release: github.com/cloudfoundry/cf-release / 229

Github source: 7f7b9690 or master branch

The cf-release v229 was released on January 22, 2016.

IMPORTANT

  • v229 includes a fix for CVE-2016-0713, an XSS vulnerability in Gorouter. In previous releases, if a malicious intermediary modified requests from client to router to contain malicious code, this code could be executed on the operating system of the client from where the request originated. To our knowledge, this vulnerability does not pose a risk for penetration or takeover of Cloud Foundry system components or applications hosted by Cloud Foundry. This vulnerability was introduced in v141. The Cloud Foundry project recommends that Cloud Foundry deployments using Gorouter are upgraded to cf-release v229.
  • In support of work in progress to enable developers to specify application ports when mapping routes, cf-release v229 introduces a database migration for CCDB. For deployments that use a PostgreSQL database for CCDB that is NOT the PostgreSQL job that comes with cf-release, v229 introduces the following requirements. These requirements also apply to subsequent releases. If you are using the PostgreSQL job that comes with cf-release, or if you are using MySQL as the backing database for CC, no action is necessary.
    • PostgreSQL 9.1 is required at a minimum
    • For versions 9.1-9.3, operators must first install the extension uuid-ossp
    • For versions 9.4 and newer, operators must first install the extension pgcrypto
  • v229 contains a performance regression in Gorouter introduced in v228. At low request volume, the issue is not observable; only at higher request volumes (such as a load test) is the regression evident. The regression was fixed in v234.
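The CCDB requirement above is easy to get wrong on an external PostgreSQL (version comparison, hyphenated extension name). The following pre-flight check is an added example written for these notes, not part of cf-release; the function names (required_extension, check_sql, create_sql, preflight) are assumptions, and the version fed to it is constructed.

```shell
#!/bin/sh
# Added example (not cf-release code): operator pre-flight check for the
# CCDB migration introduced in cf-release v229 on an external PostgreSQL.
# Maps a server version to the extension that must be installed first and
# emits the SQL that verifies and creates it.

# Print the required extension for a version string such as "9.3.10" or
# "9.4"; return 1 for versions below the 9.1 minimum.
required_extension() {
  major=$(printf '%s' "$1" | cut -d. -f1)
  minor=$(printf '%s' "$1" | cut -s -d. -f2)
  case "$minor" in ''|*[!0-9]*) minor=0 ;; esac
  # Compare numerically: a lexical compare would put 9.10 before 9.4.
  if [ "$major" -lt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -lt 1 ]; }; then
    echo "PostgreSQL $1 is below the 9.1 minimum required by cf-release v229" >&2
    return 1
  elif [ "$major" -eq 9 ] && [ "$minor" -le 3 ]; then
    echo "uuid-ossp"
  else
    echo "pgcrypto"
  fi
}

# SQL that reports whether the extension is already present, and SQL that
# installs it idempotently. The name is double-quoted because "uuid-ossp"
# contains a hyphen and would otherwise be a syntax error.
check_sql() { printf "SELECT count(*) FROM pg_extension WHERE extname = '%s';" "$1"; }
create_sql() { printf 'CREATE EXTENSION IF NOT EXISTS "%s";' "$1"; }

# Usage: preflight <server_version>; prints psql-ready SQL for the CCDB.
preflight() {
  ext=$(required_extension "$1") || return 1
  echo "-- PostgreSQL $1 needs extension $ext before the v229 CCDB migration"
  check_sql "$ext"; echo
  create_sql "$ext"; echo
}

# Constructed sample version; in practice pass the output of
#   psql -At -c "SHOW server_version"
# run against the CCDB host.
preflight "${1:-9.4.5}"
```

Run the printed CREATE EXTENSION statement as a superuser on the CCDB before deploying v229; the SELECT returns 1 once the extension is in place.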

Contents:
  • CC and Service Broker APIs
  • Runtime
  • Buildpacks and Stacks
  • Identity
  • Routing
  • Loggregator
  • Internal Components
  • Job Spec Changes
  • Recommended BOSH Stemcell Versions
  • Recommended Diego Version
  • Recommended Garden Linux Version

CC and Service Broker APIs

CC API Version: 2.47.0

Service Broker API Version: 2.8

Cloud Controller

  • [Experimental] Work continues on /v3 and Application Process Types
  • [Experimental] Work completed on Space Scoped Private Brokers
    • Remove experimental flag on space guid for private brokers
  • [Experimental] Work continues on Tasks
  • Cleanup spec/templates for unused properties
  • Allow use of the “IN” filter for organization_guid on routes
  • Do not incorrectly claim domains are queryable by space_guid
  • Disassociating users/roles from orgs by username returns 204
  • Document interpretation of route existence endpoint return code

Runtime

DEA

Warden

  • Ruby 2.2.4

HM9000

  • Go 1.5

Buildpacks and Stacks

stacks

updated to 1.29.0 (from 1.28.0)

1.29.0

Notably, this release addresses USN-2869-1 “OpenSSH vulnerabilities”:
  • CVE-2016-0777: information leak in roaming support
  • CVE-2016-0778: buffer overflow in roaming support

java-buildpack

updated to v3.5.1 (from v3.4)

v3.5.1

I’m pleased to announce the release of the java-buildpack, version 3.5.1. This release contains minor improvements and updates to dependencies. It also addresses the critical vulnerability found in CVE-2016-0708.
  • Secure JRebel (via @bssie)
  • Improved documentation (via Daniel Mikusa, Violeta Georgieva)
  • Logging in the Luna Security Provider

For a more detailed look at the changes in 3.5.1, please take a look at the commit log. Packaged versions of the buildpack, suitable for use with create-buildpack and update-buildpack, can be found attached to this release.

Packaged Dependencies

Dependency                          Version
----------------------------------  ------------------
AppDynamics Agent                   4.1.8_5
GemFire                             8.2.0
GemFire Modules                     8.2.0
GemFire Modules Tomcat7             8.2.0
GemFire Security                    8.2.0
Groovy                              2.4.5
JRebel                              6.3.1
MariaDB JDBC                        1.3.3
Memory Calculator (mountainlion)    2.0.1.RELEASE
Memory Calculator (precise)         2.0.1.RELEASE
Memory Calculator (trusty)          2.0.1.RELEASE
New Relic Agent                     3.24.1
OpenJDK JRE (mountainlion)          1.8.0_65
OpenJDK JRE (precise)               1.8.0_65
OpenJDK JRE (trusty)                1.8.0_65
Play Framework JPA Plugin           1.10.0.RELEASE
PostgreSQL JDBC                     9.4.1207
RedisStore                          1.2.0_RELEASE
SLF4J API                           1.5.8
SLF4J JDK14                         1.5.8
Spring Auto-reconfiguration         1.10.0_RELEASE
Spring Boot CLI                     1.3.1_RELEASE
Tomcat Access Logging Support       2.4.0_RELEASE
Tomcat Lifecycle Support            2.4.0_RELEASE
Tomcat Logging Support              2.4.0_RELEASE
Tomcat                              8.0.30
YourKit Profiler                    2015.15084.0

Identity

Updated to UAA release 3.0.0

Routing

Route Services (in progress)
  • CC now validates route service URLs for user-provided service instances

TCP Routing (in progress)
  • CC client can now specify an app port when mapping a TCP route to an app
  • CC client can now specify an app port when mapping an HTTP route to an app
  • Routing API will call UAA for a new verification key when the token can’t be validated

Loggregator

No change

Internal Components

consul

  • Ensure the startup script terminates before monit runs another startup, so that only one is ever running at a time.
  • Bump to Golang 1.5.3 to address CVE-2015-8618.

etcd

  • Check DNS before etcd starts up in SSL mode.

etcd-metrics-server

No changes.

route_registrar

No changes.

Job Spec Changes

  • Zeroed the default values of the name, build, version, support_address, and description properties in the cloud_controller_ng, cloud_controller_worker, and cloud_controller_clock jobs.
  • Removed cc.info.name, cc.info.build, cc.info.version, and cc.info.description properties from cloud_controller_ng, cloud_controller_worker, and cloud_controller_clock jobs.
  • Removed cc.info.custom properties from cloud_controller_worker and cloud_controller_clock jobs.
  • Removed cc.development_mode property from cloud_controller_clock job.
  • Removed consul.agent.sync_timeout_in_seconds property from consul_agent job.
  • Added dea_next.instance_nproc_limit property to dea_next job.
  • Added etcd.dns_health_check_host property to etcd job.
  • Removed uaa.jwt.policy.global.accessTokenValiditySeconds and uaa.jwt.policy.global.refreshTokenValiditySeconds properties from uaa job.
  • Added uaa.authentication.policy.global.lockoutAfterFailures, uaa.authentication.policy.global.countFailuresWithinSeconds, uaa.authentication.policy.global.lockoutPeriodSeconds, uaa.password.policy.global.minLength, uaa.password.policy.global.maxLength, uaa.password.policy.global.requireUpperCaseCharacter, uaa.password.policy.global.requireLowerCaseCharacter, uaa.password.policy.global.requireDigit, uaa.password.policy.global.requireSpecialCharacter, uaa.password.policy.global.expirePasswordInMonths, uaa.jwt.policy.global.accessTokenValiditySeconds, and uaa.jwt.policy.global.refreshTokenValiditySeconds properties to uaa job.

Recommended BOSH Stemcell Versions

  • AWS: light-bosh-stemcell-3181-aws-xen-hvm-ubuntu-trusty-go_agent
  • vSphere: bosh-stemcell-3181-vsphere-esxi-ubuntu-trusty-go_agent
  • OpenStack: bosh-stemcell-3181-openstack-kvm-ubuntu-trusty-go_agent
  • BOSH-Lite: bosh-stemcell-3147-warden-boshlite-ubuntu-trusty-go_agent

These are soft recommendations; several different versions of BOSH and of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of diego-release, garden-linux-release, and etcd-release.

Recommended Diego Version

This is a soft recommendation; several different versions of the diego-release may work fine with this version of cf-release.

Recommended Garden Linux Version

This is a soft recommendation; several different versions of the garden-linux release may work fine with this version of cf-release and the aforementioned version of diego-release.

Recommended ETCD Version for Diego Deployment

  • Etcd final release v22

This is a soft recommendation; several different versions of the etcd release may work fine with this version of cf-release and the aforementioned version of diego-release.

Upload this release version to the Director:

$ bosh upload release https://bosh.io/d/github.com/cloudfoundry/cf-release?v=229

Modify deployment manifest to use this release in addition to any other used releases:

releases:
- {name: cf, version: "229"}

Finally add needed deployment jobs and specify values for required properties.

Optionally download the release tarball (sha1: bb82f8f1a00f7cdf4ed603b58191b8a0fe579a9e) locally:

# ...or download it directly using curl
$ curl -L -J -O https://bosh.io/d/github.com/cloudfoundry/cf-release?v=229

# or with wget...
$ wget --content-disposition https://bosh.io/d/github.com/cloudfoundry/cf-release?v=229