The cf-release v228 was released on January 15, 2016.
Due to CVE-2016-0708 and CVE-2016-0715, if you are running applications with automated buildpack detection that were staged when Java Buildpack v2.0 through v3.4 was a system buildpack, it is strongly recommended to configure running DEAs and Diego Cells to protect applications from remote disclosure of information until they are restaged with Java Buildpack v3.5.1 registered as a system buildpack. Once you are sure that all applications have been staged with Java Buildpack v3.5.1 or higher as a system buildpack, you may remove this particular configuration and deploy again.
If you are using DEAs, configure the deployment manifest segment for DEAs as shown:
```yaml
properties:
  dea_next:
    post_setup_hook: "rm -f app/.java-buildpack.log app/**/.java-buildpack.log >/dev/null 2>&1"
```
If you are using the manifest generation scripts in the cf-release repository and do not wish to merge configuration directly into your manifest, first make sure you have the correct version of the repository checked out (e.g. if using v228 of cf-release, check out the v228 tag), then include the same configuration above in your stub.
If you are using Diego with diego-release v0.1446.0, add the following properties to your BOSH deployment manifest for Diego:
```yaml
properties:
  diego:
    executor:
      post_setup_hook: sh -c "rm -f /home/vcap/app/.java-buildpack.log /home/vcap/app/**/.java-buildpack.log"
      post_setup_user: "root"
```
If you are using the manifest generation scripts in the diego-release repository, then rather than directly including the above configuration in your manifest, add the following properties to your property-overrides stub:
```yaml
property_overrides:
  executor:
    post_setup_hook: sh -c "rm -f /home/vcap/app/.java-buildpack.log /home/vcap/app/**/.java-buildpack.log"
    post_setup_user: "root"
```
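A way to check what the hook's `rm` command actually removes, as an added example that is not part of cf-release or diego-release. Under `sh`, `**` expands like `*`, so the second pattern reaches only one directory level below the app root; the directory argument stands in for `/home/vcap/app`, and `purge_logs` and the sample tree are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from cf-release): check what the hook's rm command
# leaves behind. The directory argument stands in for /home/vcap/app.

LOG_NAME=".java-buildpack.log"

# Run the hook's rm command against a given app root. Under sh, "**"
# expands like "*", so the second pattern reaches one level down only.
run_hook() {
    APP_ROOT="$1" sh -c \
        'rm -f "$APP_ROOT"/.java-buildpack.log "$APP_ROOT"/**/.java-buildpack.log' \
        >/dev/null 2>&1
}

# List every remaining log file at any depth, one path per line.
leftover_logs() {
    find "$1" -type f -name "$LOG_NAME" 2>/dev/null | sort
}

# Succeed only when no log file is left anywhere under the root.
tree_is_clean() {
    [ -z "$(leftover_logs "$1")" ]
}

# Depth-independent cleanup (this example's variant, not the documented hook).
purge_logs() {
    find "$1" -type f -name "$LOG_NAME" -exec rm -f {} +
}

# Constructed sample tree with log files at depth 0, 1 and 2.
make_sample_tree() {
    root="$(mktemp -d)"
    mkdir -p "$root/WEB-INF/classes"
    : > "$root/$LOG_NAME"
    : > "$root/WEB-INF/$LOG_NAME"
    : > "$root/WEB-INF/classes/$LOG_NAME"
    printf '%s\n' "$root"
}

# Stand-alone use: pass an app directory to list leftover log files.
if [ "$#" -gt 0 ]; then
    leftover_logs "$1"
fi
```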
- https://pivotal.io/security/cve-2016-0708
- https://pivotal.io/security/cve-2016-0715
- https://github.com/cloudfoundry/java-buildpack/releases/tag/v3.5.1
- https://github.com/cloudfoundry-incubator/diego-release/blob/v0.1446.0/scripts/generate-deployment-manifest
A performance regression in Gorouter was introduced in v228. At low request volume, the issue is not observable; only at higher request volumes (such as a load test) is the regression evident. The regression was fixed in v234.
Contents:
- CC and Service Broker APIs
- Runtime
- Buildpacks and Stacks
- Identity
- Routing
- Loggregator
- Internal Components
- Job Spec Changes
- Recommended BOSH Stemcell Versions
- Recommended Diego Version
- Recommended Garden Linux Version
CC and Service Broker APIs
CC API Version: 2.47.0 - NOTE: Support for v1 service brokers removed in this cf-release.
Service Broker API Version: 2.8
- [Experimental] Work continues on /v3 and Application Process Types details
- [Experimental] Work continues on Private Brokers details
- [Experimental] Work started on Tasks details
  - New feature flag task_creation added, defaults to false
- Allow using BOSH default cert store for all HTTP outgoing communication in CC details
- Increase size of rules field in security_groups to 16 MB details
- Remove support for v1 service brokers detail
- Removed POST /v2/service_plans endpoint
- Users can only update the public field on update for PUT /v2/service_plans
- Remove POST/PUT /v2/services
Buildpacks and Stacks
updated to 1.28.0 (from 1.24.0)
Notably, this release addresses USN-2868-1 “DHCP vulnerability”:
- CVE-2015-8605: A badly formed packet with an invalid IPv4 UDP length field can cause a DHCP server, client, or relay program to terminate abnormally.
Release due to erroneous deploy. Contains no changes. Same as Release 1.25.0
updated to v3.4 (from v3.3.1)
I’m pleased to announce the release of the 3.4. This release focuses on developer diagnostic tools.
- JMX Support with
- Debugging Support with cf ssh (via Mike Youngstrom)
- YourKit Profiling Support with
- Improved Tomcat documentation (via Violeta Georgieva)
- Improved Tomcat testing (via Violeta Georgieva)
- Improved AppDynamics config (via Nikhil Katre)
For a more detailed look at the changes in 3.4, please take a look at the commit log. Packaged versions of the buildpack, suitable for use with update-buildpack, can be found attached to this release.
|GemFire Modules Tomcat7||
|Memory Calculator (
|Memory Calculator (
|Memory Calculator (
|New Relic Agent||
|OpenJDK JRE (
|OpenJDK JRE (
|OpenJDK JRE (
|Play Framework JPA Plugin||
|Spring Boot CLI||
|Tomcat Access Logging Support||
|Tomcat Lifecycle Support||
|Tomcat Logging Support||
updated to v4.3.2 (from v4.3.1)
- Add nginx 1.9.9, drop nginx 1.9.7 (https://www.pivotaltracker.com/story/show/110627098)
- Add httpd 2.4.18, drop httpd 2.4.17 (https://www.pivotaltracker.com/story/show/110627098)
| Name | Version | Stack | Modules |
|---|---|---|---|
| php | 5.5.29 | cflinuxfs2 | amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib |
| php | 5.5.30 | cflinuxfs2 | amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib |
| php | 5.6.15 | cflinuxfs2 | amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib |
- SHA256: 85c91281f762d2be37c729cf708040c96ceac764cce6e5f3392ef667e86d9342
updated to v1.5.4 (from v1.5.3)
- Added 3.4.4, removed 3.4.2 (https://www.pivotaltracker.com/story/show/111145834)
- Revert to v1.5.2 of pip-install script to prevent issue where pip contacts the internet in the cached buildpack.
- This fixes a defect that would cause a python app to fail to stage when in a disconnected environment.
- SHA256: 9841ba3dde6778782471597aa8462bf0c5ccd455181b8e91802071b18acbc65c
updated to v1.6.12 (from v1.6.11)
- add Ruby 2.3.0 (https://www.pivotaltracker.com/story/show/110759512)
- SHA256: 790409854a1bd73661c822ae4a46a8a2e08f89b7c01016155cd86b041d789885
updated to v1.3.0 (from v1.2.3)
Item of note:
- We’ve updated the version of this release to 1.3.0 to represent a new milestone of tracking nginx mainline releases.
- added nginx 1.9.9, drop 1.8.0 (https://www.pivotaltracker.com/story/show/110627622)
- correctly redirect http to https
- SHA256: 7616b0339149743cf18b36cd87ae83ffc76095aa9221465c8d27e244a3be4c27
- No changes
- Deploy fails fast if gorouter.enable_routing_api:true and on startup gorouter fails to authenticate with routing api details
- Routing API is no longer deployed with cf-release. For the time being, this component will be deployed with cf-routing-release details
- No changes
- Delete PIDFILE on monit stop. details
- Fix nameserver insertion into
- Insert 127.0.0.1 as the first line of /etc/resolv.conf.d/head instead of re-writing the file. details
- Several changes to make etcd startup more robust, especially in “SSL mode” where it has a dependency on the local consul agent. details, details, details
- Deregister routes on shutdown instead of just leaving TTL to expire. details
- INCOMPLETE: Introduce healthcheck contract for processes whose routes are being registered. details
Job Spec Changes
dea_next job; note this property is immediately DEPRECATED and was only added to mitigate the CVE mentioned at the top of these release notes. details
route_registrar job to accept
Recommended BOSH Stemcell Versions
- AWS: light-bosh-stemcell-3177-aws-xen-hvm-ubuntu-trusty-go_agent
- vSphere: bosh-stemcell-3177-vsphere-esxi-ubuntu-trusty-go_agent
- OpenStack: bosh-stemcell-3177-openstack-kvm-ubuntu-trusty-go_agent
- BOSH-Lite: bosh-stemcell-3147-warden-boshlite-ubuntu-trusty-go_agent
These are soft recommendations; several different versions of BOSH and the stemcells are likely to work fine with this version of cf-release and the corresponding versions of diego-release, garden-linux-release, and etcd-release.
Recommended Diego Version
This is a soft recommendation; several different versions of the diego-release may work fine with this version of cf-release.
Recommended Garden Linux Version
This is a soft recommendation; several different versions of the garden-linux release may work fine with this version of cf-release and the aforementioned version of diego-release.
Recommended ETCD Version for Diego Deployment
- Etcd final release v22
This is a soft recommendation; several different versions of the etcd release may work fine with this version of cf-release and the aforementioned version of diego-release.
Upload this release version to the Director:
$ bosh upload-release "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=228" --sha1 cc9d5930f67e48c6862b686c628730a0846bd9e3
Modify deployment manifest to use this release in addition to any other used releases:
```yaml
releases:
- name: cf
  version: "228"
```
Finally, add the needed deployment jobs and specify values for the required properties.
Optionally, download the release tarball locally (sha1: cc9d5930f67e48c6862b686c628730a0846bd9e3):
```
# ...or download it directly using curl
$ curl -L -J -O "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=228"

# or with wget...
$ wget --content-disposition "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=228"
```