Heroku-20, Heroku-22 and Heroku-24 stacks updated

Change effective on 01 July 2024

We have updated the heroku-20, heroku-22 and heroku-24 stacks to pick up security fixes in upstream packages.

This update includes the OpenSSH security fixes for CVE-2024-6387.

The new base images for each stack will be rolled out automatically to the Common Runtime over the next 24 hours, followed by Private Spaces.

If you are using Heroku’s default buildpack-powered build system/stacks you do not need to redeploy your app to pick up these changes, since your application’s slug is applied on top of the most recent base image for the stack each time a dyno starts. Currently running dynos will be automatically restarted, so there is no need to manually restart your app.

If your app instead uses Heroku’s container stack (most apps do not), you will need to rebuild your app’s Docker image in order to pick up any updates in the base image specified in your Dockerfile.

See this Dev Center article for an overview of the packages available in each stack’s base image.

The Heroku-20 stack is deprecated and will reach end-of-life on April 30th, 2025. Please upgrade to a newer stack as soon as possible. See the Heroku-20 End-Of-Life FAQ for more details.

Changelog of packages

Stack: heroku-20

  • Updated libcups2 from version 2.3.1-9ubuntu1.6 to 2.3.1-9ubuntu1.8
  • Updated libruby2.7 from version 2.7.0-5ubuntu1.13 to 2.7.0-5ubuntu1.14
  • Updated linux-libc-dev from version 5.4.0-186.206 to 5.4.0-187.207
  • Updated postgresql-client-common from version 260.pgdg20.04+1 to 261.pgdg20.04+1
  • Updated ruby2.7 from version 2.7.0-5ubuntu1.13 to 2.7.0-5ubuntu1.14
  • Updated wget from version 1.20.3-1ubuntu2 to 1.20.3-1ubuntu2.1

Updates to packages available at build time only

  • Updated postgresql-common from version 260.pgdg20.04+1 to 261.pgdg20.04+1
  • Updated ruby2.7-dev from version 2.7.0-5ubuntu1.13 to 2.7.0-5ubuntu1.14

Stack: heroku-22

  • Updated libcups2 from version 2.4.1op1-1ubuntu4.8 to 2.4.1op1-1ubuntu4.10
  • Updated libssl3 from version 3.0.2-0ubuntu1.15 to 3.0.2-0ubuntu1.16
  • Updated linux-libc-dev from version 5.15.0-112.122 to 5.15.0-113.123
  • Updated openssh-client from version 1:8.9p1-3ubuntu0.7 to 1:8.9p1-3ubuntu0.10
  • Updated openssh-server from version 1:8.9p1-3ubuntu0.7 to 1:8.9p1-3ubuntu0.10
  • Updated openssh-sftp-server from version 1:8.9p1-3ubuntu0.7 to 1:8.9p1-3ubuntu0.10
  • Updated openssl from version 3.0.2-0ubuntu1.15 to 3.0.2-0ubuntu1.16
  • Updated postgresql-client-common from version 260.pgdg22.04+1 to 261.pgdg22.04+1
  • Updated wget from version 1.21.2-2ubuntu1 to 1.21.2-2ubuntu1.1

Updates to packages available at build time only

  • Updated libssl-dev from version 3.0.2-0ubuntu1.15 to 3.0.2-0ubuntu1.16

Stack: heroku-24

  • Updated openssh-client from version 1:9.6p1-3ubuntu13 to 1:9.6p1-3ubuntu13.3
  • Updated openssh-server from version 1:9.6p1-3ubuntu13 to 1:9.6p1-3ubuntu13.3
  • Updated openssh-sftp-server from version 1:9.6p1-3ubuntu13 to 1:9.6p1-3ubuntu13.3
  • Updated postgresql-client-common from version 260.pgdg24.04+1 to 261.pgdg24.04+1
  • Updated wget from version 1.21.4-1ubuntu4 to 1.21.4-1ubuntu4.1

Updates to packages available at build time only

  • Updated linux-libc-dev from version 6.8.0-35.35 to 6.8.0-36.36