303 Backported patches for legacy Ruby versions

The Rails LTS service only covers security updates for the Rails framework, not for Ruby.

As a courtesy to our customers, we sometimes backport security patches to legacy Ruby versions, which you can find below. However, we cannot guarantee future patches for legacy Ruby versions.

Patches for Ruby 1.8.7

Download ruby_1_8_7-p374-fixes-2015-04-14.patch and rename it to download.patch.

This patch applies to Ruby version **...

310 rspec-rails 1.3 compatibility fork for Rails LTS 2.3

An expectation like this will fail with Rails LTS 2.3:

should render_template(:edit)

The error will look like this:

expecting <:edit> but rendering with <"">

This is caused by rspec-rails 1.x monkey-patching ActionController during controller specs, which no longer matches the template-rendering internals of Rails LTS 2.3.

Fix

To fix this, use our compatibility fork of rspec-rails 1.3.

With Bundler

If ...

311 rspec-rails 2.14 compatibility fork for Rails 3.2 LTS

With Rails 3.2 LTS your RSpec 2 controller specs might fail with an error like this:

NoMethodError:
  undefined method `[]' for nil:NilClass

Fix

To fix this, use our compatibility fork of rspec-rails 2.14.

You can switch to the fork by updating your Gemfile:

gem 'rspec-rails', :git => 'https://github.com/makandra/rspec-rails.git', :branch => '2-14-lts'

Now run bundle update rspec-rails.

401 [CVE-2018-15578] Denial of Service vulnerability in Rails 3.2 LTS (Active Record)

There is a possible ReDoS (regular expression denial of service) vulnerability in the activerecord gem that is part of Rails LTS. An attacker using a specially crafted request can cause an application with certain vulnerable code to consume an excessive amount of CPU time.

Affected versions: Rails 3.2.22.9 LTS and lower, Rails 3.0.20.12 LTS and lower
Unaffected versions: Rails 2.3 LTS

Note: The flaw is also present in the official non-LTS 3.x version of Active Record, which is no longer maintained. Other non-LTS Rails versions are not af...

Change to ActiveRecord deserialization (CVE-2022-32224)

Mimicking the official change in Rails 5.1.8 to protect against CVE-2022-32224, all versions of Rails LTS now use YAML.safe_load to deserialize database columns in ActiveRecord. This is a potential breaking change: values that were written with classes other than the basic YAML types will no longer load until those classes are explicitly permitted.

Background

When using something like

class MyModel < ActiveRecord::Base
  serialize :address_data
  # or alternatively
  store :settings, accessor: [:color, :homepage]
end

ActiveRecord will use YAML to serialize and deserialize data. However, YAML deserialization using YAML.load (or explicitly `YAML.unsafe...
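The effect of that change on data a serialized column may already contain, as an added example (this is not code from Rails LTS or Rails itself): it deserializes constructed column values the way the hardened path does and reports which class each value needs permitted. The sample rows, `safe_deserialize` and `classes_required` are assumptions made for this example and do not exist in ActiveRecord.

```ruby
require 'yaml'

# Constructed sample rows standing in for the YAML text stored in a serialized
# column (serialize / store). They are made up for this example; none of them
# comes from a real database.
SAMPLE_ROWS = [
  # plain strings in a hash: accepted by YAML.safe_load as-is
  YAML.dump({ 'street' => 'Main St 1', 'zip' => '80331' }),
  # a Symbol value, e.g. written by an older `store` accessor
  YAML.dump({ 'color' => :blue, 'homepage' => 'https://example.com' }),
  # a Time value: fine for YAML.load, refused by safe_load until permitted
  YAML.dump({ 'last_seen' => Time.utc(2022, 7, 12, 10, 0, 0) }),
  # an arbitrary-object tag: exactly the input safe_load exists to refuse
  "--- !ruby/object:Object\nnote: constructed\n",
]

# Deserialize one column value with YAML.safe_load.
# Returns [:ok, data] when the document only uses permitted types, or
# [:disallowed, class_name] naming the first class safe_load refused.
def safe_deserialize(yaml, permitted_classes: [])
  data = YAML.safe_load(yaml, permitted_classes: permitted_classes, aliases: true)
  [:ok, data]
rescue Psych::DisallowedClass => e
  # Psych's message reads "Tried to load unspecified class: Time"
  [:disallowed, e.message[/class: (\S+)/, 1]]
end

# Scan stored values and list every class that would have to be permitted
# for them to keep loading after the change. Run this over a column's values
# before upgrading to see what the switch to safe_load will break.
def classes_required(rows)
  rows.each_with_object([]) do |yaml, needed|
    status, detail = safe_deserialize(yaml)
    needed << detail if status == :disallowed
  end.uniq
end

if $PROGRAM_NAME == __FILE__
  SAMPLE_ROWS.each { |row| p safe_deserialize(row) }
  p classes_required(SAMPLE_ROWS)
end
```

Note that the last row is rejected with the same exception as the harmless Symbol and Time rows: safe_load does not distinguish between "legacy data you still want" and "attacker-controlled object tags", so each class you permit widens the surface again and should be a concrete class your own code writes, never Object or a broad base class.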

Installation instructions for rails-ujs or jquery-ujs

Since [CVE-2023-23913] we maintain forks of rails-ujs and jquery-ujs.
Because each Rails app handles asset packages differently, we introduced several forked packages that carry the fix.
To install one of them, replace your existing npm package or gem with the corresponding forked version.

Use the NPM package @railslts/jquery-ujs to replace the jquery-ujs NPM package, e.g. with npm install @railslts/jquery-ujs.
Use the NPM package @railslts/rails-ujs to replace the rails-ujs NPM package, e.g. with `npm...

Rack has been added to Rails LTS

Historically, the "rack" gem was not part of Rails LTS, simply because it was maintained and released separately from Ruby on Rails. However, since Rails cannot work without Rack, and since Rack did have a few minor security vulnerabilities, we have been maintaining forks of Rack on GitHub for a while.

This has now changed and Rack is now a core gem of Rails LTS. This means:

  • We are committed to maintaining and patching Rack, and will make sure it works on the same Ruby versions that Rails LTS supports.
  • We will serve rack over our gem server...

Ruby 3.1 support for Rails LTS

Note

You can find the updated guide here.

We are pleased to announce that all versions of Rails LTS now support Ruby 3.1, in addition to all Ruby versions we previously supported.

As always, "support" means:

  • You should not run into errors that cannot be solved without changes to Rails.
  • We did our best to not require you to make too many changes.
  • There will most likely be issues within your own code and with third party gems.

We have successfully upgraded a...