Releases: cloudfoundry-attic/cf-release
v247
The cf-release v247 was released on November 17, 2016.
Contents:
- CC and Service Broker APIs
- Identity
- Routing
- Loggregator
- Buildpacks and Stacks
- DEA-Warden-HM9000 Runtime
- Internal Components
- Recommended Versions of Additional Releases
- Job Spec Changes
- Recommended BOSH Stemcell Versions
CC and Service Broker APIs
Contains CAPI release v1.11.0. Release notes for v1.11.0
Identity
Updated to UAA 3.9.0
Routing
No changes
Loggregator
This release includes support for gRPC which enables TLS. For notes about setting up certs see: https://github.com/cloudfoundry/loggregator#generating-tls-certificates
Buildpacks and Stacks
stacks
updated to 1.90.0 (from 1.89.0)
1.90.0
Notably, this release addresses:
USN-3116-1: DBus vulnerabilities Ubuntu Security Notice USN-3116-1:
- CVE-2015-0245: D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9.x before 1.9.10 does not validate the source of ActivationFailure signals, which allows local users to cause a denial of service (activation failure error returned) by leveraging a race condition involving sending an ActivationFailure signal before systemd responds.
USN-3117-1: GD library vulnerabilities Ubuntu Security Notice USN-3117-1:
- CVE-2016-6911: invalid read in gdImageCreateFromTiffPtr()
- CVE-2016-7568: Integer overflow in the gdImageWebpCtx function in gd_webp.c in the GD Graphics Library (aka libgd) through 2.2.3, as used in PHP through 7.0.11, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted imagewebp and imagedestroy calls.
- CVE-2016-8670: Stack Buffer Overflow in GD dynamicGetbuf
USN-3119-1: Bind vulnerability Ubuntu Security Notice USN-3119-1:
- CVE-2016-8864: A problem handling responses containing a DNAME answer can lead to an assertion failure
USN-3123-1: curl vulnerabilities Ubuntu Security Notice USN-3123-1:
- CVE-2016-7141: curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420.
- CVE-2016-7167: Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow.
- CVE-2016-8615: cookie injection for other servers
- CVE-2016-8616: case insensitive password comparison
- CVE-2016-8617: OOB write via unchecked multiplication
- CVE-2016-8618: double-free in curl_maprintf
- CVE-2016-8619: double-free in krb5 code
- CVE-2016-8620: glob parser write/read out of bounds
- CVE-2016-8621: curl_getdate read out of bounds
- CVE-2016-8622: URL unescape heap overflow via integer truncation
- CVE-2016-8623: Use-after-free via shared cookies
- CVE-2016-8624: invalid URL parsing with '#'
dotnet-core-buildpack
v1.0.5
CF v247 is the first CF release to include the .NET Core buildpack. This buildpack adds support for .NET Core apps on the cflinuxfs2 stack.
DEA-Warden-HM9000 Runtime
This section will be updated soon. If this section is not yet up-to-date, please reach out for information:
- direct team email: [email protected]
- CF Dev mailing list: https://lists.cloudfoundry.org/archives/list/[email protected]/
- Slack channel: https://cloudfoundry.slack.com/messages/runtime_og/
- GitHub issues: https://github.com/cloudfoundry/dea-hm-workspace/issues
Internal Components
postgres-release
(includes postgres
job)
No changes.
etcd-release
(includes etcd
and etcd_metrics_server
jobs)
- Bumped from v77 to v85. Functional changes:
consul-release
(includes consul_agent
job)
nats-release
(includes nats
and nats_stream_forwarder
jobs)
- No changes.
Recommended Versions of Additional Releases
These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.
- Diego release v0.1489.0.
Release notes for
v0.1489.0 ·
v0.1488.0. - Garden-Runc release v1.0.3.
Release notes for
v1.0.3 ·
v1.0.2 ·
v1.0.1. - etcd release v85. Release notes for
v85 ·
v84 ·
v83 ·
v82 ·
v81 ·
v80 ·
v79. - cflinuxfs2-rootfs release v1.39.0.
Release notes for
v1.39.0.
Although it's still considered experimental, we have started to test CF against the new netman release. It's not recommended for production, but for those deploying it, here is the information for netman-release:
Job Spec Changes
- Add
etcd.client_ip
andetcd.peer_ip
to allow specifying the bind address for the etcd server details - Add
etcd_proxy.ip
to allow specifying the bind address the the etcd proxy server details
Recommended BOSH Stemcell Versions
- real IaaS: 3309
- BOSH-Lite: 3309
Note: For AWS you should use the Xen-HVM stemcells rather than Xen.
These are soft recommendations; several di...
v246
The cf-release v246 was released on November 03, 2016.
IMPORTANT
- With this release UAA defaults to enforcing signature validation on Incoming SAML Assertions. Please make sure any SAML Identity configured for UAA is sending only signed SAML assertions
Contents:
- CC and Service Broker APIs
- Identity
- Routing
- Loggregator
- Buildpacks and Stacks
- DEA-Warden-HM9000 Runtime
- Internal Components
- Recommended Versions of Additional Releases
- Job Spec Changes
- Recommended BOSH Stemcell Versions
CC and Service Broker APIs
Contains CAPI release v1.10.0. Release notes for v1.8.0, v1.9.0, and v1.10.0
Identity
Updated to UAA Release 3.8.0
Spec changes can be found here
Routing
Routing-release bumped to 0.141.0
Loggregator
No changes.
Buildpacks and Stacks
stacks
updated to 1.89.0 (from 1.86.0)
1.89.0
No CVEs present. Notably, this release introduces the libsasl2-dev
package.
1.88.0
No CVEs present.
1.87.0
No CVEs present.
binary-buildpack
updated to v1.0.5 (from v1.0.4)
v1.0.5
- binary-buildpack BOSH release now available on bosh.io at
http://bosh.io/releases/github.com/cloudfoundry/binary-buildpack-release
(https://www.pivotaltracker.com/story/show/130040305)
go-buildpack
updated to v1.7.14 (from v1.7.13)
v1.7.14
- go-buildpack BOSH release now available on bosh.io at
http://bosh.io/releases/github.com/cloudfoundry/go-buildpack-release - Add go 1.7.3, remove go 1.7
- go 1.7.2 is a faulty release and should not be used:
https://github.com/golang/go/blob/release-branch.go1.7/doc/devel/release.html#L52-L56
- go 1.7.2 is a faulty release and should not be used:
- Add glide v0.12.3, remove glide v0.11.1
- Do not glide install if vendor with subdirs present
- Use
godep go install
if a go1.6 app has a Godeps/Godeps.json and a
Godeps/_workspace directory - Copy Go toolchain into container if GO_INSTALL_TOOLS_IN_IMAGE is set
- Set $GOPATH in the runtime container if GO_SETUP_GO_PATH_IN_IMAGE is set
Default binary versions: go 1.6.3
java-buildpack
updated to v3.10 (from v3.9)
v3.10
I'm pleased to announce the release of the java-buildpack
, version 3.10
. This release updates the Dynatrace frameworks.
- Updated Dynatrace Frameworks (via Alois Mayr)
For a more detailed look at the changes in 3.10
, please take a look at the commit log. Packaged versions of the buildpack, suitable for use with create-buildpack
and update-buildpack
, can be found attached to this release.
nodejs-buildpack
updated to v1.5.22 (from v1.5.21)
v1.5.22
- Add node 6.9.0 and 6.8.1, remove node 6.6.0 and 6.7.0
- Add node 0.10.48, remove node 0.10.46
- Add node 0.12.17, remove node 0.12.15
- Add node 4.6.1, remove node 4.5.0
- Address USN-3087-1: OpenSSL vulnerabilities with node 6.8.1 and 6.9.0
- NOTICE: Node.js 0.10 will be removed after October 31, 2016 due to end of LTS
Default binary versions: node 4.6.0
php-buildpack
updated to v4.3.21 (from v4.3.20)
v4.3.21
- Address USN-3095-1 and associated CVEs with PHP 5.6.27 and 7.0.12
- Add support for rdkafka in PHP 7
- Add php 5.6.26 and 5.6.27, remove php 5.6.24 and 5.6.25
- Add php 7.0.11 and 7.0.12, remove php 7.0.9 and 7.0.10
- Add nginx 1.11.5, remove nginx 1.11.4
- Add nginx 1.10.2, remove nginx 1.10.1
Default binary versions: php 5.5.38, composer 1.2.1, httpd 2.4.23, newrelic 6.3.0.161, nginx 1.11.5
python-buildpack
updated to v1.5.11 (from v1.5.10)
v1.5.11
- python-buildpack BOSH release now available on bosh.io at
http://bosh.io/releases/github.com/cloudfoundry/python-buildpack-release
Default binary versions: python 2.7.12
ruby-buildpack
updated to v1.6.27 (from v1.6.26)
v1.6.27
- Add node 4.6.1, remove node 4.6.0
- Add bundler 1.13.5, remove bundler 1.13.1
Default binary versions: ruby 2.3.1, node 4.6.1
staticfile-buildpack
updated to v1.3.12 (from v1.3.11)
v1.3.12
- Add nginx 1.11.5, remove nginx 1.11.4
- staticfile-buildpack BOSH release now available on bosh.io at
http://bosh.io/releases/github.com/cloudfoundry/staticfile-buildpack-release
DEA-Warden-HM9000 Runtime
- Fixed container startup issues with Linux 4.4
- Improved HM9000 actual state processing time for large number of instances (> 10k)
- Reduced connection count to etcd on start when there is a stampede on start ( 35k -> 65)
Internal Components
postgres-release
(includes postgres
job)
- No changes.
etcd-release
(includes etcd
and etcd_metrics_server
jobs)
consul-release
(includes consul_agent
job)
- Bumped from v126 to v133. Functional changes:
consul_agent
job only drains when in server mode, not in client mode. details- Set performance raft_multiplier to 1 for Consul process. details
- Change default value of
consul.agent.dns_config.allow_stale
to true andconsul.agent.dns_config.max_stale
to 30s inconsul_agent
job. details consul_agent
job running inmode: server
no longer needs to be configured withconsul.agent_cert
orconsul.agent_key
properties. details
nats-release
(includes nats
and nats_stream_forwarder
jobs)
- Bumped from v11 to v14. Functional changes: bump to golang 1.7, enables forwarding of nats logs to a syslog drain
Recommended Versions of Additional Releases
These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.
- Diego release v0.1487.0.
Release notes for
v0.1487.0. - Garden-Runc release v1.0.0.
Release notes for
v1.0.0 ·
v0.9.2 ·
v0.9.1. - etcd release v78. Release notes for
v78 ·
v77 ·
v76 ·
v75 ·
v74. - cflinuxfs2-rootfs release v1.38.0.
Release notes for
v1.38.0 ·
v1.37.0 ·
v1.36.0.
Job Spec Changes
- CAPI v1.9.0 Job Spec Changes and v1.10.0 Job Spec Changes
- Add
etcd.network_diagnostics_duration_in_seconds
property with default 30 toetcd
job property to avoid filling up log aggregation services. [details](https://pivotaltracker.com/story/show/13268683...
v245
The cf-release v245 was released on October 09, 2016.
IMPORTANT
- This release fixes a critical security vulnerability pertaining to command injection. Please see the mailing list thread on CVE 2016-6655 for more details. Operators are strongly encouraged to update to this latest version of cf-release.
- This release includes a significant migration of the CCDB that is the first step to releasing the CC V3 API. Please see the release notes for CAPI v1.6.0 for details.
- CVE-2016-6658: The Cloud Controller in CF-245 contains a fix for a medium CVE where apps using custom buildpack urls could contain credentials. This fix ensures that urls containing credentials are either encrypted or stored in an obfuscated format at rest. This is a continuation of CVE-2016-6638 originally reported fixed in CF-241.
KNOWN ISSUES
- The included version of CAPI Release contains an issue staging Python buildpack based apps and apps using any buildpack that doesn't return process types in the staging result. We've prioritized this bug at the top of our backlog. Workaround is to add a Procfile containing any command, e.g.
web: foo
.
Contents:
- CC and Service Broker APIs
- Identity
- Routing
- Loggregator
- Buildpacks and Stacks
- DEA-Warden-HM9000 Runtime
- Internal Components
- Recommended Versions of Additional Releases
- Job Spec Changes
- Recommended BOSH Stemcell Versions
CC and Service Broker APIs
Contains CAPI release v1.7.0. Release notes for v1.6.0 and v1.7.0
Identity
No Changes
Routing
Routing-release bumped to 0.140.0
Loggregator
No Changes
Buildpacks and Stacks
stacks
updated to 1.86.0 (from 1.84.0)
1.86.0
Notably, this release addresses USN-3096-1: NTP vulnerabilities Ubuntu Security Notice USN-3096-1. As cflinuxfs2 only includes the ntpdate
package, many of these CVEs may not apply.
- CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode
- CVE-2015-7974: NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."
- CVE-2015-7975: ntpq buffer overflow
- CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames
- CVE-2015-7977: reslist NULL pointer dereference
- CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list
- CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode
- CVE-2015-8138: Zero Origin Timestamp Bypass, AKA: Additional KoD Checks
- CVE-2015-8158: Potential Infinite Loop in ntpq
- CVE-2016-0727: NTP statsdir cleanup cronjob insecure
- CVE-2016-1547: Validate crypto-NAKs, AKA: nak-dos
- CVE-2016-1548: Interleave-pivot
- CVE-2016-1550: Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA: authdecrypt-timing
- CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion botch
- CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
- CVE-2016-4954: The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication.
- CVE-2016-4955: ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time.
- CVE-2016-4956: ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-1548.
1.85.0
Notably, this release addresses USN-3088-1: Bind vulnerability Ubuntu Security Notice USN-3088-1:
- CVE-2016-2776: Assertion Failure in buffer.c
nodejs-buildpack
updated to v1.5.21 (from v1.5.20)
v1.5.21
- Address USN-3087-1: OpenSSL vulnerabilities by updating node.
The new versions of node included in this buildpack are built
against the patched version of OpenSSL
(https://www.pivotaltracker.com/story/show/130945067) - Updated node: 0.10.47, 0.12.16, 4.6.0, 6.7.0
Default binary versions: node 4.6.0
ruby-buildpack
updated to v1.6.26 (from v1.6.25)
v1.6.26
- Address USN-3087-1: OpenSSL vulnerabilities by updating node.
The new version of node included in this buildpack was built
against the patched version of OpenSSL
(https://www.pivotaltracker.com/story/show/130945067) - Updated node: 4.6.0
Default binary versions: ruby 2.3.1, node 4.6.0
DEA-Warden-HM9000 Runtime
This section will be updated soon. If this section is not yet up-to-date, please reach out for information:
- direct team email: [email protected]
- CF Dev mailing list: https://lists.cloudfoundry.org/archives/list/[email protected]/
- Slack channel: https://cloudfoundry.slack.com/messages/runtime_og/
- GitHub issues: https://github.com/cloudfoundry/dea-hm-workspace/issues
Internal Components
postgres-release
(includes postgres
job)
- Bumped from v5 to v6. No functional changes.
etcd-release
(includes etcd
and etcd_metrics_server
jobs)
- Bumped from v66 to v73. Functional changes:
- Added
-debug
flag to uses ofetcdtcl
CLI to improve debuggability. details - Added
etcd_consistency_checker
process toetcd
job. details - Added etcd network diagnostics logging to
etcd
job. details
- Added
consul-release
(includes consul_agent
job)
- Bumped from v125 to v126. Functional changes:
consul_agent
job will now usesed
instead ofawk -W
inagent_ctl
script. details
nats-release
(includes nats
and nats_stream_forwarder
jobs)
- No change, still at v11.
Recommended Versions of Additional Releases
These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.
v244
The cf-release v244 was released on September 28, 2016.
IMPORTANT
- From this release onwards, Loggregator is no longer registering it legacy
logging_endpoint
with the router. This makes the legacy endpoints on Traffic Controller unaccessible.
Contents:
- CC and Service Broker APIs
- Identity
- Routing
- Loggregator
- Buildpacks and Stacks
- DEA-Warden-HM9000 Runtime
- Internal Components
- Recommended Versions of Additional Releases
- Job Spec Changes
- Recommended BOSH Stemcell Versions
CC and Service Broker APIs
No Change
Identity
Updated to UAA Release 3.7.4
Routing
No changes
Loggregator
- Metron attempts initial reconnection to etcd using exponential backoff strategy up to 15 times instead of panicking immediately.
- Property name changes in
loggregator_trafficcontroller/spec
doppler.uaa_client_id
replacesloggregator.uaa.client
uaa.clients.doppler.secret
replacesloggregator.uaa.client_secret
doppler.outgoing_port
replacesloggregator.doppler_port
- Property name changes in
metron_agent/spec
metron_agent.listening_port
replacesmetron_agent.dropsonde_incoming_port
- The Loggregator Consumer endpoint no longer gets a route registered in this release. This makes the Loggregator Consumer endpoint inaccessible in this release. The loggregator_consumer library is deprecated in favor of noaa which makes use of the new endpoints as described here.
Buildpacks and Stacks
stacks
updated to 1.84.0 (from 1.80.0)
1.84.0
Notably, this release addresses USN-3087-2: OpenSSL regression.
USN-3087-2 is a fix for a regression introduced by USN-3087-1, which was included in cflinuxfs2 1.83.0.
1.83.0
Notably, this release addresses USN-3087-1: OpenSSL vulnerabilities Ubuntu Security Notice USN-3087-1:
- CVE-2016-2177: OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-bufferboundary checks, which might allow remote attackers to cause a denial ofservice (integer overflow and application crash) or possibly haveunspecified other impact by leveraging unexpected malloc behavior, relatedto s3_srvr.c, ssl_sess.c, and t1_lib.c.
- CVE-2016-2178: The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through1.0.2h does not properly ensure the use of constant-time operations, whichmakes it easier for local users to discover a DSA private key via a timingside-channel attack.
- CVE-2016-2179: The DTLS implementation in OpenSSL before 1.1.0 does not properly restrictthe lifetime of queue entries associated with unused out-of-order messages,which allows remote attackers to cause a denial of service (memoryconsumption) by maintaining many crafted DTLS sessions simultaneously,related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c.
- CVE-2016-2180: The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public KeyInfrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through1.0.2h allows remote attackers to cause a denial of service (out-of-boundsread and application crash) via a crafted time-stamp file that ismishandled by the "openssl ts" command.
- CVE-2016-2181: The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0mishandles early use of a new epoch number in conjunction with a largesequence number, which allows remote attackers to cause a denial of service(false-positive packet drops) via spoofed DTLS records, related torec_layer_d1.c and ssl3_record.c.
- CVE-2016-2182: The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 doesnot properly validate division results, which allows remote attackers tocause a denial of service (out-of-bounds write and application crash) orpossibly have unspecified other impact via unknown vectors.
- CVE-2016-2183: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSecprotocols and other protocols and products, have a birthday bound ofapproximately four billion blocks, which makes it easier for remoteattackers to obtain cleartext data via a birthday attack against along-duration encrypted session, as demonstrated by an HTTPS session usingTriple DES in CBC mode, aka a "Sweet32" attack.
- CVE-2016-6302: The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0does not consider the HMAC size during validation of the ticket length,which allows remote attackers to cause a denial of service via a ticketthat is too short.
- CVE-2016-6303: Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c inOpenSSL before 1.1.0 allows remote attackers to cause a denial of service(out-of-bounds write and application crash) or possibly have unspecifiedother impact via unknown vectors.
- CVE-2016-6304: OCSP Status Request extension unbounded memory growth
- CVE-2016-6306: In ssl3_get_client_certificate, ssl3_get_server_certificate andssl3_get_certificate_request check we have enough roombefore reading a length.
1.82.0
To address RFC #36, this release upgrades Ruby from 2.2.4 to 2.3.1.
This release also addresses USN-3085-1: GDK-PixBuf vulnerabilities Ubuntu Security Notice USN-3085-1:
- CVE-2015-7552: Heap-based buffer overflow in the gdk_pixbuf_flip function in gdk-pixbuf-scale.c in gdk-pixbuf 2.30.x allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted BMP file.
- CVE-2015-8875: Multiple integer overflows in the (1) pixops_composite_nearest, (2)pixops_composite_color_nearest, and (3) pixops_process functions in pixops/pixops.c in gdk-pixbuf before 2.33.1 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted image, which triggers a heap-based buffer overflow.
- CVE-2016-6352: Write out-of-bounds
1.81.0
No CVEs present.
binary-buildpack
updated to v1.0.4 (from v1.0.3)
v1.0.4
Highlights:
- Updated various buildpack development dependencies
go-buildpack
updated to v1.7.13 (from v1.7.12)
v1.7.13
Highlights:
- Add go 1.7.1
Default binary versions: go 1.6.3
nodejs-buildpack
updated to v1.5.20 (from v1.5.19)
v1.5.20
Highlights:
- WARNING: This buildpack is vulnerable to high CVE 2016-6304. Please upgrade to 1.5.21 ASAP.
- Add node 6.6.0, remove node 6.4.0
Default binary versions: node 4.5.0
php-buildpack
updated to v4.3.20 (from v4.3.19)
v4.3.20
Highlights:
- Enable mssql and pdo-dblib support for PHP
- Update modules: cassandra, xdebug, yaf, twig, php-protobuf
- Updated dependencies: nginx, composer
Default binary versions: php 5.5.38, composer 1.2.1, httpd 2.4.23, newrelic 6.3.0.161, nginx 1.11.4
python-buildpack
updated to v1.5.10 (from v1.5.9)
v1.5.10
- Lock version of conda to 4.1.11
Default binary versions: python 2.7.12
ruby-buildpack
updated to v1.6.25 (from v1.6.24)
v1.6.25
- WARNING: This buildpack is vulnerable to high CVE 2016-6304. Please upgrade to 1.6.26 ASAP.
- Remove vendored libyaml
- Update bundler
Default binary versions: ruby 2.3.1, node 4.5.0
staticfile-buildpack
updated to v1.3.11 (from v1.3.10)
v1.3.11
- Update nginx
- Redact credentials from URLs in a cached and uncached buildpack output
DEA-Warden-HM9000 Runtime
No changes
- direct team email: [email protected]
- CF Dev mailing list: https://lists.cloudfoundry.org/archives/list/[email protected]/
- Slack channel: https://cloudfoundry.slack.com/messages/...
v243
The cf-release v243 was released on September 21, 2016.
IMPORTANT
- This release addresses CVE-2016-6651 Privilege Escalation in UAA
Contents:
- CC and Service Broker APIs
- Identity
- Routing
- Loggregator
- Buildpacks and Stacks
- DEA-Warden-HM9000 Runtime
- Internal Components
- Recommended Versions of Additional Releases
- Job Spec Changes
- Recommended BOSH Stemcell Versions
CC and Service Broker APIs
No Change
Identity
This release includes UAA 3.7.3
This is a security release which addresses CVE-2016-6651 Privilege Escalation in UAA
Routing
Routing-release bumped to 0.138.0
Loggregator
No changes
Buildpacks and Stacks
java-buildpack
updated to v3.9 (from v3.8.1)
v3.9
I'm pleased to announce the release of the java-buildpack
, version 3.9
. This release has no theme per se, but has a number of important updates collected within it.
- Dependencies are now hosted at https://java-buildpack.cloudfoundry.org (long live the Cloud Foundry Foundation!)
- Azule Zulu JRE Support (via Ekaterina Blatova)
- Updated Dynatrace support (via Alois Mayr)
For a more detailed look at the changes in 3.9
, please take a look at the commit log.
DEA-Warden-HM9000 Runtime
No Change
Internal Components
postgres-release
(includes postgres
job)
- No changes, still at v5.
etcd-release
(includes etcd
and etcd_metrics_server
jobs)
- No changes, still at v66.
consul-release
(includes consul_agent
job)
- No changes, still at v110.
nats-release
(includes nats
and nats_stream_forwarder
jobs)
- No changes, still at v11.
Recommended Versions of Additional Releases
These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.
- Diego release v0.1485.0.
Release notes for
v0.1485.0. - Garden-Linux release v0.342.0.
Release notes for
v0.342.0. - etcd release v67. Release notes for
v67. - cflinuxfs2-rootfs release v1.29.0.
Release notes for
v1.29.0.
Job Spec Changes
Recommended BOSH Stemcell Versions
- real IaaS: 3262.14
- BOSH-Lite: 3262.2
Note: For AWS you should use the Xen-HVM stemcells rather than Xen.
These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.
v242
The cf-release v242 was released on September 13, 2016.
IMPORTANT
-
Starting with this release the format for bootstrapping UAA Users and Groups has been switched from a Pipe format to a struct format.
The previous format for uaa.scim.users was:
- marissa|koala|[email protected]|Marissa|Bloggs|scim.write,scim.read,openid
The new format for uaa.scim.users is:
- name: marissa password: koala email: [email protected] firstName: Marissa lastName: Bloggs groups: - scim.write - scim.read - openid
The previous format for uaa.scim.groups was:
group1,group2,group3
The new format is for uaa.scim.groups is:
group1: 'My test group description' group2: 'My other test group description' group3: 'My next group description'
Contents:
- CC and Service Broker APIs
- Identity
- Routing
- Loggregator
- Buildpacks and Stacks
- DEA-Warden-HM9000 Runtime
- Internal Components
- Recommended Versions of Additional Releases
- Job Spec Changes
- Recommended BOSH Stemcell Versions
CC and Service Broker APIs
Contains CAPI release v1.5.0. Release notes for v1.4.0 and v1.5.0
Identity
Routing
No change.
Loggregator
- Loggregator Traffic Controllers now run
consul_agent
template to be discoverable via consul DNS. dea_logging_agent
now lives in its own repository. It is now submoduled within loggregator for backward compatibility. However, the intention is to move it directly undercf-release
and out of Loggregator.- Loggregator components are now packaged with golang1.7
DopplerServer.sentMessagesFirehose
no longer appends thesubscription_id
to the metric name, instead it addssubscription_id
as a tag.- No longer supporting message aggregation of
HttpStart
andHttpStop
messages in Metron Agent.
Buildpacks and Stacks
stacks
updated to 1.80.0 (from 1.78.0)
1.80.0
Minor curl and ISC DHCP updates. No CVEs present.
1.79.0
Minor Linux kernel header upgrade. No CVEs present.
go-buildpack
updated to v1.7.12 (from v1.7.11)
v1.7.12
Highlights:
- Add go 1.7
(https://www.pivotaltracker.com/story/show/128376229) - Filter credentials from dependency urls printed during staging
(https://www.pivotaltracker.com/story/show/127362787)
Default binary versions: go 1.6.3
nodejs-buildpack
updated to v1.5.19 (from v1.5.18)
v1.5.19
Highlights:
- Add support for New Relic configuration through service binding
(https://www.pivotaltracker.com/story/show/110040634) - Filter credentials from dependency urls printed during staging
(https://www.pivotaltracker.com/story/show/126514693) - Add default_versions support for specifying node default version
(https://www.pivotaltracker.com/story/show/126394943)
Default binary versions: node 4.5.0
php-buildpack
updated to v4.3.19 (from v4.3.17)
v4.3.19
Highlights:
- Add phalcon support to php7
(https://www.pivotaltracker.com/story/show/128835133) - Fix ioncube for php5 and php7
(https://www.pivotaltracker.com/story/show/128040077)
Default binary versions: php 5.5.38, composer 1.2.0, httpd 2.4.23, newrelic 6.3.0.161, nginx 1.11.3
v4.3.18
Highlights:
- Redact credentials from HTTP(S) URLs in staging output and filenames
(https://www.pivotaltracker.com/story/show/126514693) - Introduce
default_versions
support
(https://www.pivotaltracker.com/story/show/126394949) - Add Cassandra pecl 1.2.1
(https://www.pivotaltracker.com/story/show/126683747) - Execute
.profile
file instead of publicly hosting it (CVE-2016-6639)
(https://www.pivotaltracker.com/story/show/127923697)
(https://www.pivotaltracker.com/story/show/127921845)
(https://www.pivotaltracker.com/story/show/128244503)
Default binary versions: php 5.5.38, composer 1.2.0, httpd 2.4.23, newrelic 6.3.0.161, nginx 1.11.3
ruby-buildpack
updated to v1.6.24 (from v1.6.21)
v1.6.24
Default binary versions: ruby 2.3.1, node 4.5.0
v1.6.23
Highlights:
- Fix crash in staging when Gemfile contains a gemspec with a relative path
(https://www.pivotaltracker.com/story/show/129458773)
Default binary versions: ruby 2.3.1, node 4.5.0
v1.6.22
Highlights:
- Ruby runtime selection respects
BUNDLE_GEMFILE
environment variable
(https://www.pivotaltracker.com/story/show/128974739)
Default binary versions: ruby 2.3.1, node 4.5.0
DEA-Warden-HM9000 Runtime
No changes
Internal Components
postgres-release
(includes postgres
job)
- No changes.
etcd-release
(includes etcd
and etcd_metrics_server
jobs)
- No changes.
consul-release
(includes consul_agent
job)
- Bumped from v108 to v110. No major functional changes, but several implementation changes from pull request to support
consul_agent
job on BOSH Windows stemcells.
nats-release
(includes nats
and nats_stream_forwarder
jobs)
- Bumped from v8 to v11. Functional changes:
- Introduce BOSH links for
nats.user
,nats.password
,nats.port
(and implicitly,nats.machines
) properties onnats
job, including adding default value of4222
tonats.port
property. details
- Introduce BOSH links for
Recommended Versions of Additional Releases
These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.
- Diego release v0.1485.0.
Release notes for
v0.1485.0 ·
v0.1484.0. - Garden-Linux release v0.342.0.
Release notes for
v0.342.0. - etcd release v67. Release notes for
v67. - cflinuxfs2-rootfs release v1.29.0.
Release notes for
v1.29.0 ·
v1.28.0.
Job Spec Changes
- UAA Spec Changes
- Added default value of
4222
tonats.port
property innats
job. details
Recommended BOSH Stemcell Versions
- real IaaS: 3262.12
- BOSH-Lite: 3262.2
Note: For AWS you should use the Xen-HVM stemcells rather than Xen.
These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.
v241
The cf-release v241 was released on August 29, 2016.
IMPORTANT
- UPDATE 2016-09-02 17:06 UTC - MySQL implicitly ends transactions before (and often after) certain statement including DDL statements. A Cloud Controller database migration in CF-241 is encrypting the specified buildpack of an application as this column could contain a Git url containing a username and password. To perform this migration, it creates new columns, encrypts the existing buildpack data and saves it to the new columns, then deletes the old column. This results in a period of time where Cloud Controllers running the code from a previous release can potentially write data to the old column, which is about to be deleted, when an app is pushed with a specified buildpack. While these sort of migrations are uncommon, this is not the first time Cloud Controller has made this sort of migration. Operators that are particularly sensitive to this can always scale their Cloud Controller to a single instance in order to take downtime while the migration is performed. The CAPI team intends to explore how we can make migrations on MySQL better in the future.
- UPDATE 2016-09-01 21:36 UTC - The underlying Sequel gem automatically runs migrations in a transaction for RDBMs that support transactions for DDL statements. This means PostgreSQL will run the entire migration in a transaction, but MySQL will not. We are still determining the proper steps to take for MySQL.
- UPDATE 2016-09-01 17:25 UTC - The Cloud Controller database migration in CF-241 is not wrapped in a transaction. During a rolling deploy of Cloud Controllers, API requests to Cloud Controllers with the previous code could result in data inconsistencies. We will update these release notes when we determine the proper resolution.
- CVE-2016-6638: The Cloud Controller in CF-241 contains a database migration to encrypt an app's specified buildpack at rest. Although it is not recommended, a user could specify a git buildpack url containing a username and password. This migration will cause
/v2/apps
API (or any API call that returns app resource data through inline-relations-depth or summary endpoints) to fail during the rolling deploy as the migration is performed before the updated Cloud Controller(s) are deployed. - This release updates the version of PostgreSQL used in the
postgres
job to 9.4.9 from 9.4.6. This also drops support for being able to upgrade from PostgreSQL 9.4.2. Before upgrading to this or later versions ofcf-release
, you must first upgrade to v226 or higher. - This release introduces official support for running the etcd cluster (shared by several components such as Routing API and the loggregator subsystem, but not Diego which uses its own secure cluster) in secure TLS mode. Upgrading an existing deployment with an insecure etcd cluster to a secure one with minimal downtime is non-trivial. Instructions and additional information for this procedure can be found here. If you are using the manifest generation scripts included within the
cf-release
repo to generate manifests, you're strongly recommended to upgrade to a secure etcd cluster at this point. The instructions above assume you are upgrading to a secure etcd cluster from a pre-v241 Cloud Foundry deployment and will not apply as smoothly if you later attempt to upgrade a post-v241 non-TLS etcd cluster to a TLS cluster within the Cloud Foundry deployment.
Contents:
- CC and Service Broker APIs
- Identity
- Routing
- Loggregator
- Buildpacks and Stacks
- DEA-Warden-HM9000 Runtime
- Internal Components
- Recommended Versions of Additional Releases
- Job Spec Changes
- Recommended BOSH Stemcell Versions
CC and Service Broker APIs
Contains CAPI release v1.3.0. Release notes for v1.2.0 and v1.3.0
Identity
No Changes
Routing
Routing release bumped to 0.137.0 - Release Notes
Loggregator
- Loggregator now provides
metron_agent_windows
so you can run the Metron Agent on Microsoft Windows Diego Cells. - Loggregator now supports dynamic IPs after fixing this issue.
Buildpacks and Stacks
stacks
updated to 1.78.0 (from 1.72.0)
1.78.0
USN-3067-1: HarfBuzz vulnerabilities Ubuntu Security Notice USN-3067-1:
- CVE-2015-8947: hb-ot-layout-gpos-table.hh in HarfBuzz before 1.0.5 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted data, a different vulnerability than CVE-2016-2052.
- CVE-2016-2052: Multiple unspecified vulnerabilities in HarfBuzz before 1.0.6, as used in Google Chrome before 48.0.2564.82, allow attackers to cause a denial of service or possibly have other impact via crafted data, as demonstrated by a buffer over-read resulting from an inverted length check in hb-ot-font.cc, a different issue than CVE-2015-8947.
USN-3068-1: Libidn vulnerabilities Ubuntu Security Notice USN-3068-1:
- CVE-2015-2059: The stringprep_utf8_to_ucs4 function in libin before 1.31, as used in jabberd2, allows context-dependent attackers to read system memory and possibly have other unspecified impact via invalid UTF-8 characters in a string, which triggers an out-of-bounds read.
- CVE-2015-8948: Solve out-of-bounds-read when reading one zero byte as input
- CVE-2016-6261: out-of-bounds stack read in idna_to_ascii_4i
- CVE-2016-6262: Solve out-of-bounds-read when reading one zero byte as input
- CVE-2016-6263: stringprep_utf8_nfkc_normalize reject invalid UTF-8
1.77.0
USN-3064-1: GnuPG vulnerability Ubuntu Security Notice USN-3064-1:
- CVE-2016-6313: random number generator prediction
USN-3065-1: Libgcrypt vulnerability Ubuntu Security Notice USN-3065-1:
- CVE-2016-6313: random number generator prediction
1.76.0
USN-3063-1: Fontconfig vulnerability Ubuntu Security Notice USN-3063-1:
- CVE-2016-5384: fontconfig before 2.12.1 does not validate offsets, which allows localusers to trigger arbitrary free calls and consequently conduct double freeattacks and execute arbitrary code via a crafted cache file.
1.75.0
USN-3061-1: OpenSSH vulnerabilities Ubuntu Security Notice USN-3061-1:
- CVE-2016-6210: User enumeration via covert timing channel
- CVE-2016-6515: The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3does not limit password lengths for password authentication, which allowsremote attackers to cause a denial of service (crypt CPU consumption) via along string.
1.74.0
USN-3060-1: GD library vulnerabilities Ubuntu Security Notice USN-3060-1:
- CVE-2016-6132: read out-of-bands was found in the parsing of TGA files using libgd
- CVE-2016-6207: OOB or OOM in gdImageScale
- CVE-2016-6214: read out-of-bounds issue
1.73.0
USN-3048-1: curl vulnerabilities Ubuntu Security Notice USN-3048-1:
- CVE-2016-5419: TLS session resumption client cert bypass
- CVE-2016-5420: Re-using connections with wrong client cert
- CVE-2016-5421: use of connection struct after free
python-buildpack
updated to v1.5.9 (from v1.5.8)
v1.5.9
Highlight...
v240
The cf-release v240 was released on August 09, 2016.
Contents:
- CC and Service Broker APIs
- DEA-Warden-HM9000 Runtime
- Buildpacks and Stacks
- Identity
- Routing
- Loggregator
- Internal Components
- Job Spec Changes
- Recommended BOSH Stemcell Versions
- Recommended Versions of Additional Releases
CC and Service Broker APIs
Contains CAPI release v1.1.0. Release notes for v1.1.0
DEA-Warden-HM9000 Runtime
- No changes
Buildpacks and Stacks
stacks
updated to 1.72.0 (from 1.69.0)
1.72.0
1.71.0
1.70.0
binary-buildpack
updated to v1.0.3 (from v1.0.2)
v1.0.3
go-buildpack
updated to v1.7.11 (from v1.7.8)
v1.7.11
v1.7.10
v1.7.9
nodejs-buildpack
updated to v1.5.18 (from v1.5.15)
v1.5.18
v1.5.17
v1.5.16
php-buildpack
updated to v4.3.17 (from v4.3.14)
v4.3.17
v4.3.16
v4.3.15
python-buildpack
updated to v1.5.8 (from v1.5.7)
v1.5.8
ruby-buildpack
updated to v1.6.20 (from v1.6.19)
v1.6.20
staticfile-buildpack
updated to v1.3.10 (from v1.3.9)
v1.3.10
Identity
Updated to UAA release 3.4.2
Routing
Routing release bumped to 0.136.0 - Release Notes
- Authors of components that use
route-registrar
can now provide aroute_service_url
so that requests to the route are proxied to the route service details route-registrar
process is no longer run as root detailsroute-registrar
source has been moved to routing-release and is symlinked in cf-release details, more details
Loggregator
- BOSH HM Forwarder donated to Loggregator OSS. Forward BOSH health metrics to firehose.
noaa
library reliability improvements, including support for auto-refresh of the access token.- Expose Metron URL Through Bosh 2.0 Links
- Removed AZ property from Traffic Controller - never used
Internal Components
postgres-release
(includes postgres
job)
- Extracted this release out of cf-release into its own separate release (with no functional changes). [repo][bosh.io][details]
etcd-release
(includes etcd
and etcd_metrics_server
jobs)
- Bumped from v58 to v63. Functional changes:
- Bumped version of Golang used by this release from 1.6.1 to 1.6.3 details
consul-release
(includes consul_agent
job)
- Bumped from v92 to v101. Functional changes:
- Fix
consul_agent
job when running on BOSH VMs with multiple dynamic networks. details - Bumped version of Golang used by this release from 1.6.1 to 1.6.3 details
- BOSH manifest configuration for consul_agent job only requires certificates and keys necessary for the configured mode of operation, i.e. in "server" mode, client certificate and signing key does not need to be configured, and in "client" mode, server certificate and key does not need to be configured. details
- The
consul_agent
job in server mode is now resilient to job name changes, to support transitioning from a "BOSH 1.0"-style deployment to a "BOSH 2.0"-style deployment that is likely to collapse multiple jobs across AZs into a single instance group using themigrated_from
andazs
features. details
- Fix
nats-release
(includes nats
and nats_stream_forwarder
jobs)
- Bumped from 219e93bd to 6c1a563b. Functional changes:
- Bumped version of Golang used by this release from 1.6.1 to 1.6.3 details
Job Spec Changes
- Added
cc.run_prestart_migrations
(defaulttrue
) that can be disabled on deployments where the CCDB is collocated with the Cloud Controller and is unavailable during pre-start.
Recommended BOSH Stemcell Versions
- real IaaS: 3262.4
- BOSH-Lite: 3262.2
Note: For AWS you should use the Xen-HVM stemcells rather than Xen.
These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed below.
Recommended Versions of Additional Releases
These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.
v239
The cf-release v239 was released on July 13, 2016.
IMPORTANT
- Known issue: The WebDAV blobstore and Cloud Controller API / Clock / Worker jobs are unable to start after a VM restart because creation of the run directory for each process,
/var/vcap/data/sys/run/*
, was moved to the bosh pre-start script. The jobs are unable to start because/var/vcap/data/sys/run
is mounted on a temporary file-system and the bosh pre-start script is not executed on VM restart, only deployment. A fix is in the pipeline for CF-240. To workaround this issue, operators can do abosh deploy
, which will recognize the failing jobs and properly create the run directory. - In an effort to not run processes as a privileged user, the WebDAV blobstore must now run on unprivileged ports. By default, internal access has been moved to port 4443 and the external access to port 8080. As the WebDAV blobstore is a SPOF, internal components using the blobstore will not be able to reach the blobstore until all processes have been reconfigured to use the new internal port. This will cause limited downtime in the sense that anything needing to reach the blobstore will fail until the deployment is complete, including app pushes, app restaging, and app restarting. This will happen automatically for users of CF manifest generation scripts. See Job Spec Changes.
- Cloud Foundry now defaults to run containers on Diego in unprivileged mode. One known incompatibility is running applications that use FUSE file system support. See Job Spec Changes for instructions on how to continue running containers in privileged mode.
- The
noaa
library for connecting to the firehose has a number of reliability improvements. If you use it, it is recommended that you upgrade to the latest version.
Contents:
- CC and Service Broker APIs
- DEA-Warden-HM9000 Runtime
- Buildpacks and Stacks
- Identity
- Routing
- Loggregator
- Internal Components
- Job Spec Changes
- Recommended BOSH Stemcell Versions
- Recommended Versions of Additional Releases
CC and Service Broker APIs
CC API Version: 2.58.0
Service Broker API Version: 2.9
CAPI Release
- As an operator, I expect all CF processes to run as least privileged user details
- As a CF operator, I would like to be able to configure whether or not Diego / Garden creates privileged containers for LRPs and Tasks details
- Monit hangs when nfs is not available details
- As a CF user, I would like Diego to validate the SHA checksum of my droplet before running it details
Cloud Controller
- operator should be able to use a manifest property to seed a shared domain and associate it with a TCP router group on deploy of cf-release details
- operator should be able to use manifest property to configure reservable route port quota for initial deploys details
- As an admin, I expect to be able to disable access to /v2/apps/:guid/env and /v3/apps/:guid/env for all users with a feature flag details
- As an Operator, I would like files in my S3 blobstore to be encrypted at rest using SSE-S3 details
- app_stop, app_start are potentially not locking properly, especially when iterating over processes details
- Users can remove themselves from Orgs and Spaces details
- Authentication failures should not show as api errors in new relic details
- Docker apps should not be pushable by admin when diego_docker is turned off. details
TPS
- As a CF user, I expect to see an uptime of 0 and no container metrics for crashed app instances on Diego details
Pull Requests and Issues
- cloudfoundry/cloud_controller_ng#598: CloudController still chooses the DEA which is almost full to do app staging if the DEA number is less than 5 details
- cloudfoundry/cloud_controller_ng#602: Listing of user-provided service instances by organization GUID does not work with IN operator details
DEA-Warden-HM9000 Runtime
- dmesg has been locked down [details](https://www.pivotaltracker.com/story/show/ 122067135)
DEA
- Fix order of magnitude in CPU consumption reported by cf app details
- DEA is guaranteed to heartbeat during evacuation details
- Update ruby to version 2.3.1
Warden
- Warden containers' dns_servers can be specified details
- Update ruby version to 2.3.1
HM9000
- when an evacuating heartbeat is received send a start message for each app instance details
- Start messages to Cloud Controller are over HTTPS
- Evacuator now sends start messages after creation details
- Sender now sends stop messages over http details
- All messages from HM9000 to Cloud Controller are over HTTPS
Buildpacks and Stacks
stacks
updated to 1.69.0 (from 1.67.0)
1.69.0
1.68.0
java-buildpack
updated to v3.8.1 (from v3.7.1)
v3.8.1
v3.8
python-buildpack
updated to v1.5.7 (from v1.5.6)
v1.5.7
Identity
No Changes
Routing
- Update router manifest properties, see below details
- Manifest generation will now set the property
uaa.zones.internal.hostnames
to["uaa.service.cf.internal"]
if no stub overrides that value. This is in support of routing components contacting UAA over its internal TLS port. details - Fix issue where GoRouter was not sending logs to syslog. details
- Thanks to Jonty Wareing from the UK Government Digital Service, Gorouter now supports the PROXY protocol details
- Warning: An issue was found with PROXY protocol support where, when enabled, the Gorouter is unable to accept concurrent connections. PROXY protocol support is disabled by default.
Loggregator
- The
noaa
library for connecting to the firehose has a number of reliability improvements. If you use it, it is recommended that you upgrade to the latest version. - Expose Metron URL Through Bosh 2.0 Links details
- Fix the race condition in NOAA details
- Manage logs endpoint auth token lifecycle (was:cloudfoundry/noaa #14: Reconnection token failed) details
- Remove AZ property from Traffic Controller details
Internal Components
consul
No changes.
etcd and etcd_metrics_server
- etcd-release was bumped from v57 to v58. Significant changes:
- Improved how operators configure
etcd_metrics_server
to work with a secure TLS etcd cluster. details
- Improved how operators configure
postgres
- All long-running processes in
postgres
job now run asvcap
instead ofroot
. details
nats and nats_stream_forwarder
No changes.
Job Spec Changes
- Added
etcd_metrics_server.etcd.dns_suffix
property toetcd_metrics_server
job to support configuring the job to talk to the secureetcd
server. details. blobstore.tls.port
now defaults to 4443 and must be above 1024. When using WebDAV blobstore, the Cloud Controller must now be configured with the ...
v238
The cf-release v238 was released on June 27, 2016.
IMPORTANT
- Known issue: The WebDAV blobstore and Cloud Controller API / Clock / Worker jobs are unable to start after a VM restart because creation of the run directory for each process,
/var/vcap/data/sys/run/*
, was moved to the bosh pre-start script. The jobs are unable to start because/var/vcap/data/sys/run
is mounted on a temporary file-system and the bosh pre-start script is not executed on VM restart, only deployment. A fix is in the pipeline for CF-240. To workaround this issue, operators can do abosh deploy
, which will recognize the failing jobs and properly create the run directory. - v238 includes a fix for CVE-2016-4468, UAA SQL Injection. The mitigation is to upgrade to cf-release v238
- Cloud Controller and other components of capi-release now use bosh pre-start job-lifecycle scripts for many startup tasks including database migrations. This capability requires bosh-release v206+ (1.3072.0) and requires releases deployed with 3125+ stemcells.
Contents:
- CC and Service Broker APIs
- DEA-Warden-HM9000 Runtime
- Buildpacks and Stacks
- Identity
- Routing
- Loggregator
- Internal Components
- Job Spec Changes
- Recommended BOSH Stemcell Versions
- Recommended Versions of Additional Releases
CC and Service Broker APIs
CC API Version: 2.57.0
Service Broker API Version: 2.9
CAPI Release
- Add blobstore timeout configuration details
- Add configuration to run multiple blobstore nginx workers per core details
- Update nginx to 1.11.1 details
- Bridge components only support
properties.capi
details
Cloud Controller
- Make minimum candidate stagers configurable details
- Use hm9000 internal address when making requests details
- Add missing event types to API documentation details
- Enforce space quota on route creation details
- Client author should be able to follow CC API docs to configure total reserved route ports when creating a space quota details
- Retry blobstore requests before failing details
- hm9000 client handles socket error when internal hm9000 address does not exist details
- Emit error when consul is down details
- Add optional description to security group rule details
- Domain helper used in check_for_domain_overlap doesn't work when a second domain appears in list in addition to the system domain details
/v2/routes
and/v2/apps/:guid/routes
and/v3/apps/:guid/routes
return a deprecated url format for domains. details- Emit error when consul is down details
- Allow Shared Domains to be seeded through the manifest details
- Sequel
sql_log_level
is 'debug', not 'debug2' details - Move database migrations and seeding into bosh pre-start. Move buildpack installation into bosh post-start. Run cloud controller scripts as
vcap
user. details - Updating service broker with non-unique service plan name fails to provide offending service and plan info. details
- EXPERIMENTAL: When Cloud Controller starts an app on Diego and has a service binding containing volume_mounts, it should desire an LRP with volume mounts details
- V3 Experimental
- As a space developer, I can map a route to a specific process type on a specific port details
- As a space auditor, I should NOT be able to download packages or droplets details
- v3 process examples in docs should show stats link details
- Droplet memory_limit field should be staging_memory_in_mb details
- Droplet disk_limit field should be staging_disk_in_mb details
- As a SpaceAuditor, I expect to never see sensitive information details
- As a SpaceManager, I expect to have oznly READ access for all V3 endpoints details
- As a space developer, I can get the list of droplets associated with a package details
- As an API consumer, I should be able to filter /v3/droplets and /v3/apps/:guid/droplets details
- Service Broker API
- Add service_id and plan_id to last_operation calls to service brokers details
- Support for broker operation identifier for provision details
- Support for broker operation identifier for deprovision details
- Support for broker operation identifier for update details
- EXPERIMENTAL: Translate service broker volume mounts to diego volume mounts details
TPS
- Support ActualLRPCrashedEvent from BBS in TPS details
Pull Requests and Issues
- cloudfoundry/cloud_controller_ng#551: Missing service/plan id for async last_operation call details
- cloudfoundry/cloud_controller_ng#573: SpaceManager / SpaceAuditor could not see private domain details
- cloudfoundry/cloud_controller_ng#597: The "Updating an App" documentation makes it look like I can update the
detected_start_command
details
DEA-Warden-HM9000 Runtime
- Bumped to ruby 2.3.1
- Improved HM9000 performance
Known issues
- Container metrics via CLI are 100x larger than reality.
Buildpacks and Stacks
Support for .profile pre-runtime hooks. Documentation can be found here
stacks
updated to 1.67.0 (from 1.56.0)
1.67.0
1.66.0
1.65.0
1.64.0
1.63.0
1.62.0
1.61.0
1.60.0
1.59.0
1.58.0
1.57.0
java-buildpack
updated to v3.7.1 (from v3.7)
v3.7.1
nodejs-buildpack
updated to v1.5.15 (from v1.5.14)
v1.5.15
php-buildpack
updated to v4.3.14 (from v4.3.12)
v4.3.14
v4.3.13
python-buildpack
updated to v1.5.6 (from v1.5.5)
v1.5.6
ruby-buildpack
updated to v1.6.19 (from v1.6.17)