cf/228

The cf-release v228 was released on January 15, 2016.

IMPORTANT

Due to CVE-2016-0708 [1] and CVE-2016-0715 [2], if you are running applications with automated buildpack detection that staged when java buildpack v2.0 through v3.4 was a system buildpack, it is strongly recommended to configure running DEAs and Diego Cells to protect applications from remote disclosure of information until they are restaged with Java Buildpack v3.5.1 [3] registered as a system buildpack. Once you are sure that all applications have been staged with Java Buildpack v3.5.1 or higher as a system buildpack, you may remove this particular configuration and deploy again.

If you are using DEAs, configure the deployment manifest segment for DEAs as shown:

properties:
  dea_next:
    post_setup_hook: "rm -f app/.java-buildpack.log app/**/.java-buildpack.log >/dev/null 2>&1"

If you are using the manifest generation scripts in the cf-release repository, and you do not wish to directly merge configuration into your manifest, first make sure you have the correct version of the repository checked out (e.g. if using v228 of cf-release, check out the v228 tag); you include the same configuration above in your stub.

If you are using Diego with diego-release v0.1446.0, add the following properties to your BOSH deployment manifest for Diego:

properties:
  diego:
    executor:
      post_setup_hook: sh -c "rm -f /home/vcap/app/.java-buildpack.log /home/vcap/app/**/.java-buildpack.log"
      post_setup_user: "root"

If you are using the manifest generation scripts in the diego-release repository [4], then rather than directly including the above configuration in your manifest, add the following properties to your property-overrides stub:

property_overrides:
  executor:
    post_setup_hook: sh -c "rm -f /home/vcap/app/.java-buildpack.log /home/vcap/app/**/.java-buildpack.log"
    post_setup_user: "root"

[1] https://pivotal.io/security/cve-2016-0708 [2] https://pivotal.io/security/cve-2016-0715 [3] https://github.com/cloudfoundry/java-buildpack/releases/tag/v3.5.1 [4] https://github.com/cloudfoundry-incubator/diego-release/blob/v0.1446.0/scripts/generate-deployment-manifest

A performance regression in Gorouter was introduced in v228. At low request volume, the issue is not observable; only at higher request volumes (such as a load test) is the regression evident. The regression was fixed in v234.

Contents: - CC and Service Broker APIs - Runtime - Buildpacks and Stacks - Identity - Routing - Loggregator - Internal Components - Job Spec Changes - Recommended BOSH Stemcell Versions - Recommended Diego Version - Recommended Garden Linux Version

CC and Service Broker APIs

CC API Version: 2.47.0 - NOTE: Support for v1 service brokers removed in this cf-release.

Service Broker API Version: 2.8

Cloud Controller

• [Experimental] Work continues on /v3 and Application Process Types details
• [Experimental] Work continues on Private Brokers details
• [Experimental] Work started on Tasks details
  • New feature flag task_creation added, defaults to false
• Allow using BOSH default cert store for all HTTP outgoing communication in CC details
• Increase size of rules field in security_groups to 16 mb details
• Remove support for v1 service brokers detail
  • Removed POST /v2/service_plans endpoint
  • Users can only update the public field on update for PUT /v2/service_plans
  • Remove POST/PUT /v2/services

Runtime

DEA

• Added post_setup_hook

Warden

No changes.

HM9000

No changes.

Buildpacks and Stacks

stacks

updated to 1.28.0 (from 1.24.0)

1.28.0

Notably, this release addresses USN-2868-1 “DHCP vulnerability”: - CVE-2015-8605: A badly formed packet with an invalid IPv4 UDP length field can cause a DHCP server, client, or relay program to terminate abnormally.

1.27.0

Notably, this release addresses USN-2865-1 “GnuTLS vulnerability”: - CVE-2015-7575: MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature

1.26.0

Release due to erroneous deploy. Contains no changes. Same as Release 1.25.0

1.25.0

Notably, this release addresses USN-2861-1 “libpng vulnerabilities”: - CVE-2015-8540: underflow read in png_check_keyword in pngwutil.c - CVE-2015-8472: Incomplete fix for CVE-2015-8126

java-buildpack

updated to v3.4 (from v3.3.1)

v3.4

I’m pleased to announce the release of the java-buildpack, version 3.4. This release focuses on developer diagnostic tools. - JMX Support with cf ssh - Debugging Support with cf ssh (via Mike Youngstrom) - YourKit Profiling Support with cf ssh - Improved Tomcat documentation (via Violeta Georgieva) - Improved Tomcat testing (via Violeta Georgieva) - Improved AppDynamics config (via Nikhil Katre)

For a more detailed look at the changes in 3.4, please take a look at the commit log. Packaged versions of the buildpack, suitable for use with create-buildpack and update-buildpack, can be found attached to this release.

Packaged Dependencies

Dependency	Version
AppDynamics Agent	4.1.7_1
GemFire	8.2.0
GemFire Modules	8.2.0
GemFire Modules Tomcat7	8.2.0
GemFire Security	8.2.0
Groovy	2.4.5
JRebel	6.3.0
MariaDB JDBC	1.3.2
Memory Calculator (mountainlion)	2.0.1.RELEASE
Memory Calculator (precise)	2.0.1.RELEASE
Memory Calculator (trusty)	2.0.1.RELEASE
New Relic Agent	3.22.0
OpenJDK JRE (mountainlion)	1.8.0_65
OpenJDK JRE (precise)	1.8.0_65
OpenJDK JRE (trusty)	1.8.0_65
Play Framework JPA Plugin	1.10.0.RELEASE
PostgreSQL JDBC	9.4.1206
RedisStore	1.2.0_RELEASE
SLF4J API	1.5.8
SLF4J JDK14	1.5.8
Spring Auto-reconfiguration	1.10.0_RELEASE
Spring Boot CLI	1.3.0_RELEASE
Tomcat Access Logging Support	2.4.0_RELEASE
Tomcat Lifecycle Support	2.4.0_RELEASE
Tomcat Logging Support	2.4.0_RELEASE
Tomcat	8.0.29
YourKit Profiler	2015.15080

php-buildpack

updated to v4.3.2 (from v4.3.1)

v4.3.2

• Add nginx 1.9.9, drop nginx 1.9.7 (https://www.pivotaltracker.com/story/show/110627098)
• Add httpd 2.4.18, drop httpd 2.4.17 (https://www.pivotaltracker.com/story/show/110627098)

Packaged binaries:

name	version	cf_stacks	modules
php	5.5.29	cflinuxfs2	amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php	5.5.30	cflinuxfs2	amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php	5.6.15	cflinuxfs2	amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php	5.6.16	cflinuxfs2	amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
hhvm	3.5.0	cflinuxfs2
hhvm	3.5.1	cflinuxfs2
hhvm	3.6.0	cflinuxfs2
hhvm	3.6.1	cflinuxfs2
composer	1.0.0-alpha10	cflinuxfs2
httpd	2.4.18	cflinuxfs2
newrelic	4.23.3.111	cflinuxfs2
nginx	1.8.0	cflinuxfs2
nginx	1.9.9	cflinuxfs2

• SHA256: 85c91281f762d2be37c729cf708040c96ceac764cce6e5f3392ef667e86d9342

python-buildpack

updated to v1.5.4 (from v1.5.3)

v1.5.4

• Added 3.4.4, removed 3.4.2 (https://www.pivotaltracker.com/story/show/111145834)
• Revert to v1.5.2 of pip-install script to prevent issue where pip contacts the internet in the cached buildpack. (https://www.pivotaltracker.com/n/projects/1042066/stories/111018262)
  • This fixes a defect that would cause a python app to fail to stage when in a disconnected environment.

Packaged binaries:

name	version	cf_stacks
python	2.7.10	cflinuxfs2
python	2.7.11	cflinuxfs2
python	3.3.5	cflinuxfs2
python	3.3.6	cflinuxfs2
python	3.4.3	cflinuxfs2
python	3.4.4	cflinuxfs2
python	3.5.0	cflinuxfs2
python	3.5.1	cflinuxfs2
libffi	3.1	cflinuxfs2
libmemcache	1.0.18	cflinuxfs2

• SHA256: 9841ba3dde6778782471597aa8462bf0c5ccd455181b8e91802071b18acbc65c

ruby-buildpack

updated to v1.6.12 (from v1.6.11)

v1.6.12

• add Ruby 2.3.0 (https://www.pivotaltracker.com/story/show/110759512)

Packaged binaries:

name	version	cf_stacks
ruby	2.0.0	cflinuxfs2
ruby	2.1.7	cflinuxfs2
ruby	2.1.8	cflinuxfs2
ruby	2.2.3	cflinuxfs2
ruby	2.2.4	cflinuxfs2
ruby	2.3.0	cflinuxfs2
jruby	ruby-1.9.3-jruby-1.7.23	cflinuxfs2
jruby	ruby-2.0.0-jruby-1.7.23	cflinuxfs2
jruby	ruby-2.2.2-jruby-9.0.4.0	cflinuxfs2
node	0.12.7	cflinuxfs2
bundler	1.9.7	cflinuxfs2
libyaml	0.1.6	cflinuxfs2
openjdk1.8-latest	1.8.0_65	cflinuxfs2
rails3_serve_static_assets	-	cflinuxfs2
rails_log_stdout	-	cflinuxfs2

• SHA256: 790409854a1bd73661c822ae4a46a8a2e08f89b7c01016155cd86b041d789885

staticfile-buildpack

updated to v1.3.0 (from v1.2.3)

v1.3.0

Item of note: - We’ve updated the version of this release to 1.3.0 to represent a new milestone of tracking nginx mainline releases. - added nginx 1.9.9, drop 1.8.0 (https://www.pivotaltracker.com/story/show/110627622) - correctly redirect http to https

Packaged binaries:

name	version	cf_stacks
nginx	1.9.9	cflinuxfs2

• SHA256: 7616b0339149743cf18b36cd87ae83ffc76095aa9221465c8d27e244a3be4c27

Identity

• No changes

Routing

• Deploy fails fast if gorouter.enable_routing_api:true and on startup gorouter fails to authenticate with routing api details
• Routing API is no longer deployed with cf-release. For the time being, this component will be deployed with cf-routing-release details

Loggregator

• No changes

Internal Components

consul

• Delete PIDFILE on monit stop. details
• Fix nameserver insertion into /etc/resolv.conf. details
• Insert 127.0.0.1 as the first line of /etc/resolv.conf.d/head instead of re-writing the file. details

etcd

• Several changes to make etcd startup more robust, especially in “SSL mode” where it has a dependency on the local consul agent. details, details, details

etcd-metrics-server

No changes.

route_registrar

• Deregister routes on shutdown instead of just leaving TTL to expire. details
• INCOMPLETE: Introduce healthcheck contract for processes whose routes are being registered. details

Job Spec Changes

• Added dea_next.post_setup_hook to dea_next job; note this property is immediately DEPRECATED and was only added to mitigate the CVE mentioned at the top of these release notes. details
• Removed etcd.log_sync_timeout_in_seconds property from etcd jobs. details
• Added hm9000.port property to hm9000 job. details
• Updated route_registrar.routes property in route_registrar job to accept healthcheck and healthcheck.timeout. details
• Removed uaa.jwt.verification_key property from routing-api job. details
• Added uaa.port property to routing-api job. details

Recommended BOSH Stemcell Versions

• AWS: light-bosh-stemcell-3177-aws-xen-hvm-ubuntu-trusty-go_agent
• vSphere: bosh-stemcell-3177-vsphere-esxi-ubuntu-trusty-go_agent
• OpenStack: bosh-stemcell-3177-openstack-kvm-ubuntu-trusty-go_agent
• BOSH-Lite: bosh-stemcell-3147-warden-boshlite-ubuntu-trusty-go_agent

These are soft recommendations; several different versions of the BOSH and stemcells are likely to work fine with this version of cf-release and the corresponding versions of diego-release, garden-linux-release, and etcd-release.

Recommended Diego Version

• Diego final release v0.1446.0 · release notes

This is a soft recommendation; several different versions of the diego-release may work fine with this version of cf-release.

Recommended Garden Linux Version

• Garden-linux final release v0.330.0 · release notes

This is a soft recommendation; several different versions of the garden-linux release may work fine with this version of cf-release and the aforementioned version of diego-release.

Recommended ETCD Version for Diego Deployment

• Etcd final release v22

This is a soft recommendation; several different versions of the etcd release may work fine with this version of cf-release and the aforementioned version of diego-release.

- name: "cf"
  version: "228"
  url: "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=228"
  sha1: "cc9d5930f67e48c6862b686c628730a0846bd9e3"

bosh upload-release --sha1 cc9d5930f67e48c6862b686c628730a0846bd9e3 \
  "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=228"