204 Rails 3.2 LTS Changelog

Updated . Posted . Visible to the public.

May 14th 2024, Rails version

May 14th 2024, Rack version

Feb 23rd 2024, Rack version

Feb 23rd 2024, Rails version

  • Fixed a regression for CVE-2013-0269, CVE-2020-10663 introducing a vulnerability for JSON.parse on Ruby version 2.7+, see here Show archive.org snapshot for more details. Thanks to Severin Schoepke for bringing this to our attention.

Feb 19th 2024, Rails version

  • Relaxed requirement on the mysql2 gem to allow Rails LTS to work with mysql2 version 0.5.6+.

Oct 18th 2023, Rack version

  • Fixed an incompatibility with newer version of the rack-cache gem.

Oct 18th 2023, Rails version

  • Fixed a bug for Ruby 3.1, where it was not possible to use scopes or class methods on scopes with keyword arguments.

July 21st 2023, Rack version

Jun 27th 2023, Rails version

May 22th 2023, Rails versions

  • Fixed a potential (non-security) issue with the / release with certain Ruby versions / version of the uri gem.

Apr 4th 2023, Rails versions

  • Fixed a potential issue with the release for certain webserver configurations

Apr 4th 2023, Rails version

  • Added monkey patches to address ReDoS vulnerabilities in the time and uri stdlibs (CVE-2023-28755, CVE-2023-28756), see here Show archive.org snapshot for more details
  • Relaxed i18n dependency to allow versions 1.x. To avoid getting a newer version, add gem 'i18n', '< 1' to your Gemfile. This has no security implications.

Mar 27th 2023, Rack version

  • The earlier fix for CVE-2022-44571 was incomplete. This release corrects the issue.

Mar 23rd 2023, Rails version

  • Added partial mitigation for CVE-2013-3221, which is relevant when querying MySQL string columns with integers. See here Show archive.org snapshot for more details.

Mar 14th 2023: Rails version

  • Fixed XSS issue with SafeBuffer#bytesplice (CVE-2023-28120, only on Ruby 3.2, which is not currently supported), see here Show archive.org snapshot for more details.

Mar 14th 2023: Rack version

Mar 3rd, 2023: Rails version

  • We've added the Rack::TempfileReaper middleware to the default middleware stack, see below.

Mar 3rd, 2023: Rack version

  • Backported fix for [CVE-2023-27530] to address a potential DOS attack with rack multipart requests.
  • Also backported the Rack::TempfileReaper middleware.
  • See here Show archive.org snapshot for additional details and a potential breaking change.

Feb 27th, 2023: Rails version

  • Relaxed version requirement for rack-ssl. You can upgrade rack-ssl to 1.4.x to fix CVE-2014-2538 (a low severity XSS vulnerability that is unlikely to affect a properly configured production instance).

Jan 24th, 2023: Rails version

Jan 20th, 2023: Rails version

  • Fixed multiple ReDoS vulnerabilities in Rails: [CVE-2023-22792], [CVE-2023-22796]
  • Fixed a DOS vulnerability in the PostgreSQL adapter for ActiveRecord [CVE-2022-44566]
    • ActiveRecord will now throw an exception, if you pass an integer > 64bit. You can opt out using
      config.active_record.raise_int_wider_than_64bit = false
  • See here Show archive.org snapshot for more details

Jan 20th, 2023: Rack version

Dec 21st, 2022: Rack version

  • Fixed an issue that made rails server fail with certain web servers on Ruby 3.1.

Dec 13th, 2022: Rails version

Dec 13th, 2022: Rack version

  • Based on our fork of rack.
  • Added support for ruby 3.1.
  • Includes fixes for CVE-2018-16471, CVE-2020-8161, CVE-2020-8184, CVE-2022-30122, CVE-2022-30123, CWE-444, CWE-290.
  • More info

Aug 19th, 2022: Version

  • Removed "rdoc" dependency, since some rdoc versions depend on a vulnerable version of the "json" gem

Jul 21st, 2022: Version

Jul 14th, 2022: Version

  • Merged upstream bug fix for [CVE-2022-32224] Possible RCE escalation bug with Serialized Columns in Active Record. We tried to make it less of a breaking change than the official patch by adding a default set of permitted serializable classes. Note this patch has no effect for Rubies < 2.1 see details

May 18th, 2022: Version

Apr 27th, 2022: Version

Mar 11th, 2022: Version

  • Relaxed version requirement for bycrypt. Old bcrypt versions have issues on some newer Linux distros, but it was not possible to update to a fixed version. With this version of 3.2 LTS, you can now set bcrypt-ruby to ~> 3.0 in your Gemfile and do a bundle upgrade bcrypt-ruby with Rails complaining.

Dec 21st, 2021: Version

  • Improved compatibility with newer Postgresql Versions. 3.2 LTS should now work with Postgresql up to version 14.

Sep 14th, 2021: Version

  • Relaxed requirement for Bundler. It is now possible to use Rails 3.2 LTS with Bundler 2 (given a compatible version of Ruby and Rubygems).

Mar 06th, 2021: Version

Feb 11th, 2021: Version (bugfix release)

  • Fixed a "cannot modify frozen string" with params parsing in Ruby 2.7 (does not seem to occur with usual configuration).
  • Reduce occurance of some deprecation warnings. We still recommend to use Ruby 2.7.2 which has these warning disabled by default.

Jan 27th, 2021: Version

Jan 25th, 2021: Version

  • Added Ruby 2.7 compatibility.

Sep 10th, 2020: Version

Jun 17th, 2020: Announcement regarding CVE-2020-8184

May 19th, 2020: Version

May 16th, 2020: Version

May 15th, 2020: Announcement regarding CVE-2020-8161 and CVE-2018-16471

May 07th, 2020: Version

May 06th, 2020: Version

Mar 20th, 2020: Version

Dec 22nd, 2019: Version

Mar 22nd, 2019: Amendment to CVE-2019-5418

  • The previously reported CVE 2019-5418 has been upgraded to possible remote code execution. Rails LTS protects your application against this exploit.

Mar 14th, 2019: Version

  • Backport fixes for ActionView format / MIME type parsing (CVE-2019-5418 and CVE-2019-5419) ( see details Show archive.org snapshot )
  • Confirmed that 3.2 LTS is not affected by CVE-2019-5420.

Jan 30th, 2019: Version

  • Fix a crash in rake db:structure:dump (and sometimes rake db:migrate) when using a modern postgresql installation.

Jan 23rd, 2019: Version

  • Add compatibility for Ruby 2.5.

Aug 27th, 2018: Version

Jun 21st, 2018: Version

Require sprockets version 2.2.3, since 2.2.1 and 2.2.2 are vulnerable to an information leak attack. More Details Show archive.org snapshot

In our own investigations we found that Sprockets 2.2.3 is not vulnerable to CVE-2018-3760, despite the original advisory claiming so. Since no fixed sprockets versions were compatible with Rails 3.2, we've decided to freeze the dependency to 2.2.3, which has no vulnerability known to us.

Mar 20th, 2018: Not affected by sanitization CVEs

A vulnerability was disclosed for some Ruby sanitization gems like loofah ( CVE-2018-8048 Show archive.org snapshot ) and sanitize ( CVE-2018-3740 Show archive.org snapshot ). This also affects recent Rails versions, whose sanitize() helper depends on loofah.

We have confirmed that the sanitize() helper in Rails 3.2 is not affected by this issue.

Note that if your application uses one of the affected gems directly, you may still be affected and should update to the latest version of these gems.

Jan 16th, 2017: Version

Merged Ruby 2.3 compatibility fixes from the rails/3-2-stable branch.

Ruby 2.3 is now officially supported.

Aug 12th, 2016: Version

Merged a fix from the rails/3-2-stable branch:

Mar 1st, 2016: Version

  • Change to the rails gemspec, to prevent Bundler from installing outdated rails versions under rare circumstances
  • Functionally identical to

Mar 1st, 2016: Version

More Details Show archive.org snapshot

Jan 26th, 2016: Version

Merged several security fixes from the rails/3-2-stable branch, that include

Additionally backported the following:

More Details Show archive.org snapshot

November 2nd, 2015: Version

  • Add support for private gem servers.

June 17th, 2015: Version

June 17th, 2015: Version

  • Ruby 2.2 compatibility
  • Fix test suite

December 10th, 2014: Version

  • Initial release.
Henning Koch
Last edit
Source code in this card is licensed under the MIT License.
Posted by Henning Koch to Rails LTS documentation (2015-10-08 14:22)