Releases: cloudfoundry-attic/cf-release
v257
Contents
Notices
- Warning: We've found an issue with the combination of releases recommended here, so we advise deployers to use CF 258 instead. Specifically, the recommended version of diego-release (1.13.0) does not allow deployers to configure cleanup_process_dirs_on_wait, which is required for healthy functioning of the recommended garden-runc-release (1.5.0). Diego-release 1.14.0 includes the ability to configure that property.
- Changes in some jobs require using a BOSH Director v258 or newer.
- Changing the number of instances of doppler will restart Traffic Controllers, resulting in disruption in Firehose throughput.
- The included version of Loggregator restricts ciphers to use only the following 4 ciphers. This is a breaking change for some operators and a configurable property for opting into more cipher suites was introduced in Loggregator 85
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Job Spec Changes
- The cc_uploader job has new required properties. Read here for details
Security Notices
Affecting v257
- None
Resolved in v257
- CVE-2017-4972: Blind SQL Injection in UAA (high severity)
- CVE-2017-4973: Privilege Escalation in UAA (high severity)
Subcomponent Updates
- Cloud Controller and Service Broker API:
- Identity:
- Routing:
- Loggregator:
- Java Buildpack:
- java-buildpack v3.15 (no change)
- Ruby Buildpack:
- ruby-buildpack v1.6.37 (no change)
- Go Buildpack:
- go-buildpack v1.7.19 (no change)
- Node.js Buildpack:
- nodejs-buildpack v1.5.31 (no change)
- Python Buildpack:
- python-buildpack v1.5.17 (no change)
- PHP Buildpack:
- php-buildpack v4.3.30 (no change)
- Staticfile Buildpack:
- staticfile-buildpack v1.4.4 (no change)
- Binary Buildpack:
- binary-buildpack v1.0.11 (no change)
- .Net Core Buildpack:
- dotnet-core-buildpack v1.0.15 (no change)
- RootFS:
- cflinuxfs2 v1.113.0 (no change)
- Consul:
- consul-release v152 (no change)
- Etcd:
- NATS:
- No change.
- Postgres:
- DEA-Warden-HM9000:
- No change.
Compatible Releases and Stemcells
CF 256
Contents
Notices
- Updating GrootFS to v0.16.0, if running with GrootFS already, will require recreating the Diego cells.
- The Postgres job will upgrade PostgreSQL to version 9.6.2.
  NOTE: this drops support for upgrading from PostgreSQL 9.4.5. Only upgrades from PostgreSQL 9.4.6 (since cf v232) and PostgreSQL 9.4.9 (since cf v241) are supported.
  Before deploying, please review considerations at postgres-release v15.
- If you are running cf-networking-release, the value for cf_networking.garden_external_networker.cni_plugin_dir must be updated to /var/vcap/packages/silk/bin
Job Spec Changes
- The router status endpoint is no longer optional. As such, router.status.password (which has been configurable for a long time) is now required.
- cc_uploader now requires the following properties to be configured:
  - properties.capi.cc_uploader.cc.ca_cert
  - properties.capi.cc_uploader.cc.client_cert
  - properties.capi.cc_uploader.cc.client_key
  Diego manifest generation (as of Diego 1.11.0) has already required this property to be configured, so it's likely that most deployers have already set these values. For deployers building their manifests some other way, these properties are now required by the components themselves.
- In the postgres job, the default value for databases.monit_timeout has been changed to 90 seconds.
- The included version of Loggregator restricts ciphers to use only the following 4 ciphers. This is a breaking change for some operators and a configurable property for opting into more cipher suites was introduced in Loggregator 85
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Security Notices
Affecting v256
None recorded as of 2017-04-11.
Resolved in v256
- CVE-2017-4970 in Staticfile buildpack versions v1.4.0 – v1.4.3 (high severity)
Known Issues
- Users that belong to any space containing a user provided service instance are unable to view any specific service plan: /v2/service_plans/:guid. Users are still able to view the marketplace and provision service instances.
Subcomponent Updates
- Cloud Controller and Service Broker API:
- no change
- Identity:
- no change
- Routing:
- Loggregator:
- Java Buildpack:
- Ruby Buildpack:
- Go Buildpack:
- go-buildpack v1.7.19 (no change)
- Node.js Buildpack:
- Python Buildpack:
- PHP Buildpack:
- Staticfile Buildpack:
- Binary Buildpack:
- binary-buildpack v1.0.11 (no change)
- .Net Core Buildpack:
- RootFS:
- Consul:
- consul-release v152 (unchanged)
- Etcd:
- etcd-release v93 (unchanged)
- NATS:
- No changes
- Postgres:
- DEA-Warden-HM9000:
- No changes.
Compatible Releases and Stemcells
- diego-release: v1.12.0. Release notes for v1.12.0.
- garden-runc-release: v1.4.0. Release notes for v1.4.0.
- cflinuxfs2-rootfs release v1.60.0. Release notes for v1.60.0
- cf-networking-release: v0.19.0. Release notes for v0.19.0.
- grootfs-release v0.16.0. Release notes for v0.16.0. Updating GrootFS to v0.16.0, if running with GrootFS already, will require recreating the Diego cells.
- stemcell: 3363.15
v255
Contents
Notices
- MySQL UAA databases that were operating prior to UAA version 1.5.2 (released in early 2014) may be incompatible with migrations in this release, causing failures during the UAA job update. A manual fix for affected deployments can be found here.
- The included version of Loggregator restricts ciphers to use only the following 4 ciphers. This is a breaking change for some operators and a configurable property for opting into more cipher suites was introduced in Loggregator 85
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Job Spec Changes
- Diego's cc_uploader job has new required properties. Read here for details.
Security Notices
Affecting v255
- CVE-2017-4970 in Staticfile buildpack versions v1.4.0 – v1.4.3 (high severity)
Known Issues
- Users that belong to any space containing a user provided service instance are unable to view any specific service plan: /v2/service_plans/:guid. Users are still able to view the marketplace and provision service instances.
Subcomponent Updates
- Cloud Controller and Service Broker API:
- Identity:
- Routing: No changes
- Loggregator:
- Java Buildpack:
- java-buildpack v3.14 (no change)
- Ruby Buildpack:
- ruby-buildpack v1.6.35 (no change)
- Go Buildpack:
- go-buildpack v1.7.19 (no change)
- Node.js Buildpack:
- nodejs-buildpack v1.5.30 (no change)
- Python Buildpack:
- python-buildpack v1.5.16 (no change)
- PHP Buildpack:
- Staticfile Buildpack:
- Binary Buildpack:
- .Net Core Buildpack:
- RootFS:
- cflinuxfs2 v1.111.0 (Diego)
- cflinuxfs2 v1.112.0 (DEA)
- Consul:
- consul-release vCC (unchanged)
- Etcd:
- etcd-release vCC (unchanged)
- NATS: No changes.
- Postgres: No changes.
- DEA-Warden-HM9000: No changes.
Compatible Releases and Stemcells
CF 254
Contents
Notices
- Upcoming changes may require an update to your BOSH Director. Please update to BOSH v261.3 to ensure that future versions of cf-release can successfully deploy.
  Details: Specifically, if your BOSH director uses a MySQL database as its data store, a version of cf-release that contains links for consul jobs will fail to deploy due to a bug in the database schema. BOSH v261.3 contains the necessary fix. We will likely wait until CF v256 to introduce the breaking change, so that operators can update their BOSH directors to 261.3 or greater.
- This release adds functionality to allow multiple instances of the Cloud Controller clock job. If you're using the spiff templates, you'll see the clock_global job replaced by clock_z1 and clock_z2 jobs.
- This release is using an experimental new Loggregator API when deploying to bosh-lite. It has been noted that metron is using unusually high CPU when utilizing this new API. This does not affect normal bosh deployments.
- The included version of Loggregator restricts ciphers to use only the following 4 ciphers. This is a breaking change for some operators and a configurable property for opting into more cipher suites was introduced in Loggregator 85
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Job Spec Changes
- Cloud Controller Clock now requires SSL configuration with the following properties. These properties became required for Cloud Controller in CF 253, so they may already be present in your deployment:
  - cc.mutual_tls.ca_cert: PEM-encoded CA certificate for secure, mutually authenticated TLS communication
  - cc.mutual_tls.public_cert: PEM-encoded certificate for secure, mutually authenticated TLS communication
  - cc.mutual_tls.private_key: PEM-encoded key for secure, mutually authenticated TLS communication
CVEs
- None
Subcomponent Updates
- Cloud Controller and Service Broker API:
- Identity:
- Routing:
- Loggregator:
- Buildpacks and Stacks:
- Java:
- Ruby:
- Go:
- Node.js:
- Python:
- PHP:
- Staticfile:
- Binary:
- .NET Core:
- Stacks:
- Consul:
- No changes.
- Etcd:
- No changes.
- NATS:
- No changes.
- Postgres:
- DEA-Warden-HM9000:
- No changes.
Compatible Releases and Stemcells
- Diego release v1.10.1. Release notes for v1.10.1 · v1.10.0 · v1.9.0.
- Garden-Runc release v1.3.0. Release notes for v1.3.0 · v1.2.0.
- cflinuxfs2-rootfs release v1.57.0. Release notes for v1.57.0 · v1.56.0 · v1.55.0 · v1.54.0.
- cf-networking release v0.18.0. Release notes for v0.18.0 · v0.17.0.
- grootfs release v0.15.0. Release notes for v0.15.0
- stemcell: 3363.12
CF 253
Contents
Notices
- Preparatory manifest changes: Both CF 253 and Diego 1.8.1 include changes to the manifest generation scripts that introduce the following line in a number of places:
  consumes: { consul: nil }
  This will allow the consul job to start providing a bosh link without having that link be consumed by the various consul jobs in the deployment. CF 254 will introduce a version of consul that requires these changes to the manifest, so please ensure that you deploy CF 253 and Diego 1.8.1 first before moving on to CF 254.
Job Spec Changes
- cf-networking-release: If you are deploying cf-networking-release (which is still experimental), there will be some necessary changes to your manifest.
- statsd-injector: To successfully deploy statsd-injector (part of loggregator), you'll need to generate the following properties:
  - loggregator.tls.statsd_injector.cert
  - loggregator.tls.statsd_injector.key
  You can generate this keypair using this script. You'll need to provide the certificate and key for the CA that was used to sign the other loggregator certs. The certificate for that CA can also be found in loggregator.tls.ca. Deployers should have the private key stored securely.
- The included version of Loggregator restricts ciphers to use only the following 4 ciphers. This is a breaking change for some operators and a configurable property for opting into more cipher suites was introduced in Loggregator 85
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
CVEs
- None
Subcomponent Updates
- Cloud Controller and Service Broker API:
- Identity:
- Routing:
- Loggregator:
- Buildpacks and Stacks:
- Java:
- Ruby:
- Go:
- Node.js:
- Python:
- PHP:
- Staticfile:
- Binary:
- .Net Core:
- Stacks:
- Consul:
- no changes
- Etcd:
- NATS:
- No changes.
- Postgres:
- No changes.
- DEA-Warden-HM9000:
- No changes.
Compatible Releases and Stemcells
- Diego release v1.8.1. Release notes for v1.8.1 · v1.8.0 · v1.7.1 · v1.7.0.
- Garden-Runc release v1.2.0. Release notes for v1.2.0.
- cflinuxfs2-rootfs release v1.53.0. Release notes for v1.53.0 · v1.52.0 · v1.51.0 · v1.50.0 · v1.49.0.
- cf-networking release v0.17.0. Release notes for v0.17.0.
- stemcell: 3363.9
CF 252
Contents
Notices
- Manifest changes: netman-release has been renamed to cf-networking-release. If you're deploying netman-release (which is still experimental), there will be some necessary changes to your manifest.
- Slow API responses during deployment: Cloud Controller will be performing a migration on the events table to allow tracking additional user information on audit events. Because this table is often very large, some requests may be slower than normal. Additionally, there is a change to background processing that may cause asynchronous requests such as app and space deletion to take slightly longer until workers finish deploying.
- The default transport for syslog_daemon_config has changed from TCP to UDP for both the metron_agent and metron_agent_windows jobs. This change was done on the metron_agent_windows job to enable Windows to write syslog. The change was also made to the metron_agent job to remain consistent between the two. These changes result in the same behavior for mixed windows and linux deployments. If you require TCP transport for component logs, you will need to explicitly set the property syslog_daemon_config.transport to tcp in your deployment manifest. Otherwise your syslog server will have to be configured to accept syslog over UDP.
- The included version of Loggregator restricts ciphers to use only the following 4 ciphers. This is a breaking change for some operators and a configurable property for opting into more cipher suites was introduced in Loggregator 85
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Job Spec Changes
- Cloud Controller now requires SSL configuration with the following properties. The CA cert should match the diego bbs ca cert, and that ca cert should be used to sign the newly required public cert:
  - cc.mutual_tls.ca_cert: PEM-encoded CA certificate for secure, mutually authenticated TLS communication
  - cc.mutual_tls.public_cert: PEM-encoded certificate for secure, mutually authenticated TLS communication
  - cc.mutual_tls.private_key: PEM-encoded key for secure, mutually authenticated TLS communication
- Postgres v10 job spec changes
- Loggregator now requires properties set for mutual auth with Cloud Controller. This is used for retrieving application names for inclusion in syslog drains and is set with the following new properties.
  - loggregator.tls.syslogdrainbinder.cert: TLS certificate for syslogdrainbinder, signed by diego bbs CA
  - loggregator.tls.syslogdrainbinder.key: TLS key for syslogdrainbinder, signed by diego bbs CA
  - Use <diego-bbs-ca.crt> and <diego-bbs-ca.key> when running generate-loggregator-certs. The diego BBS CA cert and key are typically generated separately from this script.
  - See the Loggregator README for more details on the new flag
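A preflight check for the TLS and credential properties that the Job Spec Changes sections above mark as required, as an added example that is not part of cf-release or its tooling. It assumes the manifest has already been parsed into a nested dict under `properties`; the function names, problem strings and sample values are constructed for illustration.

```python
import re

# Property paths are the ones named in the release notes above; the "kind"
# labels and the single nested "properties" dict are assumptions of this example.
REQUIRED = {
    "cc.mutual_tls.ca_cert": "cert",
    "cc.mutual_tls.public_cert": "cert",
    "cc.mutual_tls.private_key": "key",
    "loggregator.tls.syslogdrainbinder.cert": "cert",
    "loggregator.tls.syslogdrainbinder.key": "key",
    "loggregator.tls.statsd_injector.cert": "cert",
    "loggregator.tls.statsd_injector.key": "key",
    "router.status.password": "secret",
}

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s.*?-----END \1-----", re.S)


def lookup(props, dotted):
    """Walk a dotted path through nested dicts; None when any part is absent."""
    node = props
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def pem_labels(value):
    """Return the labels of every well-formed PEM block found in value."""
    return [m.group(1) for m in PEM_BLOCK.finditer(value)]


def check_value(kind, value):
    """Return a problem string for one property, or None when it looks usable."""
    if value is None:
        return "missing"
    if not isinstance(value, str) or not value.strip():
        return "empty"
    if kind == "secret":
        return None
    labels = pem_labels(value)
    if not labels:
        return "not PEM-encoded"
    has_key = any(label.endswith("PRIVATE KEY") for label in labels)
    if kind == "cert":
        if has_key:
            # A key pasted into a cert field ends up wherever certs are shared.
            return "private key in a certificate property"
        if "CERTIFICATE" not in labels:
            return "no CERTIFICATE block"
    elif not has_key:
        return "no PRIVATE KEY block"
    return None


def check_manifest(manifest, bbs_ca_pem=None):
    """Map each failing property path to its problem; empty dict means clean."""
    props = manifest.get("properties") or {}
    problems = {}
    for path, kind in REQUIRED.items():
        problem = check_value(kind, lookup(props, path))
        if problem:
            problems[path] = problem
    # The notes say the CC CA cert should match the Diego BBS CA cert.
    ca_path = "cc.mutual_tls.ca_cert"
    ca = lookup(props, ca_path)
    if bbs_ca_pem and isinstance(ca, str) and ca_path not in problems:
        if "".join(ca.split()) != "".join(bbs_ca_pem.split()):
            problems[ca_path] = "differs from the Diego BBS CA"
    return problems


def _pem(label, body):
    """Build a constructed PEM-shaped block (placeholder body, not real key material)."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample values.
BBS_CA = _pem("CERTIFICATE", "Q09OU1RSVUNURUQgQ0E=")
OTHER_CA = _pem("CERTIFICATE", "T1RIRVIgQ0E=")
LEAF = _pem("CERTIFICATE", "TEVBRg==")
KEY = _pem("RSA PRIVATE KEY", "S0VZ")

SAMPLE = {"properties": {
    "cc": {"mutual_tls": {"ca_cert": OTHER_CA, "public_cert": KEY, "private_key": KEY}},
    "loggregator": {"tls": {
        "syslogdrainbinder": {"cert": LEAF, "key": ""},
        "statsd_injector": {"cert": "changeme", "key": KEY},
    }},
    "router": {"status": {}},
}}

if __name__ == "__main__":
    for path, problem in check_manifest(SAMPLE, BBS_CA).items():
        print(f"{path}: {problem}")
```

The check only inspects shape and placement; it does not verify that a certificate was actually signed by the BBS CA.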
CVEs
- Stacks version 1.99.0, included in v252, is vulnerable to USN-3193-1
Subcomponent Updates
- Cloud Controller and Service Broker API:
- Identity:
- Routing:
- Loggregator:
- Buildpacks and Stacks:
- Java: java-buildpack v3.12
- Ruby: ruby-buildpack v1.6.32 (no change)
- Go: go-buildpack v1.7.17 (no change)
- Node.js: nodejs-buildpack v1.5.27 (no change)
- Python: python-buildpack v1.5.14 (no change)
- PHP: php-buildpack v4.3.25 (no change)
- Staticfile: staticfile-buildpack v1.3.16 (no change)
- Binary: binary-buildpack v1.0.7 (no change)
- .Net Core: dotnet-core-buildpack v1.0.9 (no change)
- Stacks: stacks v1.99.0, stacks v1.98.0, stacks v1.97.0
- Consul:
- Etcd:
- NATS:
- No changes.
- Postgres:
- DEA-Warden-HM9000:
- No changes.
Compatible Releases and Stemcells
- Diego release v1.6.2. Release notes for v1.6.2 · v1.6.1 · v1.6.0 · v1.5.4.
- Garden-Runc release v1.1.1. Release notes for v1.1.1.
- cflinuxfs2-rootfs release v1.48.0. Release notes for v1.48.0 · v1.47.0 · v1.46.0.
- cf-networking release v0.16.0. Release notes for v0.16.0 · v0.15.0 · v0.14.0.
- Stemcell Version: 3312.17
v251
The cf-release v251 was released on January 18, 2017.
Contents:
- CC and Service Broker APIs
- Identity
- Routing
- Loggregator
- Buildpacks and Stacks
- DEA-Warden-HM9000 Runtime
- Internal Components
- Recommended Versions of Additional Releases
- Job Spec Changes
- Recommended BOSH Stemcell Versions
CC and Service Broker APIs
Contains CAPI release v1.15.0. Release notes for v1.15.0
Identity
No Changes
Routing
routing-release bumped to 0.143.0
Loggregator
Deprecated Debug Flags
This release includes the deprecation of the following debug flags. These flags use the gosteno library and produce debug logs for every single log and metric event. This hides useful debug information produced without a flag. The deprecated flags are:
- traffic_controller.debug
- doppler.debug
- metron_agent.debug
- syslog_drain_binder.debug
New Certificates Required
In order to secure the transport of log messages going forward, Loggregator will require the Metron cert and key as well as the Loggregator CA cert. You won't be able to deploy this and future versions of Loggregator if you don't have these configured. See our README with specifics for generating and setting up your certs.
New Features & Bug Fixes
- Improved service discovery for Dopplers
- Encrypted log transport Metron->Doppler (via gRPC)
- Pooled connections from Metron->Doppler (via gRPC)
- Changed retry strategy for connecting to etcd
- Fixed an issue when metron fails over to UDP if provided with invalid certs. TrafficController and Doppler no longer panic if provided with invalid certs.
Buildpacks and Stacks
stacks
updated to 1.96.0 (from 1.95.0)
1.96.0
USN-3172-1 Ubuntu Security Notice USN-3172-1:
- CVE-2016-9131: A malformed response to an ANY query can cause an assertion failure during recursion
- CVE-2016-9147: An error handling a query response containing inconsistent DNSSEC information could cause an assertion failure
- CVE-2016-9444: An unusually-formed DS record response could cause an assertion failure
binary-buildpack
updated to v1.0.7 (from v1.0.5)
v1.0.7
- Add new version warning to binary buildpack
dotnet-core-buildpack
updated to v1.0.9 (from v1.0.6)
v1.0.9
- Add warning if downloaded dependency is not the latest patch version for a given major and minor version
- Add warning if buildpack version used to stage an app changes
- Add node 6.9.4, remove node 6.9.2
- Add .NET SDK 1.0.0-preview4-004233
Default binary versions: node 6.9.4, bower 1.8.0, dotnet 1.0.0-preview2-003156
From v1.0.8 and v1.0.7
- Fix self contained app regression (#128)
- Add warning if app was previously staged with a different version of the buildpack
- Add .NET SDK 1.0.0-preview2-003156, remove .NET SDK 1.0.0-preview2-003121
- Make .NET SDK 1.0.0-preview2-003156 the default SDK version
- Add .NET Core framework 1.0.3
- Allow project paths in .deployment file to start with ./
- Store process id in the PID environment variable
- Add MSBuild support
- Add .NET SDK 1.0.0-preview3-004056, which uses MSBuild
- Documented here: https://docs.cloudfoundry.org/buildpacks/dotnet-core/index.html#cli_tools
- Add F# support
- Package .NET Core runtimes and install separately from .NET Core SDK
- Add node 6.9.2, remove node 6.9.1
- Allow custom library path
go-buildpack
updated to v1.7.17 (from v1.7.16)
v1.7.17
- Add warning if downloaded dependency is not the latest patch version for a given major and minor version
- Add warning if buildpack version used to stage an app changes
- Add godep v76, remove godep v75
Default binary versions: go 1.7.4
java-buildpack
updated to v3.11 (from v3.10)
v3.11
I'm pleased to announce the release of the java-buildpack, version 3.11. This release features the addition of support for the Dyadic EKM. This release also disables (but does not remove) support for AppDynamics due to the fact that the Cloud Foundry Foundation cannot legally distribute the AppDynamics agent. This support can be reenabled by providing the agent and updating the configuration via environment variables or a fork.
- Dyadic EKM Support (via Saar Peer)
- Disabled AppDynamics by default
- Updated Dynatrace Support (via Alois Mayr and @Scoobed)
- Updated JRebel Support (via Tõnis Pool)
- Fixed typos in documentation (via @mmanciop)
For a more detailed look at the changes in 3.11, please take a look at the commit log. Packaged versions of the buildpack, suitable for use with create-buildpack and update-buildpack, can be found attached to this release.
nodejs-buildpack
updated to v1.5.27 (from v1.5.24)
v1.5.27
- Catch exceptions from buildpack version warning scripts
  - Under some non-standard CF deployment configurations, it was possible for these scripts to error out. As they are purely informative, this should never happen.
Default binary versions: node 4.7.2
From v1.5.26 and v1.5.25
- Add warning if downloaded dependency is not the latest patch version for a given major and minor version
- Add new version warning to nodejs buildpack
- Yarn support added, activated if yarn.lock file present
- Add node 7.4.0, 7.3.0 remove node 7.2.1, 7.2.0, 7.1.0
- Add node 6.9.4, 6.9.3 remove node 6.9.2, 6.9.1, 6.9.0
- Add node 4.7.2, 4.7.1, remove node 4.7.0, 4.6.2, 4.6.1
- Add node 0.12.18, remove node 0.12.16
Default binary versions: node 4.7.0
php-buildpack
updated to v4.3.25 (from v4.3.23)
v4.3.25
- Add warning if downloaded dependency is not the latest patch version for a given major and minor version
- Add new version warning to PHP buildpack
- Add composer 1.3.0, remove composer 1.2.4
- Add nginx 1.11.8, remove nginx 1.11.7
- Add httpd 2.4.25, remove httpd 2.4.23
Default binary versions: php 5.5.38, composer 1.3.0, httpd 2.4.25, newrelic 6.3.0.161, nginx 1.11.8
From v4.3.24
- Add PHP 7.0.14, remove PHP 7.0.12
- Add PHP 5.6.29, remove PHP 5.6.27
- Add nginx 1.11.7, remove nginx 1.11.6
- Use rebuilt HTTPD 2.4.23 with proper LDAP support
- Add composer 1.2.4, remove composer 1.2.2
python-buildpack
updated to v1.5.14 (from v1.5.13)
v1.5.14
- Add warning if downloaded dependency is not the latest patch version for a given major and minor version
- Add warning if buildpack version used to stage an app changes
- Add python 3.6.0
- Add python 2.7.13, remove python 2.7.11
- Update setuptools version to 32.1.0
- Update miniconda to 4.2.12
- Update pip version to 9.0.1
Default binary versions: python 2.7.12
ruby-buildpack
updated to v1.6.32 (from v1.6.29)
v1.6.32
- Add warning if downloaded dependency is not the latest patch version for a given major and minor version
- Add new version warning to Ruby buildpack
- Add bundler 1.13.7, remove bundler 1.13.6
- Add ruby 2.4.0
- Add node 4.7.2, remove node 4.7.0
Default binary versions: ruby 2.3.3, node 4.7.2
From v1.6.30
- Add jruby 9.1.5.0, remove jruby 9.1.2.0
- Add node 4.7.0, remove node 4.6.2
...
v250
The cf-release v250 was released on December 22, 2016.
IMPORTANT
- The CAPI Release included in CF-250 has several new manifest properties that aren't meant to be required yet. We've discovered an issue with BOSH directors before v257 where these properties must still be set. One of the following workarounds should be applied:
  - Upgrade your BOSH deployment to v257 or later
  - Set the following properties to "" in your CF Deployment manifest: cc.mutual_tls.ca_cert, cc.mutual_tls.public_cert, and cc.mutual_tls.private_key
- The Loggregator bosh properties for loggregator.tls.metron.cert and loggregator.tls.metron.key do not need to be set for this release. They were added for documentation that a future version of cf-release will require these properties.
The Loggregator release
Contents:
- CC and Service Broker APIs
- Identity
- Routing
- Loggregator
- Buildpacks and Stacks
- DEA-Warden-HM9000 Runtime
- Internal Components
- Recommended Versions of Additional Releases
- Job Spec Changes
- Recommended BOSH Stemcell Versions
CC and Service Broker APIs
Contains CAPI release v1.14.0. Release notes for v1.12.0, v1.13.0, and v1.14.0
Identity
No Changes
Routing
No changes
Loggregator
No changes
Buildpacks and Stacks
stacks
updated to 1.95.0 (from 1.92.0)
1.95.0
1.94.0
USN-3156-1 Ubuntu Security Notice USN-3156-1:
- CVE-2016-1252: A man-in-the-middle attacker could circumvent the InRelease signature of a repository, leading to a malicious package being installed and, therefore, remote arbitrary code execution.
1.93.0
dotnet-core-buildpack
updated to v1.0.6 (from v1.0.5)
v1.0.6
Highlights:
- Add dotnet 1.0.0-preview2-1-003177, remove .NET SDK 1.0.0-preview2-1-003155
Default binary versions: node 6.9.1, bower 1.8.0, dotnet 1.0.0-preview2-003131
go-buildpack
updated to v1.7.16 (from v1.7.15)
v1.7.16
Highlights:
- Add go 1.6.4, 1.7.4, remove go 1.6.2, 1.7.1
Default binary versions: go 1.7.4
nodejs-buildpack
updated to v1.5.24 (from v1.5.23)
v1.5.24
Highlights:
- Add node 7.2.0, remove node 7.0.0
Default binary versions: node 4.6.2
php-buildpack
updated to v4.3.23 (from v4.3.22)
v4.3.23
Highlights:
- Add rdkafka for PHP5, ioncube for PHP 7
- Add nginx 1.11.6, remove nginx 1.11.5
- Add php 5.6.28, 7.0.13, remove php 5.6.26, 7.0.11
Default binary versions: php 5.5.38, composer 1.2.2, httpd 2.4.23, newrelic 6.3.0.161, nginx 1.11.6
python-buildpack
updated to v1.5.13 (from v1.5.12)
v1.5.13
Default binary versions: python 2.7.12
ruby-buildpack
updated to v1.6.29 (from v1.6.28)
v1.6.29
Highlights:
- Add ruby 2.1.10, 2.2.6, 2.3.2, 2.3.3, remove ruby 2.1.8, 2.2.4, 2.3.1
Default binary versions: ruby 2.3.3, node 4.6.2
staticfile-buildpack
updated to v1.3.14 (from v1.3.13)
v1.3.14
Highlights:
- Enable 'Vary: Accept-Encoding' header
- Add nginx 1.11.6, remove nginx 1.11.5
Default binary versions: nginx 1.11.6
DEA-Warden-HM9000 Runtime
This section will be updated soon. If this section is not yet up-to-date, please reach out for information:
- direct team email: [email protected]
- CF Dev mailing list: https://lists.cloudfoundry.org/archives/list/[email protected]/
- Slack channel: https://cloudfoundry.slack.com/messages/runtime_og/
- GitHub issues: https://github.com/cloudfoundry/dea-hm-workspace/issues
Internal Components
postgres-release (includes postgres job)
- No changes
etcd-release (includes etcd and etcd_metrics_server jobs)
- No changes
consul-release (includes consul_agent job)
- Bumped from v135 to v145. Functional changes:
  - Now includes consul 0.7.1 (was 0.7.0)
  - Changes to support running consul_agent on windows in client mode.
nats-release (includes nats and nats_stream_forwarder jobs)
- No changes.
Recommended Versions of Additional Releases
These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.
- Diego release v1.4.1. Release notes for v1.4.1 · v1.4.0 · v1.3.1 · v1.3.0.
- Garden-Runc release v1.0.4. Release notes for v1.0.4.
- cflinuxfs2-rootfs release v1.44.0. Release notes for v1.44.0 · v1.43.0 · v1.42.0.
Job Spec Changes
Recommended BOSH Stemcell Version
- 3312.12
Note: For AWS you should use the Xen-HVM stemcells rather than Xen.
These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.
v249
The cf-release v249 was released on December 10, 2016.
Important
- This release patches
- This release has a known issue that login.saml.serviceProviderKeyPassword needs to be set to "" explicitly if the login.saml.serviceProviderKey is not passphrase protected. This will be addressed in the next release.
login.saml.serviceProviderKeyPassword:
  description: "Password to protect the service provider private key."
Contents:
- CC and Service Broker APIs
- Identity
- Routing
- Loggregator
- Buildpacks and Stacks
- DEA-Warden-HM9000 Runtime
- Internal Components
- Recommended Versions of Additional Releases
- Job Spec Changes
- Recommended BOSH Stemcell Versions
CC and Service Broker APIs
Contains CAPI release v1.11.0. Release notes for v1.11.0
Identity
UAA Release bumped to v24 aka UAA Release v3.9.3
Routing
Routing-release was bumped to 0.142.0
Loggregator
This section will be updated soon. If this section is not yet up-to-date, please reach out for information:
- Updated to golang 1.7.4
- Improved Cipher Suites
- Update to TLS versions being used
Buildpacks and Stacks
- No changes
DEA-Warden-HM9000 Runtime
- No changes
Internal Components
postgres-release (includes postgres job)
- No changes
etcd-release (includes etcd and etcd_metrics_server jobs)
- Bumped from v86 to v87. Functional changes:
  The proxy for TLS migration now responds to /v2/members, fixing an issue in consumers that get peers via the API instead of via bosh properties.
consul-release (includes consul_agent job)
- No changes.
nats-release (includes nats and nats_stream_forwarder jobs)
- No changes.
Recommended Versions of Additional Releases
These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.
- Diego release v1.2.0. Release notes for v1.2.0 · v1.1.0.
- Garden-Runc release v1.04. Release notes for v1.0.4 · v1.0.3.
- cflinuxfs2-rootfs release v1.41.0. Release notes for v1.41.0 · v1.40.0.
Job Spec Changes
Recommended BOSH Stemcell Versions
- real IaaS: 3312.7
- BOSH-Lite: 3312.7
Note: For AWS you should use the Xen-HVM stemcells rather than Xen.
These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.
v248
The cf-release v248 was released on December 02, 2016.
IMPORTANT
BACKWARDS INCOMPATIBLE CHANGES
Starting with this release UAA no longer provides default values for the SAML Service Provider Certificate and JWT Signing Key as a security best practice. These need to be generated explicitly per deployment of UAA and are required for proper start-up and functioning of UAA.
These are standard artifacts which can be generated using openssl. Please refer to the topic here on how to generate a self-signed cert.
Please refer here for more details.
Contents:
- CC and Service Broker APIs
- Identity
- Routing
- Loggregator
- Buildpacks and Stacks
- DEA-Warden-HM9000 Runtime
- Internal Components
- Recommended Versions of Additional Releases
- Job Spec Changes
- Recommended BOSH Stemcell Versions
CC and Service Broker APIs
Contains CAPI release v1.11.0. Release notes for v1.11.0
Identity
This release includes UAA 3.9.2
Routing
No changes
Loggregator
This section will be updated soon. If this section is not yet up-to-date, please reach out for information:
- direct team email: [email protected]
- CF Dev mailing list: https://lists.cloudfoundry.org/archives/list/[email protected]/
- Slack channel: https://cloudfoundry.slack.com/messages/loggregator/
- GitHub issues: https://github.com/cloudfoundry/loggregator/issues
Buildpacks and Stacks
stacks
updated to 1.92.0 (from 1.90.0)
1.92.0
USN-3142-1 Ubuntu Security Notice USN-3142-1:
- CVE-2016-7799: mogrify global buffer overflow
- CVE-2016-7906: imagemagick mogrify heap use after free
- CVE-2016-8677: memory allocate failure in AcquireQuantumPixels
- CVE-2016-8862: memory allocation failure in AcquireMagickMemory (memory.c)
- CVE-2016-9556: Heap buffer overflow in heap-buffer-overflow in IsPixelGray
USN-3139-1 Ubuntu Security Notice USN-3139-1:
- CVE-2016-1248: vim before patch 8.0.0056 does not properly validate values for the 'filetype', 'syntax' and 'keymap' options, which may result in the execution of arbitrary code if a file with a specially crafted modeline is opened.
USN-3134-1 Ubuntu Security Notice USN-3134-1:
- CVE-2016-0772: The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
- CVE-2016-1000110: use of HTTP_PROXY flag supplied by attacker in CGI scripts
- CVE-2016-5636: Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.
- CVE-2016-5699: CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.
USN-3132-1 Ubuntu Security Notice USN-3132-1:
- CVE-2016-6321: Bypassing the extract path name
USN-3131-1 Ubuntu Security Notice USN-3131-1:
(81 CVEs addressed, see USN link)
1.91.0
dotnet-core-buildpack
updated to v1.0.5 (from v1.0.4)
v1.0.5
- Add bower 1.8.0, remove bower 1.7.9
- Serve libunwind from buildpacks.cloudfoundry.org
Default binary versions: node 6.9.1, bower 1.8.0, dotnet 1.0.0-preview2-003131
go-buildpack
updated to v1.7.15 (from v1.7.14)
v1.7.15
- Ensure all downloaded binaries have checksums verified
- Add godep v75, remove godep v74
Default binary versions: go 1.6.3
nodejs-buildpack
updated to v1.5.23 (from v1.5.22)
v1.5.23
- Add node 7.1.0, 7.0.0, 6.9.1, 4.6.2
- Remove node 6.8.1, 4.6.0, 0.10.47 (EOL), 0.10.48 (EOL)
- Ensure all downloaded binaries have checksums verified
- Remove vendored node binary executable
Default binary versions: node 4.6.2
php-buildpack
updated to v4.3.22 (from v4.3.21)
v4.3.22
- Ensure all downloaded binaries have checksums verified
- Add composer 1.2.2, remove composer 1.2.1
- Add APCu support to all PHP versions
- Warn and error when composer.json or composer.lock has invalid format
- Add support for phpiredis and phpredis in PHP7
Default binary versions: php 5.5.38, composer 1.2.2, httpd 2.4.23, newrelic 6.3.0.161, nginx 1.11.5
python-buildpack
updated to v1.5.12 (from v1.5.11)
v1.5.12
- Ensure all downloaded binaries have checksums verified
Default binary versions: python 2.7.12
ruby-buildpack
updated to v1.6.28 (from v1.6.27)
v1.6.28
- Add node 4.6.2, remove node 4.6.1
- Add bundler 1.13.6, remove bundler 1.13.5
- Add openjdk 1.8.0_111, remove openjdk 1.8.0_101
- Ensure all downloaded binaries have checksums verified
Default binary versions: ruby 2.3.1, node 4.6.2
staticfile-buildpack
updated to v1.3.13 (from v1.3.12)
v1.3.13
- Option to enable hosting of hidden dot-files
- Enable HSTS support
- Don't write hashed credentials from Staticfile.auth to the logs
DEA-Warden-HM9000 Runtime
This section will be updated soon. If this section is not yet up-to-date, please reach out for information:
- direct team email: [email protected]
- CF Dev mailing list: https://lists.cloudfoundry.org/archives/list/[email protected]/
- Slack channel: https://cloudfoundry.slack.com/messages/runtime_og/
- GitHub issues: https://github.com/cloudfoundry/dea-hm-workspace/issues
Internal Components
postgres-release (includes postgres job)
- No changes
etcd-release (includes etcd and etcd_metrics_server jobs)
- Bumped from vXX to vXX. Functional changes:
consul-release (includes consul_agent job)
- Bumped from vXX to vXX. Functional changes:
nats-release (includes nats and nats_stream_forwarder jobs)
- No changes
Recommended Versions of Additional Releases
These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.
- Diego release v1.1.0. Release notes for v1.1.0 · v1.0.0 · v0.1491.0 · v0.1490.0.
- Garden-Runc release v1.0.3. Release notes for v1.0.3.
- etcd release v86. Release notes for v86.
- cflinuxfs2-rootfs release v1.41.0. Release notes for v1.41.0 ·
[v1.40.0](https://github.com/cloudfoundry/cflinuxfs2-rootfs-release/relea...