release: github.com/cloudfoundry/cf-release / 234

Github source: 650248ea or master branch

The cf-release v234 was released on April 06, 2016.

Important:

  • v234 includes a fix to a performance regression in Gorouter introduced in v228. At low request volume the issue is not observable; only at higher request volumes (such as a load test) is the regression evident. The regression was the result of a change in the library used for logging in Gorouter and of support being added for syslog streaming of access logs. A new manifest property router.enable_access_log_streaming may now be used to optionally enable streaming of access logs to syslog; this property is false by default. When enabled, the same performance degradation can be observed. We will further investigate the cause of this performance issue.
  • v234 includes a fix to the problem in v233 where there was a potential for delivering only partial sets of log messages for an app, or to the firehose.
  • In v217, the consul_agent job introduced support for securing all network traffic related to Consul. In this release it is now mandatory to configure the consul_agent processes to run in this secure mode. If you have previously been running in an insecure mode, you will need to orchestrate an upgrade from an insecure cluster to a secure cluster. Refer to the Important section of the v217 release notes for instructions on how to do this.

Contents:

  • CC and Service Broker APIs
  • DEA-Warden-HM9000 Runtime
  • Buildpacks and Stacks
  • Identity
  • Routing
  • Loggregator
  • Internal Components
  • Job Spec Changes
  • Recommended BOSH Stemcell Versions
  • Recommended diego-release Version
  • Recommended garden-linux-release Version
  • Recommended etcd-release Version

CC and Service Broker APIs

CC API Version: 2.53.0

Service Broker API Version: 2.8

IMPORTANT

  • Operators can configure the WebDAV blobstore client with a custom CA; however, during Cloud Controller startup we wait for the blobstore to become available using curl and the system trusted certificates, including those configured to be added by bosh. We plan to make a fix in CF-235 so that this won't depend on the system trusted certificates.
  • CCDB migration could take significant time for databases containing a large number of app usage events. This is mostly mitigated because app usage events are cleaned up per cc.app_usage_events.cutoff_age_in_days. We were able to complete this migration in under 90s for ~500k app_usage_events on a production deployment replica. Operators can increase canary_watch_time to allow more time for the migration.
  • Work to fix deletion of an app while staging on Diego introduced a regression in the ability to delete an app while staging on DEA. A fix is planned for CF-235.
  • Work to move the Diego CC-Bridge components to CAPI Release is underway. No changes are necessary at this point, as the components will still come from Diego release when using our manifest generation scripts.

CAPI Release

  • Diego CC-Bridge components are in CAPI Release details
  • As an operator, I can configure the blobstore webdav client with a CA cert bundle details
  • Migrating to WebDAV with large blobstore does not require chown -r details
  • Blobstore internal is always TLS, update spec to indicate https details
  • WebDAV blobstore supports long system domain details

Cloud Controller

  • As a CF user, I expect to be able to delete an app while it is staging on Diego details
  • As an operator, I can configure the blobstore webdav client with a CA cert bundle details
  • As a CAPI developer, I would like a way to configure bosh-lite to route requests to CC to my local CC details
  • Bump fog to latest, v1.37.0+ details
  • Experimental: CC can start DEA applications over https details
  • V3 Experimental
    • Move all /v3/apps related docs to the new docs details
    • Move all /v3/droplets related docs to the new docs details
    • Move all /v3/package related docs to the new docs details
    • Move all /v3/processes related docs to the new docs details
    • As an auditor, I expect app usage events for V3 process STARTED to record the buildpack_guid that was used to stage the droplet. details
    • As an auditor, I expect app usage events for staging of packages details
    • All V3 route mappings endpoints should be /v3/route_mappings instead of /v3/apps/:guid/route_mappings details
    • As a space developer, I can specify health check type and health check timeout on v3 processes details
    • Fix for Java JAR applications using V3 API details
    • As a space developer, I can attempt to delete a v3 app with a service binding and get a meaningful error details
    • MEMORY_LIMIT env variable for staging should be consistent between v2 and v3 details
    • V3 tasks should utilize bound syslog drains details

Pull Requests and Issues

  • cloudfoundry/cloud_controller_ng#420: CC doesn’t always stop details
  • cloudfoundry/cloud_controller_ng#454: staging_failed_reason and staging_failed_description type information missing details
  • cloudfoundry/cloud_controller_ng#481: Combine endpoints details
  • cloudfoundry/cloud_controller_ng#490: document that Files API only supports Diego deployed apps details
  • cloudfoundry/cloud_controller_ng#563: Allow starts to DEAs to occur over https details
  • cloudfoundry/cloud_controller_ng#566: Add a switch to control writing to /proc/sys details
  • cloudfoundry/cloud_controller_ng#569: Add previous values to app usage events details
  • cloudfoundry/cloud_controller_ng#570: Database migration for total_service_keys in space quotas failure details

DEA-Warden-HM9000 Runtime

  • No changes

Buildpacks and Stacks

stacks

updated to 1.49.0 (from 1.45.0)

1.49.0

Notably, this release addresses USN-2943-1: PCRE vulnerabilities

Ubuntu Security Notice USN-2943-1:

  • CVE-2014-9769: pcrejit_compile.c in PCRE 8.35 does not properly use table jumps to optimize nested alternatives, which allows remote attackers to cause a denial of service (stack memory corruption) or possibly have unspecified other impact via a crafted string, as demonstrated by packets encountered by Suricata during use of a regular expression in an Emerging Threats Open rule set.
  • CVE-2015-2325: heap buffer overflow in compile_branch()
  • CVE-2015-2326: heap buffer overflow in pcre_compile2()
  • CVE-2015-2327: PCRE before 8.36 mishandles the /(((a\2)|(a)\g<-1>))*/ pattern and related patterns with certain internal recursive back references, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
  • CVE-2015-2328: PCRE before 8.36 mishandles the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
  • CVE-2015-3210: heap buffer overflow in pcre_compile2() / compile_regex()
  • CVE-2015-5073: Heap Overflow Vulnerability in find_fixedlength()
  • CVE-2015-8380: The pcre_exec function in pcre_exec.c in PCRE before 8.38 mishandles a // pattern with a \01 string, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
  • CVE-2015-8381: The compile_regex function in pcre_compile.c in PCRE before 8.38 and pcre2_compile.c in PCRE2 before 10.2x mishandles the /(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R'))))/ and /(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf)|s(?'R')))/ patterns, and related patterns with certain group references, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
  • CVE-2015-8382: The match function in pcre_exec.c in PCRE before 8.37 mishandles the /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi)abc)|((*ACCEPT)))/ pattern and related patterns involving (*ACCEPT), which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (partially initialized memory and application crash) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-2547.
  • CVE-2015-8383: PCRE before 8.38 mishandles certain repeated conditional groups, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
  • CVE-2015-8384: PCRE before 8.38 mishandles the /(?J)(?'d'(?'d'\g{d}))/ pattern and related patterns with certain recursive back references, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, a related issue to CVE-2015-8392 and CVE-2015-8395.
  • CVE-2015-8385: PCRE before 8.38 mishandles the /(?|(\k'Pm')|(?'Pm'))/ pattern and related patterns with certain forward references, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
  • CVE-2015-8386: PCRE before 8.38 mishandles the interaction of lookbehind assertions and mutually recursive subpatterns, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
  • CVE-2015-8387: PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine calls, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
  • CVE-2015-8388: PCRE before 8.38 mishandles the /(?=di(?<=(?1))|(?=(.))))/ pattern and related patterns with an unmatched closing parenthesis, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
  • CVE-2015-8389: PCRE before 8.38 mishandles the /(?:|a|){100}x/ pattern and related patterns, which allows remote attackers to cause a denial of service (infinite recursion) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
  • CVE-2015-8390: PCRE before 8.38 mishandles the [: and \ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
  • CVE-2015-8391: The pcre_compile function in pcre_compile.c in PCRE before 8.38 mishandles certain [: nesting, which allows remote attackers to cause a denial of service (CPU consumption) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
  • CVE-2015-8392: PCRE before 8.38 mishandles certain instances of the (?| substring, which allows remote attackers to cause a denial of service (unintended recursion and buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, a related issue to CVE-2015-8384 and CVE-2015-8395.
  • CVE-2015-8393: pcregrep in PCRE before 8.38 mishandles the -q option for binary files, which might allow remote attackers to obtain sensitive information via a crafted file, as demonstrated by a CGI script that sends stdout data to a client.
  • CVE-2015-8394: PCRE before 8.38 mishandles the (?() and (?(R) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
  • CVE-2015-8395: PCRE before 8.38 mishandles certain references, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, a related issue to CVE-2015-8384 and CVE-2015-8392.
  • CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE 8.38 mishandles the /((?:F?+(?:^(?(R)a+\"){99}-))(?J)(?'R'(?'R'<((?'RR'(?'R'){97)?J)?J)(?'R'(?'R'){99|(:(?|(?'R')(\k'R')|((?'R')))H'R'R)(H'R))))))/ pattern and related patterns with named subgroups, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
  • CVE-2016-3191: The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542.

1.48.0

Notably, this release addresses an issue where applications staged with stacks 1.45 or lower will fail to restart due to references to the mysql library. All applications pushed using stacks 1.48.0 or later will link against libmariadb, as expected.

Additionally, this release addresses USN-2939-1: LibTIFF vulnerabilities

Ubuntu Security Notice USN-2939-1:

  • CVE-2015-8665: Out-of-bounds Read
  • CVE-2015-8683: out-of-bounds read in CIE Lab image format
  • CVE-2015-8781: tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds write) via an invalid number of samples per pixel in a LogL compressed TIFF image, a different vulnerability than CVE-2015-8782.
  • CVE-2015-8782: tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds writes) via a crafted TIFF image, a different vulnerability than CVE-2015-8781.
  • CVE-2015-8783: tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds reads) via a crafted TIFF image.
  • CVE-2015-8784: potential out-of-bound write in NeXTDecode()

1.47.0

This release includes a patch for USN-2938-1: Git vulnerabilities

Ubuntu Security Notice USN-2938-1:

  • CVE-2016-2315: Denial of service or possibly remote code execution via crafted git repo
  • CVE-2016-2324: Denial of service or possibly remote code execution via crafted git repo

1.46.0

This release only contains non-critical updates to the rootfs. See the receipt changes at this commit for more information.

nodejs-buildpack

updated to v1.5.10 (from v1.5.8)

v1.5.10

Notably, this release includes updated versions of nodejs that address the security issues described in https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/

  • Add nodejs 0.12.13, 0.10.44, 4.4.2, 5.10.0; remove nodejs 0.12.11, 0.10.42, 4.4.1, 5.9.1 (https://www.pivotaltracker.com/story/show/116741361)

Packaged binaries:

name version cf_stacks
node 0.10.43 cflinuxfs2
node 0.10.44 cflinuxfs2
node 0.12.12 cflinuxfs2
node 0.12.13 cflinuxfs2
node 4.4.2 cflinuxfs2
node 5.10.0 cflinuxfs2
  • SHA256: 988da954cbfc42bb4957f31b68ba30df01e01e6fb638c5064ee726287e6ddc5a

v1.5.9

Packaged binaries:

name version cf_stacks
node 0.10.42 cflinuxfs2
node 0.10.43 cflinuxfs2
node 0.12.11 cflinuxfs2
node 0.12.12 cflinuxfs2
node 4.4.1 cflinuxfs2
node 5.9.1 cflinuxfs2
  • SHA256: 67185a882fdad9dce237c306a8d03e7f83d3153fc2a783f30543bb730972a681

php-buildpack

updated to v4.3.8 (from v4.3.7)

v4.3.8

Packaged binaries:

name version cf_stacks modules
php 5.5.32 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.5.33 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.6.18 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.6.19 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 7.0.3 cflinuxfs2 bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, imap, ldap, lua, mailparse, mbstring, mcrypt, mongodb, msgpack, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, pspell, snmp, soap, sockets, xsl, yaf, zip, zlib
php 7.0.4 cflinuxfs2 bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, imap, ldap, lua, mailparse, mbstring, mcrypt, mongodb, msgpack, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, pspell, snmp, soap, sockets, xsl, yaf, zip, zlib
composer 1.0.0-beta2 cflinuxfs2
httpd 2.4.18 cflinuxfs2
newrelic 4.23.3.111 cflinuxfs2
nginx 1.8.1 cflinuxfs2
nginx 1.9.12 cflinuxfs2
  • SHA256: 25a571a2bcfba4f2291381e4b3d279841124f13f33b1d6e54fc8488a0009895a

python-buildpack

updated to v1.5.5 (from v1.5.4)

v1.5.5

  • Increase the Python 3 timeout to 120 seconds.
  • Updated to pip 8.1.1
  • Various improvements from upstream Heroku maintainers

Packaged binaries:

name version cf_stacks
python 2.7.10 cflinuxfs2
python 2.7.11 cflinuxfs2
python 3.3.5 cflinuxfs2
python 3.3.6 cflinuxfs2
python 3.4.3 cflinuxfs2
python 3.4.4 cflinuxfs2
python 3.5.0 cflinuxfs2
python 3.5.1 cflinuxfs2
libffi 3.1 cflinuxfs2
libmemcache 1.0.18 cflinuxfs2
  • SHA256: 4ebb40039f3fbca546bb051929501b03feea4a18409cde77a0a0dc7873b21341

staticfile-buildpack

updated to v1.3.5 (from v1.3.3)

v1.3.5

Packaged binaries:

name version cf_stacks
nginx 1.9.12 cflinuxfs2
  • SHA256: 1b1d2c61c5745c255c9181c99237dd1c254d07e1811458fbf8bcd4f2aff3fc9c

v1.3.4

Packaged binaries:

name version cf_stacks
nginx 1.9.12 cflinuxfs2
  • SHA256: fe465c64d27831ddee5ba4cca275266e6718037022709730728549da055f04d9

Identity

No Changes

Routing

  • Gorouter performance regression resolved by not streaming access logs to syslog by default. This regression was introduced in v228. Thanks to SAP for alerting us to the issue. Access logs continue to be logged locally. details
  • Access logs may be optionally streamed to syslog with the new manifest property router.enable_access_log_streaming. With high request volume, this does affect performance. We will be investigating the cause of this details
  • Gorouter now logs start messages with millisecond granularity details
  • Gorouter now connects to UAA using TLS when fetching a token for communicating with Routing API details
  • Gorouter logs now clearly show when it fetches a token from UAA for communicating with Routing API details
  • Fixed a bug in Gorouter whereby absolute URIs were being decoded before route lookup details
  • Property router.enable_routing_api has been replaced by the new property routing_api.enabled, which now manages both CC and Gorouter behavior regarding the Routing API details
  • Fixed a regression whereby, when a Dockerfile exposes multiple ports, port 8080 was mapped to the route instead of the lowest port. The previous behavior is restored details

Loggregator

  • Fixed a defect where Traffic Controllers would hang on their connection to Dopplers.
  • Reworked metronbenchmark tool to add features for performance testing of Metron.

Internal Components

consul

  • consul-release was bumped from v65 to v75
  • consul now uses Golang 1.6 details
  • consul now only supports encrypted modes of operation, requiring TLS and gossip encryption configuration. details
  • consul allows operator configuration of the base domain used for service discovery; this configuration is mandatory. details

etcd and etcd-metrics-server

  • etcd-release was bumped from v38 to v42.
  • etcd and etcd-metrics-server now use Golang 1.6 details
  • etcd allows operator configuration of the advertisement DNS suffix; this configuration is mandatory. details, details

Job Spec Changes

  • WebDAV blobstore can be configured to use a custom ca: cc.resource_pool.webdav_config.ca_cert, cc.packages.webdav_config.ca_cert, cc.droplets.webdav_config.ca_cert, cc.buildpacks.webdav_config.ca_cert
  • EXPERIMENTAL: DEA can be configured to use HTTPS: cc.dea_use_https. This should remain false until work is completed on the DEA side.
  • Removed default value from etcd.advertise_urls_dns_suffix property of etcd job (previous default was etcd.service.cf.internal); this now needs to be specified explicitly in the manifest, and should generally be specified as the previous default value. details
  • Removed consul.require_ssl property from consul_agent job (SSL configuration is now required). details
  • Added consul.agent.domain property to consul_agent job; this property does not have a default and its configuration is required. Typical deployments should set the value to cf.internal. details
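The Important section and the Job Spec Changes above together describe four manifest changes an operator must make before deploying v234 (consul.require_ssl removed, consul.agent.domain and etcd.advertise_urls_dns_suffix now mandatory, router.enable_routing_api replaced by routing_api.enabled) plus two properties that should stay false. The pre-upgrade lint below is an added example, not part of cf-release or its manifest generation scripts; it takes the manifest's properties block as a plain dict (constructed inline here; in practice load the YAML first) and reports what still needs changing.

```python
"""Pre-upgrade lint of a cf-release manifest against the v234 job spec changes.

Added example, not cf-release code. It walks a manifest's `properties`
block (a constructed dict below; load real YAML with PyYAML first) and
reports the v234 property changes that this manifest has not yet applied.
"""
from typing import Any


def _get(props: dict, path: str) -> tuple[bool, Any]:
    """Return (present, value) for a dotted path such as 'consul.agent.domain'."""
    node: Any = props
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node


def check_v234_manifest(props: dict) -> list[str]:
    """Return one finding per v234 change the manifest violates; [] if clean."""
    findings: list[str] = []
    present, _ = _get(props, "consul.require_ssl")
    if present:  # removed in v234: TLS + gossip encryption are now mandatory
        findings.append("consul.require_ssl was removed in v234; secure mode is "
                        "mandatory, drop the property and configure TLS/gossip keys")
    present, value = _get(props, "consul.agent.domain")
    if not present or not value:  # no default any more
        findings.append("consul.agent.domain is required and has no default "
                        "(typical value: cf.internal)")
    present, value = _get(props, "etcd.advertise_urls_dns_suffix")
    if not present or not value:  # default etcd.service.cf.internal was removed
        findings.append("etcd.advertise_urls_dns_suffix is required and has no "
                        "default (previous default: etcd.service.cf.internal)")
    present, _ = _get(props, "router.enable_routing_api")
    if present:  # replaced by routing_api.enabled, which governs CC and Gorouter
        findings.append("router.enable_routing_api was replaced by routing_api.enabled")
    present, value = _get(props, "router.enable_access_log_streaming")
    if present and value is True:  # default is false; true degrades throughput
        findings.append("router.enable_access_log_streaming=true degrades Gorouter "
                        "performance at high request volume; keep false unless needed")
    present, value = _get(props, "cc.dea_use_https")
    if present and value is True:  # experimental, should remain false
        findings.append("cc.dea_use_https=true is experimental and should remain "
                        "false until the DEA-side work is complete")
    return findings


# Constructed sample: a v233-era properties block that trips every check.
OLD_PROPERTIES = {
    "consul": {"require_ssl": True, "agent": {}},
    "etcd": {},
    "router": {"enable_routing_api": True, "enable_access_log_streaming": True},
    "cc": {"dea_use_https": True},
}

# Constructed sample: the same block after the v234 changes are applied.
NEW_PROPERTIES = {
    "consul": {"agent": {"domain": "cf.internal"}},
    "etcd": {"advertise_urls_dns_suffix": "etcd.service.cf.internal"},
    "routing_api": {"enabled": True},
    "router": {"enable_access_log_streaming": False},
    "cc": {"dea_use_https": False},
}

if __name__ == "__main__":
    for name, props in (("old", OLD_PROPERTIES), ("new", NEW_PROPERTIES)):
        findings = check_v234_manifest(props)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```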

Recommended BOSH Stemcell Versions

  • AWS: light-bosh-stemcell-3215-aws-xen-hvm-ubuntu-trusty-go_agent
  • vSphere: bosh-stemcell-3215-vsphere-esxi-ubuntu-trusty-go_agent
  • OpenStack: N/A
  • BOSH-Lite: bosh-stemcell-3147-warden-boshlite-ubuntu-trusty-go_agent

These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of diego-release, garden-linux-release, and etcd-release.

Recommended diego-release Version

This is a soft recommendation; several different versions of the diego-release may work fine with this version of cf-release.

Recommended garden-linux-release Version

This is a soft recommendation; several different versions of the garden-linux-release may work fine with this version of cf-release and the aforementioned version of diego-release.

Recommended etcd-release Version

  • etcd final release v43

This is a soft recommendation; several different versions of the etcd-release may work fine with this version of cf-release and the aforementioned version of diego-release.

Upload this release version to the Director:

$ bosh upload release https://bosh.io/d/github.com/cloudfoundry/cf-release?v=234

Modify deployment manifest to use this release in addition to any other used releases:

releases:
- {name: cf, version: "234"}

Finally add needed deployment jobs and specify values for required properties.

Optionally, download the release tarball (sha1: d2f5a27c09c11b5152a672576cff5bcadd19877d) locally:

# ...or download it directly using curl
$ curl -L -J -O https://bosh.io/d/github.com/cloudfoundry/cf-release?v=234

# or with wget...
$ wget --content-disposition https://bosh.io/d/github.com/cloudfoundry/cf-release?v=234