Heroku Postgres – Version 9.2 now Default

Over a year ago we began working with the community on how we could help make Postgres better. Much of this came to fruition with PostgreSQL version 9.2, and three months ago we released support for Postgres 9.2 into GA. PostgreSQL version 9.2 is now the default when provisioning a Heroku Postgres database.

You can read more about the powerful features in this version over on the Heroku Postgres blog.

Postgres Version 9.2 is now Default

Over a year ago we began working with the community on how we could help make Postgres better. Much of this came to fruition with PostgreSQL version 9.2, and three months ago we released support for Postgres 9.2 into GA. We've now seen many users begin taking advantage of the powerful features in this version including:

In these three months, PostgreSQL 9.2 has had time to bake, including several minor updates fixing a variety of bugs. As a result, today we're making 9.2 the default version when you provision a Heroku Postgres database.

In addition to making 9.2 our new default, we've end-of-lifed both versions 8.3 and 8.4. To provide further detail, we've documented our version policy for Postgres versions within the Dev Center. Provision your 9.2 database today to get started using many of these exciting new features.

Empowering Change: Programming Literacy for All

There has never been a better time to be a programmer. Every day more and more gadgets get connected or over-clocked. Programming is so prevalent that it often goes unnoticed in our daily lives. Whether we're scripting out social presence with IFTTT, or doing taxes with Excel, automation and programming have become an inescapable part of the modern world.

Heroku believes that to invest in our future, we must invest in programming literacy. While we're waiting for recursion to be a staple in our children’s classrooms, we can work on continuing and higher education today.

Heroku engineers are given opportunities and encouragement to be part of this movement. They’ve done so through supporting and participating in a number of groups including Hungry Academy, Rails Girls, PyLadies, and more.

As a Heroku engineer I had a recent opportunity to teach a class in Ruby on Rails at the University of Texas in Austin. While nothing beats an in-classroom experience, it's not modular or scalable. In an effort to further scale programming literacy, we’ve been working to make this content available for everyone. After many re-takes, re-writes and hours of editing, we are happy to provide you with over 40 hours of video, lectures, exercises and quizzes for free: Heroku Presents: UT on Rails.

The course will take a brand new developer up through the ranks, until they can build and deploy a fully functional website. If you or someone you know is interested in learning web programming, it's a great opportunity.


2X Dynos in Public Beta

A dyno, the unit of computing power on Heroku, is a lightweight container running a single user-specified command. Today we’re announcing a dyno with twice the capacity: 2X dynos.

2X Dynos

Existing dynos are now called 1X dynos. They come with 512MB of memory and 1x CPU share. They cost $0.05/hr. 2X dynos are exactly what their name implies: 1GB of memory and twice the CPU share for $0.10/hr. To support the growth of current and future apps on the platform, you can now control your dyno resources on two axes: size and quantity.

Let’s try them out.


Heroku Postgres Databases Patched

This post originally appeared on the postgres blog. We are also posting it in full here because we believe the content is so important.

Data is one of the most valuable assets of any company. As a database-as-a-service provider, one of our biggest responsibilities is ensuring your data is kept safe. A few weeks ago, one of the worst security vulnerabilities to date in PostgreSQL was discovered. To address this issue, Heroku deployed a point release upgrade across the entire Heroku Postgres service earlier this week. This resulted in a period of database unavailability, typically with a duration of less than one minute. Every database running on Heroku Postgres is now appropriately patched and is unaffected by the vulnerability.

PostgreSQL Vulnerability Details

The PostgreSQL project has provided official detail on CVE-2013-1899.

Several weeks ago there was a responsible disclosure of a serious security vulnerability within PostgreSQL by Mitsumasa Kondo and Kyotaro Horiguchi. The vulnerability allows unauthenticated remote users to use the ‘postmaster’ process to write data to any accessible file, including critical internal database files.

The vulnerability was fixed and the fix committed to PostgreSQL’s private git repository, but only after updates to anonymously accessible copies were disabled. Updated versions of PostgreSQL were released today to most large packaging repositories, as well as source code and installers.

Heroku Postgres Patching

The Heroku Postgres team worked with the PostgreSQL community to ensure we would be able to rapidly apply this patch. However, due to the nature of the issue, and aiming to mitigate risk for others, we were not able to discuss specifics until now. Our goal — in addition to ensuring your data was safe — was to continue monitoring this upgrade as it was deployed, providing early feedback to the community should bugs be found, and not jeopardizing in any way the coordinated public disclosure process stewarded by the PostgreSQL community. Most importantly, the PostgreSQL source code that included the patch was held in the utmost secrecy. In addition, the deployment plan was reviewed by PostgreSQL community members in advance.

Once the source code was released to the PostgreSQL packagers, a group that includes a member of the Heroku Postgres staff, we began applying this patch to all Heroku Postgres databases, with the first updates starting on Monday. As of Wednesday at 6:30 PM PDT, all Heroku Postgres databases had been upgraded to their appropriate point release and were no longer vulnerable to CVE-2013-1899.

Conclusion

We realize that having no control over a maintenance window, however brief, is among the worst possible experiences. We are very sorry. Two reasons prevented us from working with you to schedule the security update. First, we prioritize ensuring your data is safe above all else; as a result, making sure that every database was patched before this exploit was weaponized was paramount. Second, this was the first time we've had to deal with a security update of this scale, and we have no machinery in place to schedule upgrades of this sort. Spending time to build such machinery would have prevented us from having every database patched in time. We will continue to work on improving our process around such maintenance to provide a better experience in the future.

As of late Wednesday all Heroku Postgres databases were upgraded and no longer at risk of CVE-2013-1899. No further action is required on your part to ensure your data remains safe.
