Rails 3.2 LTS Changelog

Sep 10th, 2020: Version

  • Backported fix for potential XSS vulnerability in Action View (CVE-2020-15169), see details.

Jun 17th, 2020: Announcement regarding CVE-2020-8184

  • No Rails 3.2 LTS release was necessary.
  • We backported the patch to our forked version of rack 1.4.

May 19th, 2020: Version

May 16th, 2020: Version

May 15th, 2020: Announcement regarding CVE-2020-8161 and CVE-2018-16471

May 07th, 2020: Version

  • Backported fix for arbitrary file write/potential remote code execution attack in actionpack (CVE-2020-8159), see details

May 06th, 2020: Version

  • Backported fix for information disclosure vulnerability in Active Resource (CVE-2020-8151), see details

Mar 20th, 2020: Version

  • Fixed an XSS vulnerability in #escape_javascript (CVE-2020-5267), see details.
  • Fixed additional XSS vulnerabilities in #escape_javascript and #escape_json, see details

Dec 22nd, 2019: Version

  • Fixed ActiveRecord::SessionStore to not be vulnerable to timing attacks that can lead to session hijacking (CVE-2019-16782). see details

Mar 22nd, 2019: Amendment to CVE-2019-5418

  • The previously reported CVE 2019-5418 has been upgraded to possible remote code execution. Rails LTS protects your application against this exploit.

Mar 14th, 2019: Version

  • Backport fixes for ActionView format / MIME type parsing (CVE-2019-5418 and CVE-2019-5419) (see details)
  • Confirmed that 3.2 LTS is not affected by CVE-2019-5420.

Jan 30th, 2019: Version

  • Fix a crash in rake db:structure:dump (and sometimes rake db:migrate) when using a modern postgresql installation.

Jan 23rd, 2019: Version

  • Add compatibility for Ruby 2.5.

Aug 27th, 2018: Version

Jun 21st, 2018: Version

Require sprockets version 2.2.3, since 2.2.1 and 2.2.2 are vulnerable to an information leak attack. More Details

In our own investigations we found that Sprockets 2.2.3 is not vulnerable to CVE-2018-3760, despite the original advisory claiming so. Since no fixed sprockets versions were compatible with Rails 3.2, we've decided to freeze the dependency to 2.2.3, which has no vulnerability known to us.

Mar 20th, 2018: Not affected by sanitization CVEs

A vulnerability was disclosed for some Ruby sanitization gems like loofah (CVE-2018-8048) and sanitize (CVE-2018-3740). This also affects recent Rails versions, whose sanitize() helper depends on loofah.

We have confirmed that the sanitize() helper in Rails 3.2 is not affected by this issue.

Note that if your application uses one of the affected gems directly, you may still be affected and should update to the latest version of these gems.

Jan 16th, 2017: Version

Merged Ruby 2.3 compatibility fixes from the rails/3-2-stable branch.

Ruby 2.3 is now officially supported.

Aug 12th, 2016: Version

Merged a fix from the rails/3-2-stable branch:

Mar 1st, 2016: Version

  • Change to the rails gemspec, to prevent Bundler from installing outdated rails versions under rare circumstances
  • Functionally identical to

Mar 1st, 2016: Version

More Details

Jan 26th, 2016: Version

Merged several security fixes from the rails/3-2-stable branch, that include

Additionally backported the following:

More Details

November 2nd, 2015: Version

  • Add support for private gem servers.

June 17th, 2015: Version

June 17th, 2015: Version

  • Ruby 2.2 compatibility
  • Fix test suite

December 10th, 2014: Version

  • Initial release.
Henning Koch about 5 years ago
This website uses short-lived cookies to improve usability.
Accept or learn more