Heroku-22 and Heroku-24 stacks updated

Change effective on 29 July 2025

We updated the heroku-22 and heroku-24 stacks to pick up security fixes in upstream packages.

In addition, we removed the /usr/lib/ssl/cert.pem symlink on Heroku-24 to work around an upstream Ubuntu 24.04 OpenSSL certificates loading performance bug, and return to the behaviour of Ubuntu 22.04 / Heroku-22.

If you encounter errors like SSL_CTX_load_verify_file: system lib, it means your app is overriding the OpenSSL default CA certificate file location to point at the now non-existent path. Check for references to ssl_ca_file, ca_file or OpenSSL::X509::DEFAULT_CERT_FILE and remove them. In general the CA certificates file and directory locations shouldn’t be hardcoded at the application level, and instead the default library/OS settings used instead.

The new base images for each stack roll out automatically to the Common Runtime over the next 48 hours, followed by Private Spaces.

If you use Heroku’s default buildpack-powered build system/stacks, you don’t need to redeploy your app to include these changes. We automatically restart any running dynos as we roll out the new base images for each stack. For Cedar-generation apps, each time a dyno starts, the slug applies on top of the most recent base image. For Fir-generation apps, the built image gets rebased on top of the most recent base image.

If your app uses Heroku’s container stack (most don’t), you must rebuild your app’s Docker image to pick up updates in the base image specified in your Dockerfile.

See this Dev Center article for an overview of the packages available in each stack’s base image.

Changelog of packages

Stack: heroku-22

  • Updated iputils-tracepath from version 3:20211215-1 to 3:20211215-1ubuntu0.1
  • Updated libgdk-pixbuf-2.0-0 from version 2.42.8+dfsg-1ubuntu0.3 to 2.42.8+dfsg-1ubuntu0.4
  • Updated libgdk-pixbuf2.0-common from version 2.42.8+dfsg-1ubuntu0.3 to 2.42.8+dfsg-1ubuntu0.4
  • Updated libpoppler-glib8 from version 22.02.0-2ubuntu0.8 to 22.02.0-2ubuntu0.9
  • Updated libpoppler118 from version 22.02.0-2ubuntu0.8 to 22.02.0-2ubuntu0.9
  • Updated libsqlite3-0 from version 3.37.2-2ubuntu0.4 to 3.37.2-2ubuntu0.5
  • Updated linux-libc-dev from version 5.15.0-144.157 to 5.15.0-151.161
  • Updated poppler-utils from version 22.02.0-2ubuntu0.8 to 22.02.0-2ubuntu0.9

Updates to packages available at build time only

  • Updated gir1.2-gdkpixbuf-2.0 from version 2.42.8+dfsg-1ubuntu0.3 to 2.42.8+dfsg-1ubuntu0.4
  • Updated libgdk-pixbuf-2.0-dev from version 2.42.8+dfsg-1ubuntu0.3 to 2.42.8+dfsg-1ubuntu0.4
  • Updated libgdk-pixbuf2.0-bin from version 2.42.8+dfsg-1ubuntu0.3 to 2.42.8+dfsg-1ubuntu0.4
  • Updated libunbound8 from version 1.13.1-1ubuntu5.10 to 1.13.1-1ubuntu5.11

Stack: heroku-24

  • Updated iputils-tracepath from version 3:20240117-1build1 to 3:20240117-1ubuntu0.1
  • Updated libgdk-pixbuf-2.0-0 from version 2.42.10+dfsg-3ubuntu3.1 to 2.42.10+dfsg-3ubuntu3.2
  • Updated libgdk-pixbuf2.0-common from version 2.42.10+dfsg-3ubuntu3.1 to 2.42.10+dfsg-3ubuntu3.2
  • Updated libpoppler-glib8t64 from version 24.02.0-1ubuntu9.4 to 24.02.0-1ubuntu9.5
  • Updated libpoppler134 from version 24.02.0-1ubuntu9.4 to 24.02.0-1ubuntu9.5
  • Updated libsqlite3-0 from version 3.45.1-1ubuntu2.3 to 3.45.1-1ubuntu2.4
  • Updated openssh-client from version 1:9.6p1-3ubuntu13.12 to 1:9.6p1-3ubuntu13.13
  • Updated openssh-server from version 1:9.6p1-3ubuntu13.12 to 1:9.6p1-3ubuntu13.13
  • Updated openssh-sftp-server from version 1:9.6p1-3ubuntu13.12 to 1:9.6p1-3ubuntu13.13
  • Updated poppler-utils from version 24.02.0-1ubuntu9.4 to 24.02.0-1ubuntu9.5

Updates to packages available at build time only

  • Updated gir1.2-gdkpixbuf-2.0 from version 2.42.10+dfsg-3ubuntu3.1 to 2.42.10+dfsg-3ubuntu3.2
  • Updated libgdk-pixbuf-2.0-dev from version 2.42.10+dfsg-3ubuntu3.1 to 2.42.10+dfsg-3ubuntu3.2
  • Updated libgdk-pixbuf2.0-bin from version 2.42.10+dfsg-3ubuntu3.1 to 2.42.10+dfsg-3ubuntu3.2
  • Updated libunbound8 from version 1.19.2-1ubuntu3.4 to 1.19.2-1ubuntu3.5
  • Updated linux-libc-dev from version 6.8.0-64.67 to 6.8.0-71.71