Change effective on 02 December 2016
Heroku’s support for Go has been upgraded to include Go 1.7.4 & 1.6.4. Future deploys with either a
go1.6 or go1.7 specifier will use these new versions.
go1.6.4 & go1.7.4 (released 2016/12/01) include two security fixes. One of the issues affects Heroku users of the net/http package’s Request.ParseMultipartForm, which starts writing to temporary files once the request body size surpasses the given “maxMemory” limit. The issue allows an attacker to generate a multipart request crafted such that the dyno runs out of file descriptors.
The other issue affects users on Darwin (macOS), where a user’s trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate. macOS users are encouraged to upgrade their local version of Go.
Users of go1.6 and go1.7 should push a new commit to force a rebuild with the latest version of Go.