Skip to content

cf/232

You can find the source of this version on GitHub at cloudfoundry/cf-release. It was created based on the commit 67a5f78e.

Release Notes

The cf-release v232 was released on March 16, 2016.

Important: - This release is a pre-release, and should not be used. Metron was refactored in preparation for full multi-protocol support of UDP, TCP and TLS. This introduced a defect where Metron opens a new connection to each Doppler for every Doppler heartbeat sent to etcd (every 10 seconds). For small deployments (2 Dopplers), the kernel cleans up the extra connections fast enough to prevent overload, but in larger configurations, the connection list grows beyond the process ulimit and Metron crashes. - This release includes a fix for CVE-2016-0781 UAA Persistent XSS Vulnerability. The UAA OAuth approval pages are vulnerable to an XSS attack by specifying malicious java script content in either the OAuth scopes (SCIM groups) or SCIM group descriptions. Please use cf-release v233 for remediation. - This release includes a fix for CVE-2016-2165 - Loggregator Request URL Paths. 404 responses from Loggregator endpoints include the URL sent, and are vulnerable to an XSS attack. - This release extracts the Java buildpacks from being package dependencies of the Cloud Controller to being “package-only” jobs from a separate release, colocated with the Cloud Controllers. The release is submoduled into cf-release with appropriate symlinks so that it also appears as a job in cf-release, and requires minimal changes to your manifest. This was already done for all the other buildpacks in v231. details - The UAA job leverages a “post-deploy hook” feature of BOSH as of this release, which is not supported in older versions of the BOSH Director. Please ensure you are using a sufficiently recent version of the BOSH Director. - The UAA job is also leveraging new health-check functionality in the Route Registrar. details. - The cf client listed under the uaa.clients property should not have implicit as one of its authorized-grant-types and autoapprove should no longer be set to true. details - The tcp_emitter and tcp_router clients listed under the uaa.clients property should have the routing.router_groups.read authority add to their list of authorities. details - v233 includes a fix for CVE-2016-0780 Cloud Controller Disk Quota Enforcement. It was discovered that Cloud Foundry does not properly enforce disk quotas in certain cases. An attacker could use an improper disk quota value to bypass enforcement and consume all the disk on DEAs/Diego Cells causing a potential denial of service for other applications. - v232 contains a performance regression in Gorouter introduced in v228. At low request volume, the issue is not observable; only at higher request volumes (such as a load test) is the regression evident. The regression was fixed in v234.

Contents: - CC and Service Broker APIs - DEA-Warden-HM9000 Runtime - Buildpacks and Stacks - Identity - Routing - Loggregator - Internal Components - Job Spec Changes - Recommended BOSH Stemcell Versions - Recommended diego-release Version - Recommended garden-linux-release Version - Recommended etcd-release Version

CC and Service Broker APIs

CC API Version: 2.52.0

Service Broker API Version: 2.8

IMPORTANT - Manifest changes required for all deployments, whether using nfs or other blobstore. - See document describing all required manifest changes. details - Simplify webdav configuration by only requiring secure_link.secret only on the blobstore - WebDAV can be configured to use TLS: blobstore.tls.cert, blobstore.tls.port, blobstore.tls.private_key - Operator can configure tasks over X age to be pruned: cc.completed_tasks.cutoff_age_in_days defaults to 31 days

Cloud Controller

  • Fix for CVE-2016-0780 Cloud Controller Disk Quota Enforcement
  • [Experimental] Work continues on /v3 and Application Process Types details
  • make webdav the default blobstore details
  • Created cloud controller wiki details
  • Allow SpaceDevelopers to purge space scoped instances details
  • Allow SpaceDevelopers to purge space scoped service offerings details
  • Delete route bindings when purging service instances details
  • Stopping/Deleting an application shouldn’t fail if we get an error from Diego details
  • creating an app with multiple ports when diego is default returns an error details
  • Added feature flag space_developer_env_var_visibility to control whether a space developer can access /v2/apps/:guid/env and /v3/apps/:guid/env details
  • client author should be able to follow CC API docs to discover the app ports routes are mapped to details
  • client author should be able to follow CC API docs to update the app port for a route_mapping as a SpaceDeveloper details
  • cc api client author should be able to follow docs to delete a route mapping details
  • DEA heartbeats to HM9K over http details
  • Use dea.advertise only, kill staging.advertise details
  • CC client author should receive an error when moving an app from diego to DEA, and multiple app ports are mapped to routes details
  • As a space developer, I can map a route to a specific process type details
  • client author should be able to follow CC API docs to discover the app ports routes are mapped to details
  • Require that shared domain have hosts details
  • Simplify webdav configuration by only requiring secure_link.secret only on the blobstore details
  • client author should be able to follow CC API docs to discover the app ports routes are mapped to details
  • As an operator, I expect tasks completed X days ago to be pruned. cc.completed_tasks.cutoff_age_in_days defaults to 31 days details
  • client author should be able to follow CC API docs to discover the app ports routes are mapped to details
  • client author should be able to follow CC API docs to discover the app ports routes are mapped to details
  • Bump railties to 4.2.5.2 - Addresses CVE-2016-2097 and CVE-2016-2098 details Not exposed in the manifest yet. Requires this story
  • Enable https for internal webdav server details blobstore.tls.cert, blobstore.tls.port, blobstore.tls.private_key
Pull Requests and Issues
  • cloudfoundry/cloud_controller_ng#537: Updating an application does not document enable_ssh request payload details
  • cloudfoundry/cloud_controller_ng#538: Use consistent local-ip detection added to vcap-common v 4.0.3 details
  • cloudfoundry/cloud_controller_ng#542: Add quotas for service keys details total_service_keys on Org Quota and Space Quota manages the max number of service keys per Org or Space
  • cloudfoundry/cloud_controller_ng#543: List all Service Bindings for the User Provided Service Instance documents invalid query parameter details
  • cloudfoundry/cloud_controller_ng#544: HCF-516: Make the name of the CCNG hostname configurable details
  • cloudfoundry/cloud_controller_ng#545: Update User Provided Service Instance misdocuments payload parameter details
  • cloudfoundry/cloud_controller_ng#554: Allow specifying a reserved set of private domains details

DEA-Warden-HM9000 Runtime

  • Metrics for DEA and HM9000 are sent via Loggregator.

Buildpacks and Stacks

stacks

updated to 1.44.0 (from 1.36.0)

1.44.0

Notably, this release addresses USN-2927-1: graphite2 vulnerabilities Ubuntu Security Notice USN-2927-1: - CVE-2016-1977: Graphite2 Machine::Code::decoder::analysis::set_ref stack out ofbounds bit set - CVE-2016-2790: Use of uninitialised memory in [@graphite2::TtfUtil::GetTableInfo] - CVE-2016-2791: graphite2: heap-buffer-overflow read in [@graphite2::GlyphCache::glyph] - CVE-2016-2792: graphite2: heap-buffer-overflow read in [@graphite2::Slot::getAttr] Slot.cpp:232 - CVE-2016-2793: graphite2: heap-buffer-overflow read in CachedCmap.cpp - CVE-2016-2794: heap-buffer-overflow read in [@graphite2::TtfUtil::CmapSubtable12NextCodepoint] - CVE-2016-2795: Use of uninitialised memory in [@graphite2::FileFace::get_table_fn] - CVE-2016-2796: graphite2: heap-buffer-overflow write in [@graphite2::vm::Machine::Code::Code] - CVE-2016-2797: graphite2: heap-buffer-overflow read in [@graphite2::TtfUtil::CmapSubtable12Lookup] - CVE-2016-2798: graphite2: heap-buffer-overflow read in [@graphite2::GlyphCache::Loader::Loader] - CVE-2016-2799: graphite2: heap-buffer-overflow write in [@graphite2::Slot::setAttr] - CVE-2016-2800: graphite2: heap-buffer-overflow read in [@graphite2::Slot::getAttr] Slot.cpp:234 - CVE-2016-2801: graphite2: heap-buffer-overflow read in [@graphite2::TtfUtil::CmapSubtable12Lookup] TtfUtil.cpp:1126 - CVE-2016-2802: graphite2: heap-buffer-overflow read in [@graphite2::TtfUtil::CmapSubtable4NextCodepoint]

1.43.0

Notably, this release addresses USN-2925-1: Bind vulnerabilities Ubuntu Security Notice USN-2925-1: - CVE-2016-1285: named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 allowsremote attackers to cause a denial of service (assertion failure and daemonexit) via a malformed packet to the rndc (aka control channel) interface,related to alist.c and sexpr.c. - CVE-2016-1286: named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 allowsremote attackers to cause a denial of service (assertion failure and daemonexit) via a crafted signature record for a DNAME record, related to db.cand resolver.c.

1.42.0

Notably, this release upgrades the version of the packaged ruby from version 1.9.3 to version 2.2.4

1.41.0

Notably, this release addresses USN-2919-1: JasPer vulnerabilities Ubuntu Security Notice USN-2919-1: - CVE-2016-1577: Double free vulnerability in the jas_iccattrval_destroy function in JasPer1.900.1 and earlier allows remote attackers to cause a denial of service(crash) or possibly execute arbitrary code via a crafted ICC color profilein a JPEG 2000 image file, a different vulnerability than CVE-2014-8137. - CVE-2016-2116: Memory leak in the jas_iccprof_createfrombuf function in JasPer 1.900.1and earlier allows remote attackers to cause a denial of service (memoryconsumption) via a crafted ICC color profile in a JPEG 2000 image file.

and USN-2918-1: pixman vulnerability Ubuntu Security Notice USN-2918-1: - CVE-2014-9766: integer overflow in create_bits

1.40.0

Notably, this release addresses USN-2916-1: Perl vulnerabilities Ubuntu Security Notice USN-2916-1: - CVE-2013-7422: Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS Xbefore 10.10.5 and other products, allows context-dependent attackers toexecute arbitrary code or cause a denial of service (application crash) viaa long digit string associated with an invalid backreference within aregular expression. - CVE-2014-4330: The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 andearlier, allows context-dependent attackers to cause a denial of service(stack consumption and crash) via an Array-Reference with many nestedArray-References, which triggers a large number of recursive calls to theDD_dump function. - CVE-2016-2381: environment variable confusion

1.39.0

Notably, this release addresses USN-2914-1 OpenSSL vulnerabilities: - CVE-2016-0702: Side channel attack on modular exponentiation (AKA CacheBleed) - CVE-2016-0705: DSA private key flaws including a double-free - CVE-2016-0797: BN_hex2bn/BNdec2bn NULL pointer deref/heap corruption - CVE-2016-0798: Memory leak in SRP database lookups - CVE-2016-0799: Memory issues in BIO*printf functions

1.38.0

Notably, this release provides non-critical ca-certificates updates. For more information, please see: - USN-2913-1: CA-certificates update - USN-2913-2: Glib-networking update - USN-2913-3: OpenSSL update - USN-2913-4: GnuTLS update

1.37.0

Notably, this release addresses USN-2906-1 “cpio vulnerabilities”: - CVE-2015-1197: cpio 2.11, when using the –no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive. - CVE-2016-2037: out-of-bounds write with cpio 2.11

go-buildpack

updated to v1.7.3 (from v1.7.2)

v1.7.3

Packaged binaries:

name version cf_stacks
go 1.4.2 cflinuxfs2
go 1.4.3 cflinuxfs2
go 1.5.2 cflinuxfs2
go 1.5.3 cflinuxfs2
go 1.6 cflinuxfs2
godep v55 cflinuxfs2
  • SHA256: 986af858450fc66e4e61e48218c18aa3b75a24efaddd05e1981b8c7f9edd9aee

nodejs-buildpack

updated to v1.5.7 (from v1.5.5)

v1.5.7

Packaged binaries:

name version cf_stacks
node 0.10.42 cflinuxfs2
node 0.10.43 cflinuxfs2
node 0.12.10 cflinuxfs2
node 0.12.11 cflinuxfs2
node 4.3.2 cflinuxfs2
node 5.7.1 cflinuxfs2
  • SHA256: 34e574f0f35d0c0879875909cb02ab259a504f1f5efc29effe095ae75709d2fc

v1.5.6

Packaged binaries:

name version cf_stacks
node 0.10.41 cflinuxfs2
node 0.10.42 cflinuxfs2
node 0.12.10 cflinuxfs2
node 0.12.9 cflinuxfs2
node 4.3.1 cflinuxfs2
node 5.7.0 cflinuxfs2
  • SHA256: 0330d713b3f4261a3e39433a659edb3a9f04c247daa73c84a42563c2761df623

php-buildpack

updated to v4.3.6 (from v4.3.5)

v4.3.6

Packaged binaries:

name version cf_stacks modules
php 5.5.32 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.5.33 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.6.18 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.6.19 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 7.0.3 cflinuxfs2 bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, imap, ldap, lua, mailparse, mbstring, mcrypt, mongodb, msgpack, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, pspell, snmp, soap, sockets, xsl, yaf, zip, zlib
php 7.0.4 cflinuxfs2 bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, imap, ldap, lua, mailparse, mbstring, mcrypt, mongodb, msgpack, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, pspell, snmp, soap, sockets, xsl, yaf, zip, zlib
composer 1.0.0-alpha11 cflinuxfs2
httpd 2.4.18 cflinuxfs2
newrelic 4.23.3.111 cflinuxfs2
nginx 1.8.1 cflinuxfs2
nginx 1.9.12 cflinuxfs2
  • SHA256: 6eb0f94f8d49b07d78f3865150fe8d6b1d31fc7fa7fdeb6edddfb541b85b89f4

ruby-buildpack

updated to v1.6.14 (from v1.6.13)

v1.6.14

Packaged binaries:

name version cf_stacks
ruby 2.1.7 cflinuxfs2
ruby 2.1.8 cflinuxfs2
ruby 2.2.3 cflinuxfs2
ruby 2.2.4 cflinuxfs2
ruby 2.3.0 cflinuxfs2
jruby ruby-1.9.3-jruby-1.7.24 cflinuxfs2
jruby ruby-2.0.0-jruby-1.7.24 cflinuxfs2
jruby ruby-2.2.3-jruby-9.0.5.0 cflinuxfs2
node 0.12.7 cflinuxfs2
bundler 1.11.2 cflinuxfs2
libyaml 0.1.6 cflinuxfs2
openjdk1.8-latest 1.8.0_73 cflinuxfs2
rails3_serve_static_assets - cflinuxfs2
rails_log_stdout - cflinuxfs2
  • SHA256: 2a6e73085e066ace8c38612d4dd6cc50d2b425ba297b77b586562bd940ca19d2

staticfile-buildpack

updated to v1.3.2 (from v1.3.1)

v1.3.2

Note that nginx 1.9.12 is mainly a feature / bugfix release

Packaged binaries:

name version cf_stacks
nginx 1.9.12 cflinuxfs2

Note that nginx 1.9.12 is mainly a feature / bugfix release

Packaged binaries:

name version cf_stacks
nginx 1.9.12 cflinuxfs2
  • SHA256: 52127a3324f021e00c6d9cd0fddc9456703410286c743fb28b628dfd0a73e113

Identity

Updated to UAA Release 3.2.1 from 3.1.0 - Release Notes 3.2.0 - Release Notes 3.2.1

Routing

Multiple App Ports (in progress) - Bug fix: using CC API to create an app with multiple ports when diego is the default now succeeds details - CC client author can now follow API docs to discover the app ports routes are mapped to details - CC client author can now follow API docs to update the app port for a route_mapping as a SpaceDeveloper details - CC client author can now follow API docs to delete a route mapping details - CC client author will now receive an error when moving an app from diego to DEA when multiple app ports are mapped to routes details - CATS now has coverage for multiple app ports with HTTP routes details

Route Services - Routing and Route Services are now independent test suites in cf-acceptance-tests details - Gorouter no longer uses SHA-1 for generation of the Route Services encryption key details

Gorouter Misc - When router.routing_api_enabled:true and routing-api.auth_disabled:false, Gorouter connects to UAA over TLS to fetch a token for use with Routing API details

Loggregator

This is a Pre-Release for Loggregator and is not safe to use in large configurations - Metron was refactored in preparation for full multi-protocol support of UDP, TCP and TLS. This introduced a defect where Metron opens a new connection to each Doppler for every Doppler heartbeat sent to etcd (every 10 seconds). For small deployments (2 Dopplers), the kernel cleans up the extra connections fast enough to prevent overload, but in larger configurations, the connection list grows beyond the process ulimit and Metron crashes. - pprof http endpoints were added to Metron, Doppler and Traffic Controller - Fixed CVE-2016-2165 - Loggregator Request URL Paths

Internal Components

consul

No functional changes.

etcd

  • etcd job supports configuring the advertise URL DNS suffix. details

etcd-metrics-server

No functional changes.

postgres

route_registrar

  • Support running health check scripts that don’t provide a shebang line. details
  • Improve route configuration validation error messaging. details

Job Spec Changes

  • For UAA Job spec changes please see here
  • Added etcd.advertise_urls_dns_suffix property to etcd job. details
  • Manifest changes required for all deployments, whether using nfs or other blobstore.
    • See document describing all required manifest changes. details
    • Simplify webdav configuration by only requiring secure_link.secret only on the blobstore
    • WebDAV can be configured to use TLS: blobstore.tls.cert, blobstore.tls.port, blobstore.tls.private_key
  • Operator can configure tasks over X age to be pruned: cc.completed_tasks.cutoff_age_in_days defaults to 31 days

Recommended BOSH Stemcell Versions

  • AWS: light-bosh-stemcell-3213-aws-xen-hvm-ubuntu-trusty-go_agent
  • vSphere: bosh-stemcell-3213-vsphere-esxi-ubuntu-trusty-go_agent
  • OpenStack: N/A
  • BOSH-Lite: bosh-stemcell-3147-warden-boshlite-ubuntu-trusty-go_agent

These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of diego-release, garden-linux-release, and etcd-release.

Recommended diego-release Version

This is a soft recommendation; several different versions of diego-release may work fine with this version of cf-release.

Recommended garden-linux-release Version

This is a soft recommendation; several different versions of the garden-linux-release may work fine with this version of cf-release and the aforementioned version of diego-release.

Recommended etcd-release Version

  • etcd final release v38

This is a soft recommendation; several different versions of the etcd-release may work fine with this version of cf-release and the aforementioned version of diego-release.

Usage

You can reference this release in your deployment manifest from the releases section:

- name: "cf"
  version: "232"
  url: "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=232"
  sha1: "6fb6d5a42ac8255e7a1bf96909a351b0634c4824"

Or upload it to your director with the upload-release command:

bosh upload-release --sha1 6fb6d5a42ac8255e7a1bf96909a351b0634c4824 \
  "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=232"

Jobs

Packages