cf/233
You can find the source of this version on GitHub at cloudfoundry/cf-release. It was created based on the commit 11e3eaec.
Release Notes
The cf-release v233 was released on March 18, 2016.
Important:
- v233 includes a fix for CVE-2016-0781 UAA Persistent XSS Vulnerability. The UAA OAuth approval pages are vulnerable to an XSS attack by specifying malicious JavaScript content in either the OAuth scopes (SCIM groups) or SCIM group descriptions.
- v233 also includes a fix for CVE-2016-2165 - Loggregator Request URL Paths. 404 responses from Loggregator endpoints include the URL sent, and are vulnerable to an XSS attack.
- v233 includes a fix for CVE-2016-0780 Cloud Controller Disk Quota Enforcement. It was discovered that Cloud Foundry does not properly enforce disk quotas in certain cases. An attacker could use an improper disk quota value to bypass enforcement and consume all the disk on DEAs/Diego Cells, causing a potential denial of service for other applications.
- v233 has the potential to deliver only partial sets of log messages for an app, or to the firehose. This can happen if multiple Dopplers have restarted since the Traffic Controllers were deployed. If you suspect you are missing logs, the workaround is to restart the Traffic Controllers.
- v233 contains a performance regression in Gorouter introduced in v228. At low request volume the issue is not observable; only at higher request volumes (such as a load test) is the regression evident. The regression was fixed in v234.
- v233 includes a change in cflinuxfs2 that removes support for libmysqlclient in favor of libmariadb. This requires clearing the buildpack cache and restaging apps for the change to take effect.
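The two XSS fixes above come down to one output-encoding rule: attacker-controlled text (a SCIM group description shown on the UAA approval page, the request path reflected into a Loggregator 404 body) must never reach an HTML response as markup. The Go program below is an added illustration written for this page; it is not code from UAA (a Java application) or from Loggregator, and it is not the actual fix in either project. The scope names, the group description carrying a script tag, and the probe path are constructed sample data. It renders the same scope list once by string concatenation and once through html/template, and serves the same unknown path through a 404 handler that echoes the path and one that returns a fixed body.

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Scope stands in for an OAuth scope backed by a SCIM group: the group name
// and its free-text description, both of which end up on the approval page.
type Scope struct {
	Name        string
	Description string
}

// Constructed sample data (not taken from any UAA instance): the second
// description carries the kind of payload the advisory describes.
var sampleScopes = []Scope{
	{Name: "openid", Description: "Access your basic profile"},
	{Name: "cloud_controller.read", Description: "<script>alert(1)</script>"},
}

// renderApprovalsUnsafe concatenates the description straight into the page,
// so the payload is emitted as live markup (the vulnerable pattern).
func renderApprovalsUnsafe(scopes []Scope) string {
	var b strings.Builder
	b.WriteString("<ul>")
	for _, s := range scopes {
		b.WriteString("<li><b>" + s.Name + "</b>: " + s.Description + "</li>")
	}
	b.WriteString("</ul>")
	return b.String()
}

// approvalTmpl is parsed by html/template, whose context-aware escaping turns
// <, >, &, quotes and + in interpolated values into entities.
var approvalTmpl = template.Must(template.New("approvals").Parse(
	`<ul>{{range .}}<li><b>{{.Name}}</b>: {{.Description}}</li>{{end}}</ul>`))

// renderApprovalsSafe renders the same scopes; the payload comes out as text.
func renderApprovalsSafe(scopes []Scope) (string, error) {
	var b strings.Builder
	if err := approvalTmpl.Execute(&b, scopes); err != nil {
		return "", err
	}
	return b.String(), nil
}

// notFoundUnsafe reflects the request path into an HTML body unescaped,
// which is the shape of the Loggregator 404 problem.
func notFoundUnsafe(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusNotFound)
	fmt.Fprintf(w, "<html><body>404 Not Found: %s</body></html>", r.URL.Path)
}

// notFoundSafe returns a fixed plain-text body: nothing attacker-controlled
// is echoed, the content type is explicit, and sniffing is disabled. If the
// path is needed for diagnosis it belongs in the server log, not the response.
func notFoundSafe(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.WriteHeader(http.StatusNotFound)
	fmt.Fprint(w, "404 Not Found\n")
}

// serve runs a handler against a path in-process and returns the body, so the
// two 404 variants can be compared without opening a socket.
func serve(h http.HandlerFunc, path string) string {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Body.String()
}

func main() {
	const probe = "/apps/<script>alert(document.cookie)</script>/stream"
	fmt.Println("unsafe approval page:", renderApprovalsUnsafe(sampleScopes))
	safe, _ := renderApprovalsSafe(sampleScopes)
	fmt.Println("escaped approval page:", safe)
	fmt.Println("echoing 404:", serve(notFoundUnsafe, probe))
	fmt.Print("fixed-body 404: ", serve(notFoundSafe, probe))
}
```

The escaped rendering is the one to compare against when auditing a page that displays SCIM group names or descriptions: if the raw `<script>` string survives into the response, the page is still vulnerable, whatever the template engine.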
Contents:
- CC and Service Broker APIs
- DEA-Warden-HM9000 Runtime
- Buildpacks and Stacks
- Identity
- Routing
- Loggregator
- Internal Components
- Job Spec Changes
- Recommended BOSH Stemcell Versions
- Recommended diego-release Version
- Recommended garden-linux-release Version
- Recommended etcd-release Version
CC and Service Broker APIs
CC API Version: 2.52.0
Service Broker API Version: 2.8
Cloud Controller
- Fix for CVE-2016-0780 Cloud Controller Disk Quota Enforcement
- Update ruby-nats client
- SpaceManagers, SpaceAuditors, OrgManagers should be able to view process stats
- Cloud Controller shouldn’t fail app scale operations when the backend is not available; rely on eventual consistency
Pull Requests and Issues
- cloudfoundry/cloud_controller_ng#420: CC doesn’t always stop
- cloudfoundry/cloud_controller_ng#454: staging_failed_reason and staging_failed_description type information missing
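The advisory for CVE-2016-0780 says only that an improper disk quota value could bypass enforcement. The Go validator below is an added example for this page, not Cloud Controller code (Cloud Controller is written in Ruby) and not the actual fix. It assumes the v2 app request field `disk_quota` (an integer number of MB) and two operator limits modelled on the Cloud Controller properties `default_app_disk_in_mb` and `maximum_app_disk_in_mb`, with values chosen here for illustration. The point it demonstrates is that an absent field gets the platform default, and every value that is not a positive whole number within the operator cap (zero, negative, fractional, out of range, a string, a null) is refused at the API before it can reach a DEA or Diego cell.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"math"
)

// Operator limits. The names mirror the Cloud Controller properties
// default_app_disk_in_mb and maximum_app_disk_in_mb; the values are assumed.
const (
	defaultDiskMB = 1024
	maxDiskMB     = 2048
)

var ErrDiskQuota = errors.New("disk_quota must be a whole number of MB between 1 and the platform maximum")

// resolveDiskQuota takes the raw JSON value of disk_quota from an app
// create/update body and returns the value the platform will enforce.
// An absent field yields the default; anything else that is not a positive
// integer within the operator cap is rejected instead of being passed through.
func resolveDiskQuota(raw json.RawMessage) (int, error) {
	if len(raw) == 0 {
		return defaultDiskMB, nil // field not present in the request
	}
	var v interface{}
	if err := json.Unmarshal(raw, &v); err != nil {
		return 0, ErrDiskQuota // e.g. a number too large to represent
	}
	f, ok := v.(float64) // JSON numbers decode as float64
	if !ok {
		return 0, ErrDiskQuota // null, "1024", true, {} or [] are not quotas
	}
	if math.IsNaN(f) || math.IsInf(f, 0) || f != math.Trunc(f) {
		return 0, ErrDiskQuota // non-finite or fractional megabytes
	}
	if f < 1 || f > maxDiskMB {
		return 0, ErrDiskQuota // zero, negative, or above the operator cap
	}
	return int(f), nil
}

// appRequest models the subset of the v2 app request body used here.
// RawMessage keeps the wire form so the type of disk_quota can be inspected.
type appRequest struct {
	Name      string          `json:"name"`
	DiskQuota json.RawMessage `json:"disk_quota"`
}

// quotaForRequest parses a request body and resolves its disk quota.
func quotaForRequest(body string) (int, error) {
	var req appRequest
	if err := json.Unmarshal([]byte(body), &req); err != nil {
		return 0, fmt.Errorf("malformed request body: %w", err)
	}
	return resolveDiskQuota(req.DiskQuota)
}

func main() {
	// Constructed request bodies exercising the accepted and rejected shapes.
	for _, body := range []string{
		`{"name":"web"}`,
		`{"name":"web","disk_quota":512}`,
		`{"name":"web","disk_quota":0}`,
		`{"name":"web","disk_quota":-1}`,
		`{"name":"web","disk_quota":4096}`,
		`{"name":"web","disk_quota":"1024"}`,
		`{"name":"web","disk_quota":1.5}`,
	} {
		q, err := quotaForRequest(body)
		fmt.Printf("%-40s -> quota=%d err=%v\n", body, q, err)
	}
}
```

Validating at the API is only half of the control: the resolved value also has to be the one the DEA or Diego cell actually applies, so the same bounds check belongs wherever the staging and run requests are built.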
DEA-Warden-HM9000 Runtime
- No changes
Buildpacks and Stacks
stacks
updated to 1.45.0 (from 1.43.0)
1.45.0
This release includes two changes:
1. cflinuxfs2 has dropped support for libmysqlclient in favor of libmariadb
2. This release addresses USN-2935-1: PAM vulnerabilities (Ubuntu Security Notice USN-2935-1) and USN-2935-2: PAM regression (Ubuntu Security Notice USN-2935-2):
- CVE-2013-7041: The pam_userdb module for Pam uses a case-insensitive method to compare hashed passwords, which makes it easier for attackers to guess the password via a brute force attack.
- CVE-2014-2583: Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create arbitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty function, which is used by the format_timestamp_name function.
- CVE-2015-3238: The _unix_run_helper_binary function in the pam_unix module in Linux-PAM (aka pam) before 1.2.1, when unable to directly access passwords, allows local users to enumerate usernames or cause a denial of service (hang) via a large password.
1.44.0
Notably, this release addresses USN-2927-1: graphite2 vulnerabilities (Ubuntu Security Notice USN-2927-1):
- CVE-2016-1977: Graphite2 Machine::Code::decoder::analysis::set_ref stack out of bounds bit set
- CVE-2016-2790: Use of uninitialised memory in [@graphite2::TtfUtil::GetTableInfo]
- CVE-2016-2791: graphite2: heap-buffer-overflow read in [@graphite2::GlyphCache::glyph]
- CVE-2016-2792: graphite2: heap-buffer-overflow read in [@graphite2::Slot::getAttr] Slot.cpp:232
- CVE-2016-2793: graphite2: heap-buffer-overflow read in CachedCmap.cpp
- CVE-2016-2794: heap-buffer-overflow read in [@graphite2::TtfUtil::CmapSubtable12NextCodepoint]
- CVE-2016-2795: Use of uninitialised memory in [@graphite2::FileFace::get_table_fn]
- CVE-2016-2796: graphite2: heap-buffer-overflow write in [@graphite2::vm::Machine::Code::Code]
- CVE-2016-2797: graphite2: heap-buffer-overflow read in [@graphite2::TtfUtil::CmapSubtable12Lookup]
- CVE-2016-2798: graphite2: heap-buffer-overflow read in [@graphite2::GlyphCache::Loader::Loader]
- CVE-2016-2799: graphite2: heap-buffer-overflow write in [@graphite2::Slot::setAttr]
- CVE-2016-2800: graphite2: heap-buffer-overflow read in [@graphite2::Slot::getAttr] Slot.cpp:234
- CVE-2016-2801: graphite2: heap-buffer-overflow read in [@graphite2::TtfUtil::CmapSubtable12Lookup] TtfUtil.cpp:1126
- CVE-2016-2802: graphite2: heap-buffer-overflow read in [@graphite2::TtfUtil::CmapSubtable4NextCodepoint]
nodejs-buildpack
updated to v1.5.8 (from v1.5.7)
v1.5.8
- Add v0.12.12, v4.4.0, and v5.8.0, removed v0.12.10, v4.3.2, and v5.7.1 (https://www.pivotaltracker.com/story/show/114974911)
- Revert upstream pre/post build scripts (https://www.pivotaltracker.com/story/show/1115592677)
- Remove old log message about resolving version via semver.io (https://www.pivotaltracker.com/story/show/114725733)
Packaged binaries:
name | version | cf_stacks |
---|---|---|
node | 0.10.42 | cflinuxfs2 |
node | 0.10.43 | cflinuxfs2 |
node | 0.12.11 | cflinuxfs2 |
node | 0.12.12 | cflinuxfs2 |
node | 4.4.0 | cflinuxfs2 |
node | 5.8.0 | cflinuxfs2 |
- SHA256: c416cff626aab10894543568e0a4ea68d1b721ebda0f9c3b719ae1c09cadb4e1
php-buildpack
updated to v4.3.7 (from v4.3.6)
v4.3.7
- Updates composer version from 1.0.0-alpha11 to 1.0.0-beta1 (https://www.pivotaltracker.com/story/show/115175869)
Packaged binaries:
name | version | cf_stacks | modules |
---|---|---|---|
php | 5.5.32 | cflinuxfs2 | amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib |
php | 5.5.33 | cflinuxfs2 | amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib |
php | 5.6.18 | cflinuxfs2 | amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib |
php | 5.6.19 | cflinuxfs2 | amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib |
php | 7.0.3 | cflinuxfs2 | bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, imap, ldap, lua, mailparse, mbstring, mcrypt, mongodb, msgpack, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, pspell, snmp, soap, sockets, xsl, yaf, zip, zlib |
php | 7.0.4 | cflinuxfs2 | bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, imap, ldap, lua, mailparse, mbstring, mcrypt, mongodb, msgpack, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, pspell, snmp, soap, sockets, xsl, yaf, zip, zlib |
composer | 1.0.0-beta1 | cflinuxfs2 | |
httpd | 2.4.18 | cflinuxfs2 | |
newrelic | 4.23.3.111 | cflinuxfs2 | |
nginx | 1.8.1 | cflinuxfs2 | |
nginx | 1.9.12 | cflinuxfs2 | |
- SHA256: 47d07c02c729c4775cc608bf9a7a22996322d46ab38ab0276bb5846a1bb6607e
staticfile-buildpack
updated to v1.3.3 (from v1.3.2)
v1.3.3
- Reduce disk usage by moving files instead of copying them into the public directory (https://www.pivotaltracker.com/story/show/112908945)
Packaged binaries:
name | version | cf_stacks |
---|---|---|
nginx | 1.9.12 | cflinuxfs2 |
- SHA256: bc4486c2382b54296a98a51655a9da4a50753f23e2c057f2dc18862e0fe29c65
Identity
Updated to UAA Release 3.2.1 from 3.1.0 (see Release Notes 3.2.0 and Release Notes 3.2.1)
Routing
TCP Routing (in progress)
- Operator may now use manifest property routing_api.enabled to control whether the routing endpoint is included in the response for GET /v2/info. This property will also control validations on other endpoints related to management of TCP routes.
Loggregator
- Defect fixed that could allow runaway creation of connections from Metrons to Dopplers.
- Fixed CVE-2016-2165 - Loggregator Request URL Paths
Internal Components
No functional changes.
Job Spec Changes
- For UAA Job spec changes please see here
Recommended BOSH Stemcell Versions
- AWS: light-bosh-stemcell-3215-aws-xen-hvm-ubuntu-trusty-go_agent
- vSphere: bosh-stemcell-3215-vsphere-esxi-ubuntu-trusty-go_agent
- OpenStack: N/A
- BOSH-Lite: bosh-stemcell-3147-warden-boshlite-ubuntu-trusty-go_agent
These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of diego-release, garden-linux-release, and etcd-release.
Recommended diego-release Version
- Diego final release v0.1460.0 · release notes
This is a soft recommendation; several different versions of diego-release may work fine with this version of cf-release.
Recommended garden-linux-release Version
- Garden-linux final release v0.334.0 · release notes
This is a soft recommendation; several different versions of the garden-linux-release may work fine with this version of cf-release and the aforementioned version of diego-release.
Recommended etcd-release Version
- etcd final release v38
This is a soft recommendation; several different versions of the etcd-release may work fine with this version of cf-release and the aforementioned version of diego-release.
Usage
You can reference this release in your deployment manifest from the releases section:

```yaml
- name: "cf"
  version: "233"
  url: "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=233"
  sha1: "611b0e37f5c8a61948e547630f3c218c0c465cc0"
```
Or upload it to your director with the upload-release command:

```shell
bosh upload-release --sha1 611b0e37f5c8a61948e547630f3c218c0c465cc0 \
  "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=233"
```
Jobs
- acceptance-tests
- binary-buildpack
- blobstore
- cloud_controller_clock
- cloud_controller_ng
- cloud_controller_worker
- collector
- consul_agent
- dea_logging_agent
- dea_next
- debian_nfs_server
- doppler
- etcd
- etcd_metrics_server
- go-buildpack
- gorouter
- haproxy
- hm9000
- java-buildpack
- java-offline-buildpack
- loggregator_trafficcontroller
- metron_agent
- nats
- nats_stream_forwarder
- nfs_mounter
- nodejs-buildpack
- php-buildpack
- postgres
- python-buildpack
- route_registrar
- ruby-buildpack
- smoke-tests
- staticfile-buildpack
- statsd-injector
- syslog_drain_binder
- uaa
Packages
- acceptance-tests
- binary-buildpack
- blobstore_url_signer
- buildpack_java
- buildpack_java_offline
- capi_utils
- cli
- cloud_controller_ng
- collector
- common
- confab
- consul
- consul-common
- dea_logging_agent
- dea_next
- debian_nfs_server
- doppler
- etcd
- etcd-common
- etcd_metrics_server
- gnatsd
- go-buildpack
- golang1.4
- golang1.5
- gorouter
- haproxy
- hm9000
- libmariadb
- libpq
- loggregator_common
- loggregator_trafficcontroller
- metron_agent
- nats
- nginx
- nginx_newrelic_plugin
- nginx_webdav
- nodejs-buildpack
- php-buildpack
- postgres-9.4.6
- python-buildpack
- rootfs_cflinuxfs2
- route_registrar
- ruby-2.1.8
- ruby-2.2.4
- ruby-buildpack
- smoke-tests
- staticfile-buildpack
- statsd-injector
- syslog_drain_binder
- uaa
- uaa_utils
- warden