Buildpacks PMC - 2015-11-09 Notes

Mike Dalessio

Hello CF community!

Here is an update from the Buildpacks PMC, as of 2015-11-09. The full notes
are available at:

but I've reproduced them below for your convenience.

Note that in addition to the releases below, we'll also be cutting a
cflinuxfs2 release today to include a recent CVE update.

We've been continuing to make updates to the cflinuxfs2 rootfs at least
weekly, with additional turnaround of CVE updates within 48 hours.

Released cflinuxfs2 versions 1.10.0, 1.11.0, 1.12.0, 1.13.0, 1.14.0, and
1.15.0, addressing:

USN-2788-1, "unzip vulnerabilities", which is related to:

- CVE-2015-7696 "Heap buffer overflow when extracting password-protected
- CVE-2015-7697 "Infinite loop when extracting password-protected

USN-2787-1, "audiofile vulnerability", which is related to:

- CVE-2015-7747 "made to crash or run programs as your login if it
opened a specially crafted file"

USN-2767-1, "GDK-PixBuf vulnerabilities", which is related to:

- CVE-2015-7673 "overflow and DoS with a tga file in gdk-pixbuf < 2.32.1"
- CVE-2015-7674 "overflow with a gif file in gdk-pixbuf < 2.32.1"


Continuing on the track of work to provide a "chain of custody" for
everything shipped in the buildpacks, each buildpack released is now
published with a SHA256 checksum in the release notes.
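A published checksum only closes the custody chain if operators actually compare it before uploading the zip with `cf create-buildpack`. The script below is an added example for this page, not buildpack team tooling: it hashes a downloaded release zip with whatever SHA256 tool the host has (`sha256sum` on Linux, `shasum -a 256` on macOS are assumed) and refuses to report success unless the digest matches the value copied from the release notes, case-insensitively.

```shell
#!/bin/sh
# Verify a downloaded buildpack zip against the SHA256 published in its
# GitHub release notes. Added example; not the buildpacks team's own code.
# Assumes either GNU coreutils sha256sum or BSD/macOS shasum is installed.

# sha256_of FILE -> prints the lowercase hex digest of FILE
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED_HEX -> returns 0 on match, 1 on mismatch.
# The expected digest is normalised to lowercase so a value pasted from
# the release notes in upper case still compares equal.
verify_sha256() {
  file="$1"
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK   $file $actual"
    return 0
  fi
  echo "FAIL $file expected=$expected actual=$actual" >&2
  return 1
}

# Stand-alone use: ./verify.sh <buildpack.zip> <sha256-from-release-notes>
if [ "$#" -eq 2 ]; then
  verify_sha256 "$1" "$2"
fi
```

Chain the check in front of the upload so a mismatch stops the deploy, for example `./verify.sh go_buildpack-cached-v1.6.3.zip "$EXPECTED" && cf create-buildpack go_buildpack go_buildpack-cached-v1.6.3.zip 1` (the zip name here is an assumed example, not taken from a release page). The hash is only as trustworthy as the page you copied it from, so read it from the GitHub release notes over HTTPS rather than from the same mirror that served the zip.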

Released v1.6.3, adding support for Go 1.4.1 for upgrade paths, adding a
Godep binary to the manifest, and supporting the linker's -X option format
for go1.5.

In the last set of PMC notes, it was proposed to drop golang v1.2.x and
v1.3.x, and no objections were raised. We'll be scheduling work on this over
the next few

We're also in the process of sending pull requests back upstream to godep and
to the go-buildpack to allow "wildcarding" of golang versions, meaning that
"1.4.*" would use the most recent matching golang version. This would make
more palatable the "skinny buildpack" policy of only providing the two
most-recent supported versions on a major/minor branch. See GH#22 for
details.
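To make concrete what "1.4.*" resolving to the most recent matching version means, here is an added example (not the go-buildpack's or godep's implementation, and not the upstream pull request) that takes a wildcard pattern and the list of versions a buildpack actually ships and picks the newest match. It compares versions numerically field by field rather than as strings, so 1.4.10 correctly beats 1.4.9; the pattern is treated as a shell glob, which is an assumption of this example.

```shell
#!/bin/sh
# Resolve a wildcarded Go version such as "1.4.*" to the newest version in a
# list. Added example for illustration; not the go-buildpack's own code.
# Assumes plain dotted numeric versions (1.4.3, 1.5.1) and that the pattern
# uses shell-glob syntax ("1.4.*", "1.5.1", or "*").

# version_gt A B -> true (0) if dotted version A is numerically newer than B.
# Missing fields count as 0, so 1.5 and 1.5.0 compare equal.
version_gt() {
  a="$1." b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}" y="${b%%.*}"
    a="${a#*.}" b="${b#*.}"
    x="${x:-0}" y="${y:-0}"
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 1
}

# resolve_version PATTERN VERSION... -> prints the newest version matching
# PATTERN; returns 1 (prints nothing) if no shipped version matches.
resolve_version() {
  pattern="$1"; shift
  best=""
  for v in "$@"; do
    case "$v" in
      $pattern) ;;        # glob match: 1.4.* matches 1.4.1, not 1.5.1
      *) continue ;;
    esac
    if [ -z "$best" ] || version_gt "$v" "$best"; then
      best="$v"
    fi
  done
  [ -n "$best" ] || return 1
  printf '%s\n' "$best"
}

# Stand-alone use: ./resolve.sh '1.4.*' 1.4.1 1.4.3 1.5.1   -> 1.4.3
if [ "$#" -ge 2 ]; then
  resolve_version "$@"
fi
```

The failure case matters under the "skinny buildpack" policy described above: if only the two most recent versions per major/minor branch ship, an app pinned to an exact version such as 1.4.1 stops resolving as soon as that version is dropped, while "1.4.*" keeps resolving to whatever 1.4.x remains. The non-match path returns 1 rather than silently falling back to some other branch, which is the behaviour you want from a version resolver in a staging pipeline.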

Released v3.3.1. This release contains a new debug framework and ensures that
the dependencies contained in the offline buildpack are up to date.

Released nodejs-buildpack v1.5.1, which adds support for Node 4.2.x LTS,
emits buildpack details from bin/detect, and merges many commits from
upstream.

In the last PMC notes, it was proposed to add node.js 4.x support via static
linking of dependencies. This work was completed and shipped in
nodejs-buildpack v1.5.1 as noted above.

Released v4.2.1, v4.2.0, and v4.1.5, which collectively update nginx to
v1.9.6, update httpd to 2.4.17, add support for PHP 5.6.16 and 5.5.30, and
drop support for PHP 5.4.x (which has been EOLed).

In the last PMC notes, it was proposed to remove nginx 1.6 from the buildpack
while continuing to support nginx 1.8 and 1.9, and no objections were
raised. We'll schedule work on this change.

Released v1.6.8, which updates JRuby to, and updates OpenJDK to 1.8.0_65.

Released v1.2.2, which improves error messages and log messages, and emits
buildpack details from bin/detect.

Some performance analysis was done of the staticfile-buildpack after
cf-release v221's increase of ip_conntrack_max, and the results may be
interesting to readers. Details are in this tracker story, but the TL;DR is
that we saturated the testing network before we hit nginx bottlenecks. Peak
performance for 1KB payloads was in excess of 1400 requests/second

