Rails LTS has been conceived as a drop-in replacement for Rails 2.3, 3.2, and 4.2. However, we do recommend that you go through the list below to make sure that installing Rails LTS will work without problems.
Your application should run the latest release of the official Rails 2.3 gems.
If you are running an earlier version, we strongly recommend [upgrading to Rails 2.3.18](https://makandracar...
Please choose a guide for your version of Ruby on Rails:
If you have installed Rails LTS before and want to update to a newer version, please see our [update instructions](https://makandracards.com...
This document describes how to swap out the official Rails 2.3 gems with Rails 2.3 LTS. If you have installed Rails LTS before and want to update to a newer version, please see our update instructions.
This document describes how to swap out the official Rails 3.2 gems with Rails 3.2 LTS. If you have installed Rails LTS before and want to update to a newer version, please see our update instructions.
This document describes how to swap out the official Rails 4.2 gems with Rails 4.2 LTS. If you have installed Rails LTS before and want to update to a newer version, please see our update instructions.
This document describes how to swap out the official Rails 5.2 gems with Rails 5.2 LTS. If you have installed Rails LTS before and want to update to a newer version, please see our update instructions.
This document describes how to configure Rails LTS and how to take advantage of its optional security features.
The default Rails LTS configuration (:compatible
) has been built for maximum compatibility with the official Rails releases. We do however recommend the :hardened
configuration, which includes improvements we believe to be reasonable defaults for increased security in most applications.
On Rails 2.3, to activate :hardened
configuration, add the following to the Rails::Initializer
block in your `...
This document assumes you have installed Rails LTS before and want to update to a new version of the Rails LTS gem. As a subscriber to the Rails LTS service, you will be notified whenever a new version for Rails LTS becomes available.
If you have installed Rails LTS with Bundler, simply run the following comment within your Rails project directory:
bundle update rails
After updating, check that your Gemfile.lock
contains the expected changes.
...
Run the following command:
bundle show rails
This will display the path of the installed rails
gem. The path will contain the version number, e.g. 3.2.22.8
below:
/home/alice/.rbenv/versions/2.1.2/lib/ruby/gems/2.1.0/gems/rails-3.2.22.8
^^^^^^^^
As a customer of a paid plan who has installed Rails LTS with Bundler, run the fo...
Starting with Rails LTS 2.3.18.19, it is possible to run Rails LTS with modern versions of RubyGems (2.6.13 at the time of writing) if you are using Rails 2.3 LTS with Bundler.
With RubyGems 2+, Rails LTS will restrict the following features which are now supplied by bundler:
config.gem ...
in environment.rb
.rails:freeze:gems
or rails:gems:unpack
.We use a mailing list to inform customers about security vulnerabilities and new releases of Rails LTS.
You can subscribe to this list during the order process. You can also manually subscribe here: https://railslts.com/notifications/subscribe
When running bundle install --verbose
on Bundler versions 1.12+, you might see errors of the form
HTTP 403 Forbidden https://username:password@gems.railslts.com/versions
These errors are not fatal, Rails LTS should still be installed correctly. This has been tested with all Bundler versions 1.12.x and 1.13.x.
Since version 1.12, Bundler includes a performance optimization called "compact gem index". Our gem server does not support this.
When trying to access this new index our web server will return a 403. B...
Please choose a Changelog for your version of Ruby on Rails:
uri
gem.time
and uri
stdlibs (CVE-2023-28755, CVE-2023-28756), see [here](https://mailchi.mp/railslts/rails-lts-patches-for-redos-vulnerab...uri
gem.time
and uri
stdlibs (CVE-2023-28755, CVE-2023-28756), see [here](https://mailchi.mp/railslts/rails-lts-patches-for-redos-vulnerab...uri
gem.time
and uri
stdlibs (CVE-2023-28755, CVE-2023-28756), see [here](https://mailchi.mp/railslts/rails-lts-patches-for...change_table do |t|
t.integer :size, default: 0 # works
t.integer :count, { default: 0 } # would create an additional column named "{default => 0}"
end
This could also cause weird columns to appear in the schema_migrations
or ar_internal_metadata
tables when creating a new database.This is a list of known CVEs relevant for Rails LTS 2.3+. All CVEs are fixed in all versions of Rails LTS (or may not affect some versions). If a versions of Rails LTS is not mentioned, the fix was already done in an official release Ruby on Rails release, and is therefore also part of Rails LTS.
XSS vulnerability in the translate helper method in Ruby on Rails
Possible XSS Security Vulnerability in SafeBuffer#[]
CVE-2012-1099
Rails 2.3 and 3.2 LTS use ActionDispatch::Http::ParamsHashWithIndifferentAccess
to represent params hashes, similar to Rails 5's ActionController::Parameters
.
If you serialize data in Rails LTS, then upgrade to other Rails versions (such as Rails 5) and then try to deserialize the data, you might run into an error
uninitialized constant ActionDispatch::Http::ParamsHashWithIndifferentAccess
or
undefined class/module ActionDispatch::Http::ParamsHashWithIndifferentAccess
To fix this, add the following line to an initial...
Rails LTS (<= 4.2) contains a fix for CVE-2021-22885, but this includes a breaking change you can opt out of. In Rails 5.2 LTS you cannot opt out of this, because it was already fixed in the original 5.2 release.
Affected code looks like this
redirect_to(params[:redirect_url])
If params[:redirect_url]
was, for example, the array ['my', 'secret']
, this would cause the method my_secret_url
to be called.
That can be problematic, for example
..._path
or ..._url
method in your application,Rails LTS is a service of makandra, a team of Ruby developers and Linux system engineers based in Germany. We have more than 10 years of experience developing and operating web applications, and have always taken security very seriously.
This is a brief overview of how we handle Rails security issues for LTS, and how we operate the service:
Rails LTS primarily fixes security vulnerabilities after they have been publicly disclosed for the official release of Ru...
Rails 2.3 LTS works with Ruby 1.8.7, Ruby 2.5, and Ruby 2.7. Typical web apps see a 2x to 4x performance boost by switching from Ruby 1.8.7 to Ruby 2.5+. "Support" means that upgrading a Rails 2.3 application to Ruby 2.5 will not require Rails related monkey patches.
However, upgrading will still require some effort for the majority of Rails 2.3 applications, since your own code as well as some third-party gems will most likely have compatibility issues. You should only attempt this as a somewhat experienced Rub...
Rails 3.2 LTS works with Ruby 1.8.7, 1.9.3, 2.3, 2.5, and 2.7. "Support" means that upgrading a Rails 3.2 application to Ruby 2.5 will not require Rails related monkey patches.
However, upgrading will still require some effort for the majority of Rails 3.2 applications, since your own code as well as some third-party gems might have compatibility issues. This is especially
true if you upgrade from Ruby 1.x. You should only attempt this as a somewhat experienced Ruby developer, and only if you have a good automat...
The Rails LTS service only covers security updates for the Rails framework, not for Ruby.
As a courtesy to our customers, we sometimes backport security patches to legacy Ruby versions, which you can find below. However, we cannot guarantee future patches for legacy Ruby versions.
Download ruby_1_8_7-p374-fixes-2015-04-14.patch and rename it to download.patch
.
This patch applies to Ruby version **...