The Cloud Foundry Foundation Security Working Group would like to provide a brief update with regard to security advisories.
As you may know, Ubuntu Xenial (16.04) has transitioned from free long-term support (LTS) status to paid extended security maintenance (ESM). Accordingly, the Cloud Foundry Foundation has stopped issuing patches and security advisories for Xenial-based stemcells. Some commercial vendors may offer ongoing support, but new Xenial stemcells will no longer appear on bosh.io or cloudfoundry.org.
New stemcells based on Ubuntu Bionic (18.04) are now available on bosh.io, and we have resumed security advisories for Ubuntu Security Notices that affect version 1.1 or later of the Bionic stemcells.
CFF Security Working Group