Rails 4.2 LTS Changelog
May 22th 2023, Rails versions 4.2.11.33
- Fixed a potential (non-security) issue with the 4.2.11.31 / 4.2.11.32 release with certain Ruby versions / version of the
uri
gem.
Apr 4th 2023, Rails versions 4.2.11.32
- Fixed a potential (non-security) issue with the 4.2.11.31 release for certain webserver configurations
Apr 4th 2023, Rails version 4.2.11.31
- Added monkey patches to address ReDoS vulnerabilities in the
time
and uri
stdlibs (CVE-2023-28755, CVE-2023-28756), see
here
Show archive.org snapshot
for more details
Mar 27th 2023, Rack version 1.6.13.15
- The earlier fix for CVE-2022-44571 was incomplete. This release corrects the issue.
Mar 14th 2023: Rails version 4.2.11.30
- Fixed XSS issue with
SafeBuffer#bytesplice
(only on Ruby 3.2, which is not currently supported), see
here
Show archive.org snapshot
for more details.
Mar 14th 2023: Rack version 1.6.13.14
Mar 3rd, 2023: Rails version 4.2.11.29
- We've added the
Rack::TempfileReaper
middleware to the default middleware stack, see below.
- See
here
Show archive.org snapshot
for additional details and a potential breaking change.
Mar 3rd, 2023: Rack version 1.6.13.13
- Backported fix for [CVE-2023-27530] to address a potential DOS attack with rack multipart requests.
Jan 24th, 2023: Rails version 4.2.11.28
Jan 20th, 2023: Rails version 4.2.11.27
- Fixed multiple ReDoS vulnerabilities in Rails: [CVE-2023-22792], [CVE-2023-22796], [CVE-2022-22795]
- Fixed a DOS vulnerability in the PostgreSQL adapter for ActiveRecord [CVE-2022-44566]
- Added a monkey patch to fix a ReDoS vulnerability in globalid [CVE-2023-22799]
- See
here
Show archive.org snapshot
for more details
Jan 20th, 2023: Rack version 1.6.13.12
Dec 21st, 2022: Rack version 1.6.3.11
- Fixed an issue that made
rails server
fail with certain web servers on Ruby 3.1.
Dec 13th, 2022: Rails version 4.2.11.26
Dec 13th, 2022: Rack version 1.6.3.10
- Based on our fork of rack.
- Added support for ruby 3.1.
- Includes fixes for CVE-2020-8161, CVE-2020-8184, CVE-2022-30122, CVE-2022-30123, CWE-444.
- More info
Jul 21st, 2022: Version 4.2.11.25
Jul 14th, 2022: Version 4.2.11.24
- Backported fix for [CVE-2022-32224] Possible RCE escalation bug with Serialized Columns in Active Record. We tried to make it less of a breaking change than the official patch by adding a default set of permitted serializable classes. see details
May 18th, 2022: Version 4.2.11.23
Apr 27th, 2022: Version 4.2.11.22
Sep 14th, 2021: Version 4.2.11.21
- Relaxed requirement for Bundler. It is now possible to use Rails 4.2 LTS with Bundler 2 (given a compatible version of Ruby and Rubygems).
Mar 06th, 2021: Version 4.2.11.20
Feb 11th, 2021: Version 4.2.11.19
Jan 25th, 2021: Version 4.2.11.18
- Added Ruby 2.7 compatibility.
Sep 10th, 2020: Version 4.2.11.17
Jun 17th, 2020: Announcement regarding CVE-2020-8184
May 19th, 2020: Version 4.2.11.16
May 16th, 2020: Version 4.2.11.15
May 15th, 2020: Announcement regarding CVE-2020-8161 and CVE-2018-16471
Mar 20th, 2020: Version 4.2.11.14
Dec 22nd, 2019: Announcement regarding CVE-2019-16782
Apr 11th, 2019: Version 4.2.11.13
- Added some compatibility fixes to facilitate running Rails 4.2 LTS on Ruby 2.6.
Note: We do not officially support Ruby 2.6, so run it at your own risk. Rails unit tests pass with Ruby 2.6 as of this release.
Mar 22nd, 2019: Amendment to CVE-2019-5418
- The previously reported CVE 2019-5418 has been upgraded to possible remote code execution. Rails LTS 4.2.11.12 protects your application against this exploit.
Mar 14th, 2019: Version 4.2.11.12
- Merged upstream fixes for ActionView format / MIME type parsing (CVE-2019-5418 and CVE-2019-5419) (
see details
Show archive.org snapshot
)
- Confirmed that 4.2 LTS is not affected by CVE-2019-5420.
Oct 28th, 2018: Version 4.2.11.11
- Improve compatibility with Rails 2.3 and 3.2 LTS by defining
ActionDispatch::Http::ParamsHashWithIndifferentAccess
. This fixes potentially issues for users upgrading from LTS versions < 4, and should not affect anyone else. See here for a description of the issue.
Oct 28th, 2018: Version 4.2.11.10
Oct 25th, 2018: Version 4.2.10.10
- This release is identical to 4.2.10.1.
- There is a chance the Rails core team might release an official 4.2.10.1 for security fixes after the end of the maintenance period. To avoid conflicts, we skip some versions ahead.
Sep 28th, 2018: Version 4.2.10.1
- Initial release of the LTS version of Rails 4.2.
- This is identical to the official 4.2.10 release, except for the additional Rails LTS hardening options.
- Supports Ruby 2.1, 2.3, and 2.5.
Tobias Kraze
Over 4 years ago