Pain in the PaaS: The Problem of Lagging Security Updates at Heroku
patchworksecurity.com
I didn't go through each vulnerability, but I'd bet that the Heroku security team did, as at least some of the vulns don't really seem to apply to Heroku.
Case in point: you for sure are not running MySQL on a Heroku dyno.
You've got a point there, but I'd ask why not remove the packages that aren't being used? Here's some of the raw data about which system libraries are lagging in security patches:
liblwres90 1:9.9.5.dfsg-3ubuntu0.6
mysql-common 5.5.46-0ubuntu0.14.04.2
libmysqlclient-dev 5.5.46-0ubuntu0.14.04.2
libmysqlclient18 5.5.46-0ubuntu0.14.04.2
rsync 3.1.0-2ubuntu0.1
bind9-host 1:9.9.5.dfsg-3ubuntu0.6
libisccc90 1:9.9.5.dfsg-3ubuntu0.6
libisc95 1:9.9.5.dfsg-3ubuntu0.6
dnsutils 1:9.9.5.dfsg-3ubuntu0.6
linux-libc-dev 3.13.0-74.118
libbind9-90 1:9.9.5.dfsg-3ubuntu0.6
libxml2 2.9.1+dfsg1-3ubuntu4.6
libdns100 1:9.9.5.dfsg-3ubuntu0.6
libxml2-dev 2.9.1+dfsg1-3ubuntu4.6
libisccfg90 1:9.9.5.dfsg-3ubuntu0.6