cf/244

The cf-release v244 was released on September 28, 2016.

IMPORTANT - From this release onwards, Loggregator is no longer registering it legacy logging_endpoint with the router. This makes the legacy endpoints on Traffic Controller unaccessible.

Contents: - CC and Service Broker APIs - Identity - Routing - Loggregator - Buildpacks and Stacks - DEA-Warden-HM9000 Runtime - Internal Components - Recommended Versions of Additional Releases - Job Spec Changes - Recommended BOSH Stemcell Versions

CC and Service Broker APIs

No Change

Identity

Updated to UAA Release 3.7.4

Routing

No changes

Loggregator

• Metron attempts initial reconnection to etcd using exponential backoff strategy up to 15 times instead of panicking immediately.
• Property name changes in loggregator_trafficcontroller/spec
  • doppler.uaa_client_id replaces loggregator.uaa.client
  • uaa.clients.doppler.secret replaces loggregator.uaa.client_secret
  • doppler.outgoing_port replaces loggregator.doppler_port
• Property name changes in metron_agent/spec
  • metron_agent.listening_port replacesmetron_agent.dropsonde_incoming_port
• The Loggregator Consumer endpoint no longer gets a route registered in this release. This makes the Loggregator Consumer endpoint inaccessible in this release. The loggregator_consumer library is deprecated in favor of noaa which makes use of the new endpoints as described here.

Buildpacks and Stacks

stacks

updated to 1.84.0 (from 1.80.0)

1.84.0

Notably, this release addresses USN-3087-2: OpenSSL regression.

USN-3087-2 is a fix for a regression introduced by USN-3087-1, which was included in cflinuxfs2 1.83.0.

1.83.0

Notably, this release addresses USN-3087-1: OpenSSL vulnerabilities Ubuntu Security Notice USN-3087-1: - CVE-2016-2177: OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-bufferboundary checks, which might allow remote attackers to cause a denial ofservice (integer overflow and application crash) or possibly haveunspecified other impact by leveraging unexpected malloc behavior, relatedto s3_srvr.c, ssl_sess.c, and t1_lib.c. - CVE-2016-2178: The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through1.0.2h does not properly ensure the use of constant-time operations, whichmakes it easier for local users to discover a DSA private key via a timingside-channel attack. - CVE-2016-2179: The DTLS implementation in OpenSSL before 1.1.0 does not properly restrictthe lifetime of queue entries associated with unused out-of-order messages,which allows remote attackers to cause a denial of service (memoryconsumption) by maintaining many crafted DTLS sessions simultaneously,related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c. - CVE-2016-2180: The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public KeyInfrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through1.0.2h allows remote attackers to cause a denial of service (out-of-boundsread and application crash) via a crafted time-stamp file that ismishandled by the “openssl ts” command. - CVE-2016-2181: The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0mishandles early use of a new epoch number in conjunction with a largesequence number, which allows remote attackers to cause a denial of service(false-positive packet drops) via spoofed DTLS records, related torec_layer_d1.c and ssl3_record.c. - CVE-2016-2182: The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 doesnot properly validate division results, which allows remote attackers tocause a denial of service (out-of-bounds write and application crash) orpossibly have unspecified other impact via unknown vectors. - CVE-2016-2183: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSecprotocols and other protocols and products, have a birthday bound ofapproximately four billion blocks, which makes it easier for remoteattackers to obtain cleartext data via a birthday attack against along-duration encrypted session, as demonstrated by an HTTPS session usingTriple DES in CBC mode, aka a “Sweet32” attack. - CVE-2016-6302: The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0does not consider the HMAC size during validation of the ticket length,which allows remote attackers to cause a denial of service via a ticketthat is too short. - CVE-2016-6303: Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c inOpenSSL before 1.1.0 allows remote attackers to cause a denial of service(out-of-bounds write and application crash) or possibly have unspecifiedother impact via unknown vectors. - CVE-2016-6304: OCSP Status Request extension unbounded memory growth - CVE-2016-6306: In ssl3_get_client_certificate, ssl3_get_server_certificate andssl3_get_certificate_request check we have enough roombefore reading a length.

1.82.0

To address RFC #36, this release upgrades Ruby from 2.2.4 to 2.3.1.

This release also addresses USN-3085-1: GDK-PixBuf vulnerabilities Ubuntu Security Notice USN-3085-1: - CVE-2015-7552: Heap-based buffer overflow in the gdk_pixbuf_flip function in gdk-pixbuf-scale.c in gdk-pixbuf 2.30.x allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted BMP file. - CVE-2015-8875: Multiple integer overflows in the (1) pixops_composite_nearest, (2)pixops_composite_color_nearest, and (3) pixops_process functions in pixops/pixops.c in gdk-pixbuf before 2.33.1 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted image, which triggers a heap-based buffer overflow. - CVE-2016-6352: Write out-of-bounds

1.81.0

No CVEs present.

binary-buildpack

updated to v1.0.4 (from v1.0.3)

v1.0.4

Highlights: - Updated various buildpack development dependencies

go-buildpack

updated to v1.7.13 (from v1.7.12)

v1.7.13

Highlights: - Add go 1.7.1

Default binary versions: go 1.6.3

nodejs-buildpack

updated to v1.5.20 (from v1.5.19)

v1.5.20

Highlights: - WARNING: This buildpack is vulnerable to high CVE 2016-6304. Please upgrade to 1.5.21 ASAP. - Add node 6.6.0, remove node 6.4.0

Default binary versions: node 4.5.0

php-buildpack

updated to v4.3.20 (from v4.3.19)

v4.3.20

Highlights: - Enable mssql and pdo-dblib support for PHP - Update modules: cassandra, xdebug, yaf, twig, php-protobuf - Updated dependencies: nginx, composer

Default binary versions: php 5.5.38, composer 1.2.1, httpd 2.4.23, newrelic 6.3.0.161, nginx 1.11.4

python-buildpack

updated to v1.5.10 (from v1.5.9)

v1.5.10

• Lock version of conda to 4.1.11

Default binary versions: python 2.7.12

ruby-buildpack

updated to v1.6.25 (from v1.6.24)

v1.6.25

• WARNING: This buildpack is vulnerable to high CVE 2016-6304. Please upgrade to 1.6.26 ASAP.
• Remove vendored libyaml
• Update bundler

Default binary versions: ruby 2.3.1, node 4.5.0

staticfile-buildpack

updated to v1.3.11 (from v1.3.10)

v1.3.11

• Update nginx
• Redact credentials from URLs in a cached and uncached buildpack output

DEA-Warden-HM9000 Runtime

No changes - direct team email: runtime-og@cloudfoundry.org - CF Dev mailing list: https://lists.cloudfoundry.org/archives/list/cf-dev@lists.cloudfoundry.org/ - Slack channel: https://cloudfoundry.slack.com/messages/runtime_og/ - GitHub issues: https://github.com/cloudfoundry/dea-hm-workspace/issues

Internal Components

postgres-release (includes postgres job)

• No changes.

etcd-release (includes etcd and etcd_metrics_server jobs)

• No changes

consul-release (includes consul_agent job)

• Bumped from v110 to v125. Functional changes:
  • Bump consul to 0.7. details
  • Add consul.agent.dns_config.recursor_timeout property. details
  • Add drain script. details
  • Significantly change the orchestration logic for starting consul servers. Consul will no longer use bootstrap-expect for determining which consul server should be the bootstrap node. This release will now programmatically determine which node to bootstrap, and in doing so paves the way for better and more advanced automatic failure recovery logic. details

nats-release (includes nats and nats_stream_forwarder jobs)

• No change. Still v11. No functional changes.

Recommended Versions of Additional Releases

These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release. - Diego release v0.1486.0. Release notes for v0.1486.0. - Garden-Linux release v0.342.0. Release notes for v0.342.0. - etcd release v70. Release notes for v70 · v69 · v68. - cflinuxfs2-rootfs release v1.33.0. Release notes for v1.33.0 · v1.32.0 · v1.31.0 · v1.30.0.

Job Spec Changes

• Added consul.agent.dns_config.recursor_timeout property. details
  
• properties.uaa.clients.cc-service-dashboards.secret – previously an optional field for opting in to SSO integration for services – is now a required field. details

Recommended BOSH Stemcell Versions

• real IaaS: 3263.2
• BOSH-Lite: 3262.2

Note: For AWS you should use the Xen-HVM stemcells rather than Xen.

These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.

- name: "cf"
  version: "244"
  url: "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=244"
  sha1: "e1666f711ef806399caa87f2fd72c669324c151e"

bosh upload-release --sha1 e1666f711ef806399caa87f2fd72c669324c151e \
  "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=244"