This repository has been archived by the owner on Jan 21, 2022. It is now read-only.

Releases: cloudfoundry-attic/cf-release

v257 (Pre-release)

19 Apr 00:48

Contents

Notices

  • Warning: We've found an issue with the combination of releases recommended here, so we advise deployers to use CF 258 instead. Specifically, the recommended version of diego-release (1.13.0) does not allow deployers to configure cleanup_process_dirs_on_wait, which is required for healthy functioning of the recommended garden-runc-release (1.5.0). Diego-release 1.14.0 includes the ability to configure that property.
  • Changes in some jobs require using a BOSH Director v258 or newer.
  • Changing the number of instances of doppler will restart the Traffic Controllers, resulting in a disruption of Firehose throughput.
  • The included version of Loggregator restricts TLS cipher suites to the following four. This is a breaking change for some operators; a configurable property for opting in to additional cipher suites was introduced in Loggregator 85:
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Job Spec Changes

  • The cc_uploader job has new required properties. Read here for details

Security Notices

Affecting v257

  • None

Resolved in v257

Subcomponent Updates

Compatible Releases and Stemcells

CF 256

12 Apr 00:40

Contents

Notices

  • Updating GrootFS to v0.16.0, if running with GrootFS already, will require recreating the Diego cells.
  • The Postgres job will upgrade PostgreSQL to version 9.6.2.
    NOTE: this drops support for upgrading from PostgreSQL 9.4.5
    Only upgrades from PostgreSQL 9.4.6 (since cf v232) and PostgreSQL 9.4.9 (since cf v241) are supported.
    Before deploying, please review considerations at postgres-release v15.
  • If you are running cf-networking-release, the value for cf_networking.garden_external_networker.cni_plugin_dir must be updated to /var/vcap/packages/silk/bin

Job Spec Changes

  • The router status endpoint is no longer optional. As such, router.status.password (which has been configurable for a long time) is now required.
  • cc_uploader now requires the following properties to be configured:
    • properties.capi.cc_uploader.cc.ca_cert
    • properties.capi.cc_uploader.cc.client_cert
    • properties.capi.cc_uploader.cc.client_key
      Diego manifest generation (as of Diego 1.11.0) has already required this property to be configured, so it's likely that most deployers have already set these values. For deployers building their manifests some other way, these properties are now required by the components themselves.
  • In the postgres job, the default value for the databases.monit_timeout has been changed to 90 seconds.
  • The included version of Loggregator restricts TLS cipher suites to the following four. This is a breaking change for some operators; a configurable property for opting in to additional cipher suites was introduced in Loggregator 85:
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Security Notices

Affecting v256

None recorded as of 2017-04-11.

Resolved in v256

  • CVE-2017-4970 in Staticfile buildpack versions v1.4.0 – v1.4.3 (high severity)

Known Issues

  • Users that belong to any space containing a user-provided service instance are unable to view any specific service plan (/v2/service_plans/:guid). Users are still able to view the marketplace and provision service instances.

Subcomponent Updates

Compatible Releases and Stemcells

  • diego-release: v1.12.0. Release notes for v1.12.0.
  • garden-runc-release: v1.4.0. Release notes for v1.4.0.
  • cflinuxfs2-rootfs release: v1.60.0. Release notes for v1.60.0.
  • cf-networking-release: v0.19.0. Release notes for v0.19.0.
  • grootfs-release v0.16.0. Release notes for v0.16.0. Updating GrootFS to v0.16.0, if running with GrootFS already, will require recreating the Diego cells.
  • stemcell: 3363.15

v255

11 Apr 22:09

Contents

Notices

  • MySQL UAA databases that were operating prior to UAA version 1.5.2 (released in early 2014) may be incompatible with migrations in this release, causing failures during the UAA job update. A manual fix for affected deployments can be found here.
  • The included version of Loggregator restricts TLS cipher suites to the following four. This is a breaking change for some operators; a configurable property for opting in to additional cipher suites was introduced in Loggregator 85:
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Job Spec Changes

  • Diego's cc_uploader job has new required properties. Read here for details.

Security Notices

Affecting v255

  • CVE-2017-4970 in Staticfile buildpack versions v1.4.0 – v1.4.3 (high severity)

Known Issues

  • Users that belong to any space containing a user-provided service instance are unable to view any specific service plan (/v2/service_plans/:guid). Users are still able to view the marketplace and provision service instances.

Subcomponent Updates

Compatible Releases and Stemcells

CF 254

21 Mar 17:22

Contents

Notices

  • Upcoming changes may require an update to your BOSH Director. Please update to BOSH v261.3 to ensure that future versions of cf-release can successfully deploy.
    Details: Specifically, if your BOSH director uses a MySQL database as its data store, a version of cf-release that contains links for consul jobs will fail to deploy due to a bug in the database schema. BOSH v261.3 contains the necessary fix. We will likely wait until CF v256 to introduce the breaking change, so that operators can update their BOSH directors to 261.3 or greater.
  • This release adds functionality to allow multiple instances of the Cloud Controller clock job. If you're using the spiff templates, you'll see the clock_global job replaced by clock_z1 and clock_z2 jobs.
  • This release uses an experimental new Loggregator API when deploying to bosh-lite. It has been noted that metron uses unusually high CPU when utilizing this new API. This does not affect normal BOSH deployments.
  • The included version of Loggregator restricts TLS cipher suites to the following four. This is a breaking change for some operators; a configurable property for opting in to additional cipher suites was introduced in Loggregator 85:
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Job Spec Changes

  • Cloud Controller Clock now requires SSL configuration with the following properties. These properties became required for Cloud Controller in CF 253, so they may already be present in your deployment:
    • cc.mutual_tls.ca_cert: PEM-encoded CA certificate for secure, mutually authenticated TLS communication
    • cc.mutual_tls.public_cert: PEM-encoded certificate for secure, mutually authenticated TLS communication
    • cc.mutual_tls.private_key: PEM-encoded key for secure, mutually authenticated TLS communication

CVEs

  • None

Subcomponent Updates

Compatible Releases and Stemcells

CF 253

28 Feb 23:45

Contents

Notices

  • Preparatory manifest changes: Both CF 253 and Diego 1.8.1 include changes to the manifest generation scripts that introduce the following line in a number of places:

    consumes: { consul: nil }

    This will allow the consul job to start providing a bosh link without having that link be consumed by the various consul jobs in the deployment. CF 254 will introduce a version of consul that requires these changes to the manifest, so please ensure that you deploy CF 253 and Diego 1.8.1 first before moving on to CF 254.

Job Spec Changes

  • cf-networking-release: If you are deploying cf-networking-release (which is still experimental), there will be some necessary changes to your manifest.

  • statsd-injector: To successfully deploy statsd-injector (part of loggregator), you'll need to generate the following properties:

    • loggregator.tls.statsd_injector.cert
    • loggregator.tls.statsd_injector.key

    You can generate this keypair using this script. You'll need to provide the certificate and key for the CA that was used to sign the other loggregator certs. The certificate for that CA can also be found in loggregator.tls.ca. Deployers should have the private key stored securely.

  • The included version of Loggregator restricts TLS cipher suites to the following four. This is a breaking change for some operators; a configurable property for opting in to additional cipher suites was introduced in Loggregator 85:
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

CVEs

  • None

Subcomponent Updates

Compatible Releases and Stemcells

CF 252

10 Feb 17:46

Contents

Notices

  • Manifest changes: netman-release has been renamed to cf-networking-release. If you're deploying netman-release (which is still experimental), there will be some necessary changes to your manifest.
  • Slow API responses during deployment: Cloud Controller will be performing a migration on the events table to allow tracking additional user information on audit events. Because this table is often very large, some requests may be slower than normal. Additionally, there is a change to background processing that may cause asynchronous requests such as app and space deletion to take slightly longer until workers finish deploying.
  • The default transport for syslog_daemon_config has changed from TCP to UDP for both the metron_agent and metron_agent_windows jobs. This change was done on the metron_agent_windows job to enable Windows to write syslog. The change was also made to the metron_agent job to remain consistent between the two. These changes result in the same behavior for mixed windows and linux deployments. If you require TCP transport for component logs, you will need to explicitly set the property syslog_daemon_config.transport to tcp in your deployment manifest. Otherwise your syslog server will have to be configured to accept syslog over UDP.
  • The included version of Loggregator restricts TLS cipher suites to the following four. This is a breaking change for some operators; a configurable property for opting in to additional cipher suites was introduced in Loggregator 85:
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Job Spec Changes

  • Cloud Controller now requires SSL configuration with the following properties. The CA cert should match the Diego BBS CA cert, and that CA should be used to sign the newly required public cert:
    • cc.mutual_tls.ca_cert: PEM-encoded CA certificate for secure, mutually authenticated TLS communication
    • cc.mutual_tls.public_cert: PEM-encoded certificate for secure, mutually authenticated TLS communication
    • cc.mutual_tls.private_key: PEM-encoded key for secure, mutually authenticated TLS communication
  • Postgres v10 job spec changes
  • Loggregator now requires properties set for mutual auth with Cloud Controller. This is used for retrieving application names for inclusion in syslog drains and is set with the following new properties.
    • loggregator.tls.syslogdrainbinder.cert: TLS certificate for syslogdrainbinder, signed by diego bbs CA
    • loggregator.tls.syslogdrainbinder.key: TLS key for syslogdrainbinder, signed by diego bbs CA
    • Use <diego-bbs-ca.crt> and <diego-bbs-ca.key> when running generate-loggregator-certs. The diego BBS CA cert and key are typically generated separately from this script.
    • See the Loggregator README for more details on the new flag
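As an added pre-deploy check that is not part of cf-release or any of its components: the Python lint below walks a manifest's properties block and reports which of the TLS properties that v251 (Metron cert and key, Loggregator CA), v252 (Cloud Controller mutual TLS, syslogdrainbinder), v253 (statsd_injector) and v256 (cc_uploader, router status password) made required are missing, empty, or not the expected kind of PEM, and it models the v250 workaround for directors older than BOSH v257. The nested-dict manifest, the fake_pem placeholder material and the version-keyed table are constructed assumptions for this example; PEM values are only sanity-checked, not cryptographically verified.

```python
"""Lint the TLS job-spec properties that cf-release v251..v256 made required.

Constructed example for this page, not cf-release code. Property names and the
version at which each became required are taken from the release notes above.
"""
import base64
import re

# (property path, expected kind), keyed by the cf-release version that
# introduced the requirement.
REQUIRED_BY_VERSION = {
    251: [("loggregator.tls.ca", "cert"),
          ("loggregator.tls.metron.cert", "cert"),
          ("loggregator.tls.metron.key", "key")],
    252: [("cc.mutual_tls.ca_cert", "cert"),
          ("cc.mutual_tls.public_cert", "cert"),
          ("cc.mutual_tls.private_key", "key"),
          ("loggregator.tls.syslogdrainbinder.cert", "cert"),
          ("loggregator.tls.syslogdrainbinder.key", "key")],
    253: [("loggregator.tls.statsd_injector.cert", "cert"),
          ("loggregator.tls.statsd_injector.key", "key")],
    256: [("router.status.password", "secret"),
          ("capi.cc_uploader.cc.ca_cert", "cert"),
          ("capi.cc_uploader.cc.client_cert", "cert"),
          ("capi.cc_uploader.cc.client_key", "key")],
}

# v250 on a BOSH director older than v257: these must exist but may be "".
V250_PLACEHOLDERS = ("cc.mutual_tls.ca_cert", "cc.mutual_tls.public_cert",
                     "cc.mutual_tls.private_key")

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*([A-Za-z0-9+/=\s]*?)\s*-----END \1-----")


def lookup(props, path):
    """Resolve a dotted property path in a nested dict; None if absent."""
    node = props
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def pem_problem(value, kind):
    """Describe why value is not acceptable PEM of the given kind, or None if it is."""
    if not isinstance(value, str) or not value.strip():
        return "missing or empty"
    m = PEM_RE.fullmatch(value.strip())
    if not m:
        return "not a single PEM block"
    label, body = m.group(1), re.sub(r"\s+", "", m.group(2))
    if kind == "cert" and label != "CERTIFICATE":
        return f'label "{label}" is not a certificate'   # e.g. a key pasted into a cert slot
    if kind == "key" and not label.endswith("PRIVATE KEY"):
        return f'label "{label}" is not a private key'
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:                                   # binascii.Error is a ValueError
        return "invalid base64"
    if not der or der[0] != 0x30:                        # DER certs and keys start with SEQUENCE
        return "body is not DER (no leading SEQUENCE)"
    return None


def lint(props, cf_version, bosh_version):
    """Return findings for deploying cf-release cf_version on BOSH director bosh_version."""
    findings = []
    for since, entries in sorted(REQUIRED_BY_VERSION.items()):
        if cf_version < since:
            continue
        for path, kind in entries:
            value = lookup(props, path)
            if kind == "secret":
                problem = None if isinstance(value, str) and value else "missing or empty"
            else:
                problem = pem_problem(value, kind)
            if problem:
                findings.append(f"{path}: required since v{since}, {problem}")
    if cf_version == 250 and bosh_version < 257:
        for path in V250_PLACEHOLDERS:
            if lookup(props, path) is None:
                findings.append(f'{path}: must be present (may be "") on BOSH director < v257')
    return findings


def fake_pem(label):
    """Constructed placeholder PEM (a minimal DER SEQUENCE); not a real cert or key."""
    body = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample manifest properties with three deliberate defects.
SAMPLE_PROPERTIES = {
    "loggregator": {"tls": {
        "ca": fake_pem("CERTIFICATE"),
        "metron": {"cert": fake_pem("CERTIFICATE"), "key": fake_pem("RSA PRIVATE KEY")},
        "syslogdrainbinder": {"cert": fake_pem("CERTIFICATE"), "key": fake_pem("RSA PRIVATE KEY")},
        "statsd_injector": {"cert": fake_pem("CERTIFICATE"), "key": fake_pem("RSA PRIVATE KEY")}}},
    "cc": {"mutual_tls": {"ca_cert": fake_pem("CERTIFICATE"),
                          "public_cert": fake_pem("RSA PRIVATE KEY"),  # key pasted into cert slot
                          "private_key": fake_pem("RSA PRIVATE KEY")}},
    "router": {"status": {"password": ""}},                           # required by v256, empty
    "capi": {"cc_uploader": {"cc": {"ca_cert": fake_pem("CERTIFICATE"),
                                    "client_cert": fake_pem("CERTIFICATE")}}},  # client_key missing
}

if __name__ == "__main__":
    for finding in lint(SAMPLE_PROPERTIES, cf_version=256, bosh_version=261):
        print(finding)
```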

CVEs

  • Stacks version 1.99.0, included in v252, is vulnerable to USN-3193-1

Subcomponent Updates

Compatible Releases and Stemcells

v251

19 Jan 20:49

The cf-release v251 was released on January 18, 2017.

Contents:

CC and Service Broker APIs

Contains CAPI release v1.15.0. Release notes for v1.15.0

Identity

No Changes

Routing

routing-release bumped to 0.143.0

Loggregator

Updated from v70 to v74.02

Deprecated Debug Flags

This release includes the deprecation of the following debug flags. These flags use the gosteno library and produce debug logs for every single log and metric event, which hides the useful debug information produced without a flag. The deprecated flags are:

  • traffic_controller.debug
  • doppler.debug
  • metron_agent.debug
  • syslog_drain_binder.debug

New Certificates Required

In order to secure the transport of log messages going forward, Loggregator will require the Metron cert and key as well as the Loggregator CA cert. You won't be able to deploy this and future versions of Loggregator if you don't have these configured. See our README for specifics on generating and setting up your certs.

New Features & Bug Fixes

  • Improved service discovery for Dopplers
  • Encrypted log transport Metron->Doppler (via gRPC)
  • Pooled connections from Metron->Doppler (via gRPC)
  • Changed retry strategy for connecting to etcd
  • Fixed an issue where Metron failed over to UDP if provided with invalid certs. TrafficController and Doppler no longer panic if provided with invalid certs.

Buildpacks and Stacks

stacks

updated to 1.96.0 (from 1.95.0)

1.96.0

USN-3172-1 Ubuntu Security Notice USN-3172-1:

  • CVE-2016-9131: A malformed response to an ANY query can cause an assertion failure during recursion
  • CVE-2016-9147: An error handling a query response containing inconsistent DNSSEC information could cause an assertion failure
  • CVE-2016-9444: An unusually-formed DS record response could cause an assertion failure

binary-buildpack

updated to v1.0.7 (from v1.0.5)

v1.0.7

  • Add new version warning to binary buildpack

dotnet-core-buildpack

updated to v1.0.9 (from v1.0.6)

v1.0.9

  • Add warning if downloaded dependency is not the latest patch version for a
    given major and minor version
  • Add warning if buildpack version used to stage an app changes
  • Add node 6.9.4, remove node 6.9.2
  • Add .NET SDK 1.0.0-preview4-004233

Default binary versions: node 6.9.4, bower 1.8.0, dotnet 1.0.0-preview2-003156

From v1.0.8 and v1.0.7

  • Fix self contained app regression (#128)
  • Add warning if app was previously staged with a different version of
    the buildpack
  • Add .NET SDK 1.0.0-preview2-003156, remove .NET SDK 1.0.0-preview2-003121
    • Make .NET SDK 1.0.0-preview2-003156 the default SDK version
  • Add .NET Core framework 1.0.3
  • Allow project paths in .deployment file to start with ./
  • Store process id in the PID environment variable
  • Add MSBuild support
  • Add F# support
  • Package .NET Core runtimes and install separately from .NET Core SDK
  • Add node 6.9.2, remove node 6.9.1
  • Allow custom library path

go-buildpack

updated to v1.7.17 (from v1.7.16)

v1.7.17

  • Add warning if downloaded dependency is not the latest patch version for a
    given major and minor version
  • Add warning if buildpack version used to stage an app changes
  • Add godep v76, remove godep v75

Default binary versions: go 1.7.4

java-buildpack

updated to v3.11 (from v3.10)

v3.11

I'm pleased to announce the release of the java-buildpack, version 3.11. This release features the addition of support for the Dyadic EKM. This release also disables (but does not remove) support for AppDynamics due to the fact that the Cloud Foundry Foundation cannot legally distribute the AppDynamics agent. This support can be reenabled by providing the agent and updating the configuration via environment variables or a fork.

For a more detailed look at the changes in 3.11, please take a look at the commit log. Packaged versions of the buildpack, suitable for use with create-buildpack and update-buildpack, can be found attached to this release.

nodejs-buildpack

updated to v1.5.27 (from v1.5.24)

v1.5.27

  • Catch exceptions from buildpack version warning scripts
    • Under some non-standard CF deployment configurations, it was possible for these scripts to
      error out. As they are purely informative, this should never happen.

Default binary versions: node 4.7.2

From v1.5.26 and v1.5.25

  • Add warning if downloaded dependency is not the latest patch version for a
    given major and minor version
  • Add new version warning to nodejs buildpack
  • Yarn support added, activated if yarn.lock file present
  • Add node 7.4.0, 7.3.0 remove node 7.2.1, 7.2.0, 7.1.0
  • Add node 6.9.4, 6.9.3 remove node 6.9.2, 6.9.1, 6.9.0
  • Add node 4.7.2, 4.7.1, remove node 4.7.0, 4.6.2, 4.6.1
  • Add node 0.12.18, remove node 0.12.16

Default binary versions: node 4.7.0

php-buildpack

updated to v4.3.25 (from v4.3.23)

v4.3.25

  • Add warning if downloaded dependency is not the latest patch version for a
    given major and minor version
  • Add new version warning to PHP buildpack
  • Add composer 1.3.0, remove composer 1.2.4
  • Add nginx 1.11.8, remove nginx 1.11.7
  • Add httpd 2.4.25, remove httpd 2.4.23

Default binary versions: php 5.5.38, composer 1.3.0, httpd 2.4.25, newrelic 6.3.0.161, nginx 1.11.8

From v4.3.24

  • Add PHP 7.0.14, remove PHP 7.0.12
  • Add PHP 5.6.29, remove PHP 5.6.27
  • Add nginx 1.11.7, remove nginx 1.11.6
  • Use rebuilt HTTPD 2.4.23 with proper LDAP support
  • Add composer 1.2.4, remove composer 1.2.2

python-buildpack

updated to v1.5.14 (from v1.5.13)

v1.5.14

  • Add warning if downloaded dependency is not the latest patch version for a
    given major and minor version
  • Add warning if buildpack version used to stage an app changes
  • Add python 3.6.0
  • Add python 2.7.13, remove python 2.7.11
  • Update setuptools version to 32.1.0
  • Update miniconda to 4.2.12
  • Update pip version to 9.0.1

Default binary versions: python 2.7.12

ruby-buildpack

updated to v1.6.32 (from v1.6.29)

v1.6.32

  • Add warning if downloaded dependency is not the latest patch version for a
    given major and minor version
  • Add new version warning to Ruby buildpack
  • Add bundler 1.13.7, remove bundler 1.13.6
  • Add ruby 2.4.0
  • Add node 4.7.2, remove node 4.7.0

Default binary versions: ruby 2.3.3, node 4.7.2

From v1.6.30

  • Add jruby 9.1.5.0, remove jruby 9.1.2.0
  • Add node 4.7.0, remove node 4.6.2
    ...

v250

23 Dec 19:41

The cf-release v250 was released on December 22, 2016.

IMPORTANT

  • The CAPI Release included in CF-250 has several new manifest properties that aren’t meant to be required yet. We’ve discovered an issue with BOSH directors before v257 where these properties must still be set. One of the following workarounds should be applied:
    • Upgrade your BOSH deployment to v257 or later
    • Set the following properties to "" in your CF deployment manifest: cc.mutual_tls.ca_cert, cc.mutual_tls.public_cert, and cc.mutual_tls.private_key
  • The Loggregator bosh properties for loggregator.tls.metron.cert and loggregator.tls.metron.key do not need to be set for this release. They were added for documentation that a future version of cf-release will require these properties.

The Loggregator release

Contents:

CC and Service Broker APIs

Contains CAPI release v1.14.0. Release notes for v1.12.0, v1.13.0, and v1.14.0

Identity

No Changes

Routing

No changes

Loggregator

No changes

Buildpacks and Stacks

stacks

updated to 1.95.0 (from 1.92.0)

1.95.0

1.94.0

USN-3156-1 Ubuntu Security Notice USN-3156-1:

  • CVE-2016-1252: A man-in-the-middle attacker could circumvent the InRelease signature of a repository, leading to a malicious package being installed and, therefore, remote arbitrary code execution.

1.93.0

dotnet-core-buildpack

updated to v1.0.6 (from v1.0.5)

v1.0.6

Highlights:

  • Add dotnet 1.0.0-preview2-1-003177, remove .NET SDK 1.0.0-preview2-1-003155

Default binary versions: node 6.9.1, bower 1.8.0, dotnet 1.0.0-preview2-003131

go-buildpack

updated to v1.7.16 (from v1.7.15)

v1.7.16

Highlights:

  • Add go 1.6.4, 1.7.4, remove go 1.6.2, 1.7.1

Default binary versions: go 1.7.4

nodejs-buildpack

updated to v1.5.24 (from v1.5.23)

v1.5.24

Highlights:

  • Add node 7.2.0, remove node 7.0.0

Default binary versions: node 4.6.2

php-buildpack

updated to v4.3.23 (from v4.3.22)

v4.3.23

Highlights:

  • Add rdkafka for PHP5, ioncube for PHP 7
  • Add nginx 1.11.6, remove nginx 1.11.5
  • Add php 5.6.28, 7.0.13, remove php 5.6.26, 7.0.11

Default binary versions: php 5.5.38, composer 1.2.2, httpd 2.4.23, newrelic 6.3.0.161, nginx 1.11.6

python-buildpack

updated to v1.5.13 (from v1.5.12)

v1.5.13

Default binary versions: python 2.7.12

ruby-buildpack

updated to v1.6.29 (from v1.6.28)

v1.6.29

Highlights:

  • Add ruby 2.1.10, 2.2.6, 2.3.2, 2.3.3, remove ruby 2.1.8, 2.2.4, 2.3.1

Default binary versions: ruby 2.3.3, node 4.6.2

staticfile-buildpack

updated to v1.3.14 (from v1.3.13)

v1.3.14

Highlights:

  • Enable 'Vary: Accept-Encoding' header
  • Add nginx 1.11.6, remove nginx 1.11.5

Default binary versions: nginx 1.11.6

DEA-Warden-HM9000 Runtime

This section will be updated soon. If this section is not yet up-to-date, please reach out for information:

Internal Components

postgres-release (includes postgres job)

  • No changes

etcd-release (includes etcd and etcd_metrics_server jobs)

  • No changes

consul-release (includes consul_agent job)

  • Bumped from v135 to v145. Functional changes:
    • Now includes consul 0.7.1 (was 0.7.0)
    • Changes to support running consul_agent on Windows in client mode.

nats-release (includes nats and nats_stream_forwarder jobs)

  • No changes.

Recommended Versions of Additional Releases

These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.

Job Spec Changes

Recommended BOSH Stemcell Version

  • 3312.12

Note: For AWS you should use the Xen-HVM stemcells rather than Xen.

These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.

v249

10 Dec 07:19

The cf-release v249 was released on December 10, 2016.

Important

login.saml.serviceProviderKeyPassword:
description: "Password to protect the service provider private key."

Contents:

CC and Service Broker APIs

Contains CAPI release v1.11.0. Release notes for v1.11.0

Identity

UAA Release bumped to v24 aka UAA Release v3.9.3

Routing

Routing-release was bumped to 0.142.0

Loggregator

This section will be updated soon. If this section is not yet up-to-date, please reach out for information:

  • Updated to golang 1.7.4
  • Improved Cipher Suites
  • Update to TLS versions being used

Buildpacks and Stacks

  • No changes

DEA-Warden-HM9000 Runtime

  • No changes

Internal Components

postgres-release (includes postgres job)

  • No changes

etcd-release (includes etcd and etcd_metrics_server jobs)

  • Bumped from v86 to v87. Functional changes:
    The proxy for TLS migration now responds to /v2/members, fixing an issue in consumers that get peers via the API instead of via bosh properties.

consul-release (includes consul_agent job)

  • No changes.

nats-release (includes nats and nats_stream_forwarder jobs)

  • No changes.

Recommended Versions of Additional Releases

These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.

Job Spec Changes

Recommended BOSH Stemcell Versions

  • real IaaS: 3312.7
  • BOSH-Lite: 3312.7

Note: For AWS you should use the Xen-HVM stemcells rather than Xen.

These are soft recommendations; several different versions of the stemcells are likely to work fine with this version of cf-release and the corresponding versions of the additional releases listed above.

v248

06 Dec 01:46

The cf-release v248 was released on December 02, 2016.

IMPORTANT

BACKWARDS INCOMPATIBLE CHANGES

Starting with this release UAA no longer provides default values for the SAML Service Provider Certificate and JWT Signing Key as a security best practice. These need to be generated explicitly per deployment of UAA and are required for proper start-up and functioning of UAA.

These are standard artifacts which can be generated using openssl. Please refer to the topic here on how to generate a self-signed cert.

Please refer here for more details.

Contents:

CC and Service Broker APIs

Contains CAPI release v1.11.0. Release notes for v1.11.0

Identity

This release includes UAA 3.9.2

Routing

No changes

Loggregator

This section will be updated soon. If this section is not yet up-to-date, please reach out for information:

Buildpacks and Stacks

stacks

updated to 1.92.0 (from 1.90.0)

1.92.0

USN-3142-1 Ubuntu Security Notice USN-3142-1:

USN-3139-1 Ubuntu Security Notice USN-3139-1:

  • CVE-2016-1248: vim before patch 8.0.0056 does not properly validate values for the 'filetype', 'syntax' and 'keymap' options, which may result in the execution of arbitrary code if a file with a specially crafted modeline is opened.

USN-3134-1 Ubuntu Security Notice USN-3134-1:

  • CVE-2016-0772: The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
  • CVE-2016-1000110: use of HTTP_PROXY flag supplied by attacker in CGI scripts
  • CVE-2016-5636: Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.
  • CVE-2016-5699: CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.

USN-3132-1 Ubuntu Security Notice USN-3132-1:

USN-3131-1 Ubuntu Security Notice USN-3131-1:
(81 CVEs addressed, see USN link)

1.91.0

dotnet-core-buildpack

updated to v1.0.5 (from v1.0.4)

v1.0.5

  • Add bower 1.8.0, remove bower 1.7.9
  • Serve libunwind from buildpacks.cloudfoundry.org

Default binary versions: node 6.9.1, bower 1.8.0, dotnet 1.0.0-preview2-003131

go-buildpack

updated to v1.7.15 (from v1.7.14)

v1.7.15

  • Ensure all downloaded binaries have checksums verified
  • Add godep v75, remove godep v74

Default binary versions: go 1.6.3

nodejs-buildpack

updated to v1.5.23 (from v1.5.22)

v1.5.23

  • Add node 7.1.0, 7.0.0, 6.9.1, 4.6.2
  • Remove node 6.8.1, 4.6.0, 0.10.47 (EOL), 0.10.48 (EOL)
  • Ensure all downloaded binaries have checksums verified
  • Remove vendored node binary executable

Default binary versions: node 4.6.2

php-buildpack

updated to v4.3.22 (from v4.3.21)

v4.3.22

  • Ensure all downloaded binaries have checksums verified
  • Add composer 1.2.2, remove composer 1.2.1
  • Add APCu support to all PHP versions
  • Warn and error when composer.json or composer.lock has invalid format
  • Add support for phpiredis and phpredis in PHP7

Default binary versions: php 5.5.38, composer 1.2.2, httpd 2.4.23, newrelic 6.3.0.161, nginx 1.11.5

python-buildpack

updated to v1.5.12 (from v1.5.11)

v1.5.12

  • Ensure all downloaded binaries have checksums verified

Default binary versions: python 2.7.12

ruby-buildpack

updated to v1.6.28 (from v1.6.27)

v1.6.28

  • Add node 4.6.2, remove node 4.6.1
  • Add bundler 1.13.6, remove bundler 1.13.5
  • Add openjdk 1.8.0_111, remove openjdk 1.8.0_101
  • Ensure all downloaded binaries have checksums verified

Default binary versions: ruby 2.3.1, node 4.6.2

staticfile-buildpack

updated to v1.3.13 (from v1.3.12)

v1.3.13

  • Option to enable hosting of hidden dot-files
  • Enable HSTS support
  • Don't write hashed credentials from Staticfile.auth to the logs

DEA-Warden-HM9000 Runtime

This section will be updated soon. If this section is not yet up-to-date, please reach out for information:

Internal Components

postgres-release (includes postgres job)

  • No changes

etcd-release (includes etcd and etcd_metrics_server jobs)

  • Bumped from vXX to vXX. Functional changes:

consul-release (includes consul_agent job)

  • Bumped from vXX to vXX. Functional changes:

nats-release (includes nats and nats_stream_forwarder jobs)

  • No changes

Recommended Versions of Additional Releases

These versions are soft recommendations, as several different versions of these releases may work correctly with this version of cf-release.
