release: github.com/cloudfoundry/cf-release / 248

Github source: 4e1caa34 or master branch

The cf-release v248 was released on December 02, 2016.

IMPORTANT

BACKWARDS INCOMPATIBLE CHANGES

Starting with this release UAA no longer provides default values for the SAML Service Provider Certificate and JWT Signing Key, as a security best practice: a default key shipped in a public release is known to everyone, so any deployment still using it would accept tokens and SAML assertions signed by anyone who read the source. These values must now be generated explicitly for each deployment of UAA and are required for UAA to start up and function.

These are standard artifacts which can be generated using openssl. Please refer to the topic here on how to generate a self-signed cert.

Please refer here for more details.
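The generation and the sanity checks a deployer would run on the result, as an added example in POSIX sh rather than code from cf-release or the UAA project. The file names, the 2048-bit RSA key size, the three-year certificate lifetime and the SP hostname `uaa.example.com` are placeholders; only `openssl` is required.

```shell
#!/bin/sh
# Generate the two per-deployment UAA secrets that cf-release v248 no longer
# defaults: an RSA JWT signing key pair and a self-signed SAML Service Provider
# certificate/key. Added example, not cf-release or UAA project code.
# Assumptions: output file names, the 2048-bit RSA size and the SP hostname
# (uaa.example.com) are placeholders; -nodes leaves the SP key unencrypted,
# so no key password is needed in the manifest.
set -eu

# gen_uaa_keys OUTDIR [CN]: write jwt_signing_key.pem, jwt_verification_key.pem,
# saml_sp.key and saml_sp.crt into OUTDIR.
gen_uaa_keys() (
  out="$1"
  cn="${2:-uaa.example.com}"
  mkdir -p "$out"
  umask 077                      # subshell-scoped: every key file is created 0600

  # JWT signing key: the private half signs access/id tokens, the public half
  # is what resource servers (and UAA itself) use to verify them.
  openssl genrsa -out "$out/jwt_signing_key.pem" 2048 2>/dev/null
  openssl rsa -in "$out/jwt_signing_key.pem" -pubout \
    -out "$out/jwt_verification_key.pem" 2>/dev/null

  # SAML SP key and self-signed certificate in one step, 3-year validity.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1095 \
    -subj "/CN=$cn" \
    -keyout "$out/saml_sp.key" -out "$out/saml_sp.crt" 2>/dev/null
)

# check_uaa_keys OUTDIR: 0 if the artifacts are consistent, 1 otherwise.
check_uaa_keys() {
  out="$1"
  # private key parses and passes OpenSSL's RSA consistency check
  openssl rsa -in "$out/jwt_signing_key.pem" -check -noout >/dev/null 2>&1 || return 1
  # verification key really is the public half of the signing key
  priv_mod=$(openssl rsa -in "$out/jwt_signing_key.pem" -noout -modulus 2>/dev/null)
  pub_mod=$(openssl rsa -pubin -in "$out/jwt_verification_key.pem" -noout -modulus 2>/dev/null)
  [ -n "$priv_mod" ] && [ "$priv_mod" = "$pub_mod" ] || return 1
  # SP certificate was issued for the SP key we will hand UAA
  crt_mod=$(openssl x509 -in "$out/saml_sp.crt" -noout -modulus 2>/dev/null)
  key_mod=$(openssl rsa -in "$out/saml_sp.key" -noout -modulus 2>/dev/null)
  [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ] || return 1
  # certificate is currently valid (-checkend 0 fails once it has expired)
  openssl x509 -in "$out/saml_sp.crt" -noout -checkend 0 >/dev/null 2>&1 || return 1
  # private key files are not group- or world-readable
  for f in "$out/jwt_signing_key.pem" "$out/saml_sp.key"; do
    case $(ls -l "$f" | cut -c5-10) in
      ------) ;;
      *) return 1 ;;
    esac
  done
  return 0
}
```

The PEM contents of `jwt_signing_key.pem`, `jwt_verification_key.pem`, `saml_sp.key` and `saml_sp.crt` are what go into the uaa job properties; the property names are those of the uaa job spec as the author of this example recalls them (`uaa.jwt.signing_key`, `uaa.jwt.verification_key`, `login.saml.serviceProviderKey`, `login.saml.serviceProviderCertificate`), so confirm them against jobs/uaa/spec at the tagged commit before deploying. Keep the private keys out of the manifest repository; if you publish the SP certificate to an IdP, publish only `saml_sp.crt`.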

Contents:

  • CC and Service Broker APIs
  • Identity
  • Routing
  • Loggregator
  • Buildpacks and Stacks
  • DEA-Warden-HM9000 Runtime
  • Internal Components
  • Recommended Versions of Additional Releases
  • Job Spec Changes
  • Recommended BOSH Stemcell Versions

CC and Service Broker APIs

Contains CAPI release v1.11.0. Release notes for v1.11.0

Identity

This release includes UAA 3.9.2

Routing

No changes

Loggregator

This section will be updated soon. If this section is not yet up-to-date, please reach out for information:

  • direct team email: cf-loggregator@pivotal.io
  • CF Dev mailing list: https://lists.cloudfoundry.org/archives/list/cf-dev@lists.cloudfoundry.org/
  • Slack channel: https://cloudfoundry.slack.com/messages/loggregator/
  • GitHub issues: https://github.com/cloudfoundry/loggregator/issues

Buildpacks and Stacks

stacks

updated to 1.92.0 (from 1.90.0)

1.92.0

Ubuntu Security Notice USN-3142-1 (ImageMagick):

  • CVE-2016-7799: mogrify global buffer overflow
  • CVE-2016-7906: imagemagick mogrify heap use after free
  • CVE-2016-8677: memory allocation failure in AcquireQuantumPixels
  • CVE-2016-8862: memory allocation failure in AcquireMagickMemory (memory.c)
  • CVE-2016-9556: heap buffer overflow in IsPixelGray

Ubuntu Security Notice USN-3139-1 (vim):

  • CVE-2016-1248: vim before patch 8.0.0056 does not properly validate values for the ‘filetype’, ‘syntax’ and ‘keymap’ options, which may result in the execution of arbitrary code if a file with a specially crafted modeline is opened.

Ubuntu Security Notice USN-3134-1 (Python):

  • CVE-2016-0772: The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the server to block the StartTLS command, aka a “StartTLS stripping attack.”
  • CVE-2016-1000110 (“httpoxy”): the CGI handler copied the attacker-supplied Proxy request header into the HTTP_PROXY environment variable, redirecting outbound HTTP requests made by the CGI script through an attacker-chosen proxy.
  • CVE-2016-5636: Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.
  • CVE-2016-5699: CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.

Ubuntu Security Notice USN-3132-1 (GNU tar):

  • CVE-2016-6321: bypassing the extract path-name sanitization, so a crafted archive member could be written outside the extraction directory.

Ubuntu Security Notice USN-3131-1:

  • 81 CVEs addressed, see USN link

1.91.0

dotnet-core-buildpack

updated to v1.0.5 (from v1.0.4)

v1.0.5

  • Add bower 1.8.0, remove bower 1.7.9
  • Serve libunwind from buildpacks.cloudfoundry.org

Default binary versions: node 6.9.1, bower 1.8.0, dotnet 1.0.0-preview2-003131

go-buildpack

updated to v1.7.15 (from v1.7.14)

v1.7.15

  • Ensure all downloaded binaries have checksums verified
  • Add godep v75, remove godep v74

Default binary versions: go 1.6.3

nodejs-buildpack

updated to v1.5.23 (from v1.5.22)

v1.5.23

  • Add node 7.1.0, 7.0.0, 6.9.1, 4.6.2
  • Remove node 6.8.1, 4.6.0, 0.10.47 (EOL), 0.10.48 (EOL)
  • Ensure all downloaded binaries have checksums verified
  • Remove vendored node binary executable

Default binary versions: node 4.6.2

php-buildpack

updated to v4.3.22 (from v4.3.21)

v4.3.22

  • Ensure all downloaded binaries have checksums verified
  • Add composer 1.2.2, remove composer 1.2.1
  • Add APCu support to all PHP versions
  • Warn and error when composer.json or composer.lock has invalid format
  • Add support for phpiredis and phpredis in PHP7

Default binary versions: php 5.5.38, composer 1.2.2, httpd 2.4.23, newrelic 6.3.0.161, nginx 1.11.5

python-buildpack

updated to v1.5.12 (from v1.5.11)

v1.5.12

  • Ensure all downloaded binaries have checksums verified

Default binary versions: python 2.7.12

ruby-buildpack

updated to v1.6.28 (from v1.6.27)

v1.6.28

  • Add node 4.6.2, remove node 4.6.1
  • Add bundler 1.13.6, remove bundler 1.13.5
  • Add openjdk 1.8.0_111, remove openjdk 1.8.0_101
  • Ensure all downloaded binaries have checksums verified

Default binary versions: ruby 2.3.1, node 4.6.2

staticfile-buildpack

updated to v1.3.13 (from v1.3.12)

v1.3.13

  • Option to enable hosting of hidden dot-files
  • Enable HSTS support
  • Don’t write hashed credentials from Staticfile.auth to the logs

DEA-Warden-HM9000 Runtime

This section will be updated soon. If this section is not yet up-to-date, please reach out for information:

  • direct team email: runtime-og@cloudfoundry.org
  • CF Dev mailing list: https://lists.cloudfoundry.org/archives/list/cf-dev@lists.cloudfoundry.org/
  • Slack channel: https://cloudfoundry.slack.com/messages/runtime_og/
  • GitHub issues: https://github.com/cloudfoundry/dea-hm-workspace/issues

Internal Components

postgres-release (includes postgres job)

  • No changes

etcd-release (includes etcd and etcd_metrics_server jobs)

  • Bumped from vXX to vXX. Functional changes:

consul-release (includes consul_agent job)

  • Bumped from vXX to vXX. Functional changes:

nats-release (includes nats and nats_stream_forwarder jobs)

  • No changes

Recommended Versions of Additional Releases

These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.

  • Diego release v1.1.0. Release notes for v1.1.0 · v1.0.0 · v0.1491.0 · v0.1490.0.
  • Garden-Runc release v1.0.3. Release notes for v1.0.3.
  • etcd release v86. Release notes for v86.
  • cflinuxfs2-rootfs release v1.41.0. Release notes for v1.41.0 · v1.40.0.

Job Spec Changes

Recommended BOSH Stemcell Versions

  • real IaaS: 3312.6
  • BOSH-Lite: 3312.6

Note: For AWS you should use the Xen-HVM stemcells rather than Xen.

These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.

Upload this release version to the Director:

$ bosh upload release https://bosh.io/d/github.com/cloudfoundry/cf-release?v=248

Modify deployment manifest to use this release in addition to any other used releases:

releases:
- {name: cf, version: "248"}

Finally add needed deployment jobs and specify values for required properties.

Optionally download the release tarball (sha1: bb7c7c54842ba079ccf74ddc8bcd58a486499969) locally and check that digest before uploading it:

# ...or download it directly using curl
$ curl -L -J -O https://bosh.io/d/github.com/cloudfoundry/cf-release?v=248

# or with wget...
$ wget --content-disposition https://bosh.io/d/github.com/cloudfoundry/cf-release?v=248
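Both the buildpack changes above (“Ensure all downloaded binaries have checksums verified”) and the sha1 published for this tarball come down to the same fail-closed check: hash what you fetched, compare against the digest you obtained out of band, and discard the file on mismatch. The POSIX sh below is an added example, not cf-release or buildpack code; it uses only `openssl dgst` and `curl`, picks SHA-1 or SHA-256 from the digest length (bosh.io publishes sha1, buildpack manifests publish sha256), and the `hello` file in the test is constructed.

```shell
#!/bin/sh
# Fail-closed digest check for downloaded artifacts. Added example, not
# cf-release or buildpack code. Assumes openssl and curl are on PATH.

# verify_digest FILE EXPECTED_HEX -> 0 if FILE hashes to EXPECTED_HEX, 1 otherwise.
# The algorithm is chosen from the digest length: 40 hex chars = SHA-1 (as bosh.io
# publishes for release tarballs), 64 = SHA-256 (as buildpack manifests publish).
verify_digest() {
  file="$1"; expected="$2"
  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
  case "$expected" in
    *[!0-9a-fA-F]*) echo "digest is not hex: $expected" >&2; return 1 ;;
  esac
  case ${#expected} in
    40) alg=sha1 ;;
    64) alg=sha256 ;;
    *)  echo "unsupported digest length ${#expected}" >&2; return 1 ;;
  esac
  # -r prints "<hex> *<file>", the same on OpenSSL 1.1 and 3.x
  actual=$(openssl dgst -r "-$alg" "$file" | cut -d' ' -f1)
  [ "$actual" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# download_verified URL EXPECTED_HEX DEST: fetch, verify, delete on mismatch.
# The digest must come from somewhere other than the download itself (the
# release notes page, a signed manifest), or the check proves nothing.
download_verified() {
  url="$1"; expected="$2"; dest="$3"
  curl -fsSL -o "$dest" "$url" || return 1
  if verify_digest "$dest" "$expected"; then
    return 0
  fi
  rm -f "$dest"          # never leave an unverified artifact where a later step could pick it up
  echo "checksum mismatch for $url" >&2
  return 1
}

# Usage for this release (not run here, needs network):
#   download_verified 'https://bosh.io/d/github.com/cloudfoundry/cf-release?v=248' \
#     bb7c7c54842ba079ccf74ddc8bcd58a486499969 cf-release-248.tgz \
#   && bosh upload release cf-release-248.tgz
```

SHA-1 is what bosh.io publishes for this tarball, so that is what you can check; it still rules out a truncated or corrupted download and an opportunistic swap, but prefer a SHA-256 (or a signature) wherever the publisher offers one.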