cf/241
You can find the source of this version on GitHub at cloudfoundry/cf-release. It was created based on the commit 638c22f9.
Release Notes¶
The cf-release v241 was released on August 29, 2016.
IMPORTANT
- UPDATE 2016-09-02 17:06 UTC - MySQL implicitly ends transactions before (and often after) certain statements, including DDL statements. A Cloud Controller database migration in CF-241 encrypts the specified buildpack of an application, since this column could contain a Git URL containing a username and password. To perform this migration, it creates new columns, encrypts the existing buildpack data and saves it to the new columns, then deletes the old column. This results in a period of time during which Cloud Controllers still running the code from a previous release can write data to the old column, which is about to be deleted, when an app is pushed with a specified buildpack. While this sort of migration is uncommon, this is not the first time Cloud Controller has made one. Operators who are particularly sensitive to this can scale their Cloud Controller to a single instance in order to take downtime while the migration is performed. The CAPI team intends to explore how we can make migrations on MySQL better in the future.
- UPDATE 2016-09-01 21:36 UTC - The underlying Sequel gem automatically runs migrations in a transaction for RDBMSs that support transactional DDL statements. This means PostgreSQL will run the entire migration in a transaction, but MySQL will not. We are still determining the proper steps to take for MySQL.
- UPDATE 2016-09-01 17:25 UTC - The Cloud Controller database migration in CF-241 is not wrapped in a transaction. During a rolling deploy of Cloud Controllers, API requests to Cloud Controllers with the previous code could result in data inconsistencies. We will update these release notes when we determine the proper resolution.
- CVE-2016-6638: The Cloud Controller in CF-241 contains a database migration to encrypt an app's specified buildpack at rest. Although it is not recommended, a user could specify a git buildpack URL containing a username and password. This migration will cause the /v2/apps API (or any API call that returns app resource data through inline-relations-depth or summary endpoints) to fail during the rolling deploy, as the migration is performed before the updated Cloud Controller(s) are deployed.
- This release updates the version of PostgreSQL used in the postgres job to 9.4.9 from 9.4.6. This also drops support for upgrading from PostgreSQL 9.4.2. Before upgrading to this or later versions of cf-release, you must first upgrade to v226 or higher.
- This release introduces official support for running the etcd cluster (shared by several components such as Routing API and the loggregator subsystem, but not Diego, which uses its own secure cluster) in secure TLS mode. Upgrading an existing deployment with an insecure etcd cluster to a secure one with minimal downtime is non-trivial. Instructions and additional information for this procedure can be found here. If you are using the manifest generation scripts included within the cf-release repo to generate manifests, you are strongly recommended to upgrade to a secure etcd cluster at this point. The instructions above assume you are upgrading to a secure etcd cluster from a pre-v241 Cloud Foundry deployment and will not apply as smoothly if you later attempt to upgrade a post-v241 non-TLS etcd cluster to a TLS cluster within the Cloud Foundry deployment.
Contents:
- CC and Service Broker APIs
- Identity
- Routing
- Loggregator
- Buildpacks and Stacks
- DEA-Warden-HM9000 Runtime
- Internal Components
- Recommended Versions of Additional Releases
- Job Spec Changes
- Recommended BOSH Stemcell Versions
CC and Service Broker APIs
Contains CAPI release v1.3.0. Release notes for v1.2.0 and v1.3.0
Identity
No Changes
Routing
Routing release bumped to 0.137.0 - Release Notes
Loggregator
- Loggregator now provides metron_agent_windows so you can run the Metron Agent on Microsoft Windows Diego Cells.
- Loggregator now supports dynamic IPs after fixing this issue.
Buildpacks and Stacks
stacks updated to 1.78.0 (from 1.72.0)
1.78.0
USN-3067-1: HarfBuzz vulnerabilities (Ubuntu Security Notice USN-3067-1):
- CVE-2015-8947: hb-ot-layout-gpos-table.hh in HarfBuzz before 1.0.5 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted data, a different vulnerability than CVE-2016-2052.
- CVE-2016-2052: Multiple unspecified vulnerabilities in HarfBuzz before 1.0.6, as used in Google Chrome before 48.0.2564.82, allow attackers to cause a denial of service or possibly have other impact via crafted data, as demonstrated by a buffer over-read resulting from an inverted length check in hb-ot-font.cc, a different issue than CVE-2015-8947.
USN-3068-1: Libidn vulnerabilities (Ubuntu Security Notice USN-3068-1):
- CVE-2015-2059: The stringprep_utf8_to_ucs4 function in libidn before 1.31, as used in jabberd2, allows context-dependent attackers to read system memory and possibly have other unspecified impact via invalid UTF-8 characters in a string, which triggers an out-of-bounds read.
- CVE-2015-8948: Solve out-of-bounds read when reading one zero byte as input
- CVE-2016-6261: out-of-bounds stack read in idna_to_ascii_4i
- CVE-2016-6262: Solve out-of-bounds read when reading one zero byte as input
- CVE-2016-6263: stringprep_utf8_nfkc_normalize rejects invalid UTF-8
1.77.0
USN-3064-1: GnuPG vulnerability (Ubuntu Security Notice USN-3064-1):
- CVE-2016-6313: random number generator prediction
USN-3065-1: Libgcrypt vulnerability (Ubuntu Security Notice USN-3065-1):
- CVE-2016-6313: random number generator prediction
1.76.0
USN-3063-1: Fontconfig vulnerability (Ubuntu Security Notice USN-3063-1):
- CVE-2016-5384: fontconfig before 2.12.1 does not validate offsets, which allows local users to trigger arbitrary free calls and consequently conduct double free attacks and execute arbitrary code via a crafted cache file.
1.75.0
USN-3061-1: OpenSSH vulnerabilities (Ubuntu Security Notice USN-3061-1):
- CVE-2016-6210: User enumeration via covert timing channel
- CVE-2016-6515: The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string.
1.74.0
USN-3060-1: GD library vulnerabilities (Ubuntu Security Notice USN-3060-1):
- CVE-2016-6132: out-of-bounds read in the parsing of TGA files using libgd
- CVE-2016-6207: OOB or OOM in gdImageScale
- CVE-2016-6214: out-of-bounds read issue
1.73.0
USN-3048-1: curl vulnerabilities (Ubuntu Security Notice USN-3048-1):
- CVE-2016-5419: TLS session resumption client cert bypass
- CVE-2016-5420: Re-using connections with wrong client cert
- CVE-2016-5421: use of connection struct after free
python-buildpack updated to v1.5.9 (from v1.5.8)
v1.5.9
Highlights:
- Add credential filtering for printed URLs (https://www.pivotaltracker.com/n/projects/1042066/stories/126514693)
- Add default_versions support for specifying the Python default version (https://www.pivotaltracker.com/n/projects/1042066/stories/126394947)
Default binary versions: python 2.7.12
ruby-buildpack updated to v1.6.21 (from v1.6.20)
v1.6.21
Highlights:
- Redact credentials from URLs in a cached buildpack's output (https://www.pivotaltracker.com/story/show/127357631)
- Redact credentials from URLs in an uncached buildpack's output (https://www.pivotaltracker.com/story/show/126514693)
- Add default_versions support to buildpack (https://www.pivotaltracker.com/story/show/126394819)
Default binary versions: ruby 2.3.1, node 4.4.7
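The credential redaction that the python-buildpack and ruby-buildpack entries above describe, as an added Ruby example (not the buildpacks' own code): a filter that masks the userinfo of any absolute URL before a line is printed or logged. The function names and the sample staging lines are constructed.

```ruby
# Added example, not code from cf-release or the buildpacks: mask the
# credentials part of URLs before staging output is printed or logged.
# Function names and sample lines below are constructed for illustration.

# Matches "scheme://user[:password]@". Only userinfo directly after the
# scheme is touched, so "git@github.com:org/repo.git" (no "://") and an
# "@" appearing later in a path (".../tags@v1") are left unchanged.
URL_USERINFO = %r{
  ([a-z][a-z0-9+.\-]*://)  # scheme and "://" (captured, kept in output)
  [^/\s@]+                 # user or user:password; no slash, space or @
  @                        # end of userinfo
}xi

REDACTED_USERINFO = "[REDACTED]@"

# Returns a copy of `text` with every URL userinfo replaced by a fixed marker,
# hiding the username as well as the password.
def redact_url_credentials(text)
  text.gsub(URL_USERINFO) { "#{Regexp.last_match(1)}#{REDACTED_USERINFO}" }
end

# Redacts a whole log and reports how many lines were changed.
def redact_log(lines)
  redacted = lines.map { |line| redact_url_credentials(line) }
  [redacted, lines.zip(redacted).count { |before, after| before != after }]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample staging output; none of these credentials are real.
  sample = [
    "-----> Downloading buildpack https://deploy:s3cret@git.example.org/bp.git",
    "-----> Cloning https://token@git.example.org/private/repo.git",
    "-----> Fetching git@github.com:cloudfoundry/ruby-buildpack.git",
    "-----> Installing ruby 2.3.1 from https://buildpacks.example.org/ruby"
  ]
  lines, changed = redact_log(sample)
  puts lines
  puts "#{changed} line(s) redacted"
end
```

Run the filter over every line before it is written, not only over the URL the buildpack was asked to fetch: redirect targets and error messages from git or curl echo the same URL back.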
DEA-Warden-HM9000 Runtime
- Create cgroups after rebooting a DEA VM (details)
- Fix DEA template to properly respect enable_ssl (details)
- Retry staging if the DEA is evacuating or shutting down (details)
- Fix memory leak on failed downloads (details)
- Starting only occurs after staging is marked successful (details)
- DEA waits for staging tasks to complete before shutting down (details)
- Ruby is updated to 2.3.1
- NATS clients have been updated
- direct team email: [email protected]
- CF Dev mailing list: https://lists.cloudfoundry.org/archives/list/[email protected]/
- Slack channel: https://cloudfoundry.slack.com/messages/runtime_og/
- GitHub issues: https://github.com/cloudfoundry/dea-hm-workspace/issues
Internal Components
postgres-release (includes postgres job)
- Bumped to v5. Functional changes:
  - Bumped from the postgres-9.4.6 package to postgres-9.4.9. NOTE: this drops support for upgrading from PostgreSQL 9.4.2. (details)
etcd-release (includes etcd and etcd_metrics_server jobs)
- Bumped from v63 to v66. Functional changes:
  - Removed all /varz support from etcd_metrics_server. (details)
consul-release (includes consul_agent job)
- Bumped from v101 to v108. Functional changes:
  - Fixed consul_agent in client mode to use ephemeral disk instead of a possibly-non-existent persistent disk for storing data such as gossip keyring data, avoiding issues such as having no space left on the root volume device. (details)
  - Added support for passing the max_stale and allow_stale DNS config options through to Consul. (details)
nats-release (includes nats and nats_stream_forwarder jobs)
- Bumped to v8. Functional changes:
Recommended Versions of Additional Releases
These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.
- Diego release v0.1483.0. Release notes for v0.1483.0 · v0.1482.0.
- Garden-Linux release v0.342.0. Release notes for v0.342.0 · v0.341.0 · v0.340.0.
- etcd release v66. Release notes for v66 · v65 · v64.
- cflinuxfs2-rootfs release v1.27.0. Release notes for v1.27.0 · v1.26.0 · v1.25.0 · v1.24.0 · v1.23.0 · v1.22.0.
Job Spec Changes
- Removed the etcd_metrics_server.nats.password, etcd_metrics_server.nats.username, etcd_metrics_server.nats.port, and etcd_metrics_server.nats.machines properties from the etcd_metrics_server job. (details)
Recommended BOSH Stemcell Versions
- real IaaS: 3262.8
- BOSH-Lite: 3262.2
Note: For AWS you should use the Xen-HVM stemcells rather than Xen.
These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.
Usage¶
You can reference this release in your deployment manifest from the releases section:

    - name: "cf"
      version: "241"
      url: "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=241"
      sha1: "e31bf9e0f664687579a58837ff34bd64eadacfb9"

Or upload it to your director with the upload-release command:

    bosh upload-release --sha1 e31bf9e0f664687579a58837ff34bd64eadacfb9 \
      "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=241"
Jobs¶
- acceptance-tests
- binary-buildpack
- blobstore
- cc_uploader
- cloud_controller_clock
- cloud_controller_ng
- cloud_controller_worker
- collector
- consul_agent
- dea_logging_agent
- dea_next
- debian_nfs_server
- doppler
- etcd
- etcd_metrics_server
- go-buildpack
- gorouter
- haproxy
- hm9000
- java-buildpack
- java-offline-buildpack
- loggregator_trafficcontroller
- metron_agent
- nats
- nats_stream_forwarder
- nfs_mounter
- nodejs-buildpack
- nsync
- php-buildpack
- postgres
- python-buildpack
- route_registrar
- ruby-buildpack
- smoke-tests
- stager
- staticfile-buildpack
- statsd-injector
- syslog_drain_binder
- tps
- uaa
Packages¶
- acceptance-tests
- binary-buildpack
- blobstore_url_signer
- buildpack_java
- buildpack_java_offline
- capi_utils
- cc_uploader
- cli
- cloud_controller_ng
- collector
- common
- confab
- consul
- dea_logging_agent
- dea_next
- debian_nfs_server
- doppler
- etcd
- etcd-common
- etcd-dns-checker
- etcd_metrics_server
- gnatsd
- go-buildpack
- golang1.6
- gorouter
- haproxy
- hm9000
- libmariadb
- libpq
- loggregator_common
- loggregator_trafficcontroller
- metron_agent
- nats
- nats-common
- nginx
- nginx_newrelic_plugin
- nginx_webdav
- nodejs-buildpack
- nsync
- php-buildpack
- postgres-9.4.9
- postgres-common
- python-buildpack
- rootfs_cflinuxfs2
- route_registrar
- routing_utils
- ruby-2.1.8
- ruby-2.2.5
- ruby-2.3
- ruby-buildpack
- smoke-tests
- stager
- staticfile-buildpack
- statsd-injector
- syslog_drain_binder
- tps
- uaa
- uaa_utils
- warden