cf/244
You can find the source of this version on GitHub at cloudfoundry/cf-release. It was created based on the commit e2198e12
.
Release Notes¶
The cf-release v244 was released on September 28, 2016.
IMPORTANT
- From this release onwards, Loggregator is no longer registering it legacy logging_endpoint
with the router. This makes the legacy endpoints on Traffic Controller unaccessible.
Contents: - CC and Service Broker APIs - Identity - Routing - Loggregator - Buildpacks and Stacks - DEA-Warden-HM9000 Runtime - Internal Components - Recommended Versions of Additional Releases - Job Spec Changes - Recommended BOSH Stemcell Versions
CC and Service Broker APIs
No Change
Identity
Updated to UAA Release 3.7.4
Routing
No changes
Loggregator
- Metron attempts initial reconnection to etcd using exponential backoff strategy up to 15 times instead of panicking immediately.
- Property name changes in
loggregator_trafficcontroller/spec
doppler.uaa_client_id
replacesloggregator.uaa.client
uaa.clients.doppler.secret
replacesloggregator.uaa.client_secret
doppler.outgoing_port
replacesloggregator.doppler_port
- Property name changes in
metron_agent/spec
metron_agent.listening_port
replacesmetron_agent.dropsonde_incoming_port
- The Loggregator Consumer endpoint no longer gets a route registered in this release. This makes the Loggregator Consumer endpoint inaccessible in this release. The loggregator_consumer library is deprecated in favor of noaa which makes use of the new endpoints as described here.
Buildpacks and Stacks
stacks
updated to 1.84.0 (from 1.80.0)
1.84.0
Notably, this release addresses USN-3087-2: OpenSSL regression.
USN-3087-2 is a fix for a regression introduced by USN-3087-1, which was included in cflinuxfs2 1.83.0.
1.83.0
Notably, this release addresses USN-3087-1: OpenSSL vulnerabilities Ubuntu Security Notice USN-3087-1: - CVE-2016-2177: OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-bufferboundary checks, which might allow remote attackers to cause a denial ofservice (integer overflow and application crash) or possibly haveunspecified other impact by leveraging unexpected malloc behavior, relatedto s3_srvr.c, ssl_sess.c, and t1_lib.c. - CVE-2016-2178: The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through1.0.2h does not properly ensure the use of constant-time operations, whichmakes it easier for local users to discover a DSA private key via a timingside-channel attack. - CVE-2016-2179: The DTLS implementation in OpenSSL before 1.1.0 does not properly restrictthe lifetime of queue entries associated with unused out-of-order messages,which allows remote attackers to cause a denial of service (memoryconsumption) by maintaining many crafted DTLS sessions simultaneously,related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c. - CVE-2016-2180: The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public KeyInfrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through1.0.2h allows remote attackers to cause a denial of service (out-of-boundsread and application crash) via a crafted time-stamp file that ismishandled by the “openssl ts” command. - CVE-2016-2181: The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0mishandles early use of a new epoch number in conjunction with a largesequence number, which allows remote attackers to cause a denial of service(false-positive packet drops) via spoofed DTLS records, related torec_layer_d1.c and ssl3_record.c. - CVE-2016-2182: The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 doesnot properly validate division results, which allows remote attackers tocause a denial of service (out-of-bounds write and application crash) orpossibly have unspecified other impact via unknown vectors. - CVE-2016-2183: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSecprotocols and other protocols and products, have a birthday bound ofapproximately four billion blocks, which makes it easier for remoteattackers to obtain cleartext data via a birthday attack against along-duration encrypted session, as demonstrated by an HTTPS session usingTriple DES in CBC mode, aka a “Sweet32” attack. - CVE-2016-6302: The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0does not consider the HMAC size during validation of the ticket length,which allows remote attackers to cause a denial of service via a ticketthat is too short. - CVE-2016-6303: Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c inOpenSSL before 1.1.0 allows remote attackers to cause a denial of service(out-of-bounds write and application crash) or possibly have unspecifiedother impact via unknown vectors. - CVE-2016-6304: OCSP Status Request extension unbounded memory growth - CVE-2016-6306: In ssl3_get_client_certificate, ssl3_get_server_certificate andssl3_get_certificate_request check we have enough roombefore reading a length.
1.82.0
To address RFC #36, this release upgrades Ruby from 2.2.4 to 2.3.1.
This release also addresses USN-3085-1: GDK-PixBuf vulnerabilities Ubuntu Security Notice USN-3085-1: - CVE-2015-7552: Heap-based buffer overflow in the gdk_pixbuf_flip function in gdk-pixbuf-scale.c in gdk-pixbuf 2.30.x allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted BMP file. - CVE-2015-8875: Multiple integer overflows in the (1) pixops_composite_nearest, (2)pixops_composite_color_nearest, and (3) pixops_process functions in pixops/pixops.c in gdk-pixbuf before 2.33.1 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted image, which triggers a heap-based buffer overflow. - CVE-2016-6352: Write out-of-bounds
1.81.0
No CVEs present.
binary-buildpack
updated to v1.0.4 (from v1.0.3)
v1.0.4
Highlights: - Updated various buildpack development dependencies
go-buildpack
updated to v1.7.13 (from v1.7.12)
v1.7.13
Highlights: - Add go 1.7.1
Default binary versions: go 1.6.3
nodejs-buildpack
updated to v1.5.20 (from v1.5.19)
v1.5.20
Highlights: - WARNING: This buildpack is vulnerable to high CVE 2016-6304. Please upgrade to 1.5.21 ASAP. - Add node 6.6.0, remove node 6.4.0
Default binary versions: node 4.5.0
php-buildpack
updated to v4.3.20 (from v4.3.19)
v4.3.20
Highlights: - Enable mssql and pdo-dblib support for PHP - Update modules: cassandra, xdebug, yaf, twig, php-protobuf - Updated dependencies: nginx, composer
Default binary versions: php 5.5.38, composer 1.2.1, httpd 2.4.23, newrelic 6.3.0.161, nginx 1.11.4
python-buildpack
updated to v1.5.10 (from v1.5.9)
v1.5.10
- Lock version of conda to 4.1.11
Default binary versions: python 2.7.12
ruby-buildpack
updated to v1.6.25 (from v1.6.24)
v1.6.25
- WARNING: This buildpack is vulnerable to high CVE 2016-6304. Please upgrade to 1.6.26 ASAP.
- Remove vendored libyaml
- Update bundler
Default binary versions: ruby 2.3.1, node 4.5.0
staticfile-buildpack
updated to v1.3.11 (from v1.3.10)
v1.3.11
- Update nginx
- Redact credentials from URLs in a cached and uncached buildpack output
DEA-Warden-HM9000 Runtime
No changes - direct team email: [email protected] - CF Dev mailing list: https://lists.cloudfoundry.org/archives/list/[email protected]/ - Slack channel: https://cloudfoundry.slack.com/messages/runtime_og/ - GitHub issues: https://github.com/cloudfoundry/dea-hm-workspace/issues
Internal Components
postgres-release
(includes postgres
job)
- No changes.
etcd-release
(includes etcd
and etcd_metrics_server
jobs)
- No changes
consul-release
(includes consul_agent
job)
- Bumped from v110 to v125. Functional changes:
- Bump consul to 0.7. details
- Add
consul.agent.dns_config.recursor_timeout
property. details - Add
drain
script. details - Significantly change the orchestration logic for starting consul servers. Consul will no longer use
bootstrap-expect
for determining which consul server should be the bootstrap node. This release will now programmatically determine which node to bootstrap, and in doing so paves the way for better and more advanced automatic failure recovery logic. details
nats-release
(includes nats
and nats_stream_forwarder
jobs)
- No change. Still v11. No functional changes.
Recommended Versions of Additional Releases
These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release. - Diego release v0.1486.0. Release notes for v0.1486.0. - Garden-Linux release v0.342.0. Release notes for v0.342.0. - etcd release v70. Release notes for v70 · v69 · v68. - cflinuxfs2-rootfs release v1.33.0. Release notes for v1.33.0 · v1.32.0 · v1.31.0 · v1.30.0.
Job Spec Changes
- Added
consul.agent.dns_config.recursor_timeout
property. details properties.uaa.clients.cc-service-dashboards.secret
– previously an optional field for opting in to SSO integration for services – is now a required field. details
Recommended BOSH Stemcell Versions
- real IaaS: 3263.2
- BOSH-Lite: 3262.2
Note: For AWS you should use the Xen-HVM stemcells rather than Xen.
These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.
Usage¶
You can reference this release in your deployment manifest from the releases
section:
- name: "cf" version: "244" url: "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=244" sha1: "e1666f711ef806399caa87f2fd72c669324c151e"
Or upload it to your director with the upload-release
command:
bosh upload-release --sha1 e1666f711ef806399caa87f2fd72c669324c151e \ "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=244"
Jobs¶
- acceptance-tests
- binary-buildpack
- blobstore
- cc_uploader
- cloud_controller_clock
- cloud_controller_ng
- cloud_controller_worker
- collector
- consul_agent
- dea_logging_agent
- dea_next
- debian_nfs_server
- doppler
- etcd
- etcd_metrics_server
- go-buildpack
- gorouter
- haproxy
- hm9000
- java-buildpack
- java-offline-buildpack
- loggregator_trafficcontroller
- metron_agent
- metron_agent_windows
- nats
- nats_stream_forwarder
- nfs_mounter
- nodejs-buildpack
- nsync
- php-buildpack
- postgres
- python-buildpack
- route_registrar
- ruby-buildpack
- smoke-tests
- stager
- staticfile-buildpack
- statsd-injector
- syslog_drain_binder
- tps
- uaa
Packages¶
- acceptance-tests
- binary-buildpack
- blobstore_url_signer
- buildpack_java
- buildpack_java_offline
- capi_utils
- cc_uploader
- cli
- cloud_controller_ng
- collector
- common
- confab
- consul
- dea_logging_agent
- dea_next
- debian_nfs_server
- doppler
- etcd
- etcd-common
- etcd-dns-checker
- etcd_metrics_server
- gnatsd
- go-buildpack
- golang1.6
- golang1.7
- golang1.7-windows
- gorouter
- haproxy
- hm9000
- libmariadb
- libpq
- loggregator_common
- loggregator_trafficcontroller
- metron_agent
- metron_agent_windows
- nats
- nats-common
- nginx
- nginx_newrelic_plugin
- nginx_webdav
- nodejs-buildpack
- nsync
- php-buildpack
- postgres-9.4.9
- postgres-common
- python-buildpack
- rootfs_cflinuxfs2
- route_registrar
- routing_utils
- ruby-2.1.8
- ruby-2.2.5
- ruby-2.3
- ruby-buildpack
- smoke-tests
- stager
- staticfile-buildpack
- statsd-injector
- syslog_drain_binder
- tps
- uaa
- uaa_utils
- warden