We’ve moved certain security restrictions from the magento2 configuration into the global magento1/2 security configuration file.
In specific the following files are no longer reachable from external:
auth.(json|lock)
package.(json|lock)
composer.(json|lock)
Gruntfile.js
cron.php
Hidden files are also denied with a 403 now instead of a 404.
Furthermore we’re working hard on the Xenial migration. Many changes have been merged to aid in the Xenial migrations, these should however have no impact on our current Precise nodes.