cf/229
You can find the source of this version on GitHub at cloudfoundry/cf-release. It was created based on the commit 7f7b9690.
Release Notes
The cf-release v229 was released on January 22, 2016.
IMPORTANT
- v229 includes a fix for CVE-2016-0713, an XSS vulnerability in Gorouter. In previous releases, if a malicious intermediary modified requests from client to router to contain malicious code, this code could be executed on the operating system of the client from where the request originated. To our knowledge, this vulnerability does not pose a risk for penetration or takeover of Cloud Foundry system components or applications hosted by Cloud Foundry. This vulnerability was introduced in v141. The Cloud Foundry project recommends that Cloud Foundry deployments using Gorouter are upgraded to cf-release v229.
- In support of work in progress to enable developers to specify application ports when mapping routes, cf-release v229 introduces a database migration for CCDB. For deployments that use a PostgreSQL database for CCDB that is NOT the PostgreSQL job that comes with cf-release, v229 introduces the following requirements. These requirements are applicable for subsequent releases. If you are using the PostgreSQL job that comes with cf-release, or if you are using MySQL as the backing database for CC, no action is necessary.
- v229 contains a performance regression in Gorouter introduced in v228. At low request volume, the issue is not observable; only at higher request volumes (such as a load test) is the regression evident. The regression was fixed in v234.
Contents:
- CC and Service Broker APIs
- Runtime
- Buildpacks and Stacks
- Identity
- Routing
- Loggregator
- Internal Components
- Job Spec Changes
- Recommended BOSH Stemcell Versions
- Recommended Diego Version
- Recommended Garden Linux Version
CC and Service Broker APIs
CC API Version: 2.47.0
Service Broker API Version: 2.8
Cloud Controller
- [Experimental] Work continues on /v3 and Application Process Types
- [Experimental] Work completed on Space Scoped Private Brokers
- Remove experimental flag on space guid for private brokers
- [Experimental] Work continues on Tasks
- Cleanup spec/templates for unused properties
- Allow use of the “IN” filter for organization_guid on routes
- Do not incorrectly claim domains are queryable by space_guid
- Disassociating users/roles from orgs by username returns 204
- Document interpretation of route existence endpoint return code
Runtime
DEA
- Ruby 2.2.4
- nproc is configurable
Warden
- Ruby 2.2.4
HM9000
- Go 1.5
Buildpacks and Stacks
stacks
updated to 1.29.0 (from 1.28.0)
1.29.0
Notably, this release addresses USN-2869-1 “OpenSSH vulnerabilities”:
- CVE-2016-0777: information leak in roaming support
- CVE-2016-0778: buffer overflow in roaming support
java-buildpack
updated to v3.5.1 (from v3.4)
v3.5.1
I’m pleased to announce the release of the java-buildpack, version 3.5.1. This release contains minor improvements and updates to dependencies. It also addresses the critical vulnerability found in CVE-2016-0708.
- Secure JRebel (via @bssie)
- Improved documentation (via Daniel Mikusa, Violeta Georgieva)
- Logging in the Luna Security Provider
For a more detailed look at the changes in 3.5.1, please take a look at the commit log. Packaged versions of the buildpack, suitable for use with create-buildpack and update-buildpack, can be found attached to this release.
Packaged Dependencies
Dependency | Version |
---|---|
AppDynamics Agent | 4.1.8_5 |
GemFire | 8.2.0 |
GemFire Modules | 8.2.0 |
GemFire Modules Tomcat7 | 8.2.0 |
GemFire Security | 8.2.0 |
Groovy | 2.4.5 |
JRebel | 6.3.1 |
MariaDB JDBC | 1.3.3 |
Memory Calculator (mountainlion) | 2.0.1.RELEASE |
Memory Calculator (precise) | 2.0.1.RELEASE |
Memory Calculator (trusty) | 2.0.1.RELEASE |
New Relic Agent | 3.24.1 |
OpenJDK JRE (mountainlion) | 1.8.0_65 |
OpenJDK JRE (precise) | 1.8.0_65 |
OpenJDK JRE (trusty) | 1.8.0_65 |
Play Framework JPA Plugin | 1.10.0.RELEASE |
PostgreSQL JDBC | 9.4.1207 |
RedisStore | 1.2.0_RELEASE |
SLF4J API | 1.5.8 |
SLF4J JDK14 | 1.5.8 |
Spring Auto-reconfiguration | 1.10.0_RELEASE |
Spring Boot CLI | 1.3.1_RELEASE |
Tomcat Access Logging Support | 2.4.0_RELEASE |
Tomcat Lifecycle Support | 2.4.0_RELEASE |
Tomcat Logging Support | 2.4.0_RELEASE |
Tomcat | 8.0.30 |
YourKit Profiler | 2015.15084.0 |
Identity
Updated to UAA release 3.0.0
Routing
Route Services (in progress)
- CC now validates route service URLs for user-provided service instances
TCP Routing (in progress)
- CC client can now specify an app port when mapping a TCP route to an app
- CC client can now specify an app port when mapping an HTTP route to an app
- Routing API will call UAA for a new verification key when a token can’t be validated
Loggregator
No change
Internal Components
consul
- Ensure the startup script terminates before monit runs another startup, so that only one is ever running at a time.
- Bump to Golang 1.5.3 to address CVE-2015-8618.
etcd
- Check DNS before etcd starts up in SSL mode.
etcd-metrics-server
No changes.
route_registrar
No changes.
Job Spec Changes
- Zeroed the default values of the name, build, version, support_address, and description properties in the cloud_controller_ng, cloud_controller_worker, and cloud_controller_clock jobs.
- Removed cc.info.name, cc.info.build, cc.info.version, and cc.info.description properties from the cloud_controller_ng, cloud_controller_worker, and cloud_controller_clock jobs.
- Removed cc.info.custom properties from the cloud_controller_worker and cloud_controller_clock jobs.
- Removed cc.development_mode property from the cloud_controller_clock job.
- Removed consul.agent.sync_timeout_in_seconds property from the consul_agent job.
- Added dea_next.instance_nproc_limit property to the dea_next job.
- Added etcd.dns_health_check_host property to the etcd job.
- Removed uaa.jwt.policy.global.accessTokenValiditySeconds and uaa.jwt.policy.global.refreshTokenValiditySeconds properties from the uaa job.
- Added uaa.authentication.policy.global.lockoutAfterFailures, uaa.authentication.policy.global.countFailuresWithinSeconds, uaa.authentication.policy.global.lockoutPeriodSeconds, uaa.password.policy.global.minLength, uaa.password.policy.global.maxLength, uaa.password.policy.global.requireUpperCaseCharacter, uaa.password.policy.global.requireLowerCaseCharacter, uaa.password.policy.global.requireDigit, uaa.password.policy.global.requireSpecialCharacter, uaa.password.policy.global.expirePasswordInMonths, uaa.jwt.policy.global.accessTokenValiditySeconds, and uaa.jwt.policy.global.refreshTokenValiditySeconds properties to the uaa job.
Recommended BOSH Stemcell Versions
- AWS: light-bosh-stemcell-3181-aws-xen-hvm-ubuntu-trusty-go_agent
- vSphere: bosh-stemcell-3181-vsphere-esxi-ubuntu-trusty-go_agent
- OpenStack: bosh-stemcell-3181-openstack-kvm-ubuntu-trusty-go_agent
- BOSH-Lite: bosh-stemcell-3147-warden-boshlite-ubuntu-trusty-go_agent
These are soft recommendations; several different versions of the BOSH and stemcells are likely to work fine with this version of cf-release and the corresponding versions of diego-release, garden-linux-release, and etcd-release.
Recommended Diego Version
- Diego final release v0.1447.0 · release notes
This is a soft recommendation; several different versions of the diego-release may work fine with this version of cf-release.
Recommended Garden Linux Version
- Garden-linux final release v0.330.0 · release notes
This is a soft recommendation; several different versions of the garden-linux release may work fine with this version of cf-release and the aforementioned version of diego-release.
Recommended ETCD Version for Diego Deployment
- Etcd final release v22
This is a soft recommendation; several different versions of the etcd release may work fine with this version of cf-release and the aforementioned version of diego-release.
Usage
You can reference this release in your deployment manifest from the releases section:

    - name: "cf"
      version: "229"
      url: "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=229"
      sha1: "bb82f8f1a00f7cdf4ed603b58191b8a0fe579a9e"

Or upload it to your director with the upload-release command:

    bosh upload-release --sha1 bb82f8f1a00f7cdf4ed603b58191b8a0fe579a9e \
      "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=229"
Jobs
- acceptance-tests
- cloud_controller_clock
- cloud_controller_ng
- cloud_controller_worker
- collector
- consul_agent
- dea_logging_agent
- dea_next
- debian_nfs_server
- doppler
- etcd
- etcd_metrics_server
- gorouter
- haproxy
- hm9000
- loggregator_trafficcontroller
- metron_agent
- nats
- nats_stream_forwarder
- nfs_mounter
- postgres
- route_registrar
- routing-api
- smoke-tests
- statsd-injector
- syslog_drain_binder
- uaa
Packages
- acceptance-tests
- buildpack_binary
- buildpack_go
- buildpack_java
- buildpack_java_offline
- buildpack_nodejs
- buildpack_php
- buildpack_python
- buildpack_ruby
- buildpack_staticfile
- cli
- cloud_controller_ng
- collector
- common
- confab
- consul
- consul-common
- dea_logging_agent
- dea_next
- debian_nfs_server
- doppler
- etcd
- etcd-common
- etcd_metrics_server
- gnatsd
- golang1.4
- golang1.5
- gorouter
- haproxy
- hm9000
- libpq
- loggregator_common
- loggregator_trafficcontroller
- metron_agent
- mysqlclient-5.5
- nats
- nginx
- nginx_newrelic_plugin
- postgres-9.4.5
- rootfs_cflinuxfs2
- route_registrar
- routing-api
- rtr
- ruby-2.1.8
- ruby-2.2.4
- smoke-tests
- statsd-injector
- syslog_drain_binder
- uaa
- uaa_utils
- warden