Rails 3.2 LTS Changelog
- Fixed an information disclosure / unexpected method invocation vulnerability in Action Pack (CVE-2021-22885), see details.
This contains a breaking change.
- Fixed a "cannot modify frozen string" error in params parsing under Ruby 2.7 (it does not seem to occur with the usual configuration).
- Reduced the occurrence of some deprecation warnings. We still recommend using Ruby 2.7.2, which has these warnings disabled by default.
- Fixed regression in #translate helper, see details.
- Added Ruby 2.7 compatibility.
- Backported fix for potential XSS vulnerability in Action View (CVE-2020-15169), see details.
- No Rails 3.2 LTS release was necessary.
- We backported the patch to our forked version of rack 1.4.
- Addressed "Potentially unintended unmarshalling of user-provided objects in MemCacheStore" (CVE-2020-8165).
Note that code changes may be needed; see here for details.
- Backported fix for potential remote code execution of user-provided local names (CVE-2020-8163), see details.
- No Rails 3.2 LTS release was necessary.
- We forked rack to backport CVE-2020-8161.
- For more information read our advisory.
- Backported fix for arbitrary file write / potential remote code execution attack in Action Pack (CVE-2020-8159), see details.
- Backported fix for information disclosure vulnerability in Active Resource (CVE-2020-8151), see details.
- Fixed an XSS vulnerability in
- Fixed additional XSS vulnerabilities in #escape_json, see details.
- Fixed ActiveRecord::SessionStore to not be vulnerable to timing attacks that can lead to session hijacking (CVE-2019-16782), see details.
- The previously reported CVE-2019-5418 has been upgraded to possible remote code execution. Rails LTS 18.104.22.168 protects your application against this exploit.
- Backport fixes for ActionView format / MIME type parsing (CVE-2019-5418 and CVE-2019-5419) (see details)
- Confirmed that 3.2 LTS is not affected by CVE-2019-5420.
- Fix a crash in rake db:structure:dump (and sometimes rake db:migrate) when using a modern PostgreSQL installation.
- Add compatibility for Ruby 2.5.
- Require sprockets version 2.2.3, since 2.2.1 and 2.2.2 are vulnerable to an information leak attack. More details:
In our own investigations we found that Sprockets 2.2.3 is not vulnerable to CVE-2018-3760, despite the original advisory claiming so. Since no fixed sprockets versions were compatible with Rails 3.2, we've decided to freeze the dependency to 2.2.3, which has no vulnerability known to us.
A vulnerability was disclosed for some Ruby sanitization gems like loofah (CVE-2018-8048) and sanitize (CVE-2018-3740). This also affects recent Rails versions, whose sanitize() helper depends on loofah.
We have confirmed that the sanitize() helper in Rails 3.2 is not affected by this issue.
Note that if your application uses one of the affected gems directly, you may still be affected and should update to the latest version of these gems.
Merged Ruby 2.3 compatibility fixes from the rails/3-2-stable branch.
Ruby 2.3 is now officially supported.
Merged a fix from the rails/3-2-stable branch:
- Change to the rails gemspec, to prevent Bundler from installing outdated rails versions under rare circumstances
- Functionally identical to 22.214.171.124.
- Fixes CVE-2016-2097: Possible Information Leak Vulnerability in Action View
- Fixes CVE-2016-2098: Possible remote code execution vulnerability in Action Pack
Merged several security fixes from the rails/3-2-stable branch, which include:
- a fix for CVE-2015-7576: Timing attack vulnerability in basic authentication in Action Controller
- a fix for CVE-2016-0751: Possible Object Leak and Denial of Service attack in Action Pack
- a fix for CVE-2015-7577: Nested attributes rejection proc bypass in Active Record
- a fix for CVE-2015-7581: Object leak vulnerability for wildcard controller routes in Action Pack
Additionally backported the following:
- a fix for CVE-2016-0752: Possible Information Leak Vulnerability in Action View
- a fix for CVE-2016-0753: Possible Input Validation Circumvention in Active Model
- Add support for private gem servers.
- Add additional security features, such as the hardened default configuration.
- Ruby 2.2 compatibility
- Fix test suite
- Initial release.