Rails 2.3 LTS Changelog
Mar 20th, 2020: Version 18.104.22.168
- Fixed an XSS vulnerability in
- Fixed additional XSS vulnerabilities in
#escape_json, see details
Dec 22nd, 2019: Version 22.214.171.124
ActiveRecord::SessionStoreto not be vulnerable to timing attacks that can lead to session hijacking (CVE-2019-16782). see details
Mar 22nd, 2019: Amendment to CVE-2019-5418
- The previously reported CVE 2019-5418 has been upgraded to possible remote code execution. Rails LTS 126.96.36.199 protects your application against this exploit.
Mar 14th, 2019: Version 188.8.131.52
- Backport fixes for ActionView format / MIME type parsing (CVE-2019-5418 and CVE-2019-5419) (see details)
- Confirmed that 2.3 LTS is not affected by CVE-2019-5420.
Jan 23rd, 2019: Version 184.108.40.206
- Add compatibility with Ruby 2.5.
Nov 20th, 2018: Version 220.127.116.11
- Fix a regression introduced in 18.104.22.168 where calling
#respond_to?on a named scope would sometimes cause the scope to be loaded.
Oct 10th, 2018: Version 22.214.171.124
- Fix parameter filtering (password etc) in log files for Ruby 2.3.
Aug 2nd, 2018: Version 126.96.36.199
- Fixed a crash when using
rails new-app. This is not a security issue.
Mar 21st, 2018: Version 188.8.131.52
- Rails LTS 2.3 receives support for Ruby 2.3. For details see Ruby 2.3 support.
- Rails LTS 2.3 receives support for RubyGems 2.x. For details see RubyGems 2.x support for Rails 2.3 LTS
- No changes when running on Ruby 1.8.7 and RubyGems 1.x.
Mar 20th, 2018: Not affected by sanitization CVEs
A vulnerability was disclosed for some Ruby sanitization gems like loofah (CVE-2018-8048) and sanitize (CVE-2018-3740). This also affects recent Rails versions, whose
sanitize() helper depends on loofah.
We have confirmed that the
sanitize() helper in Rails 2.3 is not affected by this issue.
Note that if your application uses one of the affected gems directly, you may still be affected and should update to the latest version of these gems.
Aug 12th, 2016: Version 184.108.40.206
- Fixes an issue similar to CVE-2016-6316: Possible XSS Vulnerability in Action View that occured when
#content_tagwas called with
(escape = false). More Details
Apr 1st, 2016: Version 220.127.116.11
This is a bugfix release only, no security issues have been fixed.
- Fixes issues when using the
- Depend on rake < 11.0, since rake 11 is no longer 1.8.7 compatible.
Mar 1st, 2016: Version 18.104.22.168
- Fixes CVE-2016-2097: Possible Information Leak Vulnerability in Action View
- Fixes CVE-2016-2098: Possible remote code execution vulnerability in Action Pack
Jan 26th, 2016: Version 22.214.171.124
Backported a fix for CVE-2016-0751: Possible Object Leak and Denial of Service attack in Action Pack
Backported a fix for CVE-2016-0753: Possible Input Validation Circumvention in Active Model
Nov 10th, 2015: Version 126.96.36.199
Added support for installing LTS via our own gem server to reduce download times.
June 17th, 2015: Version 188.8.131.52
Backported a fix for Possible Denial of Service attack in Active Support (CVE-2015-3227)
You can now upgrade Rails LTS 2.3 to use
rack 1.4. You should upgrade
rack to at least
1.4.6 to address Potential Denial of Service Vulnerability in Rack (CVE-2015-3225).
This release also contains two backward-compatible fixes that makes it easier to upgrade to Ruby 2.2, courtesy of Peter Lind. Note that using Rails 2.3 with Ruby 2+ involves considerable work and is not supported by us.
April 14th, 2015: Ruby patches
A vulnerability was discosed in all versions of Ruby.
Please note that the Rails LTS service only covers security patches for the Rails framework. We are unable to guarantee backported security patches for Ruby 1.8.7 or 1.9.3 in the future.
October 31st, 2014: Version 184.108.40.206
Backported a fix for Arbitrary file existence disclosure in Action Pack (CVE-2014-7818) (2.3 was affected)
Note that was also a vulnerability affecting Sprockets. 2.3 does not use Sprockets by default, but you might have integrated it manually.
June 3rd, 2014: Version 220.127.116.11
Backported a fix for SQL Injection Vulnerability in 'bitstring' quoting (CVE-2014-3482) affecting PostgreSQL users.
Note that there was also "SQL Injection Vulnerability in 'range' quoting" (CVE-2014-3483) which did not affect Rails 2.3.
May 20th, 2014: Version 18.104.22.168
Add a switch to fail on ambiguous table / column names to mitigate Unsafe Query Risk in Active Record.
May 7th, 2014: Version 22.214.171.124
Backported a fix for Directory Traversal Vulnerability With Certain Route Configurations (CVE-2014-0130).
February 19th, 2014: Version 126.96.36.199
- Backported patch for XSS Vulnerability in number_to_currency, number_to_percentage and number_to_human (CVE-2014-0081).
- CVE-2014-0080 and CVE-2014-0082 do not apply to Rails 2.3.
February 14th, 2014: Version 188.8.131.52
Backported an old security advisory with CVE-2012-1099 to Rails LTS.
January 31st, 2014: Version 184.108.40.206
Rails LTS now offers a version number.
Starting with today's release, you can query
RailsLts::VERSION to check which version you are using.
December 4th, 2103: Version 220.127.116.11
Five security advisories were published on the official Rails security list:
We provided a patched version of Rails LTS for commercial plans as of today.
November 22nd, 2013
A vulnerability was discosed in all versions of Ruby.
Since Ruby 1.8.7 is no longer maintained at this time, we have provided a Backported fix for "Heap Overflow in Floating Point Parsing (CVE-2013-4164)".
Please note that the Rails LTS service only covers security patches for the Rails framework. We are unable to guarantee backported security patches for Ruby 1.8.7 in the future.
October 16th, 2103
150 days without accident! After a storm of severe security vulnerabilities earlier this year, the Ruby on Rails framework seems to be enjoying a short respite.
We continue to monitor the official Rails security list for new advisories.
June 20th, 2013
We are now officially supporting installation without Bundler or Git.
June 18th, 2013
June 3rd, 2013: Version 18.104.22.168
This vulnerability was disclosed a long time ago (in November 2011) and affects Rails 2.3 applications with the rails_xss plugin. However, a fix for Rails 2.3 was never released, so we have fixed this in Rails LTS.
May 29th, 2013: Version 22.214.171.124
Backported a fix for a bug in the built-in HTML tokenizer, which would crash for certain types of malformed HTML.
May 27th, 2013
Fixed many broken tests.
May 21st, 2013: Version 126.96.36.199
Added optional switches to disable the parsing of XML params and JSON params. These are disabled by default in order to preserve compatibility with Rails 2.3.18.
The switches are enabled in hardened configuration mode.
May 15th, 2013: Version 188.8.131.52
Rails LTS is compatible with the official Rails 2.3.18 release.
Rails LTS now contains fixes for CVE-2012-3464, CVE-2012-3465, CVE-2012-2695.