Posted 8 months ago. Visible to the public.
Rails 5.2 LTS Changelog
Jul 21st, 2022: Version 5.2.8.12
- Updated required tzinfo version to address CVE-2022-31163; see details Archive
Jul 14th, 2022: Version 5.2.8.11
- Merged upstream bug fix for [CVE-2022-32224] Possible RCE escalation bug with Serialized Columns in Active Record. We tried to make it less of a breaking change than the official patch by adding a default set of permitted serializable classes. see details Archive
May 18th, 2022: Version 5.2.8.10
- Merged upstream bug fix for recent security fix for CVE-2022-27777 and improved it; see details Archive .
Apr 27th, 2022: Version 5.2.7.11
- Merged upstream fixes for CVE-2022-22577 and CVE-2022-27777, to include CSP headers on all all responses, and fixing possible XSS vulnerabilities via
content_tag
ortag
helpers; see details Archive .
Mar 12th, 2022: Version 5.2.7.10
Mar 09th, 2022: Version 5.2.6.12
- Merged upstream fix for CVE-2022-21831, which fixes a potential code injection vulnerability in ActiveStorage by adding an allowlist to image processing methods, in case user input is passed to the
#variant
method. see here Archive
Feb 12th, 2022: Version 5.2.6.11
- Merged upstream fix for CVE-2022-23633, addressing potential cross-request information leakage in Action Pack. see here Archive
Dec 09th, 2021: Version 5.2.6.10
- Initial release of the LTS version of Rails 5.2.
- This is identical to the official 5.2.6 release, except for the additional Rails LTS hardening config. This config currently has no effect but might be used for future fixes (in which case the advisory will point that out).
- Supports Ruby 2.2, 2.5, and 2.7.
- (Skipped to version .10 to avoid collision with a potential future 5.2.6.1 community release.)
Does your version of Ruby on Rails still receive security updates?
Rails LTS provides security patches for unsupported versions of Ruby on Rails (2.3, 3.2, 4.2 and 5.2).