Sep 14th, 2021: Version 3.2.22.25

• Relaxed requirement for Bundler. It is now possible to use Rails 3.2 LTS with Bundler 2 (given a compatible version of Ruby and Rubygems).

Mar 06th, 2021: Version 3.2.22.24

• Fixed an information disclosure / unexpected method invocation vulnerability in Action Pack (CVE-2021-22885), see details Archive
  This contains a breaking change.

Feb 11th, 2021: Version 3.2.22.23 (bugfix release)

• Fixed a "cannot modify frozen string" with params parsing in Ruby 2.7 (does not seem to occur with usual configuration).
• Reduce occurance of some deprecation warnings. We still recommend to use Ruby 2.7.2 which has these warning disabled by default.

Jan 27th, 2021: Version 3.2.22.22

• Fixed regression in #translate helper, see details Archive .

Jan 25th, 2021: Version 3.2.22.21

• Added Ruby 2.7 compatibility.

Sep 10th, 2020: Version 3.2.22.20

• Backported fix for potential XSS vulnerability in Action View (CVE-2020-15169), see details Archive .

Jun 17th, 2020: Announcement regarding CVE-2020-8184

• No Rails 3.2 LTS release was necessary.
• We backported the patch to our forked Archive version of rack 1.4.

May 19th, 2020: Version 3.2.22.19

• Addressed "Potentially unintended unmarshalling of user-provided objects in MemCacheStore" [CVE-2020-8165] Archive .
  Note that potential code changes are needed, see here for details Archive

May 16th, 2020: Version 3.2.22.18

• Backported fix for potential remote code execution of user-provided local names CVE-2020-8163 Archive , see details Archive .

May 15th, 2020: Announcement regarding CVE-2020-8161 and CVE-2018-16471

• No Rails 3.2 LTS release was necessary.
• We forked rack Archive to backport CVE-2020-8161 Archive .
• For more information read our advisory Archive .

May 07th, 2020: Version 3.2.22.17

• Backported fix for arbitrary file write/potential remote code execution attack in actionpack (CVE-2020-8159), see details Archive

May 06th, 2020: Version 3.2.22.16

• Backported fix for information disclosure vulnerability in Active Resource (CVE-2020-8151), see details Archive

Mar 20th, 2020: Version 3.2.22.15

• Fixed an XSS vulnerability in #escape_javascript (CVE-2020-5267), see details Archive .
• Fixed additional XSS vulnerabilities in #escape_javascript and #escape_json, see details Archive

Dec 22nd, 2019: Version 3.2.22.14

• Fixed ActiveRecord::SessionStore to not be vulnerable to timing attacks that can lead to session hijacking (CVE-2019-16782). see details Archive

Mar 22nd, 2019: Amendment to CVE-2019-5418

• The previously reported CVE 2019-5418 has been upgraded to possible remote code execution. Rails LTS 3.2.22.13 protects your application against this exploit.

Mar 14th, 2019: Version 3.2.22.13

• Backport fixes for ActionView format / MIME type parsing (CVE-2019-5418 and CVE-2019-5419) ( see details Archive )
• Confirmed that 3.2 LTS is not affected by CVE-2019-5420.

Jan 30th, 2019: Version 3.2.22.12

• Fix a crash in rake db:structure:dump (and sometimes rake db:migrate) when using a modern postgresql installation.

Jan 23rd, 2019: Version 3.2.22.11

• Add compatibility for Ruby 2.5.

Aug 27th, 2018: Version 3.2.22.10

• Fixes a DOS vulnerability in activerecord (CVE-2018-15578).

Jun 21st, 2018: Version 3.2.22.9

Require sprockets version 2.2.3, since 2.2.1 and 2.2.2 are vulnerable to an information leak attack. More Details Archive

In our own investigations we found that Sprockets 2.2.3 is not vulnerable to CVE-2018-3760, despite the original advisory claiming so. Since no fixed sprockets versions were compatible with Rails 3.2, we've decided to freeze the dependency to 2.2.3, which has no vulnerability known to us.

Mar 20th, 2018: Not affected by sanitization CVEs

A vulnerability was disclosed for some Ruby sanitization gems like loofah ( CVE-2018-8048 Archive ) and sanitize ( CVE-2018-3740 Archive ). This also affects recent Rails versions, whose sanitize() helper depends on loofah.

We have confirmed that the sanitize() helper in Rails 3.2 is not affected by this issue.

Note that if your application uses one of the affected gems directly, you may still be affected and should update to the latest version of these gems.

Jan 16th, 2017: Version 3.2.22.8

Merged Ruby 2.3 compatibility fixes from the rails/3-2-stable branch.

Ruby 2.3 is now officially supported.

Aug 12th, 2016: Version 3.2.22.7

Merged a fix from the rails/3-2-stable branch:

• a fix for CVE-2016-6316: Possible XSS Vulnerability in Action View Archive

Mar 1st, 2016: Version 3.2.22.6

• Change to the rails gemspec, to prevent Bundler from installing outdated rails versions under rare circumstances
• Functionally identical to 3.2.22.5.

Mar 1st, 2016: Version 3.2.22.5

• Fixes CVE-2016-2097: Possible Information Leak Vulnerability in Action View Archive
• Fixes CVE-2016-2098: Possible remote code execution vulnerability in Action Pack Archive

More Details Archive

Jan 26th, 2016: Version 3.2.22.4

Merged several security fixes from the rails/3-2-stable branch, that include

• a fix for CVE-2015-7576: Timing attack vulnerability in basic authentication in Action Controller Archive
• a fix for CVE-2016-0751: Possible Object Leak and Denial of Service attack in Action Pack Archive
• a fix for CVE-2015-7577: Nested attributes rejection proc bypass in Active Record Archive
• a fix for CVE-2015-7581: Object leak vulnerability for wildcard controller routes in Action Pack Archive

Additionally backported the following:

• a fix for CVE-2016-0752: Possible Information Leak Vulnerability in Action View Archive
• a fix for CVE-2016-0753: Possible Input Validation Circumvention in Active Model Archive

More Details Archive

November 2nd, 2015: Version 3.2.22.3

• Add support for private gem servers.

June 17th, 2015: Version 3.2.22.2

• Add additional security features, such as the hardened default configuration.

June 17th, 2015: Version 3.2.22.1

• Ruby 2.2 compatibility
• Fix test suite

December 10th, 2014: Version 3.2.21.1

• Initial release.