Skip to content


You can find the source of this version on GitHub at cloudfoundry/cf-release. It was created based on the commit b43acf8f.

Release Notes

Contents - Notices - Job Spec Changes - CVEs - Compatible Releases and Stemcells - Subcomponent Updates


  • Manifest changes: netman-release has been renamed to cf-networking-release. If you’re deploying netman-release (which is still experimental), there will be some necessary changes to your manifest.
  • Slow API responses during deployment: Cloud Controller will be performing a migration on the events table to allow tracking additional user information on audit events. Because this table is often very large, some requests may be slower than normal. Additionally, there is a change to background processing that may cause asynchronous requests such as app and space deletion to take slightly longer until workers finish deploying.
  • The default transport for syslog_daemon_config has changed from TCP to UDP for both the metron_agent and metron_agent_windows jobs. This change was done on the metron_agent_windows job to enable Windows to write syslog. The change was also made to the metron_agent job to remain consistent between the two. These changes result in the same behavior for mixed windows and linux deployments. If you require TCP transport for component logs, you will need to explicitly set the property syslog_daemon_config.transport to tcp in your deployment manifest. Otherwise your syslog server will have to be configured to accept syslog over UDP.
  • The included version of Loggregator restricts ciphers to use only the following 4 ciphers. This is a breaking change for some operators and a configurable property for opting into more cipher suites was introduced in Loggregator 85 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Job Spec Changes

  • Cloud Controller now requires SSL configuration with the following properties, the CA cert should match the diego bbs ca cert and that ca cert should be used to sign the newly required public cert:
    • cc.mutual_tls.ca_cert: PEM-encoded CA certificate for secure, mutually authenticated TLS communication
    • cc.mutual_tls.public_cert: PEM-encoded certificate for secure, mutually authenticated TLS communication
    • cc.mutual_tls.private_key: PEM-encoded key for secure, mutually authenticated TLS communication
  • Postgres v10 job spec changes
  • Loggregator now requires properties set for mutual auth with Cloud Controller. This is used for retrieving application names for inclusion in syslog drains and is set with the following new properties.
    • loggregator.tls.syslogdrainbinder.cert: TLS certificate for syslogdrainbinder, signed by diego bbs CA
    • loggregator.tls.syslogdrainbinder.key: TLS key for syslogdrainbinder, signed by diego bbs CA
    • Use <diego-bbs-ca.crt> and <diego-bbs-ca.key> when running generate-loggregator-certs. The diego BBS CA cert and key are typically generated separately from this script.
    • See the Loggregator README for more details on the new flag


  • Stacks version 1.99.0, included in v252, is vulnerable to USN-3193-1

Subcomponent Updates

Compatible Releases and Stemcells


You can reference this release in your deployment manifest from the releases section:

- name: "cf"
  version: "252"
  url: ""
  sha1: "ca31edd1a0fa3460692af70565145146d056aa86"

Or upload it to your director with the upload-release command:

bosh upload-release --sha1 ca31edd1a0fa3460692af70565145146d056aa86 \