and Stacks

stacks

updated to 1.92.0 (from 1.90.0)

1.92.0

Ubuntu Security Notice USN-3142-1:

Ubuntu Security Notice USN-3139-1:

  • CVE-2016-1248: vim before patch 8.0.0056 does not properly validate values for the 'filetype', 'syntax' and 'keymap' options, which may result in the execution of arbitrary code if a file with a specially crafted modeline is opened.

Ubuntu Security Notice USN-3134-1:

  • CVE-2016-0772: The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
  • CVE-2016-1000110: use of HTTP_PROXY flag supplied by attacker in CGI scripts
  • CVE-2016-5636: Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.
  • CVE-2016-5699: CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.

Ubuntu Security Notice USN-3132-1:

Ubuntu Security Notice USN-3131-1:
(81 CVEs addressed, see USN link)

1.91.0

dotnet-core-buildpack

updated to v1.0.5 (from v1.0.4)

v1.0.5

  • Add bower 1.8.0, remove bower 1.7.9
  • Serve libunwind from buildpacks.cloudfoundry.org

Default binary versions: node 6.9.1, bower 1.8.0, dotnet 1.0.0-preview2-003131

go-buildpack

updated to v1.7.15 (from v1.7.14)

v1.7.15

  • Ensure all downloaded binaries have checksums verified
  • Add godep v75, remove godep v74

Default binary versions: go 1.6.3

nodejs-buildpack

updated to v1.5.23 (from v1.5.22)

v1.5.23

  • Add node 7.1.0, 7.0.0, 6.9.1, 4.6.2
  • Remove node 6.8.1, 4.6.0, 0.10.47 (EOL), 0.10.48 (EOL)
  • Ensure all downloaded binaries have checksums verified
  • Remove vendored node binary executable

Default binary versions: node 4.6.2

php-buildpack

updated to v4.3.22 (from v4.3.21)

v4.3.22

  • Ensure all downloaded binaries have checksums verified
  • Add composer 1.2.2, remove composer 1.2.1
  • Add APCu support to all PHP versions
  • Warn and error when composer.json or composer.lock has invalid format
  • Add support for phpiredis and phpredis in PHP7

Default binary versions: php 5.5.38, composer 1.2.2, httpd 2.4.23, newrelic 6.3.0.161, nginx 1.11.5

python-buildpack

updated to v1.5.12 (from v1.5.11)

v1.5.12

  • Ensure all downloaded binaries have checksums verified

Default binary versions: python 2.7.12

ruby-buildpack

updated to v1.6.28 (from v1.6.27)

v1.6.28

  • Add node 4.6.2, remove node 4.6.1
  • Add bundler 1.13.6, remove bundler 1.13.5
  • Add openjdk 1.8.0_111, remove openjdk 1.8.0_101
  • Ensure all downloaded binaries have checksums verified

Default binary versions: ruby 2.3.1, node 4.6.2

staticfile-buildpack

updated to v1.3.13 (from v1.3.12)

v1.3.13

  • Option to enable hosting of hidden dot-files
  • Enable HSTS support
  • Don't write hashed credentials from Staticfile.auth to the logs

DEA-Warden-HM9000 Runtime

This section will be updated soon. If this section is not yet up-to-date, please reach out for information.

Internal Components

postgres-release (includes postgres job)

  • No changes

etcd-release (includes etcd and etcd_metrics_server jobs)

  • Bumped from vXX to vXX. Functional changes:

consul-release (includes consul_agent job)

  • Bumped from vXX to vXX. Functional changes:

nats-release (includes nats and nats_stream_forwarder jobs)

  • No changes

Recommended Versions of Additional Releases

These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.

Job Spec Changes

Recommended BOSH Stemcell Versions

  • real IaaS: 3312.6
  • BOSH-Lite: 3312.6

Note: For AWS you should use the Xen-HVM stemcells rather than Xen.

These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.


v247

cf-release-notes-bot released this Nov 17, 2016

The cf-release v247 was released on November 17, 2016.

Contents:

CC and Service Broker APIs

Contains CAPI release v1.11.0. Release notes for v1.11.0

Identity

Updated to UAA 3.9.0

Routing

No changes

Loggregator

This release includes support for gRPC which enables TLS. For notes about setting up certs see: https://github.com/cloudfoundry/loggregator#generating-tls-certificates

Buildpacks and Stacks

stacks

updated to 1.90.0 (from 1.89.0)

1.90.0

Notably, this release addresses:

USN-3116-1: DBus vulnerabilities (Ubuntu Security Notice):

  • CVE-2015-0245: D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9.x before 1.9.10 does not validate the source of ActivationFailure signals, which allows local users to cause a denial of service (activation failure error returned) by leveraging a race condition involving sending an ActivationFailure signal before systemd responds.

USN-3117-1: GD library vulnerabilities (Ubuntu Security Notice):

  • CVE-2016-6911: invalid read in gdImageCreateFromTiffPtr()
  • CVE-2016-7568: Integer overflow in the gdImageWebpCtx function in gd_webp.c in the GD Graphics Library (aka libgd) through 2.2.3, as used in PHP through 7.0.11, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted imagewebp and imagedestroy calls.
  • CVE-2016-8670: Stack Buffer Overflow in GD dynamicGetbuf

USN-3119-1: Bind vulnerability (Ubuntu Security Notice):

  • CVE-2016-8864: A problem handling responses containing a DNAME answer can lead to an assertion failure

USN-3123-1: curl vulnerabilities (Ubuntu Security Notice):

  • CVE-2016-7141: curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420.
  • CVE-2016-7167: Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow.
  • CVE-2016-8615: cookie injection for other servers
  • CVE-2016-8616: case insensitive password comparison
  • CVE-2016-8617: OOB write via unchecked multiplication
  • CVE-2016-8618: double-free in curl_maprintf
  • CVE-2016-8619: double-free in krb5 code
  • CVE-2016-8620: glob parser write/read out of bounds
  • CVE-2016-8621: curl_getdate read out of bounds
  • CVE-2016-8622: URL unescape heap overflow via integer truncation
  • CVE-2016-8623: Use-after-free via shared cookies
  • CVE-2016-8624: invalid URL parsing with '#'

dotnet-core-buildpack

v1.0.5

CF v247 is the first CF release to include the .NET Core buildpack. This buildpack adds support for .NET Core apps on the cflinuxfs2 stack.

DEA-Warden-HM9000 Runtime

This section will be updated soon. If this section is not yet up-to-date, please reach out for information.

Internal Components

postgres-release (includes postgres job)

No changes.

etcd-release (includes etcd and etcd_metrics_server jobs)

  • Bumped from v77 to v85. Functional changes:
    • Bump golang to 1.7.3
    • Properly set ulimit for the etcd process
    • Make bind addresses configurable for etcd and proxy
    • Fix submodule URL in etcd_metrics_server

consul-release (includes consul_agent job)

  • Bumped from v133 to v135. Functional changes:
    • Properly set ulimit for consul process

nats-release (includes nats and nats_stream_forwarder jobs)

  • No changes.

Recommended Versions of Additional Releases

These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.

Although it's still considered experimental, we have started to test CF against the new netman release. It's not recommended for production, but for those deploying it, here is the information for netman-release:

Job Spec Changes

  • Add etcd.client_ip and etcd.peer_ip to allow specifying the bind address for the etcd server
  • Add etcd_proxy.ip to allow specifying the bind address for the etcd proxy server

Recommended BOSH Stemcell Versions

  • real IaaS: 3309
  • BOSH-Lite: 3309

Note: For AWS you should use the Xen-HVM stemcells rather than Xen.

These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.


v246

cf-release-notes-bot released this Nov 3, 2016

The cf-release v246 was released on November 03, 2016.

IMPORTANT

  • With this release UAA defaults to enforcing signature validation on incoming SAML assertions. Please make sure any SAML identity provider configured for UAA sends only signed SAML assertions.

Contents:

CC and Service Broker APIs

Contains CAPI release v1.10.0. Release notes for v1.8.0, v1.9.0, and v1.10.0

Identity

Updated to UAA Release 3.8.0
Spec changes can be found here

Routing

Routing-release bumped to 0.141.0

Loggregator

No changes.

Buildpacks and Stacks

stacks

updated to 1.89.0 (from 1.86.0)

1.89.0

No CVEs present. Notably, this release introduces the libsasl2-dev package.

1.88.0

No CVEs present.

1.87.0

No CVEs present.

binary-buildpack

updated to v1.0.5 (from v1.0.4)

v1.0.5

go-buildpack

updated to v1.7.14 (from v1.7.13)

v1.7.14

Default binary versions: go 1.6.3

java-buildpack

updated to v3.10 (from v3.9)

v3.10

I'm pleased to announce the release of the java-buildpack, version 3.10. This release updates the Dynatrace frameworks.

For a more detailed look at the changes in 3.10, please take a look at the commit log. Packaged versions of the buildpack, suitable for use with create-buildpack and update-buildpack, can be found attached to this release.

nodejs-buildpack

updated to v1.5.22 (from v1.5.21)

v1.5.22

  • Add node 6.9.0 and 6.8.1, remove node 6.6.0 and 6.7.0
  • Add node 0.10.48, remove node 0.10.46
  • Add node 0.12.17, remove node 0.12.15
  • Add node 4.6.1, remove node 4.5.0
  • Address USN-3087-1: OpenSSL vulnerabilities with node 6.8.1 and 6.9.0
  • NOTICE: Node.js 0.10 will be removed after October 31, 2016 due to end of LTS

Default binary versions: node 4.6.0

php-buildpack

updated to v4.3.21 (from v4.3.20)

v4.3.21

  • Address USN-3095-1 and associated CVEs with PHP 5.6.27 and 7.0.12
  • Add support for rdkafka in PHP 7
  • Add php 5.6.26 and 5.6.27, remove php 5.6.24 and 5.6.25
  • Add php 7.0.11 and 7.0.12, remove php 7.0.9 and 7.0.10
  • Add nginx 1.11.5, remove nginx 1.11.4
  • Add nginx 1.10.2, remove nginx 1.10.1

Default binary versions: php 5.5.38, composer 1.2.1, httpd 2.4.23, newrelic 6.3.0.161, nginx 1.11.5

python-buildpack

updated to v1.5.11 (from v1.5.10)

v1.5.11

Default binary versions: python 2.7.12

ruby-buildpack

updated to v1.6.27 (from v1.6.26)

v1.6.27

  • Add node 4.6.1, remove node 4.6.0
  • Add bundler 1.13.5, remove bundler 1.13.1

Default binary versions: ruby 2.3.1, node 4.6.1

staticfile-buildpack

updated to v1.3.12 (from v1.3.11)

v1.3.12

DEA-Warden-HM9000 Runtime

  • Fixed container startup issues with Linux 4.4
  • Improved HM9000 actual state processing time for large number of instances (> 10k)
  • Reduced connection count to etcd on start when there is a stampede on start (35k -> 65)

Internal Components

postgres-release (includes postgres job)

  • No changes.

etcd-release (includes etcd and etcd_metrics_server jobs)

  • Bumped from v73 to v77. Functional changes:
    • Add network diagnostics logging to etcd job

consul-release (includes consul_agent job)

  • Bumped from v126 to v133. Functional changes:
    • consul_agent job only drains when in server mode, not in client mode.
    • Set performance raft_multiplier to 1 for Consul process.
    • Change default value of consul.agent.dns_config.allow_stale to true and consul.agent.dns_config.max_stale to 30s in consul_agent job.
    • consul_agent job running in mode: server no longer needs to be configured with consul.agent_cert or consul.agent_key properties.

nats-release (includes nats and nats_stream_forwarder jobs)

  • Bumped from v11 to v14. Functional changes: bump to golang 1.7, enables forwarding of nats logs to a syslog drain

Recommended Versions of Additional Releases

These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.

Job Spec Changes

  • CAPI v1.9.0 Job Spec Changes and v1.10.0 Job Spec Changes
  • Add etcd.network_diagnostics_duration_in_seconds property (default 30) to the etcd job to avoid filling up log aggregation services.
  • Add etcd.enable_network_diagnostics and default to true.

Recommended BOSH Stemcell Versions

  • real IaaS: 3263.8
  • BOSH-Lite: 3262.2

Note: For AWS you should use the Xen-HVM stemcells rather than Xen.

These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.


v245

cf-release-notes-bot released this Oct 9, 2016

The cf-release v245 was released on October 09, 2016.

IMPORTANT

  • This release fixes a critical security vulnerability pertaining to command injection. Please see the mailing list thread on CVE-2016-6655 for more details. Operators are strongly encouraged to update to this latest version of cf-release.
  • This release includes a significant migration of the CCDB that is the first step to releasing the CC V3 API. Please see the release notes for CAPI v1.6.0 for details.
  • CVE-2016-6658: The Cloud Controller in CF-245 contains a fix for a medium CVE where apps using custom buildpack urls could contain credentials. This fix ensures that urls containing credentials are either encrypted or stored in an obfuscated format at rest. This is a continuation of CVE-2016-6638 originally reported fixed in CF-241.

KNOWN ISSUES

  • The included version of CAPI Release contains an issue staging Python buildpack based apps and apps using any buildpack that doesn't return process types in the staging result. We've prioritized this bug at the top of our backlog. Workaround is to add a Procfile containing any command, e.g. web: foo.

Contents:

CC and Service Broker APIs

Contains CAPI release v1.7.0. Release notes for v1.6.0 and v1.7.0

Identity

No Changes

Routing

Routing-release bumped to 0.140.0

Loggregator

No Changes

Buildpacks and Stacks

stacks

updated to 1.86.0 (from 1.84.0)

1.86.0

Notably, this release addresses USN-3096-1: NTP vulnerabilities (Ubuntu Security Notice). As cflinuxfs2 only includes the ntpdate package, many of these CVEs may not apply.

  • CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode
  • CVE-2015-7974: NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."
  • CVE-2015-7975: ntpq buffer overflow
  • CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames
  • CVE-2015-7977: reslist NULL pointer dereference
  • CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list
  • CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode
  • CVE-2015-8138: Zero Origin Timestamp Bypass, AKA: Additional KoD Checks
  • CVE-2015-8158: Potential Infinite Loop in ntpq
  • CVE-2016-0727: NTP statsdir cleanup cronjob insecure
  • CVE-2016-1547: Validate crypto-NAKs, AKA: nak-dos
  • CVE-2016-1548: Interleave-pivot
  • CVE-2016-1550: Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA: authdecrypt-timing
  • CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion botch
  • CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
  • CVE-2016-4954: The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication.
  • CVE-2016-4955: ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time.
  • CVE-2016-4956: ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-1548.

1.85.0

Notably, this release addresses USN-3088-1: Bind vulnerability (Ubuntu Security Notice).

nodejs-buildpack

updated to v1.5.21 (from v1.5.20)

v1.5.21

  • Address USN-3087-1: OpenSSL vulnerabilities by updating node.
    The new versions of node included in this buildpack are built
    against the patched version of OpenSSL
    (https://www.pivotaltracker.com/story/show/130945067)

  • Updated node: 0.10.47, 0.12.16, 4.6.0, 6.7.0

Default binary versions: node 4.6.0

ruby-buildpack

updated to v1.6.26 (from v1.6.25)

v1.6.26

Default binary versions: ruby 2.3.1, node 4.6.0

DEA-Warden-HM9000 Runtime

This section will be updated soon. If this section is not yet up-to-date, please reach out for information.

Internal Components

postgres-release (includes postgres job)

  • Bumped from v5 to v6. No functional changes.

etcd-release (includes etcd and etcd_metrics_server jobs)

  • Bumped from v66 to v73. Functional changes:
    • Added -debug flag to uses of the etcdctl CLI to improve debuggability.
    • Added etcd_consistency_checker process to etcd job.
    • Added etcd network diagnostics logging to etcd job.

consul-release (includes consul_agent job)

  • Bumped from v125 to v126. Functional changes:
    • consul_agent job will now use sed instead of awk -W in agent_ctl script.

nats-release (includes nats and nats_stream_forwarder jobs)

  • No change, still at v11.

Recommended Versions of Additional Releases

These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.

Job Spec Changes

Recommended BOSH Stemcell Versions

  • real IaaS: 3263.5
  • BOSH-Lite: 3262.2

Note: For AWS you should use the Xen-HVM stemcells rather than Xen.

These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.


v244

cf-release-notes-bot released this Sep 28, 2016

The cf-release v244 was released on September 28, 2016.

IMPORTANT

  • From this release onwards, Loggregator no longer registers its legacy logging_endpoint with the router. This makes the legacy endpoints on Traffic Controller inaccessible.

Contents:

CC and Service Broker APIs

No Change

Identity

Updated to UAA Release 3.7.4

Routing

No changes

Loggregator

  • Metron attempts initial reconnection to etcd using exponential backoff strategy up to 15 times instead of panicking immediately.
  • Property name changes in loggregator_trafficcontroller/spec
    • doppler.uaa_client_id replaces loggregator.uaa.client
    • uaa.clients.doppler.secret replaces loggregator.uaa.client_secret
    • doppler.outgoing_port replaces loggregator.doppler_port
  • Property name changes in metron_agent/spec
    • metron_agent.listening_port replaces metron_agent.dropsonde_incoming_port
  • The Loggregator Consumer endpoint no longer gets a route registered in this release. This makes the Loggregator Consumer endpoint inaccessible in this release. The loggregator_consumer library is deprecated in favor of noaa which makes use of the new endpoints as described here.

Buildpacks and Stacks

stacks

updated to 1.84.0 (from 1.80.0)

1.84.0

Notably, this release addresses USN-3087-2: OpenSSL regression.

USN-3087-2 is a fix for a regression introduced by USN-3087-1, which was included in cflinuxfs2 1.83.0.

1.83.0

Notably, this release addresses USN-3087-1: OpenSSL vulnerabilities (Ubuntu Security Notice):

  • CVE-2016-2177: OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.
  • CVE-2016-2178: The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.
  • CVE-2016-2179: The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c.
  • CVE-2016-2180: The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted time-stamp file that is mishandled by the "openssl ts" command.
  • CVE-2016-2181: The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records, related to rec_layer_d1.c and ssl3_record.c.
  • CVE-2016-2182: The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
  • CVE-2016-2183: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
  • CVE-2016-6302: The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short.
  • CVE-2016-6303: Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
  • CVE-2016-6304: OCSP Status Request extension unbounded memory growth
  • CVE-2016-6306: In ssl3_get_client_certificate, ssl3_get_server_certificate and ssl3_get_certificate_request, check we have enough room before reading a length.

1.82.0

To address RFC #36, this release upgrades Ruby from 2.2.4 to 2.3.1.

This release also addresses USN-3085-1: GDK-PixBuf vulnerabilities (Ubuntu Security Notice):

  • CVE-2015-7552: Heap-based buffer overflow in the gdk_pixbuf_flip function in gdk-pixbuf-scale.c in gdk-pixbuf 2.30.x allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted BMP file.
  • CVE-2015-8875: Multiple integer overflows in the (1) pixops_composite_nearest, (2) pixops_composite_color_nearest, and (3) pixops_process functions in pixops/pixops.c in gdk-pixbuf before 2.33.1 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted image, which triggers a heap-based buffer overflow.
  • CVE-2016-6352: Write out-of-bounds

1.81.0

No CVEs present.

binary-buildpack

updated to v1.0.4 (from v1.0.3)

v1.0.4

Highlights:

  • Updated various buildpack development dependencies

go-buildpack

updated to v1.7.13 (from v1.7.12)

v1.7.13

Highlights:

  • Add go 1.7.1

Default binary versions: go 1.6.3

nodejs-buildpack

updated to v1.5.20 (from v1.5.19)

v1.5.20

Highlights:

  • WARNING: This buildpack is vulnerable to high CVE 2016-6304. Please upgrade to 1.5.21 ASAP.

  • Add node 6.6.0, remove node 6.4.0

Default binary versions: node 4.5.0

php-buildpack

updated to v4.3.20 (from v4.3.19)

v4.3.20

Highlights:

  • Enable mssql and pdo-dblib support for PHP

  • Update modules: cassandra, xdebug, yaf, twig, php-protobuf

  • Updated dependencies: nginx, composer

Default binary versions: php 5.5.38, composer 1.2.1, httpd 2.4.23, newrelic 6.3.0.161, nginx 1.11.4

python-buildpack

updated to v1.5.10 (from v1.5.9)

v1.5.10

  • Lock version of conda to 4.1.11

Default binary versions: python 2.7.12

ruby-buildpack

updated to v1.6.25 (from v1.6.24)

v1.6.25

  • WARNING: This buildpack is vulnerable to high CVE 2016-6304. Please upgrade to 1.6.26 ASAP.

  • Remove vendored libyaml

  • Update bundler

Default binary versions: ruby 2.3.1, node 4.5.0

staticfile-buildpack

updated to v1.3.11 (from v1.3.10)

v1.3.11

  • Update nginx

  • Redact credentials from URLs in a cached and uncached buildpack output

DEA-Warden-HM9000 Runtime

No changes

Internal Components

postgres-release (includes postgres job)

  • No changes.

etcd-release (includes etcd and etcd_metrics_server jobs)

  • No changes

consul-release (includes consul_agent job)

  • Bumped from v110 to v125. Functional changes:
    • Bump consul to 0.7. details
    • Add consul.agent.dns_config.recursor_timeout property. details
    • Add drain script. details
    • Significantly change the orchestration logic for starting consul servers. Consul will no longer use bootstrap-expect for determining which consul server should be the bootstrap node. This release will now programmatically determine which node to bootstrap, and in doing so paves the way for better and more advanced automatic failure recovery logic. details

nats-release (includes nats and nats_stream_forwarder jobs)

  • No change. Still v11. No functional changes.

Recommended Versions of Additional Releases

These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.

Job Spec Changes

  • Added consul.agent.dns_config.recursor_timeout property. details
  • properties.uaa.clients.cc-service-dashboards.secret -- previously an optional field for opting in to SSO integration for services -- is now a required field. details

Recommended BOSH Stemcell Versions

  • real IaaS: 3263.2
  • BOSH-Lite: 3262.2

Note: For AWS you should use the Xen-HVM stemcells rather than Xen.

These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.

Downloads

v243

@cf-release-notes-bot cf-release-notes-bot released this Sep 21, 2016

The cf-release v243 was released on September 21, 2016.

IMPORTANT

Contents:

CC and Service Broker APIs

No Change

Identity

This release includes UAA 3.7.3.
This is a security release which addresses CVE-2016-6651 Privilege Escalation in UAA.

Routing

Routing-release bumped to 0.138.0

Loggregator

No changes

Buildpacks and Stacks

java-buildpack

updated to v3.9 (from v3.8.1)

v3.9

I'm pleased to announce the release of the java-buildpack, version 3.9. This release has no theme per se, but has a number of important updates collected within it.

For a more detailed look at the changes in 3.9, please take a look at the commit log.

DEA-Warden-HM9000 Runtime

No Change

Internal Components

postgres-release (includes postgres job)

  • No changes, still at v5.

etcd-release (includes etcd and etcd_metrics_server jobs)

  • No changes, still at v66.

consul-release (includes consul_agent job)

  • No changes, still at v110.

nats-release (includes nats and nats_stream_forwarder jobs)

  • No changes, still at v11.

Recommended Versions of Additional Releases

These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.

Job Spec Changes

Recommended BOSH Stemcell Versions

  • real IaaS: 3262.14
  • BOSH-Lite: 3262.2

Note: For AWS you should use the Xen-HVM stemcells rather than Xen.

These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.

Downloads

v242

@cf-release-notes-bot cf-release-notes-bot released this Sep 13, 2016

The cf-release v242 was released on September 13, 2016.

IMPORTANT

  • Starting with this release the format for bootstrapping UAA Users and Groups has been switched from a Pipe format to a struct format.

    The previous format for uaa.scim.users was:

      - marissa|koala|marissa@test.org|Marissa|Bloggs|scim.write,scim.read,openid
    

    The new format for uaa.scim.users is:

     - name: marissa
       password: koala
       email: marissa@test.org
       firstName: Marissa
       lastName: Bloggs
       groups:
         - scim.write
         - scim.read
         - openid
    

    The previous format for uaa.scim.groups was:

    group1,group2,group3
    

    The new format for uaa.scim.groups is:

    group1: 'My test group description'
    group2: 'My other test group description'
    group3: 'My next group description'
    

Contents:

CC and Service Broker APIs

Contains CAPI release v1.5.0. Release notes for v1.4.0 and v1.5.0

Identity

Updated to UAA 3.7.0

Routing

No change.

Loggregator

  • Loggregator Traffic Controllers now run consul_agent template to be discoverable via consul DNS.

  • dea_logging_agent now lives in its own repository. It is now submoduled within loggregator for backward compatibility. However, the intention is to move it directly under cf-release and out of Loggregator.

  • Loggregator components are now packaged with golang1.7

  • DopplerServer.sentMessagesFirehose no longer appends the subscription_id to the metric name, instead it adds subscription_id as a tag.

  • No longer supporting message aggregation of HttpStart and HttpStop messages in Metron Agent.

Buildpacks and Stacks

stacks

updated to 1.80.0 (from 1.78.0)

1.80.0

Minor curl and ISC DHCP updates. No CVEs present.

1.79.0

Minor Linux kernel header upgrade. No CVEs present.

go-buildpack

updated to v1.7.12 (from v1.7.11)

v1.7.12

Highlights:

Default binary versions: go 1.6.3

nodejs-buildpack

updated to v1.5.19 (from v1.5.18)

v1.5.19

Highlights:

Default binary versions: node 4.5.0

php-buildpack

updated to v4.3.19 (from v4.3.17)

v4.3.19

Highlights:

Default binary versions: php 5.5.38, composer 1.2.0, httpd 2.4.23, newrelic 6.3.0.161, nginx 1.11.3

v4.3.18

Highlights:

Default binary versions: php 5.5.38, composer 1.2.0, httpd 2.4.23, newrelic 6.3.0.161, nginx 1.11.3

ruby-buildpack

updated to v1.6.24 (from v1.6.21)

v1.6.24

Default binary versions: ruby 2.3.1, node 4.5.0

v1.6.23

Highlights:

Default binary versions: ruby 2.3.1, node 4.5.0

v1.6.22

Highlights:

Default binary versions: ruby 2.3.1, node 4.5.0

DEA-Warden-HM9000 Runtime

No changes

Internal Components

postgres-release (includes postgres job)

  • No changes.

etcd-release (includes etcd and etcd_metrics_server jobs)

  • No changes.

consul-release (includes consul_agent job)

  • Bumped from v108 to v110. No major functional changes, but several implementation changes from pull request to support consul_agent job on BOSH Windows stemcells.

nats-release (includes nats and nats_stream_forwarder jobs)

  • Bumped from v8 to v11. Functional changes:
    • Introduce BOSH links for nats.user, nats.password, nats.port (and implicitly, nats.machines) properties on nats job, including adding default value of 4222 to nats.port property. details

Recommended Versions of Additional Releases

These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.

Job Spec Changes

Recommended BOSH Stemcell Versions

  • real IaaS: 3262.12
  • BOSH-Lite: 3262.2

Note: For AWS you should use the Xen-HVM stemcells rather than Xen.

These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.

Downloads

v241

@cf-release-notes-bot cf-release-notes-bot released this Aug 29, 2016

The cf-release v241 was released on August 29, 2016.

IMPORTANT

  • UPDATE 2016-09-02 17:06 UTC - MySQL implicitly ends transactions before (and often after) certain statements, including DDL statements. A Cloud Controller database migration in CF-241 is encrypting the specified buildpack of an application as this column could contain a Git url containing a username and password. To perform this migration, it creates new columns, encrypts the existing buildpack data and saves it to the new columns, then deletes the old column. This results in a period of time where Cloud Controllers running the code from a previous release can potentially write data to the old column, which is about to be deleted, when an app is pushed with a specified buildpack. While this sort of migration is uncommon, this is not the first time Cloud Controller has made this sort of migration. Operators that are particularly sensitive to this can always scale their Cloud Controller to a single instance in order to take downtime while the migration is performed. The CAPI team intends to explore how we can make migrations on MySQL better in the future.
  • UPDATE 2016-09-01 21:36 UTC - The underlying Sequel gem automatically runs migrations in a transaction for RDBMs that support transactions for DDL statements. This means PostgreSQL will run the entire migration in a transaction, but MySQL will not. We are still determining the proper steps to take for MySQL.
  • UPDATE 2016-09-01 17:25 UTC - The Cloud Controller database migration in CF-241 is not wrapped in a transaction. During a rolling deploy of Cloud Controllers, API requests to Cloud Controllers with the previous code could result in data inconsistencies. We will update these release notes when we determine the proper resolution.
  • CVE-2016-6638: The Cloud Controller in CF-241 contains a database migration to encrypt an app's specified buildpack at rest. Although it is not recommended, a user could specify a git buildpack url containing a username and password. This migration will cause /v2/apps API (or any API call that returns app resource data through inline-relations-depth or summary endpoints) to fail during the rolling deploy as the migration is performed before the updated Cloud Controller(s) are deployed.
  • This release updates the version of PostgreSQL used in the postgres job to 9.4.9 from 9.4.6. This also drops support for being able to upgrade from PostgreSQL 9.4.2. Before upgrading to this or later versions of cf-release, you must first upgrade to v226 or higher.
  • This release introduces official support for running the etcd cluster (shared by several components such as Routing API and the loggregator subsystem, but not Diego which uses its own secure cluster) in secure TLS mode. Upgrading an existing deployment with an insecure etcd cluster to a secure one with minimal downtime is non-trivial. Instructions and additional information for this procedure can be found here. If you are using the manifest generation scripts included within the cf-release repo to generate manifests, you're strongly recommended to upgrade to a secure etcd cluster at this point. The instructions above assume you are upgrading to a secure etcd cluster from a pre-v241 Cloud Foundry deployment and will not apply as smoothly if you later attempt to upgrade a post-v241 non-TLS etcd cluster to a TLS cluster within the Cloud Foundry deployment.

Contents:

CC and Service Broker APIs

Contains CAPI release v1.3.0. Release notes for v1.2.0 and v1.3.0

Identity

No Changes

Routing

Routing release bumped to 0.137.0 - Release Notes

Loggregator

  • Loggregator now provides metron_agent_windows so you can run the Metron Agent on Microsoft Windows Diego Cells.
  • Loggregator now supports dynamic IPs after fixing this issue.

Buildpacks and Stacks

stacks

updated to 1.78.0 (from 1.72.0)

1.78.0

USN-3067-1: HarfBuzz vulnerabilities Ubuntu Security Notice USN-3067-1:

  • CVE-2015-8947: hb-ot-layout-gpos-table.hh in HarfBuzz before 1.0.5 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted data, a different vulnerability than CVE-2016-2052.
  • CVE-2016-2052: Multiple unspecified vulnerabilities in HarfBuzz before 1.0.6, as used in Google Chrome before 48.0.2564.82, allow attackers to cause a denial of service or possibly have other impact via crafted data, as demonstrated by a buffer over-read resulting from an inverted length check in hb-ot-font.cc, a different issue than CVE-2015-8947.

USN-3068-1: Libidn vulnerabilities Ubuntu Security Notice USN-3068-1:

  • CVE-2015-2059: The stringprep_utf8_to_ucs4 function in libidn before 1.31, as used in jabberd2, allows context-dependent attackers to read system memory and possibly have other unspecified impact via invalid UTF-8 characters in a string, which triggers an out-of-bounds read.
  • CVE-2015-8948: Solve out-of-bounds-read when reading one zero byte as input
  • CVE-2016-6261: out-of-bounds stack read in idna_to_ascii_4i
  • CVE-2016-6262: Solve out-of-bounds-read when reading one zero byte as input
  • CVE-2016-6263: stringprep_utf8_nfkc_normalize reject invalid UTF-8

1.77.0

USN-3064-1: GnuPG vulnerability Ubuntu Security Notice USN-3064-1:

USN-3065-1: Libgcrypt vulnerability Ubuntu Security Notice USN-3065-1:

1.76.0

USN-3063-1: Fontconfig vulnerability Ubuntu Security Notice USN-3063-1:

  • CVE-2016-5384: fontconfig before 2.12.1 does not validate offsets, which allows local users to trigger arbitrary free calls and consequently conduct double free attacks and execute arbitrary code via a crafted cache file.

1.75.0

USN-3061-1: OpenSSH vulnerabilities Ubuntu Security Notice USN-3061-1:

  • CVE-2016-6210: User enumeration via covert timing channel
  • CVE-2016-6515: The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string.

1.74.0

USN-3060-1: GD library vulnerabilities Ubuntu Security Notice USN-3060-1:

1.73.0

USN-3048-1: curl vulnerabilities Ubuntu Security Notice USN-3048-1:

python-buildpack

updated to v1.5.9 (from v1.5.8)

v1.5.9

Highlights:

Default binary versions: python 2.7.12

ruby-buildpack

updated to v1.6.21 (from v1.6.20)

v1.6.21

Highlights:

Default binary versions: ruby 2.3.1, node 4.4.7

DEA-Warden-HM9000 Runtime

Internal Components

postgres-release (includes postgres job)

  • Bumped to v5. Functional changes:

    • Bumped from postgres-9.4.6 package to postgres-9.4.9. NOTE: this drops support for upgrading from PostgreSQL 9.4.2. details

etcd-release (includes etcd and etcd_metrics_server jobs)

  • Bumped from v63 to v66. Functional changes:

    • Removed all /varz support from etcd_metrics_server. details

consul-release (includes consul_agent job)

  • Bumped from v101 to v108. Functional changes:

    • Fixed consul_agent in client mode to use ephemeral disk instead of possibly-non-existent persistent disk for storing data such as gossip keyring data, avoiding issues such as having no space left on the root volume device. details
    • Added support for passing max_stale and allow_stale DNS config options through to Consul. details

nats-release (includes nats and nats_stream_forwarder jobs)

  • Bumped to v8. Functional changes:

    • Bumped gnatsd dependency to v0.8.1. details
    • Minor fixes to log directory setup on job start scripts. details

Recommended Versions of Additional Releases

These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.

Job Spec Changes

  • Removed etcd_metrics_server.nats.password, etcd_metrics_server.nats.username, etcd_metrics_server.nats.port, and etcd_metrics_server.nats.machines properties from etcd_metrics_server job. details

Recommended BOSH Stemcell Versions

  • real IaaS: 3262.8
  • BOSH-Lite: 3262.2

Note: For AWS you should use the Xen-HVM stemcells rather than Xen.

These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.

Downloads