The cf-release v245 was released on October 09, 2016.
IMPORTANT
- This release fixes a critical security vulnerability pertaining to command injection. Please see the mailing list thread on CVE-2016-6655 for more details. Operators are strongly encouraged to update to this latest version of cf-release.
- This release includes a significant migration of the CCDB that is the first step to releasing the CC V3 API. Please see the release notes for CAPI v1.6.0 for details.
- CVE-2016-6658: The Cloud Controller in CF-245 contains a fix for a medium-severity CVE where apps using custom buildpack URLs could contain credentials. This fix ensures that URLs containing credentials are either encrypted or stored in an obfuscated format at rest. This is a continuation of CVE-2016-6638, originally reported fixed in CF-241.
- The included version of CAPI Release contains an issue staging Python-buildpack-based apps and apps using any buildpack that doesn't return process types in the staging result. We've prioritized this bug at the top of our backlog. The workaround is to add a Procfile containing any command, e.g.
Contents:
- CC and Service Broker APIs
- Identity
- Routing
- Loggregator
- Buildpacks and Stacks
- DEA-Warden-HM9000 Runtime
- Internal Components
- Recommended Versions of Additional Releases
- Job Spec Changes
- Recommended BOSH Stemcell Versions
CC and Service Broker APIs
Routing-release bumped to 0.140.0
Buildpacks and Stacks
updated to 1.86.0 (from 1.84.0)
Notably, this release addresses USN-3096-1: NTP vulnerabilities (Ubuntu Security Notice USN-3096-1). As cflinuxfs2 only includes the ntpdate package, many of these CVEs may not apply.
- CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode
- CVE-2015-7974: NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a “skeleton key.”
- CVE-2015-7975: ntpq buffer overflow
- CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames
- CVE-2015-7977: reslist NULL pointer dereference
- CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list
- CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode
- CVE-2015-8138: Zero Origin Timestamp Bypass, AKA: Additional KoD Checks
- CVE-2015-8158: Potential Infinite Loop in ntpq
- CVE-2016-0727: NTP statsdir cleanup cronjob insecure
- CVE-2016-1547: Validate crypto-NAKs, AKA: nak-dos
- CVE-2016-1548: Interleave-pivot
- CVE-2016-1550: Improve NTP security against buffer comparison timing attacks (authdecrypt-timing)
- CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion botch
- CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
- CVE-2016-4954: The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication.
- CVE-2016-4955: ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time.
- CVE-2016-4956: ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-1548.
updated to v1.5.21 (from v1.5.20)
- Address USN-3087-1: OpenSSL vulnerabilities by updating node. The new versions of node included in this buildpack are built against the patched version of OpenSSL (https://www.pivotaltracker.com/story/show/130945067)
- Updated node: 0.10.47, 0.12.16, 4.6.0, 6.7.0
Default binary versions: node 4.6.0
updated to v1.6.26 (from v1.6.25)
- Address USN-3087-1: OpenSSL vulnerabilities by updating node. The new version of node included in this buildpack was built against the patched version of OpenSSL (https://www.pivotaltracker.com/story/show/130945067)
- Updated node: 4.6.0
Default binary versions: ruby 2.3.1, node 4.6.0
This section will be updated soon. If this section is not yet up-to-date, please reach out for information:
- direct team email: firstname.lastname@example.org
- CF Dev mailing list: https://email@example.com/
- Slack channel: https://cloudfoundry.slack.com/messages/runtime_og/
- GitHub issues: https://github.com/cloudfoundry/dea-hm-workspace/issues
- Bumped from v5 to v6. No functional changes.
- Bumped from v66 to v73. Functional changes:
- Bumped from v125 to v126. Functional changes:
The consul_agent job will now use
- No change, still at v11.
Recommended Versions of Additional Releases
These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.
- Diego release v0.1487.0. Release notes for v0.1487.0.
- Garden-Linux release v0.342.0. Release notes for v0.342.0.
- Garden-Runc release v0.9.0. Release notes for v0.9.0 · v0.8.0 · v0.7.0 · v0.6.0 · v0.5.0 · v0.4.0 · v0.3.0 · v0.2.0 · v0.1.0 · v0.0.0.
- etcd release v73. Release notes for v73 · v72 · v71.
- cflinuxfs2-rootfs release v1.35.0. Release notes for v1.35.0 · v1.34.0.
Job Spec Changes
- CAPI v1.6.0 Job Spec Changes
The etcd job with default value of
Recommended BOSH Stemcell Versions
- real IaaS: 3263.5
- BOSH-Lite: 3262.2
Note: For AWS you should use the Xen-HVM stemcells rather than Xen.
These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.
Upload this release version to the Director:
$ bosh upload-release https://bosh.io/d/github.com/cloudfoundry/cf-release?v=245 --sha1 0c9f485f640c2b9e3136fcc89047b3d76dd6863c
Modify deployment manifest to use this release in addition to any other used releases:
releases:
- name: cf
  version: "245"
Finally add needed deployment jobs and specify values for required properties.
Optionally download the release tarball (sha1: 0c9f485f640c2b9e3136fcc89047b3d76dd6863c) locally:

# ...or download it directly using curl
$ curl -L -J -O https://bosh.io/d/github.com/cloudfoundry/cf-release?v=245
# or with wget...
$ wget --content-disposition https://bosh.io/d/github.com/cloudfoundry/cf-release?v=245
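When the tarball is downloaded locally instead of passed to the Director by URL, the `--sha1` check shown above no longer happens for you. The script below is an added example, not part of the release notes or the BOSH CLI: it verifies the local tarball against the SHA-1 published above before `bosh upload-release` is run. The URL and checksum come from this page; the output file name `cf-release-245.tgz` is an assumption.

```shell
#!/bin/sh
# Added example: verify the cf-release v245 tarball's SHA-1 against the
# checksum published in these release notes before uploading it.
set -eu

RELEASE_URL='https://bosh.io/d/github.com/cloudfoundry/cf-release?v=245'
EXPECTED_SHA1='0c9f485f640c2b9e3136fcc89047b3d76dd6863c'
OUT='cf-release-245.tgz'   # assumed local file name

# Print the SHA-1 hex digest of a file using whichever tool the host has.
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | cut -d' ' -f1
  else
    shasum -a 1 "$1" | cut -d' ' -f1
  fi
}

# Return 0 when the file's SHA-1 equals the expected digest, 1 otherwise.
# The expected value is lower-cased because the tools print lowercase hex.
verify_release_sha1() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  actual=$(sha1_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches $expected"
    return 0
  fi
  echo "MISMATCH: $file has $actual, expected $expected" >&2
  return 1
}

# Download, verify, then upload. Only runs when invoked as
# './verify-cf245.sh download', so the functions can be sourced on their own.
if [ "${1:-}" = "download" ]; then
  curl -L -o "$OUT" "$RELEASE_URL"
  verify_release_sha1 "$OUT" "$EXPECTED_SHA1"
  bosh upload-release "$OUT"
fi
```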