cf/247

The cf-release v247 was released on November 17, 2016.

Contents: - CC and Service Broker APIs - Identity - Routing - Loggregator - Buildpacks and Stacks - DEA-Warden-HM9000 Runtime - Internal Components - Recommended Versions of Additional Releases - Job Spec Changes - Recommended BOSH Stemcell Versions

CC and Service Broker APIs

Contains CAPI release v1.11.0. Release notes for v1.11.0

Identity

Updated to UAA 3.9.0

Routing

No changes

Loggregator

This release includes support for gRPC which enables TLS. For notes about setting up certs see: https://github.com/cloudfoundry/loggregator#generating-tls-certificates

Buildpacks and Stacks

stacks

updated to 1.90.0 (from 1.89.0)

1.90.0

Notably, this release addresses:

USN-3116-1: DBus vulnerabilities Ubuntu Security Notice USN-3116-1: - CVE-2015-0245: D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9.x before 1.9.10 does not validate the source of ActivationFailure signals, which allows local users to cause a denial of service (activation failure error returned) by leveraging a race condition involving sending an ActivationFailure signal before systemd responds.

USN-3117-1: GD library vulnerabilities Ubuntu Security Notice USN-3117-1: - CVE-2016-6911: invalid read in gdImageCreateFromTiffPtr() - CVE-2016-7568: Integer overflow in the gdImageWebpCtx function in gd_webp.c in the GD Graphics Library (aka libgd) through 2.2.3, as used in PHP through 7.0.11, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted imagewebp and imagedestroy calls. - CVE-2016-8670: Stack Buffer Overflow in GD dynamicGetbuf

USN-3119-1: Bind vulnerability Ubuntu Security Notice USN-3119-1: - CVE-2016-8864: A problem handling responses containing a DNAME answer can lead to an assertion failure

USN-3123-1: curl vulnerabilities Ubuntu Security Notice USN-3123-1: - CVE-2016-7141: curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420. - CVE-2016-7167: Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow. - CVE-2016-8615: cookie injection for other servers - CVE-2016-8616: case insensitive password comparison - CVE-2016-8617: OOB write via unchecked multiplication - CVE-2016-8618: double-free in curl_maprintf - CVE-2016-8619: double-free in krb5 code - CVE-2016-8620: glob parser write/read out of bounds - CVE-2016-8621: curl_getdate read out of bounds - CVE-2016-8622: URL unescape heap overflow via integer truncation - CVE-2016-8623: Use-after-free via shared cookies - CVE-2016-8624: invalid URL parsing with ‘#’

dotnet-core-buildpack

v1.0.5

CF v247 is the first CF release to include the .NET Core buildpack. This buildpack adds support for .NET Core apps on the cflinuxfs2 stack.

DEA-Warden-HM9000 Runtime

This section will be updated soon. If this section is not yet up-to-date, please reach out for information: - direct team email: runtime-og@cloudfoundry.org - CF Dev mailing list: https://lists.cloudfoundry.org/archives/list/cf-dev@lists.cloudfoundry.org/ - Slack channel: https://cloudfoundry.slack.com/messages/runtime_og/ - GitHub issues: https://github.com/cloudfoundry/dea-hm-workspace/issues

Internal Components

postgres-release (includes postgres job)

No changes.

etcd-release (includes etcd and etcd_metrics_server jobs)

• Bumped from v77 to v85. Functional changes:
  • Bump golang to 1.7.3 details
  • Properly set ulimit for the etcd process details
  • Make bind addresses configurable for etcd and proxy details
  • Fix submodule URL in etcd_metrics_server details

consul-release (includes consul_agent job)

• Bumped from v133 to v135. Functional changes:
  • Properly set ulimit for consul process details

nats-release (includes nats and nats_stream_forwarder jobs)

• No changes.

Recommended Versions of Additional Releases

These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release. - Diego release v0.1489.0. Release notes for v0.1489.0 · v0.1488.0. - Garden-Runc release v1.0.3. Release notes for v1.0.3 · v1.0.2 · v1.0.1. - etcd release v85. Release notes for v85 · v84 · v83 · v82 · v81 · v80 · v79. - cflinuxfs2-rootfs release v1.39.0. Release notes for v1.39.0.

Although it’s still considered experimental, we have started to test CF against the new netman release. It’s not recommended for production, but for those deploying it, here is the information for netman-release: - netman release v0.6.0. Release notes for v0.6.0.

Job Spec Changes

• Add etcd.client_ip and etcd.peer_ip to allow specifying the bind address for the etcd server details
• Add etcd_proxy.ip to allow specifying the bind address the the etcd proxy server details

Recommended BOSH Stemcell Versions

• real IaaS: 3309
• BOSH-Lite: 3309

Note: For AWS you should use the Xen-HVM stemcells rather than Xen.

These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.

- name: "cf"
  version: "247"
  url: "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=247"
  sha1: "5ce865925ed3696453a4bc0a8a54d076b01061b7"

bosh upload-release --sha1 5ce865925ed3696453a4bc0a8a54d076b01061b7 \
  "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=247"