Fixed a regression for CVE-2013-0269 and CVE-2020-10663 that introduced a vulnerability in JSON.parse on Ruby version 2.7+, see here for more details. Thanks to Severin Schoepke for bringing this to our attention.
Aug 23rd 2023, Rails version 4.2.11.35
Fixed a bug for Ruby 3.1, where it was not possible to use scopes or class methods on scopes with keyword arguments.
Jun 27th 2023, Rails version 4.2.11.34
Fixed a possible XSS vulnerability via user-supplied values to redirect_to (CVE-2023-28362), see here for more details.
May 22nd 2023, Rails version 4.2.11.33
Fixed a potential (non-security) issue with the 4.2.11.31 / 4.2.11.32 releases with certain Ruby versions / versions of the uri gem.
Apr 4th 2023, Rails version 4.2.11.32
Fixed a potential (non-security) issue with the 4.2.11.31 release for certain webserver configurations.
Apr 4th 2023, Rails version 4.2.11.31
Added monkey patches to address ReDoS vulnerabilities in the time and uri stdlibs (CVE-2023-28755, CVE-2023-28756), see here for more details.
Mar 27th 2023, Rack version 1.6.13.15
The earlier fix for CVE-2022-44571 was incomplete. This release corrects the issue.
Mar 14th 2023: Rails version 4.2.11.30
Fixed an XSS issue with SafeBuffer#bytesplice (CVE-2023-28120, only on Ruby 3.2, which is not currently supported), see here for more details.
Backported the fix for CVE-2022-32224, a possible RCE escalation bug with serialized columns in Active Record. We tried to make it less of a breaking change than the official patch by adding a default set of permitted serializable classes. See details.
Added some compatibility fixes to facilitate running Rails 4.2 LTS on Ruby 2.6.
Note: We do not officially support Ruby 2.6, so run it at your own risk. Rails unit tests pass with Ruby 2.6 as of this release.
Mar 22nd, 2019: Amendment to CVE-2019-5418
The previously reported CVE-2019-5418 has been upgraded to possible remote code execution. Rails LTS 4.2.11.12 protects your application against this exploit.
Confirmed that 4.2 LTS is not affected by CVE-2019-5420.
Oct 28th, 2018: Version 4.2.11.11
Improved compatibility with Rails 2.3 and 3.2 LTS by defining ActionDispatch::Http::ParamsHashWithIndifferentAccess. This fixes potential issues for users upgrading from LTS versions < 4, and should not affect anyone else. See here for a description of the issue.
There is a chance the Rails core team might release an official 4.2.10.1 for security fixes after the end of the maintenance period. To avoid conflicts, we skip some versions ahead.
Sep 28th, 2018: Version 4.2.10.1
Initial release of the LTS version of Rails 4.2.
This is identical to the official 4.2.10 release, except for the additional Rails LTS hardening options.