Rails 4.2 LTS Changelog

May 14th 2024, Rails version

May 14th 2024, Rack version

Feb 23rd 2024, Rack version

Feb 23rd 2024, Rails version

  • Fixed a regression of the fixes for CVE-2013-0269 and CVE-2020-10663 that introduced a vulnerability in JSON.parse on Ruby 2.7+; see here for more details. Thanks to Severin Schoepke for bringing this to our attention.

Aug 23rd 2023, Rails version

  • Fixed a bug for Ruby 3.1, where it was not possible to use scopes or class methods on scopes with keyword arguments.

Jun 27th 2023, Rails version

May 22nd 2023, Rails versions

  • Fixed a potential (non-security) issue with the / release with certain Ruby versions / versions of the uri gem.

Apr 4th 2023, Rails versions

  • Fixed a potential (non-security) issue with the release for certain webserver configurations.

Apr 4th 2023, Rails version

  • Added monkey patches to address ReDoS vulnerabilities in the time and uri stdlibs (CVE-2023-28755, CVE-2023-28756), see here for more details.

Mar 27th 2023, Rack version

  • The earlier fix for CVE-2022-44571 was incomplete. This release corrects the issue.

Mar 14th 2023: Rails version

  • Fixed XSS issue with SafeBuffer#bytesplice (CVE-2023-28120, only on Ruby 3.2, which is not currently supported), see here for more details.

Mar 14th 2023: Rack version

Mar 3rd, 2023: Rails version

  • We've added the Rack::TempfileReaper middleware to the default middleware stack, see below.
  • See here for additional details and a potential breaking change.

Mar 3rd, 2023: Rack version

  • Backported fix for [CVE-2023-27530] to address a potential DoS attack with Rack multipart requests.

Jan 24th, 2023: Rails version

Jan 20th, 2023: Rails version

  • Fixed multiple ReDoS vulnerabilities in Rails: [CVE-2023-22792], [CVE-2023-22796], [CVE-2023-22795]
  • Fixed a DoS vulnerability in the PostgreSQL adapter for ActiveRecord [CVE-2022-44566]
    • ActiveRecord will now throw an exception, if you pass an integer > 64bit. You can opt out using
      config.active_record.raise_int_wider_than_64bit = false
  • Added a monkey patch to fix a ReDoS vulnerability in globalid [CVE-2023-22799]
  • See here for more details

Jan 20th, 2023: Rack version

Dec 21st, 2022: Rack version

  • Fixed an issue that made rails server fail with certain web servers on Ruby 3.1.

Dec 13th, 2022: Rails version

Dec 13th, 2022: Rack version

  • Based on our fork of Rack.
  • Added support for Ruby 3.1.
  • Includes fixes for CVE-2020-8161, CVE-2020-8184, CVE-2022-30122, CVE-2022-30123, CWE-444.
  • More info

Jul 21st, 2022: Version

Jul 14th, 2022: Version

  • Backported fix for [CVE-2022-32224], a possible RCE escalation bug with serialized columns in Active Record. We tried to make it less of a breaking change than the official patch by adding a default set of permitted serializable classes. See details.

May 18th, 2022: Version

Apr 27th, 2022: Version

Sep 14th, 2021: Version

  • Relaxed requirement for Bundler. It is now possible to use Rails 4.2 LTS with Bundler 2 (given a compatible version of Ruby and Rubygems).

Mar 06th, 2021: Version

Feb 11th, 2021: Version

Jan 25th, 2021: Version

  • Added Ruby 2.7 compatibility.

Sep 10th, 2020: Version

Jun 17th, 2020: Announcement regarding CVE-2020-8184

May 19th, 2020: Version

May 16th, 2020: Version

May 15th, 2020: Announcement regarding CVE-2020-8161 and CVE-2018-16471

Mar 20th, 2020: Version

Dec 22nd, 2019: Announcement regarding CVE-2019-16782

Apr 11th, 2019: Version

  • Added some compatibility fixes to facilitate running Rails 4.2 LTS on Ruby 2.6.

Note: We do not officially support Ruby 2.6, so run it at your own risk. Rails unit tests pass with Ruby 2.6 as of this release.

Mar 22nd, 2019: Amendment to CVE-2019-5418

  • The previously reported CVE 2019-5418 has been upgraded to possible remote code execution. Rails LTS protects your application against this exploit.

Mar 14th, 2019: Version

  • Merged upstream fixes for ActionView format / MIME type parsing (CVE-2019-5418 and CVE-2019-5419) (see details)
  • Confirmed that 4.2 LTS is not affected by CVE-2019-5420.

Oct 28th, 2018: Version

  • Improved compatibility with Rails 2.3 and 3.2 LTS by defining ActionDispatch::Http::ParamsHashWithIndifferentAccess. This fixes potential issues for users upgrading from LTS versions < 4, and should not affect anyone else. See here for a description of the issue.

Oct 28th, 2018: Version

Oct 25th, 2018: Version

  • This release is identical to
  • There is a chance the Rails core team might release an official for security fixes after the end of the maintenance period. To avoid conflicts, we skip some versions ahead.

Sep 28th, 2018: Version

  • Initial release of the LTS version of Rails 4.2.
  • This is identical to the official 4.2.10 release, except for the additional Rails LTS hardening options.
  • Supports Ruby 2.1, 2.3, and 2.5.

Tobias Kraze