[Urgent] High severity vulnerability in PHP versions included in the PHP buildpack

Stephen Levine

Hi All,

If you use the PHP buildpack in Cloud Foundry, please see below.

NOTICE: Multiple upstream vulnerabilities have been discovered in all supported PHP versions in the PHP buildpack. MS-ISAC reports that the most severe of these vulnerabilities could allow an attacker to execute arbitrary code. An attacker could take advantage of this type of vulnerability to steal credentials, modify application code, cause a denial of service attack, or take other malicious actions.

ACTION: As soon as possible: Upgrade the PHP buildpack to version 4.3.53. Confirm that PHP apps are configured to use PHP 7.2.5, PHP 7.1.17, PHP 7.0.30, or PHP 5.6.36. Re-stage all PHP apps.


Thanks,
Stephen
CF Buildpacks PM
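The ACTION above amounts to three checks per app: the buildpack is at least 4.3.53, the pinned PHP version (if any) is at or above the fixed release for its minor line, and the app has been re-staged. The script below is an added example for auditing an app inventory against those rules; it is not Cloud Foundry or PHP buildpack code. It assumes the PHP version is taken from the app's `.bp-config/options.json` `PHP_VERSION` key, which the PHP buildpack reads either as a literal `x.y.z` or as a `{PHP_XX_LATEST}` / `{PHP_DEFAULT}` placeholder resolved at staging, and that you have collected each app's name, buildpack version and options file by other means (for example from `cf curl` and the app's repository). The sample inventory is constructed for illustration.

```python
import json
import re

# Versions named in the advisory.
FIXED_BUILDPACK = (4, 3, 53)
FIXED_PHP = {
    (7, 2): (7, 2, 5),
    (7, 1): (7, 1, 17),
    (7, 0): (7, 0, 30),
    (5, 6): (5, 6, 36),
}

# Placeholders the PHP buildpack accepts in .bp-config/options.json (assumed
# here); they resolve against the buildpack's own manifest at staging time, so a
# fixed buildpack plus a re-stage yields a fixed PHP.
PLACEHOLDERS = {
    "{PHP_DEFAULT}", "{PHP_72_LATEST}", "{PHP_71_LATEST}",
    "{PHP_70_LATEST}", "{PHP_56_LATEST}",
}


def parse_version(text):
    """'4.3.53' -> (4, 3, 53); raises ValueError on anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not an x.y.z version: {text!r}")
    return tuple(int(part) for part in m.groups())


def check_app(name, buildpack_version, options_json):
    """Return (ok, reason). ok means a re-stage is the only action still needed."""
    if parse_version(buildpack_version) < FIXED_BUILDPACK:
        return False, (f"{name}: buildpack {buildpack_version} is below 4.3.53; "
                       "upgrade the buildpack, then re-stage")
    raw = json.loads(options_json).get("PHP_VERSION") if options_json else None
    if raw is None or raw in PLACEHOLDERS:
        return True, f"{name}: PHP version resolved by the buildpack at staging; re-stage to pick up the fix"
    php = parse_version(raw)
    line = php[:2]
    if line not in FIXED_PHP:
        return False, f"{name}: PHP {raw} is not a line the fixed buildpack ships; move to a supported line"
    if php < FIXED_PHP[line]:
        fixed = ".".join(map(str, FIXED_PHP[line]))
        return False, f"{name}: PHP pinned to {raw}, below fixed {fixed}; update options.json, then re-stage"
    return True, f"{name}: PHP {raw} is at or above the fixed release; re-stage"


def audit(apps):
    """apps: iterable of (name, buildpack_version, options_json or None).
    Returns the names that need a change beyond a plain re-stage."""
    return [name for name, bp, opts in apps if not check_app(name, bp, opts)[0]]


# Constructed sample inventory, not real apps.
SAMPLE_APPS = [
    ("billing",  "4.3.53", '{"PHP_VERSION": "{PHP_71_LATEST}"}'),
    ("legacy",   "4.3.53", '{"PHP_VERSION": "5.6.35"}'),   # pinned below 5.6.36
    ("portal",   "4.3.52", '{"PHP_VERSION": "7.2.5"}'),    # old buildpack
    ("api",      "4.3.53", '{"PHP_VERSION": "7.2.5"}'),
    ("intranet", "4.3.53", '{"PHP_VERSION": "5.5.38"}'),   # unsupported line
    ("blog",     "4.3.53", None),                           # no options.json
]

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        print(check_app(*app)[1])
```

Everything the script passes still needs a `cf restage`, since a staged droplet keeps the PHP it was built with until the app is re-staged.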

Re: [Urgent] High severity vulnerability in PHP versions included in the PHP buildpack

Carlo Alberto Ferraris

`cf better-push` can't come fast enough 😢


On Sat, Apr 28, 2018, 11:50 Stephen Levine <slevine@...> wrote:
Hi All,

If you use the PHP buildpack in Cloud Foundry, please see below.

NOTICE: Multiple upstream vulnerabilities have been discovered in all supported PHP versions in the PHP buildpack. MS-ISAC reports that the most severe of these vulnerabilities could allow an attacker to execute arbitrary code. An attacker could take advantage of this type of vulnerability to steal credentials, modify application code, cause a denial of service attack, or take other malicious actions.

ACTION: As soon as possible: Upgrade the PHP buildpack to version 4.3.53. Confirm that PHP apps are configured to use PHP 7.2.5, PHP 7.1.17, PHP 7.0.30, or PHP 5.6.36. Re-stage all PHP apps.


Thanks,
Stephen
CF Buildpacks PM

Re: Minimal CF Install for Demos

Benjamin Gandon <benjamin@...>

I have what you need (on GCP), and more because it is a CF distribution. (You'll find out soon that demoing CF is not just about CF.) 

I've been working on this for almost one year. For the obvious reason that here in France, nobody knows about CF and we desperately needed tools to help in making demos of OSS CF.

It fits in 1 VM only.

So go deploy the GCP flavor of Easy Foundry, as deployed with the Gstack Bosh Environment. There: https://github.com/gstackio/gstack-bosh-environment

Easy Foundry aims at becoming the very first 100% OSS distribution of Cloud Foundry based on BOSH.

And Gstack BOSH Environment (GBE) is an automation framework leveraging (and heavily based on) BOSH 2.0 features.

The global UX with GBE tries to keep it simple:
    $ gbe up # for creating the infrastructure
    $ gbe converge < all | cf > # for converging all deployments towards their expected state (or CF only)

But there are still some preliminary setup steps, first. The GCP setup procedure should definitely work, because it has been my main test case for a long time. Otherwise don't hesitate to give me feedback and ask for support. You'll get it working, I swear!

For everyone reading this post, please note that EF and GBE are still Work In Progress. There are many improvements to make before we reach a Gold release, or start incubation as a CF extension. We welcome feedback and pull requests!

Regards,
/Benjamin GANDON (from my iPhone)
CEO at Gstack (follow us on @_Gstack!)



On 23 Apr 2018 at 23:58, Matt Curry <matt.curry@...> wrote:

Does anyone have a guide for a minimal CF install on AWS or GCP for demo purposes?

In other words, the cheapest and smallest possible working install.

I think that this is the point of CFDev, but I need to be able to run 2 installs side by side, and also need to be able to deploy it to a cloud provider so that it is public facing.

Thanks,

Matt

CF Summit EU contributor reg code

Chip Childers

Hey all,

Whew... we just got done with CF Summit NA in Boston, but it's time to turn towards Europe! For those that don't know, we'll be headed back to Basel Switzerland again this year, October 10 to 12.

Contributors (those that have contributed docs, code, bug reports) are welcome to use the following code to register: CFEU18CONT

More info on the website here: https://www.cloudfoundry.org/event/eusummit2018/ 

See you all there!

-chip
--
Chip Childers
CTO, Cloud Foundry Foundation
1.267.250.0815

Re: CF Summit EU contributor reg code

Chip Childers

Sorry... one correction. The event is Oct 10 and 11, with lots of pre-event activities on the 9th. Sorry about that. :)


On Mon, Apr 30, 2018 at 11:14 AM Chip Childers <cchilders@...> wrote:
Hey all,

Whew... we just got done with CF Summit NA in Boston, but it's time to turn towards Europe! For those that don't know, we'll be headed back to Basel Switzerland again this year, October 10 to 12.

Contributors (those that have contributed docs, code, bug reports) are welcome to use the following code to register: CFEU18CONT

More info on the website here: https://www.cloudfoundry.org/event/eusummit2018/ 

See you all there!

-chip
--
Chip Childers
CTO, Cloud Foundry Foundation
1.267.250.0815

Re: Call for Demos - CF / K8S Integration SIG Meeting

Jain, Ashish

Hi Chip,

Service Fabrik team would like to demonstrate a couple of use cases as below:

  1. BOSH based CF services consumed by K8S apps
  2. Service provisioning on K8S Pods and consumed by CF app

Best regards,

Ashish

From: <cf-dev@...> on behalf of Chip Childers <cchilders@...>
Reply-To: "cf-dev@..." <cf-dev@...>
Date: Thursday, 26 April 2018 at 9:23 PM
To: CF Developers Mailing List <cf-dev@...>
Subject: [cf-dev] Call for Demos - CF / K8S Integration SIG Meeting

During yesterday's CF/K8S SIG meeting, several speakers proposed demo'ing their various efforts during a future call.

I'd like to formally request replies from anyone interested in giving a demo, and we'll work out an agenda for the next (and future) SIG calls based on responses.

So far, I have an offer from SAP for Dobromir Zahariev to demo the work around service catalog sync between CFAR and K8S.

Anyone else willing?

-chip

--
Chip Childers
CTO, Cloud Foundry Foundation
1.267.250.0815

Re: [cf-bosh] CF Summit EU contributor reg code

Swarna Podila

Which means…y’all should plan on joining the Day Zero activities - Cert Exams, User Day (if you’re at an end user organization), unconference, trainings, etc.

-- Swarna Podila
Senior Director, Community | Cloud Foundry Foundation

On Mon, Apr 30, 2018 at 5:31 PM, Chip Childers <cchilders@...> wrote:
Sorry... one correction. The event is Oct 10 and 11, with lots of pre-event activities on the 9th. Sorry about that. :)

On Mon, Apr 30, 2018 at 11:14 AM Chip Childers <cchilders@...> wrote:
Hey all,

Whew... we just got done with CF Summit NA in Boston, but it's time to turn towards Europe! For those that don't know, we'll be headed back to Basel Switzerland again this year, October 10 to 12.

Contributors (those that have contributed docs, code, bug reports) are welcome to use the following code to register: CFEU18CONT

More info on the website here: https://www.cloudfoundry.org/event/eusummit2018/ 

See you all there!

-chip
--
Chip Childers
CTO, Cloud Foundry Foundation
1.267.250.0815


Re: CF Networking support for CNI plugin chaining question

Gabriel Rosenhouse

Last call for Network Integrators: if you have opinions about how we execute CNI configuration, please reach out to our team (#container-networking in Slack, or reply here).

Our first story on this track is here: https://www.pivotaltracker.com/story/show/157025572

Proposal: Network connection stability option in Luna Security Provider in Java Buildpack #cf

Greg Meyer

First of all, a HUGE thank you for the Luna Security Provider framework in the Java buildpack; I can't express enough how much this has eased deployment and configuration for web applications requiring the level of functionality offered by the HSM.

This is a semi-cross post of an issue posted to the Java Buildpack Git repo [1], and I'm soliciting some feedback.

In some networks, the connection to a Luna device may get severed due to various configuration options. In these cases, a Java application using the Luna JCA/JCE provider cannot reconnect without restarting the application.

One possible mitigation is using the TCPKeepAlive option which can be set in the Chrystoki.conf file.  The TCPKeepAlive setting is an optional parameter of the LunaSA Client configuration with 2 possible settings: 0 and 1, where 0 disables it and 1 enables it (the default is 0 if the setting is not present).  I've forked the buildpack and have implemented [2] a candidate mechanism using a new configuration option: tcp_keep_alive_enabled.  There are obviously other ways to provide and implement configuration (ex: leaving the setting absent if the configuration is set to false), so with that said I'm looking for feedback and/or opening up a dialog before submitting a pull request.


[1] https://github.com/cloudfoundry/java-buildpack/issues/584
[2] https://github.com/gm2552/java-buildpack/commit/09a089efca0c94279691eb476ec2447ee09f609a

Service Fabrik 2.0: A pluggable, flexible decoupled Broker architecture proposal

Jain, Ashish

Dear All,

Service Fabrik team is pleased to share the proposal around the next generation architecture for a more flexible, pluggable OSBAPI compliant broker. Since we achieved incubation we have realized that Service Fabrik is opinionated, monolithic in nature and it is tough to integrate other community projects, for example BBR. With this new design Service Fabrik envisions moving from a data driven to an event driven architecture. This would enable Service Fabrik to allow pluggability via bring your own provisioner, which could be a K8S provisioner or a terraform one. And then operate the deployments via bring your own backup/restore mechanism, for example BBR, Shield etc. And which also scales independently for provisioning and operations. More details in the proposal here https://docs.google.com/document/d/1qBtcFEmy0KyF_cSKZ7hn6_tx72k3fgbp_Bf4Zb4lS-4/edit.

We look forward to your opinion/comments/questions.

Best regards,

Ashish

https://github.com/cloudfoundry-incubator/service-fabrik-broker

PS: SF 2.0 was presented during Boston summit, ppt is available here https://cfna18.sched.com/event/DdZu/service-fabrik-20-a-more-pluggable-and-flexible-backing-service-shashank-mohan-jain-ashish-jain-sap?iframe=no&w=&sidebar=yes&bg=no

Announcing BOSH Kube CPI

Michael Maximilien

fyi...

As the cool kids do it these days, see:


The gist is in these links:


PDF of presentation: https://bit.ly/bosh-kube-cpi

We'd love to hear your feedback.

Best,

Dmitriy and Max

CF CLI/GoLang Dropping Support for Legacy Operating Systems #cf

Anand Gaitonde

The GoLang release (1.10) made the following announcement:


Go 1.10 is the last release that will run on OpenBSD 6.0. Go 1.11 will require OpenBSD 6.2.

Go 1.10 is the last release that will run on OS X 10.8 Mountain Lion or OS X 10.9 Mavericks. Go 1.11 will require OS X 10.10 Yosemite or later.

Go 1.10 is the last release that will run on Windows XP or Windows Vista. Go 1.11 will require Windows 7 or later.


While this requires no immediate action for anyone, we would like the users of the CF CLI to be aware that once the CF CLI upgrades to GoLang 1.11, it will no longer support operating systems that GoLang does not support.


Following the GoLang release schedule, Go 1.11 will be released around August 2018, giving affected customers at least six more months to upgrade to a supported version.


If you feel like the CF CLI Team should refrain from upgrading to GoLang 1.11 upon its release, please voice your concerns now and we will adjust our upgrade cycle accordingly.


Additional notes:

  • According to our download stats of the last year, Windows makes up 5.54% and OS X makes up 1.98% of total downloads.

  • Approximately 0.1% of total CF CLI downloads over the last year are made by the affected systems. The overwhelming majority of said downloads are Windows XP.

  • Microsoft dropped support of Windows XP on April 8, 2014.

  • Microsoft dropped support of Vista on April 11, 2017.

  • According to the Apple Security Updates page, the last time Mavericks (10.9) was updated was in March 2017. It has not gotten any security fixes since then.

Re: How can we customized "404 Not Found"

Shannon Coen

Today the CF Routing team added the ability for an Envoy proxy deployed as the edge router for CF (using istio-release) to return a 503 instead of a 404 for a requested route when the mapped app is stopped or crashing. 

We are thrilled as this represents the first new routing feature in Cloud Foundry enabled by our next-gen routing subsystem based on Istio and Envoy. See the attached GIF for a micro-demo. 

While this is test-driven and CI'd functionality, I want to clarify that istio-release is considered experimental/alpha. 

For more on our initiative to leverage Istio and Envoy, see https://docs.google.com/document/d/1LgLY0g39fzpg1_4zTckbH1mOuuSKGvYwp2tkakoe9ys/edit

NOTICE : [nodejs-buildpack] End of Node.js 4.x support after 2018-06-04

Scott Sisil <ssisil@...>

Support for Node.js 4.x will be removed in the first release of the Node.js buildpack after 2018-06-04.


The Node.js Release Working Group ended support for Node.js 4.x on 2018-04-30 [1][2]. We are giving users a 30 day notice before support for Node.js 4.x is officially removed from the Node.js buildpack.  We recommend migrating any applications using release 4.x to LTS releases 6.x, 8.x or 10.x.


Thanks,

Wanted: Cloud Foundry Blog Content

Caitlyn O'Connell

Hi all:

As we unwind after a highly successful Summit, we've been thinking about the type of content we'd like to feature on the Cloud Foundry blog. We have a dearth of Tutorial/How-to content, and we'd like to remedy that.

If you have an awesome, Cloud Foundry-adjacent how-to that you'd like to turn into a tutorial blog, please get in touch with me. And here's a quick reminder on blog publishing protocol:


How to Publish on the Cloud Foundry Blog


Step 1: Draft your post in a Google Doc and share it with Caitlyn, who will make edits/comments.

Step 2: Login to the Cloud Foundry blog with your username and password at https://www.cloudfoundry.org/wp-login.php

Step 3: Draft approved copy and save draft

Step 4: Share any images for the post with Caitlyn via email

Step 5: Caitlyn will make SEO tweaks including categories and keywords, then will schedule the post to go out

Step 6: Cloud Foundry will share the post on social -- and you should too!



Thank you, and please get in touch with content/questions!

Best,
Caitlyn

--
Caitlyn O'Connell
Marketing Communications Manager
Cloud Foundry Foundation
818 439 5079 | @caitlyncaleah

Want to contribute to our blog? Email content@.... 

Interested in how you can try out Cloud Foundry? Read about 2018 certified platforms.

CF CLI Minimum Supported Version

Abby Chau

In order to focus our resources on the most valuable features and bug fixes, the CF CLI team periodically announces the end of support for older Cloud Controller (CC) API versions. The current CF CLI is backwards compatible to CF 203 / CC API 1.23, from March 2015.


Going forward, we want to give users a more predictable annual cycle for cf CLI version support cut-offs so you can plan accordingly. We also want to tighten up this timeline so the CF CLI team can narrow its focus to fewer CC API versions without unduly disrupting your use of CF.


To this end, moving forward, CF CLI will only maintain support as far back as the previous year’s CF Certification, and we've also added additional cushion to enable a more seamless upgrade process. Older CF CLI versions compatible with older CF releases will continue to be available. However, upon the new year, the first CLI release of that year will remove all code pertaining to unsupported releases.


Starting in 2018, CF CLI will only support:

  • Previous Year’s CF Certification: CF Certification 2017

  • CF Release in January 2017: v251 (CAPI Release: 1.15.0 (APIs 2.69.0 and 3.4.0))


Starting in 2019, CF CLI will only support:

  • Previous Year’s CF Certification: CF Certification 2018

  • CF-Deployment Release in January 2018: v1.7.0. (CF Release in January 2018: v284)

  • CAPI Release on January 1st, 2018: 1.46.0 (APIs 2.100.0 and 3.35.0)


The CF CLI team welcomes any feedback you may have regarding this. We can be reached via this email, or on Slack at #cli. Thanks!


Best,


CF CLI team


CF routing-release 0.176.0

Shubha Anjur Tupil

Hi all,

We just released routing release 0.176.0 with features to enable compliance with the EU General Data Protection Regulation (GDPR).


- Operators can now configure a manifest property `router.disable_log_forwarded_for` to disable logging of X-Forwarded-For header in Gorouter logs. This is to comply with EU regulations that do not allow persisting personal data. Details here

- Operators can now configure a manifest property `router.disable_log_source_ip` to disable logging of source IP in Gorouter logs. This is to comply with EU regulations that do not allow persisting personal data. Details here

- We fixed an issue where Gorouter was not previously forwarding/setting the client certificate in the XFCC header when a request was being proxied through a route service. Gorouter now sets the XFCC header with the client certificate. See the manifest property `router.forwarded_client_cert` to understand the options available for forwarding a client certificate. Details here


Please let us know if you have any feedback and/or questions. Happy to help!


Regards, 

Shubha & Shannon 

Routing PMs



Re: How can we customized "404 Not Found"

David McClure

Nice! Love the gif demo :)

On Wed, May 2, 2018 at 6:32 PM, Shannon Coen <scoen@...> wrote:


Today the CF Routing team added the ability for an Envoy proxy deployed as the edge router for CF (using istio-release) to return a 503 instead of a 404 for a requested route when the mapped app is stopped or crashing. 

We are thrilled as this represents the first new routing feature in Cloud Foundry enabled by our next-gen routing subsystem based on Istio and Envoy. See the attached GIF for a micro-demo. 

While this is test-driven and CI'd functionality, I want to clarify that istio-release is considered experimental/alpha. 

For more on our initiative to leverage Istio and Envoy, see https://docs.google.com/document/d/1LgLY0g39fzpg1_4zTckbH1mOuuSKGvYwp2tkakoe9ys/edit


Re: Call for Demos - CF / K8S Integration SIG Meeting

Chip Childers

Outstanding response to this request folks!

For this Wednesday, I'd like to ask for:

(1) Sree to demonstrate UAA + k8s
(2) Julz to demonstrate Eirini

Along with both of those, we should do a round up of updates from anyone working in related areas / projects.

I'll work with the other proposals to find a good slot in the coming meetings. I have proposals from Jeenal, Dr Max, Adam H and Ashish. Shout if I missed an email or you want to be on the list too!

-chip

On Thu, Apr 26, 2018 at 5:53 PM Chip Childers <cchilders@...> wrote:
During yesterday's CF/K8S SIG meeting, several speakers proposed demo'ing their various efforts during a future call.

I'd like to formally request replies from anyone interested in giving a demo, and we'll work out an agenda for the next (and future) SIG calls based on responses.

So far, I have an offer from SAP for Dobromir Zahariev to demo the work around service catalog sync between CFAR and K8S.

Anyone else willing?

-chip
--
Chip Childers
CTO, Cloud Foundry Foundation
1.267.250.0815

Re: Call for Demos - CF / K8S Integration SIG Meeting

Chip Childers

Also: for Wednesday I forgot that Dobromir also was preparing to demo the service manager project!

On Sun, May 6, 2018 at 6:56 PM Chip Childers <cchilders@...> wrote:
Outstanding response to this request folks!

For this Wednesday, I'd like to ask for:

(1) Sree to demonstrate UAA + k8s
(2) Julz to demonstrate Eirini

Along with both of those, we should do a round up of updates from anyone working in related areas / projects.

I'll work with the other proposals to find a good slot in the coming meetings. I have proposals from Jeenal, Dr Max, Adam H and Ashish. Shout if I missed an email or you want to be on the list too!

-chip


On Thu, Apr 26, 2018 at 5:53 PM Chip Childers <cchilders@...> wrote:
During yesterday's CF/K8S SIG meeting, several speakers proposed demo'ing their various efforts during a future call.

I'd like to formally request replies from anyone interested in giving a demo, and we'll work out an agenda for the next (and future) SIG calls based on responses.

So far, I have an offer from SAP for Dobromir Zahariev to demo the work around service catalog sync between CFAR and K8S.

Anyone else willing?

-chip
--
Chip Childers
CTO, Cloud Foundry Foundation
1.267.250.0815