release: github.com/cloudfoundry/cf-release / 226

GitHub source: 5ac6aacd or master branch

The cf-release v226 was released on December 03, 2015.

Important:
  • This release includes a bump of PostgreSQL from 9.4.2 to 9.4.5. It also drops support for migrating databases running PostgreSQL 9.0.3 or lower. This means that you will not be able to upgrade directly from a version less than or equal to v210 to a version greater than or equal to v226 if you are using the postgres job within cf-release.

Contents:
  • CC and Service Broker APIs
  • Runtime
  • Buildpacks and Stacks
  • Identity
  • Routing
  • Loggregator
  • Internal Components
  • Job Spec Changes
  • Recommended BOSH Stemcell Versions
  • Recommended Diego Version
  • Recommended Garden Linux Version

CC and Service Broker APIs

CC API Version: 2.44.0

Service Broker API Version: 2.8
  • Brokers may now include requires: [“route_forwarding”] in their catalog endpoint.
  • On bind, the Cloud Controller will now send a new top-level key, bind_resource, under which the required parameters of the binding are found. This would include, for example, app_guid for an app binding and route for a route binding. For backwards compatibility, app_guid will remain a top-level key in addition to being included in the bind_resource.
  • Adds support for a route_service_url key in the binding response.
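The bind_resource handling described above, as an added example that is not code from cf-release or the Cloud Controller: a minimal broker-side handler that declares route_forwarding in its catalog, resolves the bind target from bind_resource with the legacy top-level app_guid as a fallback, and answers route bindings with route_service_url. Service ids, plan ids, GUIDs and URLs are constructed sample values.

```python
# Added example, not cf-release or Cloud Controller code: a broker-side view of
# the Service Broker API 2.8 bind_resource change. Service ids, plan ids, GUIDs
# and URLs are constructed sample values.

ROUTE_SERVICE_URL = "https://route-svc.example.com"  # hypothetical route service

def catalog():
    """Catalog entry telling the Cloud Controller this broker accepts route bindings."""
    return {"services": [{
        "id": "svc-0001", "name": "example-route-service", "bindable": True,
        "requires": ["route_forwarding"],
        "plans": [{"id": "plan-0001", "name": "standard"}],
    }]}

def resolve_bind_target(body):
    """Return ("route", url) or ("app", guid) for a bind request body.

    bind_resource (API 2.8) is authoritative. The Cloud Controller still sends
    a top-level app_guid for backwards compatibility, so it is used only when
    bind_resource is absent; a mismatch between the two is rejected, not guessed.
    """
    resource = body.get("bind_resource") or {}
    if "route" in resource:
        return ("route", resource["route"])
    legacy_guid = body.get("app_guid")
    app_guid = resource.get("app_guid") or legacy_guid
    if app_guid and legacy_guid and app_guid != legacy_guid:
        raise ValueError("bind_resource.app_guid disagrees with top-level app_guid")
    if app_guid:
        return ("app", app_guid)
    raise ValueError("bind request has neither bind_resource nor app_guid")

def bind_response(body):
    """Route bindings answer with route_service_url; app bindings with credentials."""
    kind, target = resolve_bind_target(body)
    if kind == "route":
        return {"route_service_url": ROUTE_SERVICE_URL}
    return {"credentials": {"bound_app": target, "uri": "tcp://svc.example.com:5432"}}

# Constructed sample requests in the shapes the Cloud Controller sends.
ROUTE_BIND = {"service_id": "svc-0001", "plan_id": "plan-0001",
              "bind_resource": {"route": "https://app.example.com/api"}}
APP_BIND = {"service_id": "svc-0001", "plan_id": "plan-0001",
            "app_guid": "app-guid-1234",
            "bind_resource": {"app_guid": "app-guid-1234"}}
LEGACY_BIND = {"service_id": "svc-0001", "plan_id": "plan-0001",
               "app_guid": "app-guid-1234"}  # pre-2.8 shape, no bind_resource
```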

Cloud Controller

  • [Experimental] Work continues on /v3 and Application Process Types details
  • [Experimental] Work continues on Private Brokers details
  • [Experimental] Work continues on TCP Routing details
  • Service Usage Events now expire after a manifest-configurable number of days details
    • cc.service_usage_events.cutoff_age_in_days defaults to 31 days.
    • More info about using usage events can be found here
  • Remove experimental flag on space quota app instance limit details, apidoc
    • cf CLI support has not yet been added, but the API implementation is complete
  • cloudfoundry/cloud_controller_ng #428: extraneous log stmts details
    • Removed some logs that were duplicative and merged route info into other log lines
  • cloudfoundry/cloud_controller_ng #458: Too many params on Delete Application details
  • Increased character limit on tags for service instances to 2048 details
  • cloudfoundry/cloud_controller_ng #459: User provided service instances should handle errors when renaming details

Runtime

DEA

No changes.

Warden

No changes.

HM9000

No changes.

Buildpacks and Stacks

stacks

updated to 1.20.0 (from 1.17.0)

1.20.0

Notably, this release addresses USN-2821-1 “GnuTLS vulnerability” and USN-2820-1 “dpkg vulnerability”, which address:
  • CVE-2015-0860 “read_line stack overflow”
  • CVE-2015-8313 “Poodle TLS1.0 issue”

1.19.0

Notably, this release addresses USN-2815-1, “libpng vulnerabilities”, which is related to:
  • CVE-2012-3425 “The png_push_read_zTXt function in pngpread.c in libpng 1.0.x before 1.0.58, 1.2.x before 1.2.48, 1.4.x before 1.4.10, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (out-of-bounds read) via a large avail_in field value in a PNG image.”
  • CVE-2015-7981 “read out of bound”
  • CVE-2015-8126 “Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image.”

1.18.0

Notably, this release addresses USN-2812-1, “libxml2 vulnerabilities”, which is related to:
  • CVE-2015-1819 “The xmlreader in libxml allows remote attackers to cause a denial of service (memory consumption) via crafted XML data, related to an XML Entity Expansion (XEE) attack.”
  • CVE-2015-7941 “out-of-bounds memory access”
  • CVE-2015-7942 “heap-buffer-overflow in xmlParseConditionalSections”
  • CVE-2015-8035 “DoS via crafted xz file”

as well as USN-2810-1, “Kerberos vulnerabilities”, which is related to:
  • CVE-2002-2443 “schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5) before 1.11.3 does not properly validate UDP packets before sending responses, which allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged packet that triggers a communication loop, as demonstrated by krb_pingpong.nasl, a related issue to CVE-1999-0103.”
  • CVE-2014-5355 “MIT Kerberos 5 (aka krb5) through 1.13.1 incorrectly expects that a krb5_read_message data field is represented as a string ending with a ‘\0’ character, which allows remote attackers to (1) cause a denial of service (NULL pointer dereference) via a zero-byte version string or (2) cause a denial of service (out-of-bounds read) by omitting the ‘\0’ character, related to appl/user_user/server.c and lib/krb5/krb/recvauth.c.”
  • CVE-2015-2694 “The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.2 do not properly track whether a client’s request has been validated, which allows remote attackers to bypass an intended preauthentication requirement by providing (1) zero bytes of data or (2) an arbitrary realm name, related to plugins/preauth/otp/main.c and plugins/preauth/pkinit/pkinit_srv.c.”
  • CVE-2015-2695 “lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) before 1.14 relies on an inappropriate context handle, which allows remote attackers to cause a denial of service (incorrect pointer read and process crash) via a crafted SPNEGO packet that is mishandled during a gss_inquire_context call.”
  • CVE-2015-2696 “lib/gssapi/krb5/iakerb.c in MIT Kerberos 5 (aka krb5) before 1.14 relies on an inappropriate context handle, which allows remote attackers to cause a denial of service (incorrect pointer read and process crash) via a crafted IAKERB packet that is mishandled during a gss_inquire_context call.”
  • CVE-2015-2697 “The build_principal_va function in lib/krb5/krb/bld_princ.c in MIT Kerberos 5 (aka krb5) before 1.14 allows remote authenticated users to cause a denial of service (out-of-bounds read and KDC crash) via an initial ‘\0’ character in a long realm field within a TGS request.”
  • CVE-2015-2698 “memory corruption caused due to original patch for CVE-2015-2696”

go-buildpack

updated to v1.7.0 (from v1.6.3)

v1.7.0

Packaged binaries:

name   version  cf_stacks
go     1.4.1    cflinuxfs2
go     1.4.2    cflinuxfs2
go     1.4.3    cflinuxfs2
go     1.5      cflinuxfs2
go     1.5.1    cflinuxfs2
godep  v17      cflinuxfs2
  • SHA256: ffa187787f322cb8fe0e71a2749abec18c45c829e1058a0c1da39619ae80ab34

nodejs-buildpack

updated to v1.5.3 (from v1.5.2)

v1.5.3

Packaged binaries:

name  version  cf_stacks
node  0.10.38  cflinuxfs2
node  0.10.40  cflinuxfs2
node  0.11.15  cflinuxfs2
node  0.11.16  cflinuxfs2
node  0.12.6   cflinuxfs2
node  0.12.7   cflinuxfs2
node  4.2.2    cflinuxfs2
  • SHA256: e870ed1f82da65ab737fb12a9ddb2fe87b0f9fffff664692b989c5f1142a83ea

php-buildpack

updated to v4.3.0 (from v4.2.1)

v4.3.0

Packaged binaries:

name      version       cf_stacks   modules
php       5.5.29        cflinuxfs2  amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php       5.5.30        cflinuxfs2  amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php       5.6.14        cflinuxfs2  amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php       5.6.15        cflinuxfs2  amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
hhvm      3.5.0         cflinuxfs2
hhvm      3.5.1         cflinuxfs2
hhvm      3.6.0         cflinuxfs2
hhvm      3.6.1         cflinuxfs2
composer  1.0.0-alpha10 cflinuxfs2
httpd     2.4.17        cflinuxfs2
newrelic  4.23.3.111    cflinuxfs2
nginx     1.8.0         cflinuxfs2
nginx     1.9.6         cflinuxfs2
  • SHA256: 5170d88482484cf42e81b47e29a8986f85930af09c4145794a02b3a454d2296b

python-buildpack

updated to v1.5.2 (from v1.5.1)

v1.5.2

Packaged binaries:

name         version  cf_stacks
python       2.7.10   cflinuxfs2
python       2.7.9    cflinuxfs2
python       3.3.5    cflinuxfs2
python       3.3.6    cflinuxfs2
python       3.4.2    cflinuxfs2
python       3.4.3    cflinuxfs2
python       3.5.0    cflinuxfs2
libffi       3.1      cflinuxfs2
libmemcache  1.0.18   cflinuxfs2
  • SHA256: aceeb7368ac9c59243ab942c0eeaf3ed5a33a0491e1c8e30507052a0ce1223fa

ruby-buildpack

updated to v1.6.9 (from v1.6.8)

v1.6.9

Packaged binaries:

name                        version                      cf_stacks
ruby                        2.0.0                        cflinuxfs2
ruby                        2.1.6                        cflinuxfs2
ruby                        2.1.7                        cflinuxfs2
ruby                        2.2.2                        cflinuxfs2
ruby                        2.2.3                        cflinuxfs2
jruby                       ruby-1.9.3-jruby-1.7.22      cflinuxfs2
jruby                       ruby-2.0.0-jruby-1.7.22      cflinuxfs2
jruby                       ruby-2.2.2-jruby-9.0.4.0     cflinuxfs2
node                        0.12.7                       cflinuxfs2
bundler                     1.9.7                        cflinuxfs2
libyaml                     0.1.6                        cflinuxfs2
openjdk1.8-latest           1.8.0_65                     cflinuxfs2
rails3_serve_static_assets  -                            cflinuxfs2
rails_log_stdout            -                            cflinuxfs2
  • SHA256: f3202b1d0a6e2f5ef5c3144e48e073e20fbaeedb75bebd75a35316698392fd4d

staticfile-buildpack

updated to v1.2.3 (from v1.2.2)

v1.2.3

Packaged binaries:

name   version  cf_stacks
nginx  1.8.0    cflinuxfs2
  • SHA256: 596168a04877b25d46deba5b00abe72d1569d0f0df915f8186f96854ea687012

Identity

Bumped UAA from version 2.7.1 to 2.7.3. Please refer to the release notes for 2.7.2 and 2.7.3 for more details.

Routing

  • Client connections are no longer severed prematurely when gorouter is shut down details
  • Default ciphers for Gorouter are now discoverable in job spec, and RC4 ciphers are not supported by default details
  • RC4 ciphers are no longer supported by default for HAProxy details
  • CATS test for wildcard routes now skips SSL validation, as a new domain is created on each test run and we don’t want to use an existing domain, to avoid collisions details
  • Removed DROPSONDE_DESTINATION and DROPSONDE_ORIGIN env vars from gorouter and routing api as they’re no longer used details
  • Origin name for Gorouter metrics in firehose is now “gorouter” details

Work continues on support for Multiple App Ports and TCP Routing:
  • CC API client can request a random port when creating a TCP route details
  • A maximum of 10 app ports can be enabled for buildpack apps details
  • CC API client can now specify a list of ports for an app. These ports are opened on the container by Diego and are accessible via host ports generated by Diego details
  • When CC API client disables diego for an app (switching back to DEA), specified app ports are deleted details
  • CC API client now receives an error when creating an app with ports and diego:false details
  • Godeps removed from Routing API details
  • Added CATS test for SSE events on Routing API details

Loggregator

No changes.

Internal Components

consul

No changes.

etcd

No changes.

etcd-metrics-server

No changes.

route_registrar

No changes.

postgres

Job Spec Changes

  • Added cc.service_usage_events.cutoff_age_in_days property to cloud_controller_clock, cloud_controller_ng, and cloud_controller_worker jobs. details
  • Removed metron_endpoint.shared_secret, dea_logging_agent.status.user, dea_logging_agent.status.password, dea_logging_agent.status.port, nats.user, nats.password, nats.machines, and nats.port properties from dea_logging_agent job. details
  • Removed doppler.status.user, doppler.status.password, and doppler.status.port properties from doppler job. details
  • Added doppler.syslog_skip_cert_verify property to doppler job. details
  • Removed ssl.skip_cert_verify property from doppler job. details
  • Changed default value of router.cipher_suites in gorouter job from "" to a longer list of ciphers. details
  • Removed RC4-SHA value from list of ciphers in default value for ha_proxy.ssl_ciphers property in haproxy job. details
  • Removed traffic_controller.status.user, traffic_controller.status.password, traffic_controller.status.port, nats.user, nats.password, nats.machines, nats.port, and loggregator_endpoint.shared_secret properties from loggregator_trafficcontroller job. details
  • Added metron_endpoint.shared_secret property to metron_agent job. details
  • Removed loggregator_endpoint.shared_secret property from metron_agent job. details
  • Added databases.additional_config property to postgres job. details
  • Added uaa.jwt.policy.accessTokenValiditySeconds, uaa.jwt.policy.refreshTokenValiditySeconds, uaa.jwt.policy.keys, uaa.jwt.policy.global.accessTokenValiditySeconds, and uaa.jwt.policy.global.refreshTokenValiditySeconds properties to uaa job. details, additional details
  • Added uaa.jwt.claims.exclude property to uaa job. details
  • Added uaa.ldap.externalGroupsWhitelist property to uaa job. details
  • Deprecated uaa.id_token.disable property in uaa job, and changed default from true to false. details

Recommended BOSH Stemcell Versions

  • AWS: light-bosh-stemcell-3146-aws-xen-hvm-ubuntu-trusty-go_agent
  • vSphere: bosh-stemcell-3146-vsphere-esxi-ubuntu-trusty-go_agent
  • OpenStack: bosh-stemcell-3146-openstack-kvm-ubuntu-trusty-go_agent
  • BOSH-Lite: bosh-stemcell-2776-warden-boshlite-ubuntu-trusty-go_agent

These are soft recommendations; several different versions of BOSH and the stemcells are likely to work fine with this version of cf-release and the corresponding versions of diego-release, garden-linux-release, and etcd-release.

Recommended Diego Version

This is a soft recommendation; several different versions of the diego-release may work fine with this version of cf-release.

Recommended Garden Linux Version

This is a soft recommendation; several different versions of the garden-linux release may work fine with this version of cf-release and the aforementioned version of diego-release.

Recommended ETCD Version for Diego Deployment

  • Etcd final release v18

This is a soft recommendation; several different versions of the etcd release may work fine with this version of cf-release and the aforementioned version of diego-release.

Upload this release version to the Director:

$ bosh upload-release https://bosh.io/d/github.com/cloudfoundry/cf-release?v=226 --sha1 249b3f879c8a129142a412d0f225d95234a59d4e

Modify deployment manifest to use this release in addition to any other used releases:

releases:
- name: cf
  version: "226"

Finally add needed deployment jobs and specify values for required properties.

Optionally download the release tarball (sha1: 249b3f879c8a129142a412d0f225d95234a59d4e) locally:

# ...or download it directly using curl
$ curl -L -J -O https://bosh.io/d/github.com/cloudfoundry/cf-release?v=226

# or with wget...
$ wget --content-disposition https://bosh.io/d/github.com/cloudfoundry/cf-release?v=226