Posted almost 3 years ago.

Rails LTS 2.3 Changelog

Aug 12th, 2016: Version 2.3.18.18

Apr 1st, 2016: Version 2.3.18.17

This is a bugfix release only, no security issues have been fixed.

  • Fixes issues when using the rake rails:freeze:gems command
  • Depend on rake < 11.0, since rake 11 is no longer 1.8.7 compatible.

Mar 1st, 2016: Version 2.3.18.16

Jan 26th, 2016: Version 2.3.18.15

Backported a fix for CVE-2016-0751: Possible Object Leak and Denial of Service attack in Action Pack

Backported a fix for CVE-2016-0753: Possible Input Validation Circumvention in Active Model

Nov 10th, 2015: Version 2.3.18.14

Added support for installing LTS via our own gem server to reduce download times.

June 17th, 2015: Version 2.3.18.13

Backported a fix for Possible Denial of Service attack in Active Support (CVE-2015-3227)

You can now upgrade Rails LTS 2.3 to use rack 1.4. You should upgrade rack to at least 1.4.6 to address Potential Denial of Service Vulnerability in Rack (CVE-2015-3225).

This release also contains two backward-compatible fixes that make it easier to upgrade to Ruby 2.2, courtesy of Peter Lind. Note that using Rails 2.3 with Ruby 2+ involves considerable work and is not supported by us.

April 14th, 2015: Ruby patches

A vulnerability was disclosed in all versions of Ruby.

Since Ruby 1.8.7 and Ruby 1.9.3 are no longer maintained at this time, we have provided backported fixes for CVE-2015-1855: Ruby OpenSSL Hostname Verification.

Please note that the Rails LTS service only covers security patches for the Rails framework. We are unable to guarantee backported security patches for Ruby 1.8.7 or 1.9.3 in the future.

October 31st, 2014: Version 2.3.18.12

Backported a fix for Arbitrary file existence disclosure in Action Pack (CVE-2014-7818) (2.3 was affected)

Note that there was also a vulnerability affecting Sprockets. Rails 2.3 does not use Sprockets by default, but you might have integrated it manually.

June 3rd, 2014: Version 2.3.18.11

Backported a fix for SQL Injection Vulnerability in 'bitstring' quoting (CVE-2014-3482) affecting PostgreSQL users.

Note that there was also "SQL Injection Vulnerability in 'range' quoting" (CVE-2014-3483) which did not affect Rails 2.3.

May 20th, 2014: Version 2.3.18.10

Added a switch to fail on ambiguous table / column names to mitigate the Unsafe Query Risk in Active Record.

May 7th, 2014: Version 2.3.18.9

Backported a fix for Directory Traversal Vulnerability With Certain Route Configurations (CVE-2014-0130).

February 19th, 2014: Version 2.3.18.8

February 14th, 2014: Version 2.3.18.7

Backported an old security advisory with CVE-2012-1099 to Rails LTS.

January 31st, 2014: Version 2.3.18.6

Rails LTS now offers a version number.

Starting with today's release, you can query RailsLts::VERSION to check which version you are using.

Applications such as Brakeman or Code Climate can make use of that information now, too.

December 4th, 2013: Version 2.3.18.5

Five security advisories were published on the official Rails security list:

  • CVE-2013-6414
  • CVE-2013-4491
  • CVE-2013-6415
  • CVE-2013-6417
  • CVE-2013-6416

We provided a patched version of Rails LTS for commercial plans as of today.

November 22nd, 2013

A vulnerability was disclosed in all versions of Ruby.

Since Ruby 1.8.7 is no longer maintained at this time, we have provided a backported fix for "Heap Overflow in Floating Point Parsing (CVE-2013-4164)".

Please note that the Rails LTS service only covers security patches for the Rails framework. We are unable to guarantee backported security patches for Ruby 1.8.7 in the future.

October 16th, 2013

150 days without accident! After a storm of severe security vulnerabilities earlier this year, the Ruby on Rails framework seems to be enjoying a short respite.
We continue to monitor the official Rails security list for new advisories.

June 20th, 2013

We are now officially supporting installation without Bundler or Git.

June 18th, 2013

Added missing tests that ensure fixes for CVE-2012-2660, CVE-2012-2694 and CVE-2013-0155.

June 3rd, 2013: Version 2.3.18.4

Fixed an XSS vulnerability in the translate helper method in Ruby on Rails.

This vulnerability was disclosed a long time ago (in November 2011) and affects Rails 2.3 applications with the rails_xss plugin. However, a fix for Rails 2.3 was never released, so we have fixed this in Rails LTS.

May 29th, 2013: Version 2.3.18.3

Backported a fix for a bug in the built-in HTML tokenizer, which would crash for certain types of malformed HTML.

May 27th, 2013

Fixed many broken tests.

May 21st, 2013: Version 2.3.18.2

Added optional switches to disable the parsing of XML params and JSON params. The switches are off by default, so XML and JSON params are still parsed, in order to preserve compatibility with Rails 2.3.18.

The switches are enabled in hardened configuration mode.

May 15th, 2013: Version 2.3.18.1

Rails LTS is compatible with the official Rails 2.3.18 release.
Rails LTS now contains fixes for CVE-2012-3464, CVE-2012-3465 and CVE-2012-2695.

Author of this card: Tobias Kraze
Last edit: 6 months ago by Tobias Kraze