Aug 23rd, 2023: Rails version 5.2.8.22
Jun 27th, 2023: Rails version 5.2.8.21
Apr 11th, 2023: Rails version 5.2.8.19
Apr 4th, 2023: Rack version 2.2.6.14
- Backported non-security fixes from upstream Rack 2.2.5 and 2.2.6. Changes are:
  - Extend `Rack::MethodOverride` to handle the `QueryParser::ParamsTooDeepError` error.
  - `Rack::URLMap` uses the non-deprecated form of `Regexp.new`.
Apr 4th, 2023: Rails version 5.2.8.18
- Added monkey patches to address ReDoS vulnerabilities in the `time` and `uri` stdlibs (CVE-2023-28755, CVE-2023-28756); see here for more details.
Mar 14th, 2023: Rails version 5.2.8.17
Mar 14th, 2023: Rack version 2.2.4.13
Mar 3rd, 2023: Rack version 2.2.4.12
- Backported fix for [CVE-2023-27530] to address a potential DoS attack with Rack multipart requests.
- See here for additional details and a potential breaking change.
Jan 24th, 2023: Rails version 5.2.8.16
Jan 20th, 2023: Rails version 5.2.8.15
- Fixed multiple ReDoS vulnerabilities in Rails: [CVE-2023-22792], [CVE-2023-22796], [CVE-2023-22795]
- Fixed a DoS vulnerability in the PostgreSQL adapter for ActiveRecord [CVE-2022-44566]
- Added a monkey patch to fix a ReDoS vulnerability in globalid [CVE-2023-22799]
- See here for more details.
Jan 20th, 2023: Rack version 2.2.4.11
- Fixed multiple ReDoS vulnerabilities in Rack: [CVE-2022-44570], [CVE-2022-44571], [CVE-2022-44572]
- See here for more details.
Dec 16th, 2022: Rails version 5.2.8.14
- Backported fix for CVE-2022-3704. This is an XSS vulnerability that only applies to the development environment and is not an actual security problem.
Dec 13th, 2022: Rails version 5.2.8.13
Dec 13th, 2022: Rack version 2.2.4.10
- Based on our fork of rack.
- Added support for Ruby 2.2.
- Added support for Ruby 3.1.
- Includes fixes for CWE-444.
- More info
Jul 21st, 2022: Version 5.2.8.12
Jul 14th, 2022: Version 5.2.8.11
- Merged upstream bug fix for [CVE-2022-32224], a possible RCE escalation bug with serialized columns in Active Record. We tried to make it less of a breaking change than the official patch by adding a default set of permitted serializable classes. See details.
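As an added illustration of the allowlist idea behind this fix (this is example code, not code from Rails LTS or from the upstream patch): Active Record's serialized columns store YAML, and restricting which Ruby classes the YAML loader may instantiate turns an unexpected object in stored data into a load error instead of an object construction. The `PERMITTED` list, the `load_serialized` helper and the two sample documents below are constructed for this example and are not the Rails LTS defaults.

```ruby
require 'yaml'

# Hypothetical allowlist for this example; the real Rails LTS default set
# is not reproduced here. Only these classes may be instantiated from YAML.
PERMITTED = [Symbol, Time].freeze

# Constructed sample: what a serialized preferences column might hold.
SAFE_DOC = { "theme" => "dark", "since" => Time.utc(2022, 7, 14) }.to_yaml

# Constructed sample: a document whose tag names a class outside the allowlist.
HOSTILE_DOC = "--- !ruby/object:OpenStruct\ntable: {}\n"

# Deserialize a column value, allowing only the permitted classes.
# Returns [:ok, object] or [:rejected, message]. Psych raises
# Psych::DisallowedClass before constructing anything outside the allowlist,
# so the tagged object in HOSTILE_DOC is never instantiated.
def load_serialized(yaml, permitted: PERMITTED)
  [:ok, YAML.safe_load(yaml, permitted_classes: permitted)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if $PROGRAM_NAME == __FILE__
  p load_serialized(SAFE_DOC)                 # [:ok, {"theme"=>"dark", "since"=>...}]
  p load_serialized(HOSTILE_DOC)              # [:rejected, "... OpenStruct"]
  p load_serialized(SAFE_DOC, permitted: [])  # [:rejected, "... Time"]
end
```

The third call shows the cost side of an allowlist: a class that legitimate stored data relies on (here `Time`) must be in the permitted set, which is why a default set that covers common column contents matters for how breaking the change is.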
May 18th, 2022: Version 5.2.8.10
Apr 27th, 2022: Version 5.2.7.11
- Merged upstream fixes for CVE-2022-22577 and CVE-2022-27777, to include CSP headers on all responses and to fix possible XSS vulnerabilities via the `content_tag` or `tag` helpers; see details.
Mar 12th, 2022: Version 5.2.7.10
Mar 09th, 2022: Version 5.2.6.12
- Merged upstream fix for CVE-2022-21831, which fixes a potential code injection vulnerability in ActiveStorage by adding an allowlist to image processing methods, in case user input is passed to the `#variant` method. See here.
Feb 12th, 2022: Version 5.2.6.11
Dec 09th, 2021: Version 5.2.6.10
- Initial release of the LTS version of Rails 5.2.
- This is identical to the official 5.2.6 release, except for the additional Rails LTS hardening config. This config currently has no effect but might be used for future fixes (in which case the advisory will point that out).
- Supports Ruby 2.2, 2.5, and 2.7.
- (Skipped to version .10 to avoid collision with a potential future 5.2.6.1 community release.)
Posted by Tobias Kraze to Rails LTS documentation (2021-12-09 12:28)