This repository was archived by the owner on Jan 21, 2022. It is now read-only.

CF 256

@dsabeti dsabeti released this 12 Apr 00:40
· 559 commits to master since this release

Notices

  • If you are already running GrootFS, updating it to v0.16.0 will require recreating the Diego cells.
  • The Postgres job will upgrade PostgreSQL to version 9.6.2.
    NOTE: This drops support for upgrading from PostgreSQL 9.4.5.
    Only upgrades from PostgreSQL 9.4.6 (since cf v232) and PostgreSQL 9.4.9 (since cf v241) are supported.
    Before deploying, please review the considerations at postgres-release v15.
  • If you are running cf-networking-release, the value for cf_networking.garden_external_networker.cni_plugin_dir must be updated to /var/vcap/packages/silk/bin

Job Spec Changes

  • The router status endpoint is no longer optional. As such, router.status.password (which has been configurable for a long time) is now required.
  • cc_uploader now requires the following properties to be configured:
    • properties.capi.cc_uploader.cc.ca_cert
    • properties.capi.cc_uploader.cc.client_cert
    • properties.capi.cc_uploader.cc.client_key
      Diego manifest generation (as of Diego 1.11.0) has already required these properties to be configured, so it's likely that most deployers have already set these values. For deployers building their manifests some other way, these properties are now required by the components themselves.
  • In the postgres job, the default value for databases.monit_timeout has been changed to 90 seconds.
  • The included version of Loggregator restricts TLS cipher suites to only the following 4. This is a breaking change for some operators; a configurable property for opting into more cipher suites was introduced in Loggregator 85.
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Security Notices

Affecting v256

None recorded as of 2017-04-11.

Resolved in v256

  • CVE-2017-4970 in Staticfile buildpack versions v1.4.0 – v1.4.3 (high severity)

Known Issues

  • Users who belong to any space containing a user-provided service instance are unable to view any specific service plan (/v2/service_plans/:guid). Users are still able to view the marketplace and provision service instances.

Subcomponent Updates

Compatible Releases and Stemcells

  • diego-release: v1.12.0. Release notes for v1.12.0.
  • garden-runc-release: v1.4.0. Release notes for v1.4.0.
  • cflinuxfs2-rootfs release: v1.60.0. Release notes for v1.60.0.
  • cf-networking-release: v0.19.0. Release notes for v0.19.0.
  • grootfs-release: v0.16.0. Release notes for v0.16.0. If you are already running GrootFS, updating it to v0.16.0 will require recreating the Diego cells.
  • stemcell: 3363.15