Security Updates: CVE-2015-7547

Change effective on 16 February 2016

This morning (Feb 16th PST), several vendors disclosed a vulnerability (CVE-2015-7547) in the getaddrinfo functions in libc which allows an attacker to potentially execute remote code via DNS lookups returning a specially-crafted payload. You can find more details about this vulnerability in this excellent writeup by Google Security.

Updated stack images for our Cedar-14 stack have been released, and will propagate to your dynos within the next 24 hours.

Heroku Postgres and Heroku Redis data services are being automatically updated to include the recommended patches to protect against this issue. We expect this update process to be complete within the next few hours.

Users of Standard & Premium data plans for Heroku Postgres wishing to receive these updates sooner can make use of the follower changeover process, otherwise no further action is required.

As per our stack update policy, any applications running on deprecated stacks, e.g. Cedar-10, have not received these updates.