release: github.com/cloudfoundry/cf-release / 237

Github source: 87f11091 or master branch

The cf-release v237 was released on May 14, 2016.

IMPORTANT

  • v237 includes a fix for CVE-2016-3084, UAA Password Reset Vulnerability. The mitigation is to upgrade to cf-release v237.
  • Diego bridge components are now in CAPI-Release, submoduled into CF-Release. They are removed from Diego release as of v0.1469.0 and must be sourced from CF-Release. This will happen automatically for users of Diego manifest generation scripts. Users that generate their Diego deployment manifest manually must make this change now. See Job Spec Changes.
  • As part of moving Diego bridge components to CAPI-Release, properties for bridge components in Diego deployment manifests will be sourced from properties.capi in addition to properties.diego. We intend to only support properties.capi for CF-238. Users of Diego manifest generation scripts can wait for this to happen automatically. Users that generate their Diego deployment manifest manually can make this change now. See Job Spec Changes.
  • properties router.servers.z1 and router.servers.z2 have been replaced with a single property router.servers. This property is used by the HAProxy job to identify the routers as backends, and by UAA to whitelist requests from the routers.
  • The domain that was previously shared by several jobs has been deprecated in favor of system_domain.

Contents:

  • CC and Service Broker APIs
  • DEA-Warden-HM9000 Runtime
  • Buildpacks and Stacks
  • Identity
  • Routing
  • Loggregator
  • Internal Components
  • Job Spec Changes
  • Recommended BOSH Stemcell Versions
  • Recommended diego-release Version
  • Recommended garden-linux-release Version
  • Recommended etcd-release Version
  • Recommended cflinuxfs2-rootfs-release Version

CC and Service Broker APIs

CC API Version: 2.56.0

Service Broker API Version: 2.8

CAPI Release

  • Nginx workers for blobstore should be based on number of CPU cores details
  • Blobstore should use a configurable list of allow / deny directives for internal server. details
  • Consolidate system_domain and domain in manifest, deprecate domain details
  • EXPERIMENTAL: Operator can control whether volume services are enabled - disabled by default details

Cloud Controller

  • As a SpaceDeveloper, I should not be able to create a route for well known host.system_domains combinations. details
  • As an API client, I expect the errors from creating domains and routes to be clear details
  • Clarify ‘docker_image’ information in ‘Creating an App’ CC API docs details
  • As a CC API User, I would like to be able to sort organizations and spaces by name. details
  • Improve /v2/events SQL query performance details
  • V3 Experimental
    • Cancel Task endpoint should only be PUT /v3/tasks/:guid/cancel details
    • GET Task endpoint should only be /v3/tasks/:guid details
    • V3 API Pagination MUST include a total_pages field with an integer value of the total number of pages in the collection. [details](https://www.pivotaltracker.com/story/show/115739
    • Refactor v3-doc query parameters details
    • As an API consumer, I should be able to sort tasks by created_at and updated_at details
    • increase max length of environment variables for tasks on mysql details
    • As an API consumer, I should be able to filter /v3/droplets and /v3/apps/:guid/droplets details
    • As a space developer, I expect to be able to copy a Docker droplet for /v3/droplets details
    • Pushing a docker app via v3 does not correctly bind default ports details
    • As an API consumer, I should be able to filter /v3/route_mappings details
    • PUT /v3/apps/:guid/droplets/current should return droplet instead of app details
    • As an API consumer, I should be able to filter /v3/service_bindings details
    • better error when setting droplet that has two process types with case insensitive identical types details
    • As a space auditor, I would like audit events for droplets details
    • As a space developer, I should be able to set process ports to an empty array details
    • As an api consumer, I expect to be able to filter /v3/processes and /v3/apps/:guid/processes details
    • As a OrgManager, I expect to have only READ access for all V3 endpoints details
    • As an api consumer, I expect to be able to filter /v3/packages and /v3/apps/:guid/packages details
    • Upload bits to package after creating an app without package / droplet copy details
    • Change endpoint for retrieving current droplet to /apps/:guid/droplets/current details
    • Remove /v3/apps/:guid/stats endpoint and documentation details
  • Volume Services Experimental
    • When Cloud Controller runs a task on Diego and has a service binding containing volume_mounts, it should desire an TASK with volume mounts details
    • When Cloud Controller starts an app on Diego and has a service binding containing volume_mounts, it should desire an LRP with volume mounts details
    • V2 Service Bindings should be able to include volume_mounts details
    • V3 Service Bindings should be able to include volume_mounts details
    • CC should reject binding if the broker returns volume_mounts and the service does not require volume mounts. details
Pull Requests and Issues
  • cloudfoundry/cloud_controller_ng#456: Updates to user provided services do not propagate to bindings details
  • cloudfoundry/cloud_controller_ng#572: CC ignores log_level for DB log details
  • cloudfoundry/cloud_controller_ng#582: CLI Calls Undocumented API details
  • cloudfoundry/cloud_controller_ng#583: CC stages over HTTPS details
  • cloudfoundry/cloud_controller_ng#586: Create a Task does not document droplet_guid request payload details
  • cloudfoundry/cloud_controller_ng#589: Task command database column is too small details
  • cloudfoundry/cloud_controller_ng#591: Fallback to NATs if staging over http isn’t there details
  • cloudfoundry/cloud_controller_ng#597: The “Updating an App” documentation makes it look like I can update the detected_start_command details

DEA-Warden-HM9000 Runtime

  • DEA: Staging can occur over https
  • DEA: cpuPercentage is now a whole number which is the same as Diego
  • DEA: metron_endpoint.port renamed to metron_agent.dropsonde_incoming_port
  • DEA: Buildpack’s release script is guaranteed to only be called once
  • HM9000: Multiple API servers now work again
  • HM9000: Fetcher and Sender are now integrated with Analyzer (2 fewer processes)

Buildpacks and Stacks

stacks

updated to 1.56.0 (from 1.51.0)

1.56.0

Notably, this release addresses USN-2966-1: OpenSSH vulnerabilities

Ubuntu Security Notice USN-2966-1:

  • CVE-2015-8325: The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as demonstrated by an LD_PRELOAD environment variable.
  • CVE-2016-1907: The ssh_packet_read_poll2 function in packet.c in OpenSSH before 7.1p2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via crafted network traffic.
  • CVE-2016-1908: Eliminate the fallback from untrusted X11-forwarding to trusted forwarding for cases when the X server disables the SECURITY extension.
  • CVE-2016-3115: Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions.

1.55.0

Notably, this release addresses USN-2961-1: Little CMS vulnerability

Ubuntu Security Notice USN-2961-1:

  • CVE-2013-7455: double free in lcms2 may lead to code execution in applications using it

1.54.0

Notably, this release addresses USN-2959-1: OpenSSL vulnerabilities

Ubuntu Security Notice USN-2959-1:

  • CVE-2016-2105: EVP_EncodeUpdate overflow
  • CVE-2016-2106: EVP_EncryptUpdate overflow
  • CVE-2016-2107: Padding oracle in AES-NI CBC MAC check
  • CVE-2016-2108: Memory corruption in the ASN.1 encoder
  • CVE-2016-2109: ASN.1 BIO excessive memory allocation

1.53.0

Notably, this release addresses USN-2957-1: Libtasn1 vulnerability

Ubuntu Security Notice USN-2957-1:

  • CVE-2016-4008: Infinite loops parsing malicious DER certificates

Additionally, this release contains only non-critical updates to the rootfs. See the receipt changes at this commit for more information.

1.52.0

This release contains only non-critical updates to the rootfs. See the receipt changes at this commit for more information.

binary-buildpack

updated to v1.0.2 (from v1.0.1)

v1.0.2

Packaged binaries:

name version cf_stacks
  • SHA256: be92e0837189f7732499692c94af237a0965c7649344d13e2150703abf63f09e

go-buildpack

updated to v1.7.8 (from v1.7.5)

v1.7.8

Packaged binaries:

name version cf_stacks
go 1.5.3 cflinuxfs2
go 1.5.4 cflinuxfs2
go 1.6.1 cflinuxfs2
go 1.6.2 cflinuxfs2
godep v65 cflinuxfs2
  • SHA256: d86eea60ea82e25426f573e8de7dfc42245d4763d234c64e983d626018a3ee67

v1.7.7

v1.7.6

Note: We discovered a bug in this release. This bug will prevent native vendoring with go1.6. The new version of the buildpack (v1.7.7) will be released soon with a fix.

Changelog

commit e7a51484243a979d2534d1b27d63d8a7ede80581
Author: David Jahn david.a.jahn@gmail.com
Date: Tue Apr 19 12:07:34 2016 -0400

  • Print a warning when the app uses go1.6 with vendor experiment and doesn’t have a vendor dir (https://www.pivotaltracker.com/story/show/117840949)
  • Fix bug where apps using go1.6 and ldflags could not stage (https://www.pivotaltracker.com/story/show/117841169)

nodejs-buildpack

updated to v1.5.14 (from v1.5.12)

v1.5.14

Notably, this version of the nodejs buildpack addresses the following openssl vulnerabilities for the following CVEs:

  • CVE-2016-2107: Padding oracle in AES-NI CBC MAC check
  • CVE-2016-2105: EVP_EncodeUpdate overflow
  • CVE-2016-2108: Memory corruption in the ASN.1 encoder
  • CVE-2016-2106: EVP_EncryptUpdate overflow
  • CVE-2016-2109: ASN.1 BIO excessive memory allocation
  • CVE-2016-2176: EBCDIC overread

More information can be found here https://nodejs.org/en/blog/vulnerability/openssl-may-2016/

Version changes:

  • Replace 0.10.43 with 0.10.45
  • Replace 0.12.12 with 0.12.14
  • Replace 4.4.2 with 4.4.4
  • Replace 5.11.0 with 5.11.1
  • Add 6.1.0

(https://www.pivotaltracker.com/story/show/119080687) (https://www.pivotaltracker.com/story/show/119053109) (https://www.pivotaltracker.com/story/show/119050895) (https://www.pivotaltracker.com/story/show/119055011)

Packaged binaries:

name version cf_stacks
node 0.10.44 cflinuxfs2
node 0.10.45 cflinuxfs2
node 0.12.13 cflinuxfs2
node 0.12.14 cflinuxfs2
node 4.4.3 cflinuxfs2
node 4.4.4 cflinuxfs2
node 5.10.1 cflinuxfs2
node 5.11.1 cflinuxfs2
node 6.0.0 cflinuxfs2
node 6.1.0 cflinuxfs2
  • SHA256: 8ac8e19ed2c8ed1ac58e4836aff342c67b1de388c1b01e5f93e1541acaf40a57

v1.5.13

  • Add nodejs 6.0.0

Note that many node packages do not yet and possibly will not support the node 6 series

Ex. bson_ext is not compatible with v8 and node 6: https://github.com/christkv/bson-ext/issues/28#issuecomment-212258411

(https://www.pivotaltracker.com/story/show/118424939)

  • Fix bug where versions with an odd minor semver portion get filtered out during version resolution (https://www.pivotaltracker.com/story/show/118436661)
  • Add nodejs 5.11.0, Remove 5.10.0 (https://www.pivotaltracker.com/story/show/118134235)

php-buildpack

updated to v4.3.12 (from v4.3.10)

v4.3.12

Packaged binaries:

name version cf_stacks modules
php 5.5.34 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.5.35 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.6.20 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.6.21 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 7.0.5 cflinuxfs2 bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, imagick, imap, ldap, lua, mailparse, mbstring, mcrypt, mongodb, msgpack, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, pspell, snmp, soap, sockets, xdebug, xsl, yaf, zip, zlib
php 7.0.6 cflinuxfs2 bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, imagick, imap, ldap, lua, mailparse, mbstring, mcrypt, mongodb, msgpack, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, pspell, snmp, soap, sockets, xdebug, xsl, yaf, zip, zlib
composer 1.0.2 cflinuxfs2
httpd 2.4.20 cflinuxfs2
newrelic 4.23.3.111 cflinuxfs2
nginx 1.8.1 cflinuxfs2
nginx 1.9.15 cflinuxfs2
  • SHA256: 961345be4ebd5a0fc691bca1d46a710f3fb13ab55feede69f203a1908a30f0d3

v4.3.11

ruby-buildpack

updated to v1.6.17 (from v1.6.16)

v1.6.17

Packaged binaries:

name version cf_stacks
ruby 2.1.8 cflinuxfs2
ruby 2.1.9 cflinuxfs2
ruby 2.2.4 cflinuxfs2
ruby 2.2.5 cflinuxfs2
ruby 2.3.0 cflinuxfs2
ruby 2.3.1 cflinuxfs2
jruby ruby-1.9.3-jruby-1.7.25 cflinuxfs2
jruby ruby-2.0.0-jruby-1.7.25 cflinuxfs2
jruby ruby-2.2.3-jruby-9.0.5.0 cflinuxfs2
node 0.12.7 cflinuxfs2
bundler 1.11.2 cflinuxfs2
libyaml 0.1.6 cflinuxfs2
openjdk1.8-latest 1.8.0_91 cflinuxfs2
rails3_serve_static_assets - cflinuxfs2
rails_log_stdout - cflinuxfs2
  • SHA256: 8266973d7b235656555bb09b736a1e4b6c590f8955ac7ffd076e5e212527cb37

staticfile-buildpack

updated to v1.3.8 (from v1.3.6)

v1.3.8

Packaged binaries:

name version cf_stacks
nginx 1.9.15 cflinuxfs2
  • SHA256: bbd7ee04e43a8bdd39f6bddc911ce2ac563b2987f6e235f431c21d6fcee0daff

v1.3.7

Identity

Updated to UAA 3.3.0.1

Routing

no changes

Loggregator

  • Add metron_agent.protocols and deprecate metron_agent.preferred_protocol. For upcoming TCP feature.
  • Create syslog_daemon_config.enable property to disable rsyslog configuration (to support BOSH taking over this functionality)
  • Doppler generates new metric MetronAgent.DopplerForwarder.sentMessages
  • New property locked_memory_limit to set ulimit on Doppler, Traffic Controller and syslog drain binder.

Internal Components

consul

No changes.

etcd and etcd-metrics-server

  • Bumped etcd-release from v45 to v48.
  • etcd job uses custom DNS A record checking binary instead of host to evaluate whether or not service discovery is working, in the case of etcd running in SSL mode. This defines a more stringent condition than simply host exiting 0. host will exit 0 even if the etcd.dns_health_check_host has MX records associated with it but no A records. These changes have no impact on the operator. details

postgres

No changes.

nats and nats_stream_forwarder

  • nats and nats_stream_forwarder jobs have been extracted into nats-release. details
  • Bump the version of Ruby used by nats to 2.2.5.

Job Spec Changes

  • properties router.servers.z1 and router.servers.z2 have been replaced with a single property router.servers. This property is used by the HAProxy job to identify the routers as backends, and by UAA to whitelist requests from the routers.
  • The domain that was previously shared by several jobs has been deprecated in favor of system_domain
  • DEA: metron_endpoint.port renamed to metron_agent.dropsonde_incoming_port
  • CC Bridge Jobs have moved from Diego to CF
  jobs:
    cc_bridge_zX:
      templates:
      - name: consul_agent
        release: cf
      - name: stager
        release: cf
      - name: nsync
        release: cf
      - name: tps
        release: cf
      - name: cc_uploader
        release: cf
      - name: metron_agent
        release: cf
  • CC Bridge Properties moving from diego namespace to capi namespace:
    • diego.cc_uploader -> capi.cc_uploader
    • diego.nsync -> capi.nsync
    • diego.stager -> capi.stager
    • diego.tps -> capi.tps
  • Blobstore allow/deny directives are configurable with blobstore.internal_access_rules
  blobstore.internal_access_rules:
    description: >-
      List of allow / deny rules for the blobstore internal server. Defaults
      to RFC 1918 Private Networks. Will be followed by 'deny all'. See
      http://nginx.org/en/docs/http/ngx_http_access_module.html for valid rules
    default:
      - "allow 10.0.0.0/8;"
      - "allow 172.16.0.0/12;"
      - "allow 192.168.0.0/16;"
  • EXPERIMENTAL: properties.cc.volume_services_enabled - Enable binding to services that provide volume_mount information. Default is false.

Recommended BOSH Stemcell Versions

  • AWS: light-bosh-stemcell-3232.3-aws-xen-hvm-ubuntu-trusty-go_agent
  • vSphere: bosh-stemcell-3232.3-vsphere-esxi-ubuntu-trusty-go_agent
  • OpenStack: N/A
  • BOSH-Lite: bosh-stemcell-3147-warden-boshlite-ubuntu-trusty-go_agent

These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of diego-release, garden-linux-release, and etcd-release.

Recommended diego-release Version

This is a soft recommendation; several different versions of the diego-release may work fine with this version of cf-release.

Recommended garden-linux-release Version

This is a soft recommendation; several different versions of the garden-linux-release may work fine with this version of cf-release and the aforementioned version of diego-release.

Recommended etcd-release Version

This is a soft recommendation; several different versions of the etcd-release may work fine with this version of cf-release and the aforementioned version of diego-release.

Recommended cflinuxfs2-rootfs-release Version

This is a soft recommendation; several different versions of the cflinuxfs2-rootfs-release may work fine with this version of cf-release and the aforementioned version of diego-release.

Upload this release version to the Director:

$ bosh upload-release https://bosh.io/d/github.com/cloudfoundry/cf-release?v=237 --sha1 8996122278b03b6ba21ec673812d2075c37f1097

Modify deployment manifest to use this release in addition to any other used releases:

releases:
- name: cf
  version: "237"

Finally add needed deployment jobs and specify values for required properties.

Optionally download sha1: 8996122278b03b6ba21ec673812d2075c37f1097 release tarball locally:

# ...or download it directly using curl
$ curl -L -J -O https://bosh.io/d/github.com/cloudfoundry/cf-release?v=237

# or with wget...
$ wget --content-disposition https://bosh.io/d/github.com/cloudfoundry/cf-release?v=237