CVE-2015-0235 "Ghost"
Change effective on 28 January 2015
At 8am (PST) yesterday (Jan 27th), Ubuntu and other vendors disclosed a vulnerability (CVE-2015-0235) in the gethostbyname functions in libc which allows an attacker to execute remote code via lookups performed on a specially crafted hostname. You can find more details about this vulnerability, known as "Ghost", in this excellent write-up by Qualys.
Over the last day our engineers have remediated this issue. Updated stack images for our cedar stack were released yesterday, and will propagate to your dynos within the next 24 hours. If you want to quickly guarantee that your dynos have updated, restarting your dynos (ps:restart) will ensure that the new image is picked up. If you're running the cedar-14 image, your applications were never vulnerable; this issue only affected our cedar image.
As part of our ongoing defense-in-depth work we expect additional maintenance windows over the coming weeks for a number of services, including Heroku Postgres.