Aug 19th, 2022: Version 18.104.22.168
- Removed "rdoc" dependency, since some rdoc versions depend on a vulnerable version of the "json" gem
Jul 21st, 2022: Version 22.214.171.124
Jul 14th, 2022: Version 126.96.36.199
- Merged upstream bug fix for [CVE-2022-32224] Possible RCE escalation bug with Serialized Columns in Active Record. We tried to make it less of a breaking change than the official patch by adding a default set of permitted serializable classes. Note this patch has no effect for Rubies < 2.1 see details
May 18th, 2022: Version 188.8.131.52
Apr 27th, 2022: Version 184.108.40.206
- Backported fix for possible XSS vulnerabilities via
tag helpers (CVE-2022-27777);
Mar 11th, 2022: Version 220.127.116.11
- Relaxed version requirement for bycrypt. Old bcrypt versions have issues on some newer Linux distros, but it was not possible to update to a fixed version. With this version of 3.2 LTS, you can now set bcrypt-ruby to
~> 3.0 in your Gemfile and do a
bundle upgrade bcrypt-ruby with Rails complaining.
Dec 21st, 2021: Version 18.104.22.168
- Improved compatibility with newer Postgresql Versions. 3.2 LTS should now work with Postgresql up to version 14.
Sep 14th, 2021: Version 22.214.171.124
- Relaxed requirement for Bundler. It is now possible to use Rails 3.2 LTS with Bundler 2 (given a compatible version of Ruby and Rubygems).
Mar 06th, 2021: Version 126.96.36.199
Feb 11th, 2021: Version 188.8.131.52 (bugfix release)
- Fixed a "cannot modify frozen string" with params parsing in Ruby 2.7 (does not seem to occur with usual configuration).
- Reduce occurance of some deprecation warnings. We still recommend to use Ruby 2.7.2 which has these warning disabled by default.
Jan 27th, 2021: Version 184.108.40.206
Jan 25th, 2021: Version 220.127.116.11
- Added Ruby 2.7 compatibility.
Sep 10th, 2020: Version 18.104.22.168
- Backported fix for potential XSS vulnerability in Action View (CVE-2020-15169),
Jun 17th, 2020: Announcement regarding CVE-2020-8184
- No Rails 3.2 LTS release was necessary.
- We backported the patch to our
version of rack 1.4.
May 19th, 2020: Version 22.214.171.124
May 16th, 2020: Version 126.96.36.199
May 15th, 2020: Announcement regarding CVE-2020-8161 and CVE-2018-16471
May 07th, 2020: Version 188.8.131.52
- Backported fix for arbitrary file write/potential remote code execution attack in actionpack (CVE-2020-8159),
May 06th, 2020: Version 184.108.40.206
- Backported fix for information disclosure vulnerability in Active Resource (CVE-2020-8151),
Mar 20th, 2020: Version 220.127.116.11
- Fixed an XSS vulnerability in
- Fixed additional XSS vulnerabilities in
Dec 22nd, 2019: Version 18.104.22.168
ActiveRecord::SessionStore to not be vulnerable to timing attacks that can lead to session hijacking (CVE-2019-16782).
Mar 22nd, 2019: Amendment to CVE-2019-5418
- The previously reported CVE 2019-5418 has been upgraded to possible remote code execution. Rails LTS 22.214.171.124 protects your application against this exploit.
Mar 14th, 2019: Version 126.96.36.199
- Backport fixes for ActionView format / MIME type parsing (CVE-2019-5418 and CVE-2019-5419) (
- Confirmed that 3.2 LTS is not affected by CVE-2019-5420.
Jan 30th, 2019: Version 188.8.131.52
- Fix a crash in
rake db:structure:dump (and sometimes
rake db:migrate) when using a modern postgresql installation.
Jan 23rd, 2019: Version 184.108.40.206
- Add compatibility for Ruby 2.5.
Aug 27th, 2018: Version 220.127.116.11
Jun 21st, 2018: Version 18.104.22.168
Require sprockets version 2.2.3, since 2.2.1 and 2.2.2 are vulnerable to an information leak attack.
In our own investigations we found that Sprockets 2.2.3 is not vulnerable to CVE-2018-3760, despite the original advisory claiming so. Since no fixed sprockets versions were compatible with Rails 3.2, we've decided to freeze the dependency to 2.2.3, which has no vulnerability known to us.
Mar 20th, 2018: Not affected by sanitization CVEs
A vulnerability was disclosed for some Ruby sanitization gems like loofah (
) and sanitize (
). This also affects recent Rails versions, whose
sanitize() helper depends on loofah.
We have confirmed that the
sanitize() helper in Rails 3.2 is not affected by this issue.
Note that if your application uses one of the affected gems directly, you may still be affected and should update to the latest version of these gems.
Jan 16th, 2017: Version 22.214.171.124
Merged Ruby 2.3 compatibility fixes from the rails/3-2-stable branch.
Ruby 2.3 is now officially supported.
Aug 12th, 2016: Version 126.96.36.199
Merged a fix from the rails/3-2-stable branch:
Mar 1st, 2016: Version 188.8.131.52
- Change to the rails gemspec, to prevent Bundler from installing outdated rails versions under rare circumstances
- Functionally identical to 184.108.40.206.
Mar 1st, 2016: Version 220.127.116.11
Jan 26th, 2016: Version 18.104.22.168
Merged several security fixes from the rails/3-2-stable branch, that include
Additionally backported the following:
November 2nd, 2015: Version 22.214.171.124
- Add support for private gem servers.
June 17th, 2015: Version 126.96.36.199
June 17th, 2015: Version 188.8.131.52
- Ruby 2.2 compatibility
- Fix test suite
December 10th, 2014: Version 184.108.40.206