Rails 3.2 LTS Changelog
Jun 17th, 2020: Announcement regarding CVE-2020-8184
- No Rails 3.2 LTS release was necessary.
- We backported the patch to our forked version of rack 1.4.
May 19th, 2020: Version 188.8.131.52
- Addressed "Potentially unintended unmarshalling of user-provided objects in MemCacheStore" [CVE-2020-8165].
Note that potential code changes are needed, see here for details
May 16th, 2020: Version 184.108.40.206
- Backported fix for potential remote code execution of user-provided local names CVE-2020-8163, see details.
May 15th, 2020: Announcement regarding CVE-2020-8161 and CVE-2018-16471
- No Rails 3.2 LTS release was necessary.
- We forked rack to backport CVE-2020-8161.
- For more information read our advisory.
May 07th, 2020: Version 220.127.116.11
- Backported fix for arbitrary file write/potential remote code execution attack in actionpack (CVE-2020-8159), see details
May 06th, 2020: Version 18.104.22.168
- Backported fix for information disclosure vulnerability in Active Resource (CVE-2020-8151), see details
Mar 20th, 2020: Version 22.214.171.124
- Fixed an XSS vulnerability in
- Fixed additional XSS vulnerabilities in
#escape_json, see details
Dec 22nd, 2019: Version 126.96.36.199
ActiveRecord::SessionStoreto not be vulnerable to timing attacks that can lead to session hijacking (CVE-2019-16782). see details
Mar 22nd, 2019: Amendment to CVE-2019-5418
- The previously reported CVE 2019-5418 has been upgraded to possible remote code execution. Rails LTS 188.8.131.52 protects your application against this exploit.
Mar 14th, 2019: Version 184.108.40.206
- Backport fixes for ActionView format / MIME type parsing (CVE-2019-5418 and CVE-2019-5419) (see details)
- Confirmed that 3.2 LTS is not affected by CVE-2019-5420.
Jan 30th, 2019: Version 220.127.116.11
- Fix a crash in
rake db:structure:dump(and sometimes
rake db:migrate) when using a modern postgresql installation.
Jan 23rd, 2019: Version 18.104.22.168
- Add compatibility for Ruby 2.5.
Aug 27th, 2018: Version 22.214.171.124
Jun 21st, 2018: Version 126.96.36.199
Require sprockets version 2.2.3, since 2.2.1 and 2.2.2 are vulnerable to an information leak attack. More Details
In our own investigations we found that Sprockets 2.2.3 is not vulnerable to CVE-2018-3760, despite the original advisory claiming so. Since no fixed sprockets versions were compatible with Rails 3.2, we've decided to freeze the dependency to 2.2.3, which has no vulnerability known to us.
Mar 20th, 2018: Not affected by sanitization CVEs
A vulnerability was disclosed for some Ruby sanitization gems like loofah (CVE-2018-8048) and sanitize (CVE-2018-3740). This also affects recent Rails versions, whose
sanitize() helper depends on loofah.
We have confirmed that the
sanitize() helper in Rails 3.2 is not affected by this issue.
Note that if your application uses one of the affected gems directly, you may still be affected and should update to the latest version of these gems.
Jan 16th, 2017: Version 188.8.131.52
Merged Ruby 2.3 compatibility fixes from the rails/3-2-stable branch.
Ruby 2.3 is now officially supported.
Aug 12th, 2016: Version 184.108.40.206
Merged a fix from the rails/3-2-stable branch:
Mar 1st, 2016: Version 220.127.116.11
- Change to the rails gemspec, to prevent Bundler from installing outdated rails versions under rare circumstances
- Functionally identical to 18.104.22.168.
Mar 1st, 2016: Version 22.214.171.124
- Fixes CVE-2016-2097: Possible Information Leak Vulnerability in Action View
- Fixes CVE-2016-2098: Possible remote code execution vulnerability in Action Pack
Jan 26th, 2016: Version 126.96.36.199
Merged several security fixes from the rails/3-2-stable branch, that include
- a fix for CVE-2015-7576: Timing attack vulnerability in basic authentication in Action Controller
- a fix for CVE-2016-0751: Possible Object Leak and Denial of Service attack in Action Pack
- a fix for CVE-2015-7577: Nested attributes rejection proc bypass in Active Record
- a fix for CVE-2015-7581: Object leak vulnerability for wildcard controller routes in Action Pack
Additionally backported the following:
- a fix for CVE-2016-0752: Possible Information Leak Vulnerability in Action View
- a fix for CVE-2016-0753: Possible Input Validation Circumvention in Active Model
November 2nd, 2015: Version 188.8.131.52
- Add support for private gem servers.
June 17th, 2015: Version 184.108.40.206
- Add additional security features, such as the hardened default configuration.
June 17th, 2015: Version 220.127.116.11
- Ruby 2.2 compatibility
- Fix test suite
December 10th, 2014: Version 18.104.22.168
- Initial release.