63.0.0

Added

  • all services: Introduce the UPGRADE.md file, as a companion to the CHANGELOG entries, which will mention all breaking changes, upgrade requirements, and notes associated with the release.
  • all services: Introduce a script bin/rotate_ca_certificate.rb to handle the interactions with CredHub in each step during the CA rotation. For more information, see Certificate Rotation - CA Certificate Rotation.
  • all services: Introduce an intermediate certificate in all deployment manifests signed by the a9s_private_components_ca CA to simplify the CA certificate rotation via the bin/rotate_ca_certificate.rb script. For more information, see Certificate Rotation - CA Certificate Rotation.
  • all services: a9s Smoke Tests: Introduce a new property, service-smoke-tests.service.graphite_timeout, to make the timeout interval for the graphite logs configurable. This addresses the case where streaming the system metrics, under the heavy load of the smoke-tests, would exceed the default graphite timeout, causing the tests to fail. For more information, see General Smoke Tests Properties.
  • a9s MongoDB: a9s MongoDB SPI: Add new custom parameter custom_roles that allows the user to apply additional roles like clusterMonitor to the service-keys and service-bindings. For more information, see a9s MongoDB - Custom Parameters.
  • docs: Application Developer: a9s MongoDB: Add documentation for the custom_roles parameter to apply custom roles to service-keys and service-bindings. For more information, see a9s MongoDB - Custom Parameters.
  • docs: Platform Operator: Add a note to clarify that generated certificates will be automatically rotated when updating a Service Instance, if the certificate will expire in 30 days or less. For more information, see Generated Certificates.
  • docs: Platform Operator: a9s MongoDB: Add documentation for the custom_roles parameter. For more information, see a9s MongoDB - SPI Configuration.
  • docs: Platform Operator: a9s Smoke Tests: Add the service-smoke-tests.service.graphite_timeout property for graphite logs to the documentation. For more information, see General Smoke Tests Properties.

Changed

  • breaking change a9s Elasticsearch: a9s BOSH Deployer:
    • Update Rails to v7.2.
    • Update to the newest database field encryption method. After deploying the newest version, the migrate-deployer-encrypted-database-fields errand needs to be run for each Data Service.
    • The errand migrate-deployer-encrypted-database-fields is now part of the deployer-api instance group and therefore its dedicated instance group has been removed.
  • breaking change a9s LogMe: a9s BOSH Deployer:
    • Update Rails to v7.2.
    • Update to the newest database field encryption method. After deploying the newest version, the migrate-deployer-encrypted-database-fields errand needs to be run for each Data Service.
    • The errand migrate-deployer-encrypted-database-fields is now part of the deployer-api instance group and therefore its dedicated instance group has been removed.
  • breaking change a9s MySQL: a9s BOSH Deployer:
    • Update Rails to v7.2.
    • Update to the newest database field encryption method. After deploying the newest version, the migrate-deployer-encrypted-database-fields errand needs to be run for each Data Service.
    • The errand migrate-deployer-encrypted-database-fields is now part of the deployer-api instance group and therefore its dedicated instance group has been removed.
  • all services: a9s DS API Gateway: Disable the backup download endpoint from a9s Public API v1, as there is an issue with streaming larger backups.
  • all services: a9s Service Dashboard: Revert downloading backups to use a9s Public API V0, as the endpoint from a9s Public API V1 is not available to use.
  • all services: a9s DS API Gateway: Adapt underlying plugins to forward HTTP response status codes to client.
  • all services: a9s Smoke Tests: Refactor smoke tests to use less memory and disk resources.
  • a9s Backup Services: a9s Backup Manager: Limit the amount of queued backups per Service Instance to 1, in order to prevent backup accumulation and, as a result, the overflow of the backups queue.
  • a9s Backup Services: a9s Backup Manager: Update backups' and restores' state to failed for deleted Service Instances, thus improving the reliability of monitoring metrics.
  • a9s Backup Services: a9s Backup Manager: Improve a9s Backup Manager handling of queued tasks to avoid deadlocking the underlying process, which caused the backups to get stuck in queued state indefinitely.
  • a9s Backup Services: a9s Backup Manager: Prevent the deletion of valid WAL files when an older backup exists, thus ensuring proper restoration of said backup in a Service Instance with Continuous Archiving enabled.
  • a9s LogMe2: Improve communication reliability between Fluentd and OpenSearch.
  • a9s LogMe2: a9s DS API Gateway: Enable visualization of the OpenSearch Dashboards in the a9s Service Dashboard via the a9s Public API V1.
  • a9s MariaDB: Simplify the pre-start logic to improve the upgrade and the bootstrapping of a new cluster.
  • docs: Application Developer: Add missing status codes to a9s Public API V1 endpoints. For more information, see a9s Public API - API V1 Endpoints.
  • docs: Application Developer: a9s Backup Manager: Update information about used OpenSSL versions for encryption and related limitations. For more information, see Known Issues for a9s Backup Manager.
  • docs: Platform Operator: Improve the color scheme of the release lifecycle table to use color-blind-friendly colors and add a downloadable link. For more information, see a9s Platform Operator - Sunrise Sunset.
  • docs: Platform Operator: Improve the documentation on how to do the CA rotation. For more information, see Certificate Rotation - CA Certificate Rotation.
  • docs: Platform Operator: all services: Update information about supported stemcells. For more information, see Stemcells.
  • docs: Platform Operator: a9s Backup Services: Move the a9s Backup Manager's workers documentation from the Properties page and into the a9s Backup Manager's page. For more information, see a9s Backup Manager - a9s Backup Worker.
  • docs: Platform Operator: a9s Backup Services: Restructure the "a9s Backup Service Properties" pages into a single source of truth. For more information, see a9s Backup Service Properties.
  • BOSH stemcell: all services: Update Jammy stemcell to version 1.866 for internal tests of all supported services.

Updated Dependencies

  • all services:
    • a9s Backup Agent: Update internal dependencies.
    • a9s BOSH Deployer: Update internal dependencies.
    • a9s DS API Gateway:
      • krakend-custom-plugins to v2.10.2.
      • krakend to v2.10.2.
    • nginx to v1.29.0.
    • routing to v0.342.0.
    • a9s Service Broker: Update internal dependencies.
    • a9s Smoke Tests: Update internal dependencies.
  • a9s-pg:
    • a9s Logstash: Logstash 8: logstash8 to v8.18.3.
    • a9s PostgreSQL 15: sqlite to v3.50.1.
  • a9s Backup Services: Update internal dependencies.
  • a9s Billing: Update internal dependencies.
  • a9s CF Service Guard: Update internal dependencies.
  • a9s Elasticsearch: a9s Elasticsearch SPI: Update dependencies.
  • a9s KeyValue:
    • a9s Logstash: Logstash 8: logstash8 to v8.18.3.
    • a9s KeyValue 8: valkey to v8.1.3.
  • a9s LogMe2:
    • a9s LogMe2:
      • opensearch to v2.19.3.
      • opensearch-dashboards to v2.19.3.
      • opensearch-plugin-repository-azure to v2.19.3.
      • opensearch-plugin-repository-s3 to v2.19.3.
    • a9s LogMe2 SPI: Update internal dependencies.
  • a9s MariaDB:
    • a9s Logstash: Logstash 8: logstash8 to v8.18.3.
    • a9s MariaDB 10.6: Galera 4-26.4.22.
    • a9s MariaDB 10.11: Galera 4-26.4.22.
  • a9s Messaging:
    • a9s Logstash: Logstash 8: logstash8 to v8.18.3.
    • a9s Messaging 3.13: erlang to v26.2.5.14.
    • a9s Messaging 4.0:
      • erlang to v26.2.5.14.
      • rabbitmq to v4.1.2.
  • a9s MongoDB:
    • a9s Logstash: Logstash 8: logstash8 to v8.18.3.
    • a9s MongoDB 7:
      • mongodb to v7.0.22.
      • mongosh to v2.5.6.
  • a9s MySQL: a9s MySQL SPI: Update internal dependencies.
  • a9s PostgreSQL:
    • a9s Logstash: Logstash 8: logstash8 to v8.18.3.
    • a9s PostgreSQL 13: sqlite to v3.50.1.
    • a9s PostgreSQL 15: sqlite to v3.50.1.
    • a9s PostgreSQL 17: sqlite to v3.50.1.
  • a9s Prometheus:
    • prometheus2:
      • blackbox_exporter to v0.27.0.
      • prometheus to v2.53.5.
    • prometheus-legacy:
      • blackbox_exporter to v0.27.0.
      • prometheus to v2.53.5.
      • jq to v1.8.1.
    • promgraf2:
      • blackbox_exporter to v0.27.0.
      • prometheus to v2.53.5.
      • jq to v1.8.1.
  • a9s Redis: a9s Redis 7: redis to v7.2.10.
  • a9s Search:
    • a9s Logstash: Logstash 8: logstash8 to v8.18.3.
    • opensearch to v2.19.3.
    • opensearch-dashboards to v2.19.3.
    • opensearch-plugin-repository-azure to v2.19.3.
    • opensearch-plugin-repository-s3 to v2.19.3.

Unsupported

  • breaking change all services: Ubuntu Bionic stemcell: End of Support: Terminate support for the following deprecated stemcell version:

    • Ubuntu Bionic stemcell: Ubuntu Bionic has been marked as end-of-life by its vendor since April 2023.

    We no longer provide support for this stemcell. The corresponding documentation has been removed. We strongly recommend migrating to a newer stemcell (Ubuntu Jammy).

    Although we will not intentionally break running Service Instances using this stemcell, it cannot be guaranteed that they still work as expected after an update to this release.

Removed

  • docs: Platform Operator: Remove outdated admonition from the "Stemcells" page. For more information, see Getting Started - Stemcells.
  • docs: Platform Operator: all services: Remove outdated information about upgrading stemcells to Ubuntu Jammy.
  • docs: Platform Operator: all services: Remove outdated Ubuntu Bionic templates.

Fixed

  • all services: a9s Backup Agent: Interrupt a restore or disaster recovery process when failing to download a file from an S3 backup store.
  • a9s Billing: Change the way the cf_billing_api_password password is set by using a BOSH variable as a credential property instead of dynamically generating it, to reduce the time it takes to deploy.
  • a9s MariaDB: Fix an issue in the bootstrap logic, when there is a need to sync a large amount of data between nodes, that would lead the State Snapshot Transfer (SST) to time out during the regular start, leaving the node in a failed state and requiring manual intervention.
  • a9s Service Dashboard: Fix the refreshing of restores in the UI during a backup restore and reload.
  • docs: all services: Fix broken anchors and links in both documentation paths.
  • docs: Application Developer: a9s KeyValue: Fix typos in the migrate_manual_dump_restore.rb script and add missing information in the a9s KeyValue migration documentation. For more information, see Service Instance Migration.
  • docs: Application Developer: a9s Redis: Fix typos in the migrate_manual_dump_restore.rb script and add missing information in the a9s Redis migration documentation. For more information, see Service Instance Migration.

Security

  • all services:
    • a9s Backup Agent: Fix CVEs:
      • CVE-2025-49794
      • CVE-2025-49795
      • CVE-2025-49796
      • CVE-2025-6021
      • CVE-2025-6170
    • a9s BOSH Deployer: Fix CVEs:
      • CVE-2025-49794
      • CVE-2025-49795
      • CVE-2025-49796
      • CVE-2025-6021
      • CVE-2025-6170
    • a9s Service Broker:
      • Fix basic auth bypass, which allowed for unrestricted access to the a9s Service Broker API to anyone who had direct network access to it.
      • Fix CVEs:
        • CVE-2025-49794
        • CVE-2025-49795
        • CVE-2025-49796
        • CVE-2025-6021
        • CVE-2025-6170
    • a9s Service Dashboard: Fix CVE: CVE-2025-7783
    • a9s Smoke Tests:
      • CVE-2025-49794
      • CVE-2025-49795
      • CVE-2025-49796
      • CVE-2025-6021
      • CVE-2025-6170
  • a9s-pg: a9s PostgreSQL 15: Fix CVE: CVE-2025-29087
  • a9s Backup Services:
    • a9s Backup Manager:
      • CVE-2025-49794
      • CVE-2025-49795
      • CVE-2025-49796
      • CVE-2025-6021
      • CVE-2025-6170
    • a9s Backup Monit:
      • CVE-2025-49794
      • CVE-2025-49795
      • CVE-2025-49796
      • CVE-2025-6021
      • CVE-2025-6170
  • a9s Billing: Fix CVEs:
    • CVE-2025-27610
    • CVE-2025-32414
    • CVE-2025-32415
    • CVE-2025-46727
    • CVE-2025-49794
    • CVE-2025-49795
    • CVE-2025-49796
    • CVE-2025-6021
    • CVE-2025-6170
  • a9s CF Service Guard:
    • Fix basic auth bypass, which allowed for unrestricted access to the a9s CF Service Guard API to anyone who had direct network access to it.
    • Fix CVEs:
      • CVE-2025-49794
      • CVE-2025-49795
      • CVE-2025-49796
      • CVE-2025-6021
      • CVE-2025-6170
  • a9s DS API Gateway:
    • CVE-2020-28483
  • a9s Elasticsearch: a9s Elasticsearch SPI:
    • CVE-2025-46727
    • CVE-2025-27610
    • CVE-2024-25126
    • CVE-2024-26141
    • CVE-2024-26146
  • a9s LogMe2: a9s LogMe2 SPI:
    • CVE-2025-46727
    • CVE-2025-27610
    • CVE-2024-25126
    • CVE-2024-26141
    • CVE-2024-26146
  • a9s MySQL: a9s MySQL SPI:
    • CVE-2025-46727
    • CVE-2025-27610
    • CVE-2024-25126
    • CVE-2024-26141
    • CVE-2024-26146
  • a9s PostgreSQL:
    • a9s PostgreSQL 13: Fix CVE: CVE-2025-29087
    • a9s PostgreSQL 15: Fix CVE: CVE-2025-29087
    • a9s PostgreSQL 17: Fix CVE: CVE-2025-29087