Jul 21st, 2022: Version 4.2.11.25

• Updated required tzinfo version to address CVE-2022-31163; see details Archive

Jul 14th, 2022: Version 4.2.11.24

• Backported fix for [CVE-2022-32224] Possible RCE escalation bug with Serialized Columns in Active Record. We tried to make it less of a breaking change than the official patch by adding a default set of permitted serializable classes. see details Archive

May 18th, 2022: Version 4.2.11.23

• Bug fix for recent security fix for CVE-2022-27777; see details Archive .

Apr 27th, 2022: Version 4.2.11.22

• Backported fix for possible XSS vulnerabilities via content_tag or tag helpers (CVE-2022-27777); see details Archive .

Sep 14th, 2021: Version 4.2.11.21

• Relaxed requirement for Bundler. It is now possible to use Rails 4.2 LTS with Bundler 2 (given a compatible version of Ruby and Rubygems).

Mar 06th, 2021: Version 4.2.11.20

• Fixed an information disclosure / unexpected method invocation vulnerability in Action Pack (CVE-2021-22885), see details Archive
  This contains a breaking change.
• Fixed a DOS vulnerabilty in Action Pack (CVE-2021-22904) see details.

Feb 11th, 2021: Version 4.2.11.19

• Backported fix for DOS vulnerability in ActiveRecord (CVE-2021-22880), see details Archive .

Jan 25th, 2021: Version 4.2.11.18

• Added Ruby 2.7 compatibility.

Sep 10th, 2020: Version 4.2.11.17

• Backported fix for potential XSS vulnerability in Action View (CVE-2020-15169), see details Archive .

Jun 17th, 2020: Announcement regarding CVE-2020-8184

• No Rails 4.2 LTS release was necessary.
• We backported the patch to our forked Archive version of rack 1.6.

May 19th, 2020: Version 4.2.11.16

• Addressed "Potentially unintended unmarshalling of user-provided objects in MemCacheStore" [CVE-2020-8165] Archive .
  Note that potential code changes are needed, see here for details Archive

May 16th, 2020: Version 4.2.11.15

• Applied patch for potential remote code execution of user-provided local names CVE-2020-8163 Archive , see details Archive .

May 15th, 2020: Announcement regarding CVE-2020-8161 and CVE-2018-16471

• No Rails 4.2 LTS release was necessary.
• We forked rack Archive to backport CVE-2020-8161 Archive .
• For more information read our advisory Archive .

Mar 20th, 2020: Version 4.2.11.14

• Fixed an XSS vulnerability in #escape_javascript (CVE-2020-5267), see details Archive

Dec 22nd, 2019: Announcement regarding CVE-2019-16782

• No Rails 4.2 LTS release was necessary.
• Users using the activerecord-session_store gem can upgrade to our fork Archive .
• For more information read our advisory Archive .

Apr 11th, 2019: Version 4.2.11.13

• Added some compatibility fixes to facilitate running Rails 4.2 LTS on Ruby 2.6.

Note: We do not officially support Ruby 2.6, so run it at your own risk. Rails unit tests pass with Ruby 2.6 as of this release.

Mar 22nd, 2019: Amendment to CVE-2019-5418

• The previously reported CVE 2019-5418 has been upgraded to possible remote code execution. Rails LTS 4.2.11.12 protects your application against this exploit.

Mar 14th, 2019: Version 4.2.11.12

• Merged upstream fixes for ActionView format / MIME type parsing (CVE-2019-5418 and CVE-2019-5419) ( see details Archive )
• Confirmed that 4.2 LTS is not affected by CVE-2019-5420.

Oct 28th, 2018: Version 4.2.11.11

• Improve compatibility with Rails 2.3 and 3.2 LTS by defining ActionDispatch::Http::ParamsHashWithIndifferentAccess. This fixes potentially issues for users upgrading from LTS versions < 4, and should not affect anyone else. See here for a description of the issue.

Oct 28th, 2018: Version 4.2.11.10

• Merge patch for broken access control vulnerability in Active Job (CVE-2018-16476) Archive .

Oct 25th, 2018: Version 4.2.10.10

• This release is identical to 4.2.10.1.
• There is a chance the Rails core team might release an official 4.2.10.1 for security fixes after the end of the maintenance period. To avoid conflicts, we skip some versions ahead.

Sep 28th, 2018: Version 4.2.10.1

• Initial release of the LTS version of Rails 4.2.
• This is identical to the official 4.2.10 release, except for the additional Rails LTS hardening options.
• Supports Ruby 2.1, 2.3, and 2.5.