Registration for Waza 2013 is now open

The Concourse - San Francisco February 28, 2013

Heroku’s Waza (技), the Japanese word for art and technique, is an immersive one-day developer experience focused on craft. The event features technical sessions, hands-on workshops, great food, and traditional music, with added experiences in music, art and technology throughout the day.

Registration is now open! Tickets are $300.

Last year’s event sold out in a matter of hours. Don’t risk missing out this year -- join us for Waza on February 28th, 2013 at the Concourse in San Francisco.

We are excited to announce the following speakers:

Rails Security Vulnerability

A serious security vulnerability has been found in the Ruby on Rails framework. The vulnerability affects nearly all applications running Rails, and a patch has been made available.

Rails developers can get a full list of their affected Heroku applications by following the instructions here. Please address this security vulnerability by immediately upgrading your affected apps to any of the safe versions of Rails listed below. The following Rails versions have been patched and are safe from this vulnerability:

  • 3.2.11
  • 3.1.10
  • 3.0.19
  • 2.3.15

If you do not upgrade, an attacker can trivially gain access to your application and its data and run arbitrary code or commands. Heroku recommends upgrading to a patched version immediately.
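The advisory lists one patched release per Rails series, so the practical check for each app is: which series is the app on, and is its locked Rails release at or above that series' patched release? The following is an added example, not Heroku's tooling, that makes that decision from a Gemfile.lock. The lockfile contents are constructed for the demo, and it assumes (labelled in the code) that any later release in the same series also carries the fix; a series not in the table is flagged rather than silently passed.

```ruby
# Added example (not from the original post): classify a Gemfile.lock
# against the patched Rails releases listed in the advisory.
require "rubygems" # Gem::Version

# Minimum safe release per series, exactly as listed in the advisory.
PATCHED_RAILS = {
  "3.2" => Gem::Version.new("3.2.11"),
  "3.1" => Gem::Version.new("3.1.10"),
  "3.0" => Gem::Version.new("3.0.19"),
  "2.3" => Gem::Version.new("2.3.15"),
}.freeze

# The locked rails release lives in the GEM section's "specs:" block as a
# 4-space-indented line such as "    rails (3.2.10)". The 2-space entry
# under DEPENDENCIES ("  rails (= 3.2.10)") is a requirement, not the lock.
def locked_rails_version(lockfile_text)
  lockfile_text.each_line do |line|
    if (m = line.match(/\A {4}rails \(([^)]+)\)\s*\z/))
      return Gem::Version.new(m[1])
    end
  end
  nil
end

# Returns :safe, :vulnerable, :unknown_series or :no_rails.
# Assumption: a release later than the patched one in the same series
# contains the fix. A series with no entry in the table is reported as
# :unknown_series so a human looks at it instead of it passing by default.
def rails_status(lockfile_text)
  version = locked_rails_version(lockfile_text)
  return :no_rails if version.nil?
  series = version.segments.first(2).join(".")
  minimum = PATCHED_RAILS[series]
  return :unknown_series if minimum.nil?
  version >= minimum ? :safe : :vulnerable
end

# Constructed sample lockfiles (not real applications).
VULNERABLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.4.1)
      rails (3.2.10)
        railties (= 3.2.10)
      railties (3.2.10)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 3.2.10)
LOCK

PATCHED_LOCK = VULNERABLE_LOCK.gsub("3.2.10", "3.2.11")

if __FILE__ == $PROGRAM_NAME
  { "vulnerable app" => VULNERABLE_LOCK, "patched app" => PATCHED_LOCK }.each do |name, lock|
    puts "#{name}: rails #{locked_rails_version(lock)} -> #{rails_status(lock)}"
  end
end
```

Run it against the checked-out repository of each app (`rails_status(File.read("Gemfile.lock"))`); anything other than `:safe` is an app to upgrade or take offline with the steps below.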

How to Upgrade:

Open the Gemfile in the affected application and change the Rails version to one listed above:

gem 'rails', '3.2.11'

Then run:

$ bundle update rails

Then commit the results to git, and push to Heroku:

$ git commit -am "Bundle update rails"
$ git push heroku master

Repeat for any susceptible applications. If you cannot upgrade at this time, please consider enabling maintenance mode or scaling your app down to zero dynos.

$ heroku maintenance:on -a APPNAME
$ heroku scale web=0 -a APPNAME

Any applications running an insecure version are at risk.

Password Hijacking Security Vulnerability and Response

Heroku recently learned of and resolved a security vulnerability. We want to report this to you, describe how we responded to the incident, and reiterate our commitment to constantly improving the security and integrity of your data and source code.

On December 19, 2012, security researcher Stephen Sclafani notified us of an issue in our account creation system. Using a maliciously crafted HTTP request, an attacker could change the password of a pre-existing Heroku user account, and thus gain control of it. This attack would not disclose the pre-existing password to the attacker (those are stored internally as non-recoverable bcrypt hashes).

Upon receiving notification, our engineering and security staff engaged with Mr. Sclafani. We developed and deployed a preliminary patch to production on December 20. While we were deploying the patch, Mr. Sclafani also discovered a related issue in the password reset flow that could be used to reset the passwords of a certain subset of users at random. A preliminary patch for this was also developed and deployed on December 20.

After deploying these patches, we conducted a thorough audit of our internal logs. We found no evidence that these vulnerabilities were exploited prior to Mr. Sclafani’s research on December 19, either by him or by any other third party. Due to the nature of the vulnerability, any customer whose account was compromised would have found both their existing password and API key invalidated, and would have had to initiate a password reset.

While both Mr. Sclafani and Heroku endeavoured to use test accounts exclusively, a very small number of customer account passwords were reset during the incident. We have contacted the impacted customers and advised them to reset their passwords and credentials.

We would like to thank Mr. Sclafani for notifying us of this vulnerability, and giving us ample opportunity to fix it. His description is available at http://stephensclafani.com/2013/01/09/vulnerabilities-in-heroku/. We are extremely grateful to both him and all external security researchers who practice responsible disclosure.

We are confident in the steps we have taken to protect our customers from this vulnerability and will continue to improve our internal processes in order to provide our customers with a trusted cloud platform. We would also like to reaffirm our commitment to the security and integrity of our customers’ data and code. Nothing is more important to us.

Oren Teich, Chief Operating Officer

Run JRuby on Heroku Right Now

Over a year ago Heroku launched the Cedar stack and the ability to run Java on our platform. Java is known as a powerful language, capable of performing at large scale. Much of this potential comes from the JVM that Java runs on. The JVM is the stable, optimized, cross-platform virtual machine that also powers other languages including Scala and Clojure. Starting today you can leverage the power of the JVM in your Ruby applications without learning a new language, by using JRuby on Heroku.

After a beta process with several large production applications, we are pleased to move JRuby support into general availability today. One of these companies, Travis CI, which provides free CI testing to open source repositories and a pro plan for private projects, was a JRuby beta tester. Josh Kalderimis of the Travis team had this to say about using JRuby on Heroku:

We love JRuby, everything from the threading support to having the power of the JVM at our fingertips. But what we love most is that we can set up a JRuby app in seconds, the same way as all of our other Heroku apps. Git push and it's live, no matter what the language.

We've been working with the JRuby team to make sure that the experience using the language on Heroku is going to be everything you've come to expect from using our platform. So why should you be interested in running JRuby?

Why JRuby

If you're coming from a Java background and want to use a more dynamic language, JRuby lets you use Ruby's syntax while calling JVM-based libraries. If you're a Ruby developer already on Heroku, the JRuby implementation has several unique features you can leverage. The most significant difference between running code on JRuby and on MRI (cRuby) is that JRuby has no Global VM Lock (GVL). This means multiple threads of Ruby code can run in parallel within the same process. cRuby does allow IO and other non-Ruby work to proceed in parallel threads, but running Ruby code concurrently can only be done with multiple processes. The second difference is the JVM ecosystem: JRuby can use Java libraries such as JDBC-based database drivers, many of which have been heavily optimized and can offer speed improvements.
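The flip side of real parallelism is that shared mutable state which only appeared to be safe under MRI's GVL becomes a genuine race on JRuby. The following is an added example, not code from the original post or from the JRuby project, showing the pattern to use when moving work into threads: a worker pool fed by a Queue, with every touch of shared state under a Mutex, next to the unsynchronised counter that such a move silently breaks. The job list and the hashing rounds are constructed for the demo and have no meaning beyond keeping the threads busy.

```ruby
# Added example (not from the original post): a Mutex-guarded worker pool
# that is correct on both MRI and JRuby, beside an unsynchronised counter
# whose lost updates the GVL masks on MRI but JRuby exposes.
require "thread"
require "digest"

# CPU-bound per-job work so that parallel execution on JRuby is observable.
# Assumption: the rounds count is an arbitrary demo value.
def hash_rounds(payload, rounds = 20_000)
  digest = payload.dup
  rounds.times { digest = Digest::SHA256.hexdigest(digest) }
  digest
end

# Process +jobs+ with +workers+ threads. Returns { results: {id => digest},
# completed: n }. Results and the counter are only touched under +lock+.
def run_pool(jobs, workers: 4)
  queue = Queue.new
  jobs.each { |job| queue << job }
  queue.close                    # pop returns nil once the queue is drained
  lock = Mutex.new
  results = {}
  completed = 0

  threads = Array.new(workers) do
    Thread.new do
      while (job = queue.pop)    # blocks until a job arrives or the queue closes
        digest = hash_rounds(job[:payload], job[:rounds])
        lock.synchronize do      # the only place shared state is written
          results[job[:id]] = digest
          completed += 1
        end
      end
    end
  end
  threads.each(&:join)
  { results: results, completed: completed }
end

# The anti-pattern: "count += 1" is a read, an add and a write, and nothing
# stops two threads interleaving them. The result may be lower than expected
# on either interpreter; on JRuby the loss is routine rather than rare.
def racy_count(increments_per_thread, workers: 4)
  count = 0
  Array.new(workers) { Thread.new { increments_per_thread.times { count += 1 } } }.each(&:join)
  count
end

# True when Ruby threads can execute Ruby code in parallel in this process.
def parallel_ruby_threads?
  RUBY_ENGINE == "jruby"
end

# Constructed job list for the demo.
JOBS = (1..8).map { |i| { id: i, payload: "job-#{i}", rounds: 2_000 } }

if __FILE__ == $PROGRAM_NAME
  out = run_pool(JOBS)
  puts "#{RUBY_ENGINE}: completed #{out[:completed]} jobs, parallel threads: #{parallel_ruby_threads?}"
  puts "unsynchronised counter: #{racy_count(100_000)} (expected #{4 * 100_000})"
end
```

Run the script under both `ruby` and `jruby`: the pool reports all jobs completed on either, while the unsynchronised counter is the kind of code that "worked" for years on MRI and starts losing updates the day the app is pushed on JRuby.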

JRuby on Heroku

JRuby on Heroku lowers the barrier of entry to both learning and running a new language in production. The interface of JRuby with the Heroku platform is the same as for our other languages: you push your code to us and we do the rest. You don't need to think about all of the details of running a new language. The result is that you get to focus on adding features, not on how to deploy and keep your systems up.

We have been working together with the JRuby community to make sure the experience is a good one. Charles Nutter, the co-lead of JRuby, is excited about the future of running JRuby on Heroku:

One of the most frequently-requested features for JRuby isn't a JRuby feature at all...it's support for JRuby on Heroku. We're very excited that Heroku now officially supports JRuby, and we're looking forward to working with and supporting Heroku users trying out JRuby on their cloud of choice.

By normalizing the interface to deployment across implementations, we hope to ease the process of trying new interpreters within the Ruby community. We are excited to see a new class of applications, running Ruby on the JVM, deployed and supported on Heroku. With all these options, which Ruby should you use in production?

Which Ruby to Use?

Heroku supports many languages, and we have a long and happy history of supporting Ruby. While we continue to invest in the exciting future of MRI, we are also excited about your ability to run your code on the interpreter of your choice. This can open up new possibilities such as taking advantage of different VM optimizations or concurrent Ruby processing.

As you're trying JRuby, remember that it may behave slightly differently than you're used to with MRI. If you're interested in trying JRuby out on an existing Heroku app, you can read more about converting an existing Rails app to use JRuby.

Every app is different and every project has different requirements. Having the ability to quickly and easily run your app in production on multiple Ruby VMs gives you the power to choose.

Try it Today

If you have an existing Rails app you can deploy it on JRuby. If you're starting from scratch, running JRuby on Heroku is a breeze. All you need to do is specify the version of Ruby you want to run, the engine, and the engine version in your Gemfile:

ruby '1.9.3', engine: 'jruby', engine_version: '1.7.1'

You'll need to run bundle install with JRuby locally, then commit the results and push to Heroku:

$ git add .
$ git commit -m "trying JRuby on Heroku"
$ git push heroku master
Counting objects: 692, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (662/662), done.
Writing objects: 100% (692/692), 141.01 KiB, done.
Total 692 (delta 379), reused 0 (delta 0)

-----> Heroku receiving push
-----> Ruby/Rails app detected
-----> Using Ruby version: ruby-1.9.3-jruby-1.7.1
-----> Installing JVM: openjdk7-latest
-----> Installing dependencies using Bundler version 1.2.1
# ...

That should be all you need to do to run JRuby on Heroku. If you're converting an existing Rails application, please read moving an existing Rails app to run on JRuby.

While you're trying JRuby out on Heroku you can also try out Ruby 2.0.0 preview, before it is released in February.

Conclusion

With the release of JRuby on Heroku you can now run your code on multiple VMs and use concurrent Ruby code in production. You've got a standard interface to deployments and the power to choose the right tool for the right job. Special thanks to all of the customers who tried the JRuby beta, and to the JRuby team for being available for technical support. Give JRuby a try and let us know what you think.

Postgres 9.2 – The Database You Helped Build

Hosting your data on one of the largest fleets of databases in the world comes with certain advantages. One of those benefits is that we can aggregate the collective pain points that face our users and work within the Postgres community to help find solutions to them.

In the previous year we worked very closely with the broader Postgres community to build features, fix bugs, and resolve pain points. You've already seen some of the results of that work in the form of extension support on Heroku and query cancellation. With the 9.2 release we're delighted to say that with your help, we've been able to bring you a whole host of new power and simplicity in your database.

Effective immediately, we're moving Postgres 9.2 into GA, and it will become the new default shortly. Postgres 9.2 is full of simplifications and new features that will make your life better, including:

  • Expressive new datatypes
  • New tools for getting deep insights into your database's performance
  • User interface improvements

You can request a version 9.2 database from the command line like this:

heroku addons:add heroku-postgresql:dev --version=9.2

Get started by provisioning one today, or read more about the many great features now available in Postgres 9.2 over on the Heroku Postgres blog.
