release: github.com/cloudfoundry/cf-release / 256

Github source: b6343b5a or master branch

Contents - Notices - Job Spec Changes - CVEs - Compatible Releases and Stemcells - Subcomponent Updates

Notices

  • Updating GrootFS to v0.16.0, if running with GrootFS already, will require recreating the Diego cells.
  • The Postgres job will upgrade PostgreSQL to version 9.6.2. NOTE: this drops support for upgrading from PostgreSQL 9.4.5 Only upgrades from PostgreSQL 9.4.6 (since cf v232) and PostgreSQL 9.4.9 (since cf v241) are supported. Before deploying, please review considerations at postgres-release v15.
  • If you are running cf-networking-release, the value for cf_networking.garden_external_networker.cni_plugin_dir must be updated to /var/vcap/packages/silk/bin

Job Spec Changes

  • The router status endpoint is no longer optional. As such, router.status.password (which has been configurable for a long time) is now required.
  • cc_uploader now requires the following properties to be configured:
    • properties.capi.cc_uploader.cc.ca_cert
    • properties.capi.cc_uploader.cc.client_cert
    • properties.capi.cc_uploader.cc.client_key Diego manifest generation (as of Diego 1.11.0) has already required this property to be configured, so it’s likely that most deployers have already set these values. For deployers building their manifests some other way, these properties are now required by the components themselves.
  • In the postgres job, the default value for the databases.monit_timeout has been changed to 90 seconds.
  • The included version of Loggregator restricts ciphers to use only the following 4 ciphers. This is a breaking change for some operators and a configurable property for opting into more cipher suites was introduced in Loggregator 85 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Security Notices

Affecting v256

None recorded as of 2017-04-11.

Resolved in v256

  • CVE-2017-4970 in Staticfile buildpack versions v1.4.0 – v1.4.3 (high severity)

Known Issues

  • Users that belong to any space containing a user provided service instance are unable to view any specific service plan: /v2/service_plans/:guid. Users are still able to view the marketplace and provision service instances.

Subcomponent Updates

Compatible Releases and Stemcells

  • diego-release: v1.12.0. Release notes for v1.12.0.
  • garden-runc-release: v1.4.0. Release notes for v1.4.0.
  • cflinuxfs2-rootfs release v1.60.0. Release notes for v1.60.0
  • cf-networking-release: v0.19.0. Release notes for v0.19.0.
  • grootfs-release v0.16.0. Release notes for v0.16.0. Updating GrootFS to v0.16.0, if running with GrootFS already, will require recreating the Diego cells.
  • stemcell: 3363.15

Upload this release version to the Director:

$ bosh upload release https://bosh.io/d/github.com/cloudfoundry/cf-release?v=256

Modify deployment manifest to use this release in addition to any other used releases:

releases:
- {name: cf, version: "256"}

Finally add needed deployment jobs and specify values for required properties.

Optionally download sha1: 7eb583eb6dd08dfce8858d891b2571aebeb6b52c release tarball locally:

# ...or download it directly using curl
$ curl -L -J -O https://bosh.io/d/github.com/cloudfoundry/cf-release?v=256

# or with wget...
$ wget --content-disposition https://bosh.io/d/github.com/cloudfoundry/cf-release?v=256