release: github.com/cloudfoundry/cf-release / 230

Github source: 3de108d9 or master branch

The cf-release v230 was released on January 27, 2016.

IMPORTANT

  • v230 includes a fix for CVE-2016-0732, a privilege escalation in UAA. A privilege escalation vulnerability has been identified in the identity zones feature of UAA: users with the appropriate permissions in one zone can perform unauthorized operations on a different zone. Only instances of UAA configured with multiple identity zones are vulnerable. The mitigation is to upgrade to cf-release v230.
  • v230 contains a performance regression in Gorouter introduced in v228. At low request volume, the issue is not observable; only at higher request volumes (such as a load test) is the regression evident. The regression was fixed in v234.

Contents:

  • CC and Service Broker APIs
  • Runtime
  • Buildpacks and Stacks
  • Identity
  • Routing
  • Loggregator
  • Internal Components
  • Job Spec Changes
  • Recommended BOSH Stemcell Versions
  • Recommended diego-release Version
  • Recommended garden-linux-release Version
  • Recommended etcd-release Version

CC and Service Broker APIs

CC API Version: 2.48.0

Service Broker API Version: 2.8

Cloud Controller

  • [Experimental] Work continues on /v3 and Application Process Types
  • [Experimental] Work continues on Tasks
  • Add disclaimers to API docs about redundant query filters included in the path
  • Fixed an issue introduced in cf-release 229 that caused existing apps to be completely restarted when scaling to additional instances or making other updates to the app model
  • Replace libmysqlclient with the mariadb equivalent

Runtime

No changes.

Buildpacks and Stacks

stacks

updated to 1.31.0 (from 1.29.0)

1.31.0

Notably, this release addresses USN-2879-1 “rsync vulnerability”:

  • CVE-2014-9512: rsync 3.1.1 allows remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization path

1.30.0

Notably, this release addresses USN-2874-1 “Bind vulnerability” and USN-2875-1 “libxml2 vulnerabilities”:

  • CVE-2015-8704: Denial of service via APL data that could trigger an INSIST
  • CVE-2015-7499: Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors
  • CVE-2015-8710: Out-of-bounds memory access via an unclosed HTML comment

go-buildpack

updated to v1.7.2 (from v1.7.1)

v1.7.2

Notably, this release includes go 1.5.3, which patches CVE-2015-8618.

  • Add support for go 1.5.3 and remove support for go 1.5.1 (https://www.pivotaltracker.com/story/show/111646892)
  • Add support for Go patch version wildcard matching (https://www.pivotaltracker.com/story/show/106117500)
  • Updated to Godep v45 (https://www.pivotaltracker.com/story/show/110776726)

Packaged binaries:

name    version  cf_stacks
go      1.4.1    cflinuxfs2
go      1.4.2    cflinuxfs2
go      1.4.3    cflinuxfs2
go      1.5.2    cflinuxfs2
go      1.5.3    cflinuxfs2
godep   v45      cflinuxfs2
  • SHA256: c7de9ddacde4159862de9881590c813c77d6e421af167ac4ed3b991fa8281717

nodejs-buildpack

updated to v1.5.5 (from v1.5.4)

v1.5.5

Packaged binaries:

name   version  cf_stacks
node   0.10.40  cflinuxfs2
node   0.10.41  cflinuxfs2
node   0.12.7   cflinuxfs2
node   0.12.9   cflinuxfs2
node   4.2.5    cflinuxfs2
node   5.5.0    cflinuxfs2
  • SHA256: 9aa7fc28bb2146310295db2e52398041445ef6953c1958bb553919b187e823c8

php-buildpack

updated to v4.3.3 (from v4.3.2)

v4.3.3

Packaged binaries:

name      version        cf_stacks   modules
php       5.5.30         cflinuxfs2  amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php       5.5.31         cflinuxfs2  amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php       5.6.16         cflinuxfs2  amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php       5.6.17         cflinuxfs2  amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
hhvm      3.5.0          cflinuxfs2
hhvm      3.5.1          cflinuxfs2
hhvm      3.6.0          cflinuxfs2
hhvm      3.6.1          cflinuxfs2
composer  1.0.0-alpha10  cflinuxfs2
httpd     2.4.18         cflinuxfs2
newrelic  4.23.3.111     cflinuxfs2
nginx     1.8.0          cflinuxfs2
nginx     1.9.9          cflinuxfs2
  • SHA256: 0a3fae06cd31ee4ff6fea964ba414a710225812785cc872b0a262bbd6ecde9ab

Identity

Updated to UAA Release 3.0.1

Routing

  • Gorouter now uses the cf-lager logging framework to stream logs to syslog
  • Gorouter has been updated to golang 1.5.3
  • Gorouter now supports a configurable wait time for the drain operation. When a shutdown is initiated, the healthcheck endpoint reports that the server is not listening; however, the server continues to accept new requests for the configured wait time. Thanks to CAFxX from Rakuten for the PR.
  • Gorouter now better handles unauthorized errors from the Routing API
  • Gorouter now logs when it fetches a token from UAA for use with the Routing API
  • CC API now supports parameters with a request to bind a route to a service instance

Loggregator

  • No change

Internal Components

consul

  • When running as a server, wait to write the PID until after the data sync.

etcd

No functional changes.

etcd-metrics-server

No changes.

route_registrar

No functional changes.

Job Spec Changes

  • Increased the default values of the cc.thresholds.api.alert_if_above_mb, cc.thresholds.api.restart_if_consistently_above_mb, and cc.thresholds.api.restart_if_above_mb properties in the cloud_controller_ng, cloud_controller_worker, and cloud_controller_clock jobs.

Recommended BOSH Stemcell Versions

  • AWS: light-bosh-stemcell-3184.1-aws-xen-hvm-ubuntu-trusty-go_agent
  • vSphere: bosh-stemcell-3184.1-vsphere-esxi-ubuntu-trusty-go_agent
  • OpenStack: bosh-stemcell-3184.1-openstack-kvm-ubuntu-trusty-go_agent
  • BOSH-Lite: bosh-stemcell-3147-warden-boshlite-ubuntu-trusty-go_agent

These are soft recommendations; several different versions of BOSH and the stemcells are likely to work fine with this version of cf-release and the corresponding versions of diego-release, garden-linux-release, and etcd-release.

Recommended diego-release Version

This is a soft recommendation; several different versions of diego-release may work fine with this version of cf-release.

Recommended garden-linux-release Version

This is a soft recommendation; several different versions of the garden-linux-release may work fine with this version of cf-release and the aforementioned version of diego-release.

Recommended etcd-release Version

  • etcd final release v27

This is a soft recommendation; several different versions of the etcd-release may work fine with this version of cf-release and the aforementioned version of diego-release.

Upload this release version to the Director:

$ bosh upload-release https://bosh.io/d/github.com/cloudfoundry/cf-release?v=230 --sha1 8af451d3c817df8ec29641f1fb035d0058985415

Modify deployment manifest to use this release in addition to any other used releases:

releases:
- name: cf
  version: "230"

Finally add needed deployment jobs and specify values for required properties.

Optionally download the release tarball (sha1: 8af451d3c817df8ec29641f1fb035d0058985415) locally:

# ...or download it directly using curl
$ curl -L -J -O https://bosh.io/d/github.com/cloudfoundry/cf-release?v=230

# or with wget...
$ wget --content-disposition https://bosh.io/d/github.com/cloudfoundry/cf-release?v=230
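The upload and download steps above publish a sha1 for the release tarball (and each buildpack section publishes a SHA256), but `curl`/`wget` alone never check them. The following is an added example, not part of the bosh.io release notes or of cf-release, showing how an operator can verify a downloaded artifact against the published digest before handing it to the Director. It assumes only a POSIX shell plus `sha1sum`/`sha256sum` (coreutils) or `shasum` (BSD/macOS); the function and file names are the example's own. The release URL and sha1 are the values printed above.

```shell
#!/bin/sh
# Added example (not from bosh.io or cf-release): verify a downloaded
# artifact against a published digest before uploading it.

# Values taken from the release notes above.
CF_RELEASE_URL="https://bosh.io/d/github.com/cloudfoundry/cf-release?v=230"
CF_RELEASE_SHA1="8af451d3c817df8ec29641f1fb035d0058985415"

# Print the hex digest of a file. $1 is the algorithm width (1 or 256),
# $2 the path. Prefers coreutils sha1sum/sha256sum, falls back to shasum.
digest_file() {
    if command -v "sha${1}sum" >/dev/null 2>&1; then
        "sha${1}sum" "$2" | awk '{print $1}'
    else
        shasum -a "$1" "$2" | awk '{print $1}'
    fi
}

# Return 0 when the file's digest equals the expected value (compared
# case-insensitively), 1 otherwise. Nothing is uploaded on mismatch.
verify_digest() {
    # $1 = algorithm width, $2 = path, $3 = expected hex digest
    actual=$(digest_file "$1" "$2")
    expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'checksum mismatch for %s: expected %s, got %s\n' \
        "$2" "$expected" "$actual" >&2
    return 1
}

# Download the tarball, verify it locally, and only then upload it.
# This function needs network access and a configured bosh CLI; the
# verification helpers above run offline.
fetch_verify_upload() {
    tarball="cf-230.tgz"
    curl -L -o "$tarball" "$CF_RELEASE_URL"
    verify_digest 1 "$tarball" "$CF_RELEASE_SHA1" || exit 1
    bosh upload-release "$tarball" --sha1 "$CF_RELEASE_SHA1"
}
```

The same `verify_digest 256 <file> <digest>` call checks a buildpack zip against the SHA256 listed in its section above. Passing `--sha1` to `bosh upload-release` makes the Director check the tarball too, but verifying the local copy first means a tampered or truncated download is rejected on the operator's workstation rather than after it has been transferred to the Director.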