This repository has been archived by the owner on Jan 21, 2022. It is now read-only.

v248


The cf-release v248 was released on December 02, 2016.

IMPORTANT

BACKWARDS INCOMPATIBLE CHANGES

Starting with this release, UAA no longer ships default values for the SAML Service Provider certificate and the JWT signing key, as a security best practice: a default shared across every installation would let anyone with the release forge tokens or SAML assertions for any deployment. Both must now be generated explicitly for each UAA deployment and are required for UAA to start and function.

These are standard artifacts that can be generated with openssl. Please refer to the topic here on how to generate a self-signed certificate.

Please refer here for more details.
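The following is an added example, not code from cf-release or UAA, showing how an operator can generate the two secrets this release stops defaulting with openssl and sanity-check them before putting them into the deployment manifest. The file names, the 2048-bit key size, the certificate lifetime and the CN `uaa.example.com` are this example's own assumptions; it does not show the manifest property names, which are documented in the link above.

```shell
#!/bin/sh
# Added example (not from cf-release or UAA): generate the per-deployment JWT
# signing key and SAML Service Provider certificate with openssl, then verify
# that the pieces belong together. File names and sizes are assumptions.
set -eu

# JWT signing key: fresh RSA 2048-bit private key plus the public half that
# token consumers use as the verification key.
gen_jwt_signing_key() {
  local dir=$1
  openssl genrsa -out "$dir/jwt-signing.key" 2048 2>/dev/null
  openssl rsa -in "$dir/jwt-signing.key" -pubout -out "$dir/jwt-verification.pem" 2>/dev/null
}

# SAML SP certificate: self-signed, SHA-256, with its own key. Do not reuse the
# JWT key here; each secret should be rotatable on its own. Args: dir, CN, days.
gen_saml_sp_cert() {
  local dir=$1 cn=$2 days=${3:-730}
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -subj "/CN=$cn" \
    -keyout "$dir/saml-sp.key" -out "$dir/saml-sp.crt" 2>/dev/null
}

# Returns 0 when the given private key is a 2048-bit RSA key.
rsa_key_is_2048() {
  openssl rsa -in "$1" -noout -text 2>/dev/null | grep -q 'Private-Key: (2048 bit'
}

# Returns 0 when the SP certificate and SP private key share the same modulus.
saml_sp_cert_matches_key() {
  local dir=$1 cert_mod key_mod
  cert_mod=$(openssl x509 -in "$dir/saml-sp.crt" -noout -modulus)
  key_mod=$(openssl rsa -in "$dir/saml-sp.key" -noout -modulus 2>/dev/null)
  [ "$cert_mod" = "$key_mod" ]
}

# Returns 0 when the verification key is the public half of the signing key.
jwt_keypair_matches() {
  local dir=$1 priv_mod pub_mod
  priv_mod=$(openssl rsa -in "$dir/jwt-signing.key" -noout -modulus 2>/dev/null)
  pub_mod=$(openssl rsa -pubin -in "$dir/jwt-verification.pem" -noout -modulus 2>/dev/null)
  [ "$priv_mod" = "$pub_mod" ]
}

# Returns 0 when the SP certificate has not expired (checkend does not test notBefore).
saml_sp_cert_not_expired() {
  openssl x509 -in "$1/saml-sp.crt" -noout -checkend 0 >/dev/null
}

main() {
  local out=${1:-$(mktemp -d)}
  gen_jwt_signing_key "$out"
  gen_saml_sp_cert "$out" "${2:-uaa.example.com}" 730
  rsa_key_is_2048 "$out/jwt-signing.key"
  rsa_key_is_2048 "$out/saml-sp.key"
  jwt_keypair_matches "$out"
  saml_sp_cert_matches_key "$out"
  saml_sp_cert_not_expired "$out"
  chmod 600 "$out"/*.key
  echo "generated and verified UAA secrets in $out"
}

main "$@"
```

Run it as `sh uaa-keygen.sh /secure/uaa-secrets uaa.example.com`; the private keys are what go into the signing-key and SP-key properties, and the certificate into the SP-certificate property. Treat the two `.key` files as secrets (the script leaves them mode 0600) and keep them out of the manifest repository in clear text.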

Contents:

CC and Service Broker APIs

Contains CAPI release v1.11.0. Release notes for v1.11.0

Identity

This release includes UAA 3.9.2

Routing

No changes

Loggregator

This section will be updated soon. If it is not yet up to date, please reach out for information.

Buildpacks and Stacks

stacks

updated to 1.92.0 (from 1.90.0)

1.92.0

USN-3142-1 Ubuntu Security Notice USN-3142-1:

USN-3139-1 Ubuntu Security Notice USN-3139-1:

  • CVE-2016-1248: vim before patch 8.0.0056 does not properly validate values for the 'filetype', 'syntax' and 'keymap' options, which may result in the execution of arbitrary code if a file with a specially crafted modeline is opened.

USN-3134-1 Ubuntu Security Notice USN-3134-1:

  • CVE-2016-0772: The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
  • CVE-2016-1000110: the CGIHandler in CPython sets the HTTP_PROXY environment variable from the client-supplied Proxy request header, letting a remote attacker redirect outbound HTTP requests made by CGI scripts ("httpoxy").
  • CVE-2016-5636: Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.
  • CVE-2016-5699: CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.

USN-3132-1 Ubuntu Security Notice USN-3132-1:

USN-3131-1 Ubuntu Security Notice USN-3131-1:
(81 CVEs addressed, see USN link)

1.91.0

dotnet-core-buildpack

updated to v1.0.5 (from v1.0.4)

v1.0.5

  • Add bower 1.8.0, remove bower 1.7.9
  • Serve libunwind from buildpacks.cloudfoundry.org

Default binary versions: node 6.9.1, bower 1.8.0, dotnet 1.0.0-preview2-003131

go-buildpack

updated to v1.7.15 (from v1.7.14)

v1.7.15

  • Ensure all downloaded binaries have checksums verified
  • Add godep v75, remove godep v74

Default binary versions: go 1.6.3

nodejs-buildpack

updated to v1.5.23 (from v1.5.22)

v1.5.23

  • Add node 7.1.0, 7.0.0, 6.9.1, 4.6.2
  • Remove node 6.8.1, 4.6.0, 0.10.47 (EOL), 0.10.48 (EOL)
  • Ensure all downloaded binaries have checksums verified
  • Remove vendored node binary executable

Default binary versions: node 4.6.2

php-buildpack

updated to v4.3.22 (from v4.3.21)

v4.3.22

  • Ensure all downloaded binaries have checksums verified
  • Add composer 1.2.2, remove composer 1.2.1
  • Add APCu support to all PHP versions
  • Warn and error when composer.json or composer.lock has invalid format
  • Add support for phpiredis and phpredis in PHP7

Default binary versions: php 5.5.38, composer 1.2.2, httpd 2.4.23, newrelic 6.3.0.161, nginx 1.11.5

python-buildpack

updated to v1.5.12 (from v1.5.11)

v1.5.12

  • Ensure all downloaded binaries have checksums verified

Default binary versions: python 2.7.12

ruby-buildpack

updated to v1.6.28 (from v1.6.27)

v1.6.28

  • Add node 4.6.2, remove node 4.6.1
  • Add bundler 1.13.6, remove bundler 1.13.5
  • Add openjdk 1.8.0_111, remove openjdk 1.8.0_101
  • Ensure all downloaded binaries have checksums verified

Default binary versions: ruby 2.3.1, node 4.6.2

staticfile-buildpack

updated to v1.3.13 (from v1.3.12)

v1.3.13

  • Option to enable hosting of hidden dot-files
  • Enable HSTS support
  • Don't write hashed credentials from Staticfile.auth to the logs

DEA-Warden-HM9000 Runtime

This section will be updated soon. If it is not yet up to date, please reach out for information.

Internal Components

postgres-release (includes postgres job)

  • No changes

etcd-release (includes etcd and etcd_metrics_server jobs)

  • Bumped from vXX to vXX. Functional changes:

consul-release (includes consul_agent job)

  • Bumped from vXX to vXX. Functional changes:

nats-release (includes nats and nats_stream_forwarder jobs)

  • No changes

Recommended Versions of Additional Releases

These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.

Job Spec Changes

Recommended BOSH Stemcell Versions

  • real IaaS: 3312.6
  • BOSH-Lite: 3312.6

Note: For AWS you should use the Xen-HVM stemcells rather than Xen.

These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.