cf/230

The cf-release v230 was released on January 27, 2016.

IMPORTANT

• v230 includes a fix for CVE-2016-0732, privilege escalation with UAA. A privilege escalation vulnerability has been identified with the identity zones feature of UAA. Users with the appropriate permissions in one zone can perform unauthorized operations on a different zone. Only instances of UAA configured with multiple identity zones are vulnerable. The mitigation is to upgrade to cf-release v230
• v230 contains a performance regression in Gorouter introduced in v228. At low request volume, the issue is not observable; only at higher request volumes (such as a load test) is the regression evident. The regression was fixed in v234.

Contents: - CC and Service Broker APIs - Runtime - Buildpacks and Stacks - Identity - Routing - Loggregator - Internal Components - Job Spec Changes - Recommended BOSH Stemcell Versions - Recommended diego-release Version - Recommended garden-linux-release Version - Recommended etcd-release Version

CC and Service Broker APIs

CC API Version: 2.48.0

Service Broker API Version: 2.8

Cloud Controller

• [Experimental] Work continues on /v3 and Application Process Types details
• [Experimental] Work continues on Tasks details
• Add disclaimers to api docs about redundant query filters included in the path details
• Fixed an issue introduced in cf-release 229 that caused existing apps to be completely restarted when scaling to additional instances or other updates to the app model. details
• Replace libmysqlclient with mariadb equivalent details

Runtime

No changes.

Buildpacks and Stacks

stacks

updated to 1.31.0 (from 1.29.0)

1.31.0

Notably, this release addresses USN-2879-1 “rsync vulnerability”: - CVE-2014-9512: rsync 3.1.1 allows remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization path

1.30.0

Notably, this release addresses USN-2874-1 “Bind vulnerability” and USN-2875-1 “libxml2 vulnerabilities”: - CVE-2015-8704: Denial of service via APL data that could trigger an INSIST - CVE-2015-7499: Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors. - CVE-2015-8710: out of bounds memory access via unclosed html comment

go-buildpack

updated to v1.7.2 (from v1.7.1)

v1.7.2

Notably, this release includes go 1.5.3 which patches CVE-2015-8618. - Add support for go 1.5.3 and remove support for go1.5.1 (https://www.pivotaltracker.com/story/show/111646892) - Add support for Go patch version wildcard matching. (https://www.pivotaltracker.com/story/show/106117500) - Updated to Godep v45. (https://www.pivotaltracker.com/story/show/110776726)

Packaged binaries:

name	version	cf_stacks
go	1.4.1	cflinuxfs2
go	1.4.2	cflinuxfs2
go	1.4.3	cflinuxfs2
go	1.5.2	cflinuxfs2
go	1.5.3	cflinuxfs2
godep	v45	cflinuxfs2

• SHA256: c7de9ddacde4159862de9881590c813c77d6e421af167ac4ed3b991fa8281717

nodejs-buildpack

updated to v1.5.5 (from v1.5.4)

v1.5.5

• Added v4.2.5 and v5.5.0, removed v4.2.3 and v5.1.1. (https://www.pivotaltracker.com/story/show/111537310)
• Remove node 0.11.15 and 0.11.16 (https://www.pivotaltracker.com/story/show/109538496)

Packaged binaries:

name	version	cf_stacks
node	0.10.40	cflinuxfs2
node	0.10.41	cflinuxfs2
node	0.12.7	cflinuxfs2
node	0.12.9	cflinuxfs2
node	4.2.5	cflinuxfs2
node	5.5.0	cflinuxfs2

• SHA256: 9aa7fc28bb2146310295db2e52398041445ef6953c1958bb553919b187e823c8

php-buildpack

updated to v4.3.3 (from v4.3.2)

v4.3.3

• Show warning when composer.json and options.json both exist, to prevent conflicts (https://www.pivotaltracker.com/story/show/111962349)
• Make version 1.9.9 the default nginx version (https://www.pivotaltracker.com/story/show/110700942)
• Add versions 5.5.31, 5.6.17. (https://www.pivotaltracker.com/story/show/111532430)
• Remove versions 5.5.29, 5.6.15. (https://www.pivotaltracker.com/story/show/111532430)

Packaged binaries:

name	version	cf_stacks	modules
php	5.5.30	cflinuxfs2	amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php	5.5.31	cflinuxfs2	amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php	5.6.16	cflinuxfs2	amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php	5.6.17	cflinuxfs2	amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
hhvm	3.5.0	cflinuxfs2
hhvm	3.5.1	cflinuxfs2
hhvm	3.6.0	cflinuxfs2
hhvm	3.6.1	cflinuxfs2
composer	1.0.0-alpha10	cflinuxfs2
httpd	2.4.18	cflinuxfs2
newrelic	4.23.3.111	cflinuxfs2
nginx	1.8.0	cflinuxfs2
nginx	1.9.9	cflinuxfs2

• SHA256: 0a3fae06cd31ee4ff6fea964ba414a710225812785cc872b0a262bbd6ecde9ab

Identity

Updated to UAA Release 3.0.1

Routing

• Gorouter now uses cf-lager logging framework to stream logs to syslog details, more details
• Gorouter has been updated to golang 1.5.3 details
• Gorouter now supports a configurable wait time for the drain operation. When a shutdown is initiated, the healthcheck endpoint will report the server is not listening, however the server will accept new requests for the configured wait time. Thanks to CAFxX from Rakuten for the PR details
• Gorouter now better handles unauthorized errors from Routing API details
• Gorouter now logs when it fetches a token from UAA for use with Routing API details
• CC API now supports parameters with request to bind route to service instance details

Loggregator

• No change

Internal Components

consul

• When running as server, wait to write PID until after data sync. details

etcd

No functional changes.

etcd-metrics-server

No changes.

route_registrar

No functional changes.

Job Spec Changes

• Increased the default values of the cc.thresholds.api.alert_if_above_mb, cc.thresholds.api.restart_if_consistently_above_mb, and cc.thresholds.api.restart_if_above_mb properties in the cloud_controller_ng, cloud_controller_worker, and cloud_controller_clock jobs. details

Recommended BOSH Stemcell Versions

• AWS: light-bosh-stemcell-3184.1-aws-xen-hvm-ubuntu-trusty-go_agent
• vSphere: bosh-stemcell-3184.1-vsphere-esxi-ubuntu-trusty-go_agent
• OpenStack: bosh-stemcell-3184.1-openstack-kvm-ubuntu-trusty-go_agent
• BOSH-Lite: bosh-stemcell-3147-warden-boshlite-ubuntu-trusty-go_agent

These are soft recommendations; several different versions of the BOSH and stemcells are likely to work fine with this version of cf-release and the corresponding versions of diego-release, garden-linux-release, and etcd-release.

Recommended diego-release Version

• Diego final release v0.1450.0 · release notes

This is a soft recommendation; several different versions of diego-release may work fine with this version of cf-release.

Recommended garden-linux-release Version

• Garden-linux final release v0.330.0 · release notes

This is a soft recommendation; several different versions of the garden-linux-release may work fine with this version of cf-release and the aforementioned version of diego-release.

Recommended etcd-release Version

• etcd final release v27

This is a soft recommendation; several different versions of the etcd-release may work fine with this version of cf-release and the aforementioned version of diego-release.

- name: "cf"
  version: "230"
  url: "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=230"
  sha1: "8af451d3c817df8ec29641f1fb035d0058985415"

bosh upload-release --sha1 8af451d3c817df8ec29641f1fb035d0058985415 \
  "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=230"