206 Rails 5.2 LTS Changelog

Updated . Posted . Visible to the public.

May 14th 2024, Rails version

  • Added support for Ruby 3.3. See our upgrade guide.
  • (There is no release of Rack, version is already compatible with Ruby 3.3.)

Feb 23rd 2024, Rack version

  • Fixed DoS vulnerabilities CVE-2024-25126 and CVE-2024-26141, see here Show archive.org snapshot for more details.
  • Merged several upstream bug fixes from Rack 2.2.8.

Oct 18th 2023, Rails version

  • Fixed a bug for Ruby 3.1, where it was not possible to use scopes or class methods on scopes with keyword arguments.

Aug 23rd 2023, Rails version

Jun 27th 2023, Rails version

Apr 11th 2023, Rails version

  • Fixed an issue with migrations on Ruby 3.1 when using code of the form
    change_table do |t|
      t.integer :size, default: 0 # works
      t.integer :count, { default: 0 } # would create an additional column named "{default => 0}" 
    This could also cause weird columns to appear in the schema_migrations or ar_internal_metadata tables when creating a new database.

Apr 4th 2023, Rack version

  • Backported non-security fixes from upstream Rack 2.2.5 and 2.2.6. Changes are
    • Extend Rack::MethodOverride to handle QueryParser::ParamsTooDeepError error.
    • Rack::URLMap uses non-deprecated form of Regexp.new.

Apr 4th 2023, Rails version

  • Added monkey patches to address ReDoS vulnerabilities in the time and uri stdlibs (CVE-2023-28755, CVE-2023-28756), see here Show archive.org snapshot for more details

Mar 14th 2023: Rails version

Mar 14th 2023: Rack version

Mar 3rd, 2023: Rack version

  • Backported fix for [CVE-2023-27530] to address a potential DOS attack with rack multipart requests.
  • See here Show archive.org snapshot for additional details and a potential breaking change.

Jan 24th, 2023: Rails version

Jan 20th, 2023: Rails version

  • Fixed multiple ReDoS vulnerabilities in Rails: [CVE-2023-22792], [CVE-2023-22796], [CVE-2023-22795]
  • Fixed a DOS vulnerability in the PostgreSQL adapter for ActiveRecord [CVE-2022-44566]
    • ActiveRecord will now throw an exception, if you pass an integer > 64bit. You can opt out using
      config.active_record.raise_int_wider_than_64bit = false
  • Added a monkey patch to fix a ReDoS vulnerability in globalid [CVE-2023-22799]
  • See here Show archive.org snapshot for more details

Jan 20th, 2023: Rack version

Dec 16th, 2022: Rails version

  • Backported fix for CVE-2022-3704. This is an XSS vulnerability that only applies to development and not an actual security problem.

Dec 13th, 2022: Rails version

Dec 13th, 2022: Rack version

  • Based on our fork of rack.
  • Added support for Ruby 2.2
  • Added support for Ruby 3.1.
  • Includes fixes for CWE-444.
  • More info

Jul 21st, 2022: Version

Jul 14th, 2022: Version

  • Merged upstream bug fix for [CVE-2022-32224] Possible RCE escalation bug with Serialized Columns in Active Record. We tried to make it less of a breaking change than the official patch by adding a default set of permitted serializable classes. see details

May 18th, 2022: Version

Apr 27th, 2022: Version

  • Merged upstream fixes for CVE-2022-22577 and CVE-2022-27777, to include CSP headers on all all responses, and fixing possible XSS vulnerabilities via content_tag or tag helpers; see details Show archive.org snapshot .

Mar 12th, 2022: Version

Mar 09th, 2022: Version

  • Merged upstream fix for CVE-2022-21831, which fixes a potential code injection vulnerability in ActiveStorage by adding an allowlist to image processing methods, in case user input is passed to the #variant method. see here Show archive.org snapshot

Feb 12th, 2022: Version

Dec 09th, 2021: Version

  • Initial release of the LTS version of Rails 5.2.
  • This is identical to the official 5.2.6 release, except for the additional Rails LTS hardening config. This config currently has no effect but might be used for future fixes (in which case the advisory will point that out).
  • Supports Ruby 2.2, 2.5, and 2.7.
  • (Skipped to version .10 to avoid collision with a potential future community release.)
Tobias Kraze
Last edit
Tobias Kraze
Source code in this card is licensed under the MIT License.
Posted by Tobias Kraze to Rails LTS documentation (2021-12-09 12:28)