Heroku-18, Heroku-20 and Heroku-22 stack images updated

Change effective on 01 November 2022

We have updated the heroku-18, heroku-20 and heroku-22 stack images to pick up security fixes in upstream packages. The new stack images will be rolled out automatically to the Common Runtime over the next 48 hours, followed by Private Spaces.

This release includes the OpenSSL 3 security fixes for CVE-2022-3602 and CVE-2022-3786.

Note: On Ubuntu 22.04 LTS (and thus Heroku-22), it is expected that the updated openssl, libssl3 and libssl-dev package versions are 3.0.2-0ubuntu1.7 (and not 3.0.7), due to the process used for security and bug fix backports on Ubuntu.

If you are using Heroku’s default buildpack-powered build system/stacks, you do not need to redeploy your app to pick up these changes, since your application’s slug is applied on top of the most recent stack image each time a dyno starts. Currently running dynos will be automatically restarted, so there is no need to manually restart your app.

If your app instead uses Heroku’s container stack (most apps do not), you will need to rebuild your app’s Docker image in order to pick up any updates in the base image specified in your Dockerfile.

See this Dev Center article for an overview of the packages available in each stack image.

Changelog of packages

The following packages have been changed; a separate section for each stack (if applicable) lists packages that are only available at build time, but not at runtime.

Stack: heroku-18

  • Updated curl from version 7.58.0-2ubuntu3.20 to 7.58.0-2ubuntu3.21
  • Updated libcurl3-gnutls from version 7.58.0-2ubuntu3.20 to 7.58.0-2ubuntu3.21
  • Updated libcurl4 from version 7.58.0-2ubuntu3.20 to 7.58.0-2ubuntu3.21
  • Updated libdbus-1-3 from version 1.12.2-1ubuntu1.3 to 1.12.2-1ubuntu1.4
  • Updated tzdata from version 2022c-0ubuntu0.18.04.0 to 2022e-0ubuntu0.18.04.0

Updates to packages available at build time only

  • Updated libcurl4-openssl-dev from version 7.58.0-2ubuntu3.20 to 7.58.0-2ubuntu3.21

Stack: heroku-20

  • Updated curl from version 7.68.0-1ubuntu2.13 to 7.68.0-1ubuntu2.14
  • Updated libcurl3-gnutls from version 7.68.0-1ubuntu2.13 to 7.68.0-1ubuntu2.14
  • Updated libcurl4 from version 7.68.0-1ubuntu2.13 to 7.68.0-1ubuntu2.14
  • Updated libdbus-1-3 from version 1.12.16-2ubuntu2.2 to 1.12.16-2ubuntu2.3
  • Updated tzdata from version 2022c-0ubuntu0.20.04.0 to 2022e-0ubuntu0.20.04.0

Updates to packages available at build time only

  • Updated libcurl4-openssl-dev from version 7.68.0-1ubuntu2.13 to 7.68.0-1ubuntu2.14

Stack: heroku-22

  • Updated binutils from version 2.38-3ubuntu1 to 2.38-4ubuntu2
  • Updated binutils-common from version 2.38-3ubuntu1 to 2.38-4ubuntu2
  • Updated binutils-x86-64-linux-gnu from version 2.38-3ubuntu1 to 2.38-4ubuntu2
  • Updated cpp-11 from version 11.2.0-19ubuntu1 to 11.3.0-1ubuntu1~22.04
  • Updated curl from version 7.81.0-1ubuntu1.4 to 7.81.0-1ubuntu1.6
  • Updated gcc-11 from version 11.2.0-19ubuntu1 to 11.3.0-1ubuntu1~22.04
  • Updated gcc-11-base from version 11.2.0-19ubuntu1 to 11.3.0-1ubuntu1~22.04
  • Updated libasan6 from version 11.2.0-19ubuntu1 to 11.3.0-1ubuntu1~22.04
  • Updated libbinutils from version 2.38-3ubuntu1 to 2.38-4ubuntu2
  • Updated libctf-nobfd0 from version 2.38-3ubuntu1 to 2.38-4ubuntu2
  • Updated libctf0 from version 2.38-3ubuntu1 to 2.38-4ubuntu2
  • Updated libcurl3-gnutls from version 7.81.0-1ubuntu1.4 to 7.81.0-1ubuntu1.6
  • Updated libcurl4 from version 7.81.0-1ubuntu1.4 to 7.81.0-1ubuntu1.6
  • Updated libdbus-1-3 from version 1.12.20-2ubuntu4 to 1.12.20-2ubuntu4.1
  • Updated libgcc-11-dev from version 11.2.0-19ubuntu1 to 11.3.0-1ubuntu1~22.04
  • Updated libssl3 from version 3.0.2-0ubuntu1.6 to 3.0.2-0ubuntu1.7
  • Updated libtsan0 from version 11.2.0-19ubuntu1 to 11.3.0-1ubuntu1~22.04
  • Updated openssl from version 3.0.2-0ubuntu1.6 to 3.0.2-0ubuntu1.7
  • Updated tzdata from version 2022c-0ubuntu0.22.04.0 to 2022e-0ubuntu0.22.04.0

Updates to packages available at build time only

  • Updated g++-11 from version 11.2.0-19ubuntu1 to 11.3.0-1ubuntu1~22.04
  • Updated libcurl4-openssl-dev from version 7.81.0-1ubuntu1.4 to 7.81.0-1ubuntu1.6
  • Updated libssl-dev from version 3.0.2-0ubuntu1.6 to 3.0.2-0ubuntu1.7
  • Updated libstdc++-11-dev from version 11.2.0-19ubuntu1 to 11.3.0-1ubuntu1~22.04
  • Updated libunbound8 from version 1.13.1-1ubuntu5.1 to 1.13.1-1ubuntu5.2