[michaelbuckbee]

I didn't go through each vulnerability, but I'd bet that the Heroku security team did as at least some of the vulns don't really seem to apply to Heroku.

Case in point: you for sure are not running MySQL on a Heroku dyno.

[Shamiq]

You've got a point there, but I'd ask why not remove the packages that aren't being used? Here's some of the raw data about which system libraries are lagging in security patches:

  liblwres90 1:9.9.5.dfsg-3ubuntu0.6
  mysql-common 5.5.46-0ubuntu0.14.04.2
  libmysqlclient-dev 5.5.46-0ubuntu0.14.04.2
  libmysqlclient18 5.5.46-0ubuntu0.14.04.2
  rsync 3.1.0-2ubuntu0.1
  bind9-host 1:9.9.5.dfsg-3ubuntu0.6
  libisccc90 1:9.9.5.dfsg-3ubuntu0.6
  libisc95 1:9.9.5.dfsg-3ubuntu0.6
  dnsutils 1:9.9.5.dfsg-3ubuntu0.6
  linux-libc-dev 3.13.0-74.118
  libbind9-90 1:9.9.5.dfsg-3ubuntu0.6
  libxml2 2.9.1+dfsg1-3ubuntu4.6
  libdns100 1:9.9.5.dfsg-3ubuntu0.6
  libxml2-dev 2.9.1+dfsg1-3ubuntu4.6
  libisccfg90 1:9.9.5.dfsg-3ubuntu0.6