
Pain in the PaaS: The Problem of Lagging Security Updates at Heroku - Shamiq
https://patchworksecurity.com/blog/
======
michaelbuckbee
I didn't go through each vulnerability, but I'd bet that the Heroku security
team did, as at least some of the vulns don't really seem to apply to Heroku.

Case in point: you for sure are not running MySQL on a Heroku dyno.

~~~
Shamiq
You've got a point there, but I'd ask why not remove the packages that aren't
being used? Here's some of the raw data about which system libraries are
lagging in security patches:

      liblwres90 1:9.9.5.dfsg-3ubuntu0.6
      mysql-common 5.5.46-0ubuntu0.14.04.2
      libmysqlclient-dev 5.5.46-0ubuntu0.14.04.2
      libmysqlclient18 5.5.46-0ubuntu0.14.04.2
      rsync 3.1.0-2ubuntu0.1
      bind9-host 1:9.9.5.dfsg-3ubuntu0.6
      libisccc90 1:9.9.5.dfsg-3ubuntu0.6
      libisc95 1:9.9.5.dfsg-3ubuntu0.6
      dnsutils 1:9.9.5.dfsg-3ubuntu0.6
      linux-libc-dev 3.13.0-74.118
      libbind9-90 1:9.9.5.dfsg-3ubuntu0.6
      libxml2 2.9.1+dfsg1-3ubuntu4.6
      libdns100 1:9.9.5.dfsg-3ubuntu0.6
      libxml2-dev 2.9.1+dfsg1-3ubuntu4.6
      libisccfg90 1:9.9.5.dfsg-3ubuntu0.6

