101 System requirements
Rails LTS has been conceived as a drop-in replacement for Rails 2.3, 3.2, and 4.2. However, we do recommend that you go through the list below to make sure that installing Rails LTS will work without problems.
Rails 2.3 LTS
Rails version
Your application should run the latest release of the official Rails 2.3 gems.
If you are running an earlier version, we strongly recommend [upgrading to Rails 2.3.18](https://makandracar...
102 Installing Rails LTS
Please choose a guide for your version of Ruby on Rails:
- Installing Rails 2.3 LTS
- Installing Rails 3.2 LTS
- Installing Rails 4.2 LTS
- Installing Rails 5.2 LTS
- Installing Rails 6.1 LTS
If you have installed Rails LTS before and want to update to a newer version, please see our ...
103 Installing Rails 2.3 LTS with Bundler
This document describes how to swap out the official Rails 2.3 gems with Rails 2.3 LTS. If you have installed Rails LTS before and want to update to a newer version, please see our update instructions.
Prerequisites
- Make sure your project satisfies the system requirement for Rails LTS. This involves [upgrading to Rails 2.3.18](https://makandracards.com/makandra/16951-...
103 Installing Rails 3.2 LTS
This document describes how to swap out the official Rails 3.2 gems with Rails 3.2 LTS. If you have installed Rails LTS before and want to update to a newer version, please see our update instructions.
Prerequisites
- Subscribe to a Rails LTS plan to receive your credentials. If you already have a paid subscription for another version of Rails LTS, you can use the same credentials for Rails...
103 Installing Rails 4.2 LTS
This document describes how to swap out the official Rails 4.2 gems with Rails 4.2 LTS. If you have installed Rails LTS before and want to update to a newer version, please see our update instructions.
Prerequisites
- Subscribe to a Rails LTS plan to receive your credentials. If you already have a paid subscription for another version of Rails LTS, you can use the same credentials for Rails...
103 Installing Rails 5.2 LTS
This document describes how to swap out the official Rails 5.2 gems with Rails 5.2 LTS. If you have installed Rails LTS before and want to update to a newer version, please see our update instructions.
Prerequisites
- Subscribe to a Rails LTS plan to receive your credentials. If you already have a paid subscription for another version of Rails LTS, you can use the same credentials for Rails...
103 Installing Rails 6.1 LTS
This document describes how to swap out the official Rails 6.1 gems with Rails 6.1 LTS. If you have installed Rails LTS before and want to update to a newer version, please see our update instructions.
Prerequisites
- Subscribe to a Rails LTS plan to receive your credentials. If you already have a paid subscription for another version of Rails LTS, you can use the same credentials for Rails...
104 Enabling additional security features in Rails LTS
This document describes how to configure Rails LTS and how to take advantage of its optional security features.
The default Rails LTS configuration (:compatible
) has been built for maximum compatibility with the official Rails releases. We do however recommend the :hardened
configuration, which includes improvements we believe to be reasonable defaults for increased security in most applications.
On Rails 2.3, to activate :hardened
configuration, add the following to the Rails::Initializer
block in your `...
104 Updating Rails LTS to a newer version
This document assumes you have installed Rails LTS before and want to update to a new version of the Rails LTS gem. As a subscriber to the Rails LTS service, you will be notified whenever a new version for Rails LTS becomes available.
-
Run the following comment within your Rails project directory:
bundle update rails
After updating, check that your
Gemfile.lock
contains the expected changes.If booting Rails now gives you this error:
...
105 How to find out your current Rails LTS version
Rails 3.2 LTS, 4.2 LTS, 5.2 LTS
Run the following command:
bundle show rails
This will display the path of the installed rails
gem. The path will contain the version number, e.g. 3.2.22.8
below:
/home/alice/.rbenv/versions/2.1.2/lib/ruby/gems/2.1.0/gems/rails-3.2.22.8
^^^^^^^^
Rails LTS 2.3
Installation with bundler
As a customer of a paid plan who has installed Rails LTS with Bundler, run the fo...
106 RubyGems 2.x support for Rails 2.3 LTS
Starting with Rails LTS 2.3.18.19, it is possible to run Rails LTS with modern versions of RubyGems (2.6.13 at the time of writing) if you are using Rails 2.3 LTS with Bundler.
With RubyGems 2+, Rails LTS will restrict the following features which are now supplied by bundler:
- You will no longer be able to use
config.gem ...
inenvironment.rb
. - You can no longer freeze/unpack gems using
rails:freeze:gems
orrails:gems:unpack
. - Rails will no longer search locally installed gems when looking for generators (in `...
107 Subscribe to the LTS mailing list
We use a mailing list to inform customers about security vulnerabilities and new releases of Rails LTS.
You can subscribe to this list during the order process. You can also manually subscribe here: https://account.railslts.com/notifications/subscribe
110 Known issue: HTTP 403 error in "bundle install --verbose" output
When running bundle install --verbose
on Bundler versions 1.12+, you might see errors of the form
HTTP 403 Forbidden https://username:password@gems.railslts.com/versions
These errors are not fatal, Rails LTS should still be installed correctly. This has been tested with all Bundler versions 1.12.x and 1.13.x.
Background:
Since version 1.12, Bundler includes a performance optimization called "compact gem index". Our gem server does not support this.
When trying to access this new index our web server will return a 403. B...
201 Changelogs
Please choose a Changelog for your version of Ruby on Rails:
202 Rails 2.3 LTS Changelog
October 17th 2024, Rails version 2.3.18.58
- Fixed ReDoS vulnerability CVE-2024-47889. Read the announcement.
June 19th 2024, Rails version 2.3.18.57
- Fixed a bug that under rare circumstances lead to redundant empty "Set-Cookie" headers.
May 21st 2024, Rails version 2.3.18.56
- Added missing adapter for
mysql2
version 0.5.x.
May 14th 2024, Rails version 2.3.18.55
- Added support for Ruby 3.3. See our [upgrade guide](/railslts/620513-support-for-modern...
204 Rails 3.2 LTS Changelog
October 17th 2024, Rails version 3.2.22.48
- Fixed ReDoS vulnerabilities CVE-2024-41128 and CVE-2024-47889. Read the announcement.
May 14th 2024, Rails version 3.2.22.47
- Added support for Ruby 3.3. See our upgrade guide.
May 14th 2024, Rack version 1.4.7.19
- Added support for Ruby 3.3. See our upgrade guide.
Feb 23rd 2...
205 Rails 4.2 LTS Changelog
October 17th 2024, Rails version 4.2.11.38
- Fixed ReDoS vulnerabilities CVE-2024-41128, CVE-2024-47887, and CVE-2024-47889. Read the announcement.
May 14th 2024, Rails version 4.2.11.37
- Added support for Ruby 3.3. See our upgrade guide.
May 14th 2024, Rack version 1.6.13.17
- Added support for Ruby 3.3. See our [upgrade guide](/railslts/620513-support-for-modern-ruby-versions-up-to-ruby-3...
206 Rails 5.2 LTS Changelog
Dezember 11th 2024, Rails version 5.2.8.26
- Fixed CVE-2024-54133, a vulnerability that allows to bypass the Content Security Policy configuration in Rails' ActionDispatch. Read the announcement.
October 17th 2024, Rails version 5.2.8.25
- Fixed ReDoS vulnerabilities CVE-2024-41128, CVE-2024-47887, and CVE-2024-47889. Read the announcement.
Sep 18th 2024, Rack version 2.2.9.10
- Me...
207 Rails 6.1 LTS Changelog
Dezember 11th 2024, Rails version 6.1.7.21
- Fixed CVE-2024-54133, a vulnerability that allows to bypass the Content Security Policy configuration in Rails' ActionDispatch. Read the announcement.
October 17th 2024, Rails version 6.1.7.20
- Fixed ReDoS vulnerabilities CVE-2024-41128, CVE-2024-47887, CVE-2024-47888, and CVE-2024-47889. Read the announcement.
Sep 18th, 2024: Version 6...
209 List of CVEs addressed by Rails LTS
This is a list of known CVEs relevant for Rails LTS 2.3+. All CVEs are fixed in all versions of Rails LTS (or may not affect some versions). If a versions of Rails LTS is not mentioned, the fix was already done in an official release Ruby on Rails release, and is therefore also part of Rails LTS.
-
XSS vulnerability in the translate helper method in Ruby on Rails
- Fixed in 2.3 LTS.
-
Possible XSS Security Vulnerability in SafeBuffer#[]
- Rails 2.3 with up to date versions of the rails_xss plugin is not affected.
-
CVE-2012-1099
- F...
210 Fixing 'uninitialized constant / undefined class/module ActionDispatch::Http::ParamsHashWithIndifferentAccess' when migrating away from Rails LTS
Rails 2.3 and 3.2 LTS use ActionDispatch::Http::ParamsHashWithIndifferentAccess
to represent params hashes, similar to Rails 5's ActionController::Parameters
.
If you serialize data in Rails LTS, then upgrade to other Rails versions (such as Rails 5) and then try to deserialize the data, you might run into an error
uninitialized constant ActionDispatch::Http::ParamsHashWithIndifferentAccess
or
undefined class/module ActionDispatch::Http::ParamsHashWithIndifferentAccess
To fix this, add the following line to ...
211 Using strings in polymorphic helpers / CVE-2021-22885
Rails LTS (<= 4.2) contains a fix for CVE-2021-22885, but this includes a breaking change you can opt out of. In Rails 5.2 LTS and upward you cannot opt out of this, because it was already fixed in the original 5.2 release.
Affected code looks like this
redirect_to(params[:redirect_url])
If params[:redirect_url]
was, for example, the array ['my', 'secret']
, this would cause the method my_secret_url
to be called.
That can be problematic, for example
- when there is a dangerous
..._path
or..._url
method in your applicat...
250 Security standards and practices
Rails LTS is a service of makandra, a team of Ruby developers and Linux system engineers based in Germany. We have more than 10 years of experience developing and operating web applications, and have always taken security very seriously.
This is a brief overview of how we handle Rails security issues for LTS, and how we operate the service:
Handling of security issues
Rails LTS primarily fixes security vulnerabilities after they have been publicly disclosed for the official release of Ru...
280 Support for modern Ruby versions up to Ruby 3.3
We have made all versions of Rails LTS compatible with Ruby 3.3 or below. All Rails components should work as expected with no deprecation warnings.
However, upgrading Ruby will require manual effort. Your application may contain code that does not work on the latest Ruby. It is likely that some of your third-party dependencies do not work on the latest Ruby. The upgrading steps vary for every Rails application, and increase with the number of third-party gems.
We have ourselves successfully upgraded several older applications. Usual...