202 Rails 2.3 LTS Changelog

June 6th 2025, Rack version 1.4.7.24

• Fixed CVE-2025-49007: ReDoS Vulnerability in Rack Multipart Handling. Read the announcement Show archive.org snapshot .

May 9th 2025, Rack version 1.4.7.23

• Backported fixes for 2 CVEs. Read the announcement Show archive.org snapshot . This includes fixes for
  • Unbounded-Parameter DoS in Rack::QueryParser (CVE-2025-46727)
  • Session Reuse in Rack::Session::Pool (CVE-2025-32441)

March 13th, 2025, Rack version 1.4.7.22

• Fixed CVE-2025-27610: Local File Inclusion in Rack::Static. Read the announcement Show archive.org snapshot

March 11th, Rails version 2.3.18.59

• Removed the railslts-version gem. Read the announcement Show archive.org snapshot
• No security updates.

March 6th 2025, Rack version 1.4.7.21

• Fixed CVE-2025-27111: Possible Log Injection in Rack

February 21th 2025, Rack version 1.4.7.20

• Fixed CVE-2025-25184: Possible Log Injection in Rack::CommonLogger

October 17th 2024, Rails version 2.3.18.58

• Fixed ReDoS vulnerability CVE-2024-47889. Read the announcement Show archive.org snapshot .

June 19th 2024, Rails version 2.3.18.57

• Fixed a bug that under rare circumstances lead to redundant empty "Set-Cookie" headers.

May 21st 2024, Rails version 2.3.18.56

• Added missing adapter for mysql2 version 0.5.x.

May 14th 2024, Rails version 2.3.18.55

• Added support for Ruby 3.3. See our upgrade guide.

May 14th 2024, Rack version 1.4.7.19

• Added support for Ruby 3.3. See our upgrade guide.

Feb 23rd 2024, Rack version 1.4.7.18

• Fixed DoS vulnerabilities CVE-2024-25126 and CVE-2024-26141, see here Show archive.org snapshot for more details.

Oct 18th 2023, Rack version 1.4.7.17

• Fixed an incompatibility with newer version of the rack-cache gem.

Oct 18th 2023, Rails version 2.3.18.54

• Fixed a bug for Ruby 3.1, where it was not possible to use scopes or class methods on scopes with keyword arguments.

Jul 21st 2023, Rack version 1.4.7.16

• The fix for CWE-444 (a potential cache poisoning attack; see https://github.com/rack/rack/issues/1732 Show archive.org snapshot for an explanation) has been lost in an earlier Rack release. It is now reinstated.

Jun 27th 2023, Rails version 2.3.18.53

• Fixed a possible XSS vulnerability via User Supplied Values to redirect_to (CVE-2023-28362), see here Show archive.org snapshot for more details

May 22th 2023, Rails versions 2.3.18.52

• Fixed a potential (non-security) issue with the 2.3.18.50 / 2.3.18.51 release with certain Ruby versions / version of the uri gem.

Apr 4th 2023, Rails versions 2.3.18.51

• Fixed a potential issue with the 2.3.18.50 release for certain webserver configurations

Apr 4th 2023, Rails version 2.3.18.50

• Added monkey patches to address ReDoS vulnerabilities in the time and uri stdlibs (CVE-2023-28755, CVE-2023-28756), see here Show archive.org snapshot for more details

Mar 27th 2023, Rack version 1.4.7.15

• The earlier fix for CVE-2022-44571 was incomplete. This release correct the issue.

Mar 23rd 2023, Rails version 2.3.18.49

• Added partial mitigation for CVE-2013-3221, which is relevant when querying MySQL string columns with integers. See here Show archive.org snapshot for more details.

Mar 14th 2023: Rack version 1.4.7.14

• Backported fix for DOS vulnerability CVE-2023-27539, see here Show archive.org snapshot for more details.

Mar 3rd, 2023: Rails version 2.3.18.48

• We've added the Rack::TempfileReaper middleware to the default middleware stack, see below.

Mar 3rd, 2023: Rack version 1.4.7.13

• Backported fix for [CVE-2023-27530] to address a potential DOS attack with rack multipart requests.
• Also backported the Rack::TempfileReaper middleware.
• See here Show archive.org snapshot for additional details and a potential breaking change.

Jan 20th, 2023: Rails version 2.3.18.47

• Fixed a ReDoS vulnerabilities in Rails: [CVE-2023-22796]
• Fixed a DOS vulnerability in the PostgreSQL adapter for ActiveRecord [CVE-2022-44566]
  • ActiveRecord will now throw an exception, if you pass an integer > 64bit. You can opt out using

    Copyconfig.active_record.raise_int_wider_than_64bit = false
    

• See here Show archive.org snapshot for more details

Jan 20th, 2023: Rack version 1.4.7.12

• Fixed multiple ReDos vulnerabilites in Rack: [CVE-2022-44570], [CVE-2022-44571]
• See here Show archive.org snapshot for more details

Dec 21st, 2022: Rack version 1.4.7.11

• Fixed an issue that made rails server fail with certain web servers on Ruby 3.1.

Dec 13th, 2022: Rails version 2.3.18.46

• Added compatibility for Ruby 3.1.
• Fix a compatbility issue with mysql2 version 0.5 (you probably still want to use our fork of 0.2.x Show archive.org snapshot .

Dec 13th, 2022: Rack version 1.4.7.10

• Based on our fork of rack.
• Added support for ruby 3.1.
• Includes fixes for CVE-2018-16471, CVE-2020-8161, CVE-2020-8184, CVE-2022-30122, CVE-2022-30123, CWE-444, CWE-290.
• More info

Jul 21st, 2022: Version 2.3.18.45

• Updated required tzinfo version to address CVE-2022-31163; see details Show archive.org snapshot

Jul 14th, 2022: Version 2.3.18.44

• Merged upstream bug fix for [CVE-2022-32224] Possible RCE escalation bug with Serialized Columns in Active Record. We tried to make it less of a breaking change than the official patch by adding a default set of permitted serializable classes. Note this patch has no effect for Rubies < 2.1 see details

May 18th, 2022: Version 2.3.18.43

• Bug fix for recent security fix for CVE-2022-27777; see details Show archive.org snapshot .

Apr 27th, 2022: Version 2.3.18.42

• Backported fix for possible XSS vulnerabilities via content_tag or tag helpers (CVE-2022-27777); see details Show archive.org snapshot .

Mar 17th, 2022: Version 2.3.18.41

• Removed restriction to rake version < 11. This means users can update their rake version to >= 12.3.3 to fix CVE-2020-8130. Alternatively, we have made available a fork of rake 10.5 Show archive.org snapshot that also fixes the issue. see details Show archive.org snapshot

Mar 17th, 2022: Version 2.3.18.40

• This version has no changes.

Dec 21st, 2021: Version 2.3.18.39

• Improved compatibility with newer Postgresql Versions. 2.3 LTS should now work with Postgresql up to version 14.

Sep 14th, 2021: Version 2.3.18.38

• Relaxed requirement for Bundler. It is now possible to use Rails 2.3 LTS with Bundler 2 (given a compatible version of Ruby and Rubygems).

Mar 06th, 2021: Version 2.3.18.37

• Fixed an information disclosure / unexpected method invocation vulnerability in Action Pack (CVE-2021-22885), see details Show archive.org snapshot
  This contains a breaking change.

Jan 27th, 2021: Version 2.3.18.36

• Fixed regression in #translate helper, see details Show archive.org snapshot .

Jan 25th, 2021: Version 2.3.18.35

• Added Ruby 2.7 compatibility.

Sep 29th, 2020: Version 2.3.18.34

• Fixed a DOS vulnerability in ActiveSupport, which only occured on Ruby 2+, see details Show archive.org snapshot .

Sep 10th, 2020: Version 2.3.18.33

• Backported fix for potential XSS vulnerability in Action View (CVE-2020-15169), see details Show archive.org snapshot .

Aug 25th, 2020: Version 2.3.18.32

• Fixes an issue with the script/server command not accepting certain parameters when running with rack > 1.1.
• This release fixes no security issues.

Jun 17th, 2020: Announcement regarding CVE-2020-8184

• No Rails 2.3 LTS release was necessary.
• We backported the patch to our forked Show archive.org snapshot version of rack 1.4.

May 19th, 2020: Version 2.3.18.31

• Addressed "Potentially unintended unmarshalling of user-provided objects in MemCacheStore" [CVE-2020-8165] Show archive.org snapshot .
  Note that potential code changes are needed, see here for details Show archive.org snapshot

May 16th, 2020: Version 2.3.18.30

• Backported fix for potential remote code execution of user-provided local names CVE-2020-8163 Show archive.org snapshot , see details Show archive.org snapshot .

May 15th, 2020: Announcement regarding CVE-2020-8161 and CVE-2018-16471

• No Rails 2.3 LTS release was necessary.
• We forked rack Show archive.org snapshot to backport CVE-2020-8161 Show archive.org snapshot .
• We also included the backport of the past vulnerability CVE-2018-16471 Show archive.org snapshot in the fork.
• For more information read our advisory Show archive.org snapshot .

May 07th, 2020: Version 2.3.18.29

• Backported fix for arbitrary file write/potential remote code execution attack in actionpack (CVE-2020-8159), see details Show archive.org snapshot

May 06th, 2020: Version 2.3.18.28

• Backported fix for information disclosure vulnerability in Active Resource (CVE-2020-8151), see details Show archive.org snapshot

Apr 30th, 2020: Version 2.3.18.27

• Fixed a "floating point exception" crash which occasionally happened in tests only, on Ruby 1.8.7, on newer linux kernels. This works around an apparent bug within Ruby 1.8.7 itself.

Mar 20th, 2020: Version 2.3.18.26

• Fixed an XSS vulnerability in #escape_javascript (CVE-2020-5267), see details Show archive.org snapshot
• Fixed additional XSS vulnerabilities in #escape_javascript and #escape_json, see details Show archive.org snapshot

Dec 22nd, 2019: Version 2.3.18.25

• Fixed ActiveRecord::SessionStore to not be vulnerable to timing attacks that can lead to session hijacking (CVE-2019-16782). see details Show archive.org snapshot

Mar 22nd, 2019: Amendment to CVE-2019-5418

• The previously reported CVE 2019-5418 has been upgraded to possible remote code execution. Rails LTS 2.3.18.24 protects your application against this exploit.

Mar 14th, 2019: Version 2.3.18.24

• Backport fixes for ActionView format / MIME type parsing (CVE-2019-5418 and CVE-2019-5419) ( see details Show archive.org snapshot )
• Confirmed that 2.3 LTS is not affected by CVE-2019-5420.

Jan 23rd, 2019: Version 2.3.18.23

• Add compatibility with Ruby 2.5.

Nov 20th, 2018: Version 2.3.18.22

• Fix a regression introduced in 2.3.18.19 where calling #respond_to? on a named scope would sometimes cause the scope to be loaded.

Oct 10th, 2018: Version 2.3.18.21

• Fix parameter filtering (password etc) in log files for Ruby 2.3.

Aug 2nd, 2018: Version 2.3.18.20

• Fixed a crash when using rails new-app. This is not a security issue.

Mar 21st, 2018: Version 2.3.18.19

• Rails LTS 2.3 receives support for Ruby 2.3. For details see Ruby 2.3 support.
• Rails LTS 2.3 receives support for RubyGems 2.x. For details see RubyGems 2.x support for Rails 2.3 LTS
• No changes when running on Ruby 1.8.7 and RubyGems 1.x.

Mar 20th, 2018: Not affected by sanitization CVEs

A vulnerability was disclosed for some Ruby sanitization gems like loofah ( CVE-2018-8048 Show archive.org snapshot ) and sanitize ( CVE-2018-3740 Show archive.org snapshot ). This also affects recent Rails versions, whose sanitize() helper depends on loofah.

We have confirmed that the sanitize() helper in Rails 2.3 is not affected by this issue.

Note that if your application uses one of the affected gems directly, you may still be affected and should update to the latest version of these gems.

Aug 12th, 2016: Version 2.3.18.18

• Fixes an issue similar to CVE-2016-6316: Possible XSS Vulnerability in Action View Show archive.org snapshot that occured when #content_tag was called with (escape = false). More Details Show archive.org snapshot

Apr 1st, 2016: Version 2.3.18.17

This is a bugfix release only, no security issues have been fixed.

• Fixes issues when using the rake rails:freeze:gems command
• Depend on rake < 11.0, since rake 11 is no longer 1.8.7 compatible.

Mar 1st, 2016: Version 2.3.18.16

• Fixes CVE-2016-2097: Possible Information Leak Vulnerability in Action View Show archive.org snapshot
• Fixes CVE-2016-2098: Possible remote code execution vulnerability in Action Pack Show archive.org snapshot

More Details Show archive.org snapshot

Jan 26th, 2016: Version 2.3.18.15

Backported a fix for CVE-2016-0751: Possible Object Leak and Denial of Service attack in Action Pack Show archive.org snapshot

Backported a fix for CVE-2016-0753: Possible Input Validation Circumvention in Active Model Show archive.org snapshot

More Details Show archive.org snapshot

Nov 10th, 2015: Version 2.3.18.14

Added support for installing LTS via our own gem server to reduce download times.

June 17th, 2015: Version 2.3.18.13

Backported a fix for Possible Denial of Service attack in Active Support (CVE-2015-3227) Show archive.org snapshot

You can now upgrade Rails LTS 2.3 to use rack 1.4. You should upgrade rack to at least 1.4.6 to address Potential Denial of Service Vulnerability in Rack (CVE-2015-3225) Show archive.org snapshot .

This release also contains two backward-compatible fixes that makes it easier to upgrade to Ruby 2.2, courtesy of Peter Lind Show archive.org snapshot . Note that using Rails 2.3 with Ruby 2+ involves considerable work and is not supported by us.

April 14th, 2015: Ruby patches

A vulnerability was discosed in all versions of Ruby.

Since Ruby 1.8.7 und Ruby 1.9.3 are no longer maintained at this time, we have provided backported fixes for CVE-2015-1855: Ruby OpenSSL Hostname Verification Show archive.org snapshot .

Please note that the Rails LTS service only covers security patches for the Rails framework. We are unable to guarantee backported security patches for Ruby 1.8.7 or 1.9.3 in the future.

October 31st, 2014: Version 2.3.18.12

Backported a fix for Arbitrary file existence disclosure in Action Pack (CVE-2014-7818) Show archive.org snapshot (2.3 was affected)

Note that was also a vulnerability affecting Sprockets Show archive.org snapshot . 2.3 does not use Sprockets by default, but you might have integrated it manually.

June 3rd, 2014: Version 2.3.18.11

Backported a fix for SQL Injection Vulnerability in 'bitstring' quoting (CVE-2014-3482) Show archive.org snapshot affecting PostgreSQL users.

Note that there was also "SQL Injection Vulnerability in 'range' quoting" (CVE-2014-3483) which did not affect Rails 2.3.

May 20th, 2014: Version 2.3.18.10

Add a switch to fail on ambiguous table / column names to mitigate Unsafe Query Risk in Active Record Show archive.org snapshot .

May 7th, 2014: Version 2.3.18.9

Backported a fix for Directory Traversal Vulnerability With Certain Route Configurations (CVE-2014-0130) Show archive.org snapshot .

February 19th, 2014: Version 2.3.18.8

• Backported patch for XSS Vulnerability in number_to_currency, number_to_percentage and number_to_human (CVE-2014-0081) Show archive.org snapshot .
• CVE-2014-0080 and CVE-2014-0082 do not apply to Rails 2.3.

February 14th, 2014: Version 2.3.18.7

Backported an old security advisory Show archive.org snapshot with CVE-2012-1099 to Rails LTS.

January 31st, 2014: Version 2.3.18.6

Rails LTS now offers a version number.

Starting with today's release, you can query RailsLts::VERSION to check which version you are using.

Applications such as Brakeman Show archive.org snapshot or Code Climate Show archive.org snapshot can make use of that information now, too.

December 4th, 2103: Version 2.3.18.5

Five security advisories were published on the official Rails security list Show archive.org snapshot :

• CVE-2013-6414
• CVE-2013-4491
• CVE-2013-6415
• CVE-2013-6417
• CVE-2013-6416

We provided a patched version of Rails LTS for commercial plans as of today.

November 22nd, 2013

A vulnerability was discosed in all versions of Ruby.

Since Ruby 1.8.7 is no longer maintained at this time, we have provided a Backported fix for "Heap Overflow in Floating Point Parsing (CVE-2013-4164)".

Please note that the Rails LTS service only covers security patches for the Rails framework. We are unable to guarantee backported security patches for Ruby 1.8.7 in the future.

October 16th, 2103

150 days without accident! After a storm of severe security vulnerabilities earlier this year, the Ruby on Rails framework seems to be enjoying a short respite.
We continue to monitor the official Rails security list Show archive.org snapshot for new advisories.

June 20th, 2013

We are now officially supporting installation without Bundler or Git.

June 18th, 2013

Added missing tests that ensure fixes for CVE-2012-2660 Show archive.org snapshot , CVE-2012-2694 Show archive.org snapshot and CVE-2013-0155 Show archive.org snapshot .

June 3rd, 2013: Version 2.3.18.4

Fix XSS vulnerability in the translate helper method in Ruby on Rails Show archive.org snapshot .

This vulnerability was disclosed a long time ago (in November 2011) and affects Rails 2.3 applications with the rails_xss Show archive.org snapshot plugin. However, a fix for Rails 2.3 was never released, so we have fixed this in Rails LTS.

May 29th, 2013: Version 2.3.18.3

Backported a fix for a bug Show archive.org snapshot in the built-in HTML tokenizer, which would crash for certain types of malformed HTML.

May 27th, 2013

Fixed many broken tests.

May 21st, 2013: Version 2.3.18.2

Added optional switches to disable the parsing of XML params and JSON params. These are disabled by default in order to preserve compatibility with Rails 2.3.18.

The switches are enabled in hardened configuration mode.

May 15th, 2013: Version 2.3.18.1

Rails LTS is compatible with the official Rails 2.3.18 release Show archive.org snapshot .
Rails LTS now contains fixes for CVE-2012-3464, CVE-2012-3465, CVE-2012-2695.