Jul 21st, 2022: Version 22.214.171.124
Jul 14th, 2022: Version 126.96.36.199
- Backported fix for [CVE-2022-32224] Possible RCE escalation bug with Serialized Columns in Active Record. We tried to make it less of a breaking change than the official patch by adding a default set of permitted serializable classes. See details.
May 18th, 2022: Version 188.8.131.52
Apr 27th, 2022: Version 184.108.40.206
- Backported fix for possible XSS vulnerabilities via tag helpers (CVE-2022-27777).
Sep 14th, 2021: Version 220.127.116.11
- Relaxed requirement for Bundler. It is now possible to use Rails 4.2 LTS with Bundler 2 (given a compatible version of Ruby and Rubygems).
Mar 06th, 2021: Version 18.104.22.168
- Fixed an information disclosure / unexpected method invocation vulnerability in Action Pack (CVE-2021-22885). This contains a breaking change.
- Fixed a DoS vulnerability in Action Pack (CVE-2021-22904). See details.
Feb 11th, 2021: Version 22.214.171.124
- Backported fix for DoS vulnerability in ActiveRecord (CVE-2021-22880).
Jan 25th, 2021: Version 126.96.36.199
- Added Ruby 2.7 compatibility.
Sep 10th, 2020: Version 188.8.131.52
- Backported fix for potential XSS vulnerability in Action View (CVE-2020-15169).
Jun 17th, 2020: Announcement regarding CVE-2020-8184
- No Rails 4.2 LTS release was necessary.
- We backported the patch to our version of rack 1.6.
May 19th, 2020: Version 184.108.40.206
May 16th, 2020: Version 220.127.116.11
May 15th, 2020: Announcement regarding CVE-2020-8161 and CVE-2018-16471
Mar 20th, 2020: Version 18.104.22.168
Dec 22nd, 2019: Announcement regarding CVE-2019-16782
Apr 11th, 2019: Version 22.214.171.124
- Added some compatibility fixes to facilitate running Rails 4.2 LTS on Ruby 2.6.
Note: We do not officially support Ruby 2.6, so run it at your own risk. Rails unit tests pass with Ruby 2.6 as of this release.
Mar 22nd, 2019: Amendment to CVE-2019-5418
- The previously reported CVE-2019-5418 has been upgraded to possible remote code execution. Rails LTS 126.96.36.199 protects your application against this exploit.
Mar 14th, 2019: Version 188.8.131.52
- Merged upstream fixes for ActionView format / MIME type parsing (CVE-2019-5418 and CVE-2019-5419).
- Confirmed that 4.2 LTS is not affected by CVE-2019-5420.
Oct 28th, 2018: Version 184.108.40.206
- Improved compatibility with Rails 2.3 and 3.2 LTS by defining ActionDispatch::Http::ParamsHashWithIndifferentAccess. This fixes potential issues for users upgrading from LTS versions < 4, and should not affect anyone else. See here for a description of the issue.
Oct 28th, 2018: Version 220.127.116.11
Oct 25th, 2018: Version 18.104.22.168
- This release is identical to 22.214.171.124.
- There is a chance the Rails core team might release an official 126.96.36.199 for security fixes after the end of the maintenance period. To avoid conflicts, we skip some versions ahead.
Sep 28th, 2018: Version 188.8.131.52
- Initial release of the LTS version of Rails 4.2.
- This is identical to the official 4.2.10 release, except for the additional Rails LTS hardening options.
- Supports Ruby 2.1, 2.3, and 2.5.