Platform Release Notes: May 22, 2017

Curious what’s new that you might find helpful as a cloud.gov application developer? Here are highlights from our
platform updates over the past two weeks.

Volunteers needed

The cloud.gov team is looking to make the cloud.gov platform easier to evaluate and use, and we’re recruiting volunteers
to help us do that. If you’re interested, let us know at inquiries@cloud.gov. We’ll ask
you a few questions and ask you to walk us through using some aspect of the platform via screenshare.

Added

• We’ve published a cost estimator spreadsheet (in XLSX and ODS formats) that your team can
  use to get a sense of how much cloud.gov will cost for your organization. If you’re interested in switching from a
  sandbox to a paid cloud.gov package, or if you want to expand your use of the platform to additional applications, use
  the estimator to get a sense of what the access package and usage quota fees will be across all your cloud.gov systems.
• The Defense Information Systems Agency (DISA) has issued a provisional authorization for Department of Defense
  teams to use cloud.gov’s FedRAMP P-ATO for systems at
  the DISA level 2 impact level. This is a followup to the P-ATO; Level 2 is equivalent to FedRAMP Moderate. - The latest
  version of the PHP buildpack supports PHP 7.1.4 and 7.0.18.

Fixed

We’ve improved our automated process for updating the part of cloud.gov that routes traffic to your application.
Previously, you might have seen occasional 502 errors in your application when we made updates.

Removed

The latest version of the PHP buildpack removes support for PHP 7.1.2 and 7.0.16. If your applications rely on one of
these versions, update your application to use a supported version of PHP.

Platform releases

We upgraded the Cloud Foundry deployment to v258. This
upgrade addresses these security vulnerabilities:

• CVE-2017-4972: Blind SQL Injection in UAA - CVE-2017-4973: Privilege
  Escalation in UAA

Restage your application to incorporate fixes in the base
filesystem and ensure you’re running the
most recent language version supported by your buildpack.

Additional upgrades

• PHP buildpack 4.3.31 - Go buildpack
  1.8.1 - Python buildpack
  1.5.18 - Staticfile buildpack
  1.4.5 - Java buildpack
  3.16 - RootFS cflinuxfs2
  1.119.0, which address vulnerabilities described in
  these security notices: - USN-3271-1: Libxslt vulnerabilities - USN-3274-1:
  ICU vulnerabilities - USN-3276-1: shadow
  vulnerabilities - USN-3282-1: FreeType
  vulnerabilities - USN-3283-1: rtmpdump
  vulnerabilities - Diego
  1.15.3 - Stemcell 3312.24, which address
  vulnerabilities described in this security notice: - USN-3265-2: Linux kernel (Xenial HWE)
  vulnerabilities

See also

If you’re interested in details about recent dashboard updates, you can also see the dashboard release
notes.