Heroku-22 and Heroku-24 stacks updated
Change effective on 29 July 2025
We updated the heroku-22
and heroku-24
stacks to pick up
security fixes in upstream packages.
In addition, we removed the /usr/lib/ssl/cert.pem
symlink on Heroku-24 to work around an upstream Ubuntu 24.04 OpenSSL certificates loading performance bug, and return to the behaviour of Ubuntu 22.04 / Heroku-22.
If you encounter errors like SSL_CTX_load_verify_file: system lib
, it means your app is overriding the OpenSSL default CA certificate file location to point at the now non-existent path. Check for references to ssl_ca_file
, ca_file
or OpenSSL::X509::DEFAULT_CERT_FILE
and remove them. In general the CA certificates file and directory locations shouldn’t be hardcoded at the application level, and instead the default library/OS settings used instead.
The new base images for each stack roll out automatically to the Common Runtime over the next 48 hours, followed by Private Spaces.
If you use Heroku’s default buildpack-powered build system/stacks, you don’t need to redeploy your app to include these changes. We automatically restart any running dynos as we roll out the new base images for each stack. For Cedar-generation apps, each time a dyno starts, the slug applies on top of the most recent base image. For Fir-generation apps, the built image gets rebased on top of the most recent base image.
If your app uses Heroku’s container
stack (most don’t),
you must rebuild your app’s Docker image to pick up updates in the base image specified in your
Dockerfile
.
See this Dev Center article for an overview of the packages available in each stack’s base image.
Changelog of packages
Stack: heroku-22
- Updated
iputils-tracepath
from version3:20211215-1
to3:20211215-1ubuntu0.1
- Updated
libgdk-pixbuf-2.0-0
from version2.42.8+dfsg-1ubuntu0.3
to2.42.8+dfsg-1ubuntu0.4
- Updated
libgdk-pixbuf2.0-common
from version2.42.8+dfsg-1ubuntu0.3
to2.42.8+dfsg-1ubuntu0.4
- Updated
libpoppler-glib8
from version22.02.0-2ubuntu0.8
to22.02.0-2ubuntu0.9
- Updated
libpoppler118
from version22.02.0-2ubuntu0.8
to22.02.0-2ubuntu0.9
- Updated
libsqlite3-0
from version3.37.2-2ubuntu0.4
to3.37.2-2ubuntu0.5
- Updated
linux-libc-dev
from version5.15.0-144.157
to5.15.0-151.161
- Updated
poppler-utils
from version22.02.0-2ubuntu0.8
to22.02.0-2ubuntu0.9
Updates to packages available at build time only
- Updated
gir1.2-gdkpixbuf-2.0
from version2.42.8+dfsg-1ubuntu0.3
to2.42.8+dfsg-1ubuntu0.4
- Updated
libgdk-pixbuf-2.0-dev
from version2.42.8+dfsg-1ubuntu0.3
to2.42.8+dfsg-1ubuntu0.4
- Updated
libgdk-pixbuf2.0-bin
from version2.42.8+dfsg-1ubuntu0.3
to2.42.8+dfsg-1ubuntu0.4
- Updated
libunbound8
from version1.13.1-1ubuntu5.10
to1.13.1-1ubuntu5.11
Stack: heroku-24
- Updated
iputils-tracepath
from version3:20240117-1build1
to3:20240117-1ubuntu0.1
- Updated
libgdk-pixbuf-2.0-0
from version2.42.10+dfsg-3ubuntu3.1
to2.42.10+dfsg-3ubuntu3.2
- Updated
libgdk-pixbuf2.0-common
from version2.42.10+dfsg-3ubuntu3.1
to2.42.10+dfsg-3ubuntu3.2
- Updated
libpoppler-glib8t64
from version24.02.0-1ubuntu9.4
to24.02.0-1ubuntu9.5
- Updated
libpoppler134
from version24.02.0-1ubuntu9.4
to24.02.0-1ubuntu9.5
- Updated
libsqlite3-0
from version3.45.1-1ubuntu2.3
to3.45.1-1ubuntu2.4
- Updated
openssh-client
from version1:9.6p1-3ubuntu13.12
to1:9.6p1-3ubuntu13.13
- Updated
openssh-server
from version1:9.6p1-3ubuntu13.12
to1:9.6p1-3ubuntu13.13
- Updated
openssh-sftp-server
from version1:9.6p1-3ubuntu13.12
to1:9.6p1-3ubuntu13.13
- Updated
poppler-utils
from version24.02.0-1ubuntu9.4
to24.02.0-1ubuntu9.5
Updates to packages available at build time only
- Updated
gir1.2-gdkpixbuf-2.0
from version2.42.10+dfsg-3ubuntu3.1
to2.42.10+dfsg-3ubuntu3.2
- Updated
libgdk-pixbuf-2.0-dev
from version2.42.10+dfsg-3ubuntu3.1
to2.42.10+dfsg-3ubuntu3.2
- Updated
libgdk-pixbuf2.0-bin
from version2.42.10+dfsg-3ubuntu3.1
to2.42.10+dfsg-3ubuntu3.2
- Updated
libunbound8
from version1.19.2-1ubuntu3.4
to1.19.2-1ubuntu3.5
- Updated
linux-libc-dev
from version6.8.0-64.67
to6.8.0-71.71