Heroku-22 and Heroku-24 stacks updated
Change effective on 29 July 2025
We updated the heroku-22 and heroku-24 stacks to pick up
security fixes in upstream packages.
In addition, we removed the /usr/lib/ssl/cert.pem symlink on Heroku-24 to work around an upstream Ubuntu 24.04 OpenSSL certificates loading performance bug, and return to the behaviour of Ubuntu 22.04 / Heroku-22.
If you encounter errors like SSL_CTX_load_verify_file: system lib, it means your app is overriding the OpenSSL default CA certificate file location to point at the now non-existent path. Check for references to ssl_ca_file, ca_file or OpenSSL::X509::DEFAULT_CERT_FILE and remove them. In general the CA certificates file and directory locations shouldn’t be hardcoded at the application level, and instead the default library/OS settings used instead.
The new base images for each stack roll out automatically to the Common Runtime over the next 48 hours, followed by Private Spaces.
If you use Heroku’s default buildpack-powered build system/stacks, you don’t need to redeploy your app to include these changes. We automatically restart any running dynos as we roll out the new base images for each stack. For Cedar-generation apps, each time a dyno starts, the slug applies on top of the most recent base image. For Fir-generation apps, the built image gets rebased on top of the most recent base image.
If your app uses Heroku’s container stack (most don’t),
you must rebuild your app’s Docker image to pick up updates in the base image specified in your
Dockerfile.
See this Dev Center article for an overview of the packages available in each stack’s base image.
Changelog of packages
Stack: heroku-22
- Updated
iputils-tracepathfrom version3:20211215-1to3:20211215-1ubuntu0.1 - Updated
libgdk-pixbuf-2.0-0from version2.42.8+dfsg-1ubuntu0.3to2.42.8+dfsg-1ubuntu0.4 - Updated
libgdk-pixbuf2.0-commonfrom version2.42.8+dfsg-1ubuntu0.3to2.42.8+dfsg-1ubuntu0.4 - Updated
libpoppler-glib8from version22.02.0-2ubuntu0.8to22.02.0-2ubuntu0.9 - Updated
libpoppler118from version22.02.0-2ubuntu0.8to22.02.0-2ubuntu0.9 - Updated
libsqlite3-0from version3.37.2-2ubuntu0.4to3.37.2-2ubuntu0.5 - Updated
linux-libc-devfrom version5.15.0-144.157to5.15.0-151.161 - Updated
poppler-utilsfrom version22.02.0-2ubuntu0.8to22.02.0-2ubuntu0.9
Updates to packages available at build time only
- Updated
gir1.2-gdkpixbuf-2.0from version2.42.8+dfsg-1ubuntu0.3to2.42.8+dfsg-1ubuntu0.4 - Updated
libgdk-pixbuf-2.0-devfrom version2.42.8+dfsg-1ubuntu0.3to2.42.8+dfsg-1ubuntu0.4 - Updated
libgdk-pixbuf2.0-binfrom version2.42.8+dfsg-1ubuntu0.3to2.42.8+dfsg-1ubuntu0.4 - Updated
libunbound8from version1.13.1-1ubuntu5.10to1.13.1-1ubuntu5.11
Stack: heroku-24
- Updated
iputils-tracepathfrom version3:20240117-1build1to3:20240117-1ubuntu0.1 - Updated
libgdk-pixbuf-2.0-0from version2.42.10+dfsg-3ubuntu3.1to2.42.10+dfsg-3ubuntu3.2 - Updated
libgdk-pixbuf2.0-commonfrom version2.42.10+dfsg-3ubuntu3.1to2.42.10+dfsg-3ubuntu3.2 - Updated
libpoppler-glib8t64from version24.02.0-1ubuntu9.4to24.02.0-1ubuntu9.5 - Updated
libpoppler134from version24.02.0-1ubuntu9.4to24.02.0-1ubuntu9.5 - Updated
libsqlite3-0from version3.45.1-1ubuntu2.3to3.45.1-1ubuntu2.4 - Updated
openssh-clientfrom version1:9.6p1-3ubuntu13.12to1:9.6p1-3ubuntu13.13 - Updated
openssh-serverfrom version1:9.6p1-3ubuntu13.12to1:9.6p1-3ubuntu13.13 - Updated
openssh-sftp-serverfrom version1:9.6p1-3ubuntu13.12to1:9.6p1-3ubuntu13.13 - Updated
poppler-utilsfrom version24.02.0-1ubuntu9.4to24.02.0-1ubuntu9.5
Updates to packages available at build time only
- Updated
gir1.2-gdkpixbuf-2.0from version2.42.10+dfsg-3ubuntu3.1to2.42.10+dfsg-3ubuntu3.2 - Updated
libgdk-pixbuf-2.0-devfrom version2.42.10+dfsg-3ubuntu3.1to2.42.10+dfsg-3ubuntu3.2 - Updated
libgdk-pixbuf2.0-binfrom version2.42.10+dfsg-3ubuntu3.1to2.42.10+dfsg-3ubuntu3.2 - Updated
libunbound8from version1.19.2-1ubuntu3.4to1.19.2-1ubuntu3.5 - Updated
linux-libc-devfrom version6.8.0-64.67to6.8.0-71.71