v248
The cf-release v248 was released on December 02, 2016.
IMPORTANT
BACKWARDS INCOMPATIBLE CHANGES
Starting with this release, UAA no longer provides default values for the SAML Service Provider certificate and the JWT signing key. This is a security best practice: a shipped default is public material, so a token signed with the default key would be trusted by every deployment still using it, and the SAML SP certificate would likewise be shared across installations. Both values must now be generated explicitly for each UAA deployment, and UAA will not start up or function correctly without them.
These are standard artifacts that can be generated with openssl. Refer to the UAA documentation for how to generate a self-signed certificate and for further details.
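The following is an added example, not code from cf-release or UAA, showing one way to produce the two artifacts the notice requires with openssl: a self-signed SAML Service Provider key and certificate, and an RSA keypair for JWT signing (private key for signing, public key for verification). The output directory, file names, subject CN and validity period are assumptions; where the resulting PEM blobs go in your deployment manifest depends on the UAA release you run and is not described on this page.

```shell
#!/bin/sh
# Added example (not from cf-release or UAA). Generates the per-deployment
# material that UAA no longer defaults as of cf-release v248. File names,
# CN and validity are assumptions; adjust to your deployment.

# generate_uaa_keys OUTDIR [CN] [DAYS]
# Writes:
#   OUTDIR/saml-sp.key, OUTDIR/saml-sp.crt      - SAML SP private key + self-signed certificate
#   OUTDIR/jwt-signing.key, OUTDIR/jwt-verification.pub - RSA keypair for JWT signing/verification
generate_uaa_keys() {
  outdir="$1"; cn="${2:-uaa.example.com}"; days="${3:-365}"
  mkdir -p "$outdir"
  (
    umask 077   # private keys must never be group/world readable

    # SAML SP certificate: 2048-bit RSA, SHA-256 self-signed, unencrypted key
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
      -subj "/CN=$cn" \
      -keyout "$outdir/saml-sp.key" -out "$outdir/saml-sp.crt" 2>/dev/null

    # JWT signing key: RSA private key, plus the public key that token
    # consumers (Cloud Controller, Gorouter, ...) use to verify signatures
    openssl genrsa -out "$outdir/jwt-signing.key" 2048 2>/dev/null
    openssl rsa -in "$outdir/jwt-signing.key" -pubout \
      -out "$outdir/jwt-verification.pub" 2>/dev/null
  )
}

# check_uaa_keys OUTDIR: sanity checks worth running before the material
# goes into a manifest. Returns non-zero on the first failed check.
check_uaa_keys() {
  outdir="$1"
  # certificate parses and is not already expired
  openssl x509 -in "$outdir/saml-sp.crt" -noout -checkend 0 >/dev/null 2>&1 || return 1
  # self-signed: issuer must equal subject
  [ "$(openssl x509 -in "$outdir/saml-sp.crt" -noout -subject)" = \
    "$(openssl x509 -in "$outdir/saml-sp.crt" -noout -issuer | sed 's/^issuer/subject/')" ] || return 1
  # certificate and private key belong together (same RSA modulus)
  [ "$(openssl x509 -in "$outdir/saml-sp.crt" -noout -modulus)" = \
    "$(openssl rsa -in "$outdir/saml-sp.key" -noout -modulus 2>/dev/null)" ] || return 1
  # JWT private key is a consistent RSA key
  openssl rsa -in "$outdir/jwt-signing.key" -check -noout >/dev/null 2>&1 || return 1
  # private material is owner-only
  for f in "$outdir/saml-sp.key" "$outdir/jwt-signing.key"; do
    [ -z "$(find "$f" -perm -044)" ] || return 1
  done
  return 0
}

# Usage: generate_uaa_keys ./uaa-keys uaa.example.com 730 && check_uaa_keys ./uaa-keys
```

Generate a distinct set per environment; reusing one JWT signing key across deployments recreates exactly the cross-deployment trust problem that removing the defaults is meant to close.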
Contents:
- CC and Service Broker APIs
- Identity
- Routing
- Loggregator
- Buildpacks and Stacks
- DEA-Warden-HM9000 Runtime
- Internal Components
- Recommended Versions of Additional Releases
- Job Spec Changes
- Recommended BOSH Stemcell Versions
CC and Service Broker APIs
Contains CAPI release v1.11.0. Release notes for v1.11.0
Identity
This release includes UAA 3.9.2
Routing
No changes
Loggregator
This section will be updated soon. If this section is not yet up-to-date, please reach out for information:
- direct team email: [email protected]
- CF Dev mailing list: https://lists.cloudfoundry.org/archives/list/[email protected]/
- Slack channel: https://cloudfoundry.slack.com/messages/loggregator/
- GitHub issues: https://github.com/cloudfoundry/loggregator/issues
Buildpacks and Stacks
stacks
updated to 1.92.0 (from 1.90.0)
1.92.0
USN-3142-1 Ubuntu Security Notice USN-3142-1:
- CVE-2016-7799: mogrify global buffer overflow
- CVE-2016-7906: imagemagick mogrify heap use after free
- CVE-2016-8677: memory allocate failure in AcquireQuantumPixels
- CVE-2016-8862: memory allocation failure in AcquireMagickMemory (memory.c)
- CVE-2016-9556: heap buffer overflow in IsPixelGray
USN-3139-1 Ubuntu Security Notice USN-3139-1:
- CVE-2016-1248: vim before patch 8.0.0056 does not properly validate values for the 'filetype', 'syntax' and 'keymap' options, which may result in the execution of arbitrary code if a file with a specially crafted modeline is opened.
USN-3134-1 Ubuntu Security Notice USN-3134-1:
- CVE-2016-0772: The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
- CVE-2016-1000110: use of HTTP_PROXY flag supplied by attacker in CGI scripts
- CVE-2016-5636: Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.
- CVE-2016-5699: CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.
USN-3132-1 Ubuntu Security Notice USN-3132-1:
- CVE-2016-6321: GNU tar, bypassing the extract path name check (directory traversal via crafted member names)
USN-3131-1 Ubuntu Security Notice USN-3131-1:
(81 CVEs addressed, see USN link)
1.91.0
dotnet-core-buildpack
updated to v1.0.5 (from v1.0.4)
v1.0.5
- Add bower 1.8.0, remove bower 1.7.9
- Serve libunwind from buildpacks.cloudfoundry.org
Default binary versions: node 6.9.1, bower 1.8.0, dotnet 1.0.0-preview2-003131
go-buildpack
updated to v1.7.15 (from v1.7.14)
v1.7.15
- Ensure all downloaded binaries have checksums verified
- Add godep v75, remove godep v74
Default binary versions: go 1.6.3
nodejs-buildpack
updated to v1.5.23 (from v1.5.22)
v1.5.23
- Add node 7.1.0, 7.0.0, 6.9.1, 4.6.2
- Remove node 6.8.1, 4.6.0, 0.10.47 (EOL), 0.10.48 (EOL)
- Ensure all downloaded binaries have checksums verified
- Remove vendored node binary executable
Default binary versions: node 4.6.2
php-buildpack
updated to v4.3.22 (from v4.3.21)
v4.3.22
- Ensure all downloaded binaries have checksums verified
- Add composer 1.2.2, remove composer 1.2.1
- Add APCu support to all PHP versions
- Warn and error when composer.json or composer.lock has invalid format
- Add support for phpiredis and phpredis in PHP7
Default binary versions: php 5.5.38, composer 1.2.2, httpd 2.4.23, newrelic 6.3.0.161, nginx 1.11.5
python-buildpack
updated to v1.5.12 (from v1.5.11)
v1.5.12
- Ensure all downloaded binaries have checksums verified
Default binary versions: python 2.7.12
ruby-buildpack
updated to v1.6.28 (from v1.6.27)
v1.6.28
- Add node 4.6.2, remove node 4.6.1
- Add bundler 1.13.6, remove bundler 1.13.5
- Add openjdk 1.8.0_111, remove openjdk 1.8.0_101
- Ensure all downloaded binaries have checksums verified
Default binary versions: ruby 2.3.1, node 4.6.2
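The go, nodejs, php, python and ruby buildpacks above all list "Ensure all downloaded binaries have checksums verified". The block below is an added example, not code from any Cloud Foundry buildpack, of the fail-closed pattern that line describes: every dependency has a digest pinned in a lookup table, a download is staged to a temporary file, and it is only moved into place when its SHA-256 matches the pinned value. The dependency table, its URL and its digest are constructed for the example (the digest is that of a one-line file containing "hello"); a real buildpack pins these in its manifest.

```shell
#!/bin/sh
# Added example (not buildpack code). Pinned-digest download with fail-closed install.

# Constructed lookup table standing in for a buildpack manifest:
#   name version url sha256
# The URL is a placeholder and the digest is that of the one-line file "hello\n".
DEPENDENCY_TABLE='
sample 1.0.0 https://downloads.example.invalid/sample-1.0.0.tgz 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
'

# sha256_of FILE: hex SHA-256 digest; prefers sha256sum, falls back to shasum
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
  else shasum -a 256 "$1" | awk '{print $1}'; fi
}

# lookup_sha256 NAME VERSION: prints the pinned digest; fails if nothing is pinned,
# so an unlisted version can never be installed "unverified by accident".
lookup_sha256() {
  printf '%s\n' "$DEPENDENCY_TABLE" |
    awk -v n="$1" -v v="$2" '$1==n && $2==v {print $4; found=1} END{exit !found}'
}

# install_verified STAGED DEST EXPECTED: move STAGED to DEST only if its digest
# matches EXPECTED. On mismatch the staged file is deleted and 1 is returned,
# so a tampered or truncated download never lands on the install path.
install_verified() {
  staged="$1"; dest="$2"; expected="$3"
  actual="$(sha256_of "$staged")"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $staged: expected $expected, got $actual" >&2
    rm -f "$staged"
    return 1
  fi
  mv "$staged" "$dest"
}

# fetch_verified NAME VERSION URL DEST: download to a temp file, then install
# only if the digest pinned for NAME VERSION matches. TLS protects the
# transport; the digest protects against a compromised or substituted origin.
fetch_verified() {
  name="$1"; version="$2"; url="$3"; dest="$4"
  expected="$(lookup_sha256 "$name" "$version")" ||
    { echo "no pinned checksum for $name $version; refusing to download" >&2; return 1; }
  staged="$(mktemp)"
  curl -fsSL --proto '=https' -o "$staged" "$url" || { rm -f "$staged"; return 1; }
  install_verified "$staged" "$dest" "$expected"
}

# Usage: fetch_verified sample 1.0.0 https://downloads.example.invalid/sample-1.0.0.tgz ./sample.tgz
```

The important property is the order of operations: the digest comes from the pinned table, not from a file served next to the artifact, and the comparison happens before anything is placed where a later build step would read it.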
staticfile-buildpack
updated to v1.3.13 (from v1.3.12)
v1.3.13
- Option to enable hosting of hidden dot-files
- Enable HSTS support
- Don't write hashed credentials from Staticfile.auth to the logs
DEA-Warden-HM9000 Runtime
This section will be updated soon. If this section is not yet up-to-date, please reach out for information:
- direct team email: [email protected]
- CF Dev mailing list: https://lists.cloudfoundry.org/archives/list/[email protected]/
- Slack channel: https://cloudfoundry.slack.com/messages/runtime_og/
- GitHub issues: https://github.com/cloudfoundry/dea-hm-workspace/issues
Internal Components
postgres-release (includes postgres job)
- No changes
etcd-release (includes etcd and etcd_metrics_server jobs)
- Bumped from vXX to vXX. Functional changes:
consul-release (includes consul_agent job)
- Bumped from vXX to vXX. Functional changes:
nats-release (includes nats and nats_stream_forwarder jobs)
- No changes
Recommended Versions of Additional Releases
These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.
- Diego release v1.1.0. Release notes for v1.1.0 · v1.0.0 · v0.1491.0 · v0.1490.0.
- Garden-Runc release v1.0.3. Release notes for v1.0.3.
- etcd release v86. Release notes for v86.
- cflinuxfs2-rootfs release v1.41.0. Release notes for v1.41.0 · v1.40.0.
Job Spec Changes
Recommended BOSH Stemcell Versions
- real IaaS: 3312.6
- BOSH-Lite: 3312.6
Note: For AWS you should use the Xen-HVM stemcells rather than Xen.
These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.