release: github.com/cloudfoundry/cf-release / 245

Github source: 3fe03720 or master branch

The cf-release v245 was released on October 09, 2016.

IMPORTANT

  • This release fixes a critical security vulnerability pertaining to command injection. Please see the mailing list thread on CVE-2016-6655 for more details. Operators are strongly encouraged to update to this latest version of cf-release.
  • This release includes a significant migration of the CCDB that is the first step to releasing the CC V3 API. Please see the release notes for CAPI v1.6.0 for details.
  • CVE-2016-6658: The Cloud Controller in CF-245 contains a fix for a medium CVE where apps using custom buildpack URLs could contain credentials. This fix ensures that URLs containing credentials are either encrypted or stored in an obfuscated format at rest. This is a continuation of CVE-2016-6638, originally reported fixed in CF-241.

KNOWN ISSUES

  • The included version of CAPI Release contains an issue staging Python buildpack based apps and apps using any buildpack that doesn't return process types in the staging result. We've prioritized this bug at the top of our backlog. Workaround is to add a Procfile containing any command, e.g. web: foo.

Contents:

  • CC and Service Broker APIs
  • Identity
  • Routing
  • Loggregator
  • Buildpacks and Stacks
  • DEA-Warden-HM9000 Runtime
  • Internal Components
  • Recommended Versions of Additional Releases
  • Job Spec Changes
  • Recommended BOSH Stemcell Versions

CC and Service Broker APIs

Contains CAPI release v1.7.0. Release notes for v1.6.0 and v1.7.0

Identity

No Changes

Routing

Routing-release bumped to 0.140.0

Loggregator

No Changes

Buildpacks and Stacks

stacks

updated to 1.86.0 (from 1.84.0)

1.86.0

Notably, this release addresses Ubuntu Security Notice USN-3096-1: NTP vulnerabilities. As cflinuxfs2 only includes the ntpdate package, many of these CVEs may not apply.

  • CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode
  • CVE-2015-7974: NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."
  • CVE-2015-7975: ntpq buffer overflow
  • CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames
  • CVE-2015-7977: reslist NULL pointer dereference
  • CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list
  • CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode
  • CVE-2015-8138: Zero Origin Timestamp Bypass, AKA: Additional KoD Checks
  • CVE-2015-8158: Potential Infinite Loop in ntpq
  • CVE-2016-0727: NTP statsdir cleanup cronjob insecure
  • CVE-2016-1547: Validate crypto-NAKs, AKA: nak-dos
  • CVE-2016-1548: Interleave-pivot
  • CVE-2016-1550: Improve NTP security against buffer comparison timing attacks, AKA: authdecrypt-timing
  • CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion botch
  • CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
  • CVE-2016-4954: The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication.
  • CVE-2016-4955: ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time.
  • CVE-2016-4956: ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-1548.

1.85.0

Notably, this release addresses Ubuntu Security Notice USN-3088-1: Bind vulnerability.

  • CVE-2016-2776: Assertion Failure in buffer.c

nodejs-buildpack

updated to v1.5.21 (from v1.5.20)

v1.5.21

  • Address USN-3087-1: OpenSSL vulnerabilities by updating node. The new versions of node included in this buildpack are built against the patched version of OpenSSL (https://www.pivotaltracker.com/story/show/130945067)
  • Updated node: 0.10.47, 0.12.16, 4.6.0, 6.7.0

Default binary versions: node 4.6.0

ruby-buildpack

updated to v1.6.26 (from v1.6.25)

v1.6.26

Default binary versions: ruby 2.3.1, node 4.6.0

DEA-Warden-HM9000 Runtime

This section will be updated soon. If this section is not yet up-to-date, please reach out for information:

  • direct team email: runtime-og@cloudfoundry.org
  • CF Dev mailing list: https://lists.cloudfoundry.org/archives/list/cf-dev@lists.cloudfoundry.org/
  • Slack channel: https://cloudfoundry.slack.com/messages/runtime_og/
  • GitHub issues: https://github.com/cloudfoundry/dea-hm-workspace/issues

Internal Components

postgres-release (includes postgres job)

  • Bumped from v5 to v6. No functional changes.

etcd-release (includes etcd and etcd_metrics_server jobs)

  • Bumped from v66 to v73. Functional changes:
    • Added -debug flag to uses of the etcdctl CLI to improve debuggability. details
    • Added etcd_consistency_checker process to etcd job. details
    • Added etcd network diagnostics logging to etcd job. details

consul-release (includes consul_agent job)

  • Bumped from v125 to v126. Functional changes:
    • consul_agent job will now use sed instead of awk -W in agent_ctl script. details

nats-release (includes nats and nats_stream_forwarder jobs)

  • No change, still at v11.

Recommended Versions of Additional Releases

These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.

  • Diego release v0.1487.0. Release notes for v0.1487.0.
  • Garden-Linux release v0.342.0. Release notes for v0.342.0.
  • Garden-Runc release v0.9.0. Release notes for v0.9.0 · v0.8.0 · v0.7.0 · v0.6.0 · v0.5.0 · v0.4.0 · v0.3.0 · v0.2.0 · v0.1.0 · v0.0.0.
  • etcd release v73. Release notes for v73 · v72 · v71.
  • cflinuxfs2-rootfs release v1.35.0. Release notes for v1.35.0 · v1.34.0.

Job Spec Changes

Recommended BOSH Stemcell Versions

  • real IaaS: 3263.5
  • BOSH-Lite: 3262.2

Note: For AWS you should use the Xen-HVM stemcells rather than Xen.

These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.

Upload this release version to the Director:

$ bosh upload release https://bosh.io/d/github.com/cloudfoundry/cf-release?v=245

Modify deployment manifest to use this release in addition to any other used releases:

releases:
- {name: cf, version: "245"}

Finally add needed deployment jobs and specify values for required properties.

Optionally download the release tarball locally (sha1: 0c9f485f640c2b9e3136fcc89047b3d76dd6863c):

# ...or download it directly using curl
$ curl -L -J -O https://bosh.io/d/github.com/cloudfoundry/cf-release?v=245

# or with wget...
$ wget --content-disposition https://bosh.io/d/github.com/cloudfoundry/cf-release?v=245
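Since the page publishes the tarball's sha1, an operator who downloads the release locally can check the file against that value before handing it to `bosh upload release`. The script below is an added example, not part of the bosh.io page or of cf-release itself; the only value it takes from the page is the sha1 above, and the tarball filename `cf-release-245.tgz` in the usage comment is an assumption (the `-o` flag sets it explicitly). The self-check at the end uses a constructed file whose sha1 is well known, so it runs without network access.

```shell
#!/bin/sh
# Added example (not from the bosh.io page or cf-release): verify a downloaded
# cf-release v245 tarball against the sha1 printed on the release page.

# sha1 published on the release page for the v245 tarball.
CF_RELEASE_245_SHA1="0c9f485f640c2b9e3136fcc89047b3d76dd6863c"

# Print the hex sha1 digest of a file, using whichever tool the host provides
# (sha1sum on GNU/Linux, shasum on macOS/BSD).
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | awk '{print $1}'
  else
    shasum -a 1 "$1" | awk '{print $1}'
  fi
}

# verify_sha1 FILE EXPECTED
# Returns 0 when FILE's sha1 equals EXPECTED (compared case-insensitively),
# 1 when the file is missing or the digest differs.
verify_sha1() {
  file="$1"
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if [ ! -f "$file" ]; then
    echo "missing file: $file" >&2
    return 1
  fi
  actual=$(sha1_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches sha1 $expected"
    return 0
  fi
  echo "MISMATCH: $file has sha1 $actual, expected $expected" >&2
  return 1
}

# Usage against the real download (run manually; needs network). The local
# filename is chosen here with -o rather than taken from Content-Disposition:
#   curl -L -o cf-release-245.tgz 'https://bosh.io/d/github.com/cloudfoundry/cf-release?v=245'
#   verify_sha1 cf-release-245.tgz "$CF_RELEASE_245_SHA1" && bosh upload release cf-release-245.tgz

# Self-check on a constructed file (no network): the string "abc" has the
# well-known sha1 a9993e364706816aba3e25717850c26c9cd0d89d.
demo_file=$(mktemp)
printf 'abc' > "$demo_file"
verify_sha1 "$demo_file" a9993e364706816aba3e25717850c26c9cd0d89d
verify_sha1 "$demo_file" "$CF_RELEASE_245_SHA1" || echo "(mismatch against the v245 digest reported, as expected for a constructed file)"
rm -f "$demo_file"
```

Chaining `verify_sha1 ... && bosh upload release ...` means a corrupted or substituted tarball never reaches the Director; when uploading by URL instead, the Director fetches the file itself, so this check only applies to the local-download path.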