You can find the source of this version on GitHub at cloudfoundry/cf-release. It was created based on the commit
The cf-release v230 was released on January 27, 2016.
- v230 includes a fix for CVE-2016-0732, a privilege escalation vulnerability in the identity zones feature of UAA. Users with the appropriate permissions in one zone can perform unauthorized operations on a different zone. Only instances of UAA configured with multiple identity zones are vulnerable. The mitigation is to upgrade to cf-release v230.
- v230 contains a performance regression in Gorouter introduced in v228. At low request volume, the issue is not observable; only at higher request volumes (such as a load test) is the regression evident. The regression was fixed in v234.
Contents:
- CC and Service Broker APIs
- Runtime
- Buildpacks and Stacks
- Identity
- Routing
- Loggregator
- Internal Components
- Job Spec Changes
- Recommended BOSH Stemcell Versions
- Recommended diego-release Version
- Recommended garden-linux-release Version
- Recommended etcd-release Version
CC and Service Broker APIs
CC API Version: 2.48.0
Service Broker API Version: 2.8
- [Experimental] Work continues on /v3 and Application Process Types
- [Experimental] Work continues on Tasks
- Add disclaimers to api docs about redundant query filters included in the path
- Fixed an issue introduced in cf-release 229 that caused existing apps to be completely restarted when scaling to additional instances or other updates to the app model.
- Replace libmysqlclient with mariadb equivalent
Buildpacks and Stacks
updated to 1.31.0 (from 1.29.0)
Notably, this release addresses USN-2879-1 “rsync vulnerability”:
- CVE-2014-9512: rsync 3.1.1 allows remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization path
Notably, this release addresses USN-2874-1 “Bind vulnerability” and USN-2875-1 “libxml2 vulnerabilities”:
- CVE-2015-8704: Denial of service via APL data that could trigger an INSIST
- CVE-2015-7499: Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors.
- CVE-2015-8710: out of bounds memory access via unclosed html comment
updated to v1.7.2 (from v1.7.1)
Notably, this release includes go 1.5.3 which patches CVE-2015-8618.
- Add support for go 1.5.3 and remove support for go1.5.1 (https://www.pivotaltracker.com/story/show/111646892)
- Add support for Go patch version wildcard matching. (https://www.pivotaltracker.com/story/show/106117500)
- Updated to Godep v45. (https://www.pivotaltracker.com/story/show/110776726)
- SHA256: c7de9ddacde4159862de9881590c813c77d6e421af167ac4ed3b991fa8281717
updated to v1.5.5 (from v1.5.4)
- Added v4.2.5 and v5.5.0, removed v4.2.3 and v5.1.1. (https://www.pivotaltracker.com/story/show/111537310)
- Remove node 0.11.15 and 0.11.16 (https://www.pivotaltracker.com/story/show/109538496)
- SHA256: 9aa7fc28bb2146310295db2e52398041445ef6953c1958bb553919b187e823c8
updated to v4.3.3 (from v4.3.2)
- Show warning when composer.json and options.json both exist, to prevent conflicts (https://www.pivotaltracker.com/story/show/111962349)
- Make version 1.9.9 the default nginx version (https://www.pivotaltracker.com/story/show/110700942)
- Add versions 5.5.31, 5.6.17. (https://www.pivotaltracker.com/story/show/111532430)
- Remove versions 5.5.29, 5.6.15. (https://www.pivotaltracker.com/story/show/111532430)
| php | 5.5.30 | cflinuxfs2 | amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib |
| php | 5.5.31 | cflinuxfs2 | amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib |
| php | 5.6.16 | cflinuxfs2 | amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib |
- SHA256: 0a3fae06cd31ee4ff6fea964ba414a710225812785cc872b0a262bbd6ecde9ab
Updated to UAA Release 3.0.1
- Gorouter now uses the cf-lager logging framework to stream logs to syslog
- Gorouter has been updated to golang 1.5.3
- Gorouter now supports a configurable wait time for the drain operation. When a shutdown is initiated, the healthcheck endpoint will report that the server is not listening; however, the server will continue to accept new requests for the configured wait time. Thanks to CAFxX from Rakuten for the PR.
- Gorouter now better handles unauthorized errors from Routing API
- Gorouter now logs when it fetches a token from UAA for use with Routing API
- CC API now supports parameters with request to bind route to service instance
- No change
- When running as server, wait to write PID until after data sync.
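The Gorouter drain wait described in the routing notes above can be sketched as follows. This is an added example, not Gorouter's code and not part of the original release notes; `Drainer`, `Observe`, the `/health` path and the wait value are assumptions made for the illustration.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

// Drainer is a hypothetical type for this example, not Gorouter's code.
type Drainer struct{ draining atomic.Bool }

// ServeHTTP answers /health with 503 once draining; other paths stand in for traffic.
func (d *Drainer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.URL.Path == "/health" && d.draining.Load() {
		w.WriteHeader(http.StatusServiceUnavailable) // load balancer stops sending
	} // otherwise the implicit 200 stands in for a healthy check or routed traffic
}

// Drain fails the health check at once, keeps serving for wait, then shuts down.
func (d *Drainer) Drain(srv *http.Server, wait time.Duration) <-chan struct{} {
	d.draining.Store(true)
	done := make(chan struct{})
	time.AfterFunc(wait, func() { srv.Shutdown(context.Background()); close(done) })
	return done
}

// status returns the HTTP status for url, or 0 if the connection fails.
func status(url string) int {
	resp, err := http.Get(url)
	if err != nil {
		return 0
	}
	resp.Body.Close()
	return resp.StatusCode
}

// Observe returns the codes seen during the drain wait and one after it.
func Observe(wait time.Duration) (health, traffic, after int) {
	d := &Drainer{}
	ts := httptest.NewServer(d) // loopback listener on an OS-chosen port
	done := d.Drain(ts.Config, wait)
	health, traffic = status(ts.URL+"/health"), status(ts.URL+"/")
	<-done
	return health, traffic, status(ts.URL + "/")
}

func main() { fmt.Println(Observe(300 * time.Millisecond)) }
```

During the wait the health check already fails while traffic is still answered, which gives a load balancer time to remove the instance before the listener closes.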
No functional changes.
No functional changes.
Job Spec Changes
- Increased the default values of the cc.thresholds.api.restart_if_above_mb properties in the
Recommended BOSH Stemcell Versions
- AWS: light-bosh-stemcell-3184.1-aws-xen-hvm-ubuntu-trusty-go_agent
- vSphere: bosh-stemcell-3184.1-vsphere-esxi-ubuntu-trusty-go_agent
- OpenStack: bosh-stemcell-3184.1-openstack-kvm-ubuntu-trusty-go_agent
- BOSH-Lite: bosh-stemcell-3147-warden-boshlite-ubuntu-trusty-go_agent
These are soft recommendations; several different versions of BOSH and the stemcells are likely to work fine with this version of cf-release and the corresponding versions of diego-release, garden-linux-release, and etcd-release.
This is a soft recommendation; several different versions of diego-release may work fine with this version of cf-release.
This is a soft recommendation; several different versions of the garden-linux-release may work fine with this version of cf-release and the aforementioned version of diego-release.
- etcd final release v27
This is a soft recommendation; several different versions of the etcd-release may work fine with this version of cf-release and the aforementioned version of diego-release.
You can reference this release in your deployment manifest from the
```yaml
- name: "cf"
  version: "230"
  url: "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=230"
  sha1: "8af451d3c817df8ec29641f1fb035d0058985415"
```
Or upload it to your director with the
```
bosh upload-release --sha1 8af451d3c817df8ec29641f1fb035d0058985415 \
  "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=230"
```