Feb 23rd 2024, Rack version 1.6.13.16

• Fixed DoS vulnerabilities CVE-2024-25126 and CVE-2024-26141, see here Show archive.org snapshot for more details.

Feb 23rd 2024, Rails version 4.2.11.36

• Fixed a regression for CVE-2013-0269, CVE-2020-10663 introducing a vulnerability for JSON.parse on Ruby version 2.7+, see here Show archive.org snapshot for more details. Thanks to Severin Schoepke for bringing this to our attention.

Aug 23rd 2023, Rails version 4.2.11.35

• Fixed a bug for Ruby 3.1, where it was not possible to use scopes or class methods on scopes with keyword arguments.

Jun 27th 2023, Rails version 4.2.11.34

• Fixed a possible XSS vulnerability via User Supplied Values to redirect_to (CVE-2023-28362), see here Show archive.org snapshot for more details

May 22th 2023, Rails versions 4.2.11.33

• Fixed a potential (non-security) issue with the 4.2.11.31 / 4.2.11.32 release with certain Ruby versions / version of the uri gem.

Apr 4th 2023, Rails versions 4.2.11.32

• Fixed a potential (non-security) issue with the 4.2.11.31 release for certain webserver configurations

Apr 4th 2023, Rails version 4.2.11.31

• Added monkey patches to address ReDoS vulnerabilities in the time and uri stdlibs (CVE-2023-28755, CVE-2023-28756), see here Show archive.org snapshot for more details

Mar 27th 2023, Rack version 1.6.13.15

• The earlier fix for CVE-2022-44571 was incomplete. This release corrects the issue.

Mar 14th 2023: Rails version 4.2.11.30

• Fixed XSS issue with SafeBuffer#bytesplice (CVE-2023-28120, only on Ruby 3.2, which is not currently supported), see here Show archive.org snapshot for more details.

Mar 14th 2023: Rack version 1.6.13.14

• Backported fix for DOS vulnerability CVE-2023-27539, see here Show archive.org snapshot for more details.

Mar 3rd, 2023: Rails version 4.2.11.29

• We've added the Rack::TempfileReaper middleware to the default middleware stack, see below.
• See here Show archive.org snapshot for additional details and a potential breaking change.

Mar 3rd, 2023: Rack version 1.6.13.13

• Backported fix for [CVE-2023-27530] to address a potential DOS attack with rack multipart requests.

Jan 24th, 2023: Rails version 4.2.11.28

• Bugfix for an issue with cookie domains introduced by [CVE-2023-22792]. Please read the details Show archive.org snapshot if you had 4.2.11.27 running in production.

Jan 20th, 2023: Rails version 4.2.11.27

• Fixed multiple ReDoS vulnerabilities in Rails: [CVE-2023-22792], [CVE-2023-22796], [CVE-2023-22795]
• Fixed a DOS vulnerability in the PostgreSQL adapter for ActiveRecord [CVE-2022-44566]
  • ActiveRecord will now throw an exception, if you pass an integer > 64bit. You can opt out using

    Copyconfig.active_record.raise_int_wider_than_64bit = false
    

• Added a monkey patch to fix a ReDoS vulnerability in globalid [CVE-2023-22799]
• See here Show archive.org snapshot for more details

Jan 20th, 2023: Rack version 1.6.13.12

• Fixed multiple ReDos vulnerabilites in Rack: [CVE-2022-44570], [CVE-2022-44571]
• See here Show archive.org snapshot for more details

Dec 21st, 2022: Rack version 1.6.13.11

• Fixed an issue that made rails server fail with certain web servers on Ruby 3.1.

Dec 13th, 2022: Rails version 4.2.11.26

• Added compatibility for Ruby 3.1.

Dec 13th, 2022: Rack version 1.6.13.10

• Based on our fork of rack.
• Added support for ruby 3.1.
• Includes fixes for CVE-2020-8161, CVE-2020-8184, CVE-2022-30122, CVE-2022-30123, CWE-444.
• More info

Jul 21st, 2022: Version 4.2.11.25

• Updated required tzinfo version to address CVE-2022-31163; see details Show archive.org snapshot

Jul 14th, 2022: Version 4.2.11.24

• Backported fix for [CVE-2022-32224] Possible RCE escalation bug with Serialized Columns in Active Record. We tried to make it less of a breaking change than the official patch by adding a default set of permitted serializable classes. see details

May 18th, 2022: Version 4.2.11.23

• Bug fix for recent security fix for CVE-2022-27777; see details Show archive.org snapshot .

Apr 27th, 2022: Version 4.2.11.22

• Backported fix for possible XSS vulnerabilities via content_tag or tag helpers (CVE-2022-27777); see details Show archive.org snapshot .

Sep 14th, 2021: Version 4.2.11.21

• Relaxed requirement for Bundler. It is now possible to use Rails 4.2 LTS with Bundler 2 (given a compatible version of Ruby and Rubygems).

Mar 06th, 2021: Version 4.2.11.20

• Fixed an information disclosure / unexpected method invocation vulnerability in Action Pack (CVE-2021-22885), see details Show archive.org snapshot
  This contains a breaking change.
• Fixed a DOS vulnerabilty in Action Pack (CVE-2021-22904) see details.

Feb 11th, 2021: Version 4.2.11.19

• Backported fix for DOS vulnerability in ActiveRecord (CVE-2021-22880), see details Show archive.org snapshot .

Jan 25th, 2021: Version 4.2.11.18

• Added Ruby 2.7 compatibility.

Sep 10th, 2020: Version 4.2.11.17

• Backported fix for potential XSS vulnerability in Action View (CVE-2020-15169), see details Show archive.org snapshot .

Jun 17th, 2020: Announcement regarding CVE-2020-8184

• No Rails 4.2 LTS release was necessary.
• We backported the patch to our forked Show archive.org snapshot version of rack 1.6.

May 19th, 2020: Version 4.2.11.16

• Addressed "Potentially unintended unmarshalling of user-provided objects in MemCacheStore" [CVE-2020-8165] Show archive.org snapshot .
  Note that potential code changes are needed, see here for details Show archive.org snapshot

May 16th, 2020: Version 4.2.11.15

• Applied patch for potential remote code execution of user-provided local names CVE-2020-8163 Show archive.org snapshot , see details Show archive.org snapshot .

May 15th, 2020: Announcement regarding CVE-2020-8161 and CVE-2018-16471

• No Rails 4.2 LTS release was necessary.
• We forked rack Show archive.org snapshot to backport CVE-2020-8161 Show archive.org snapshot .
• For more information read our advisory Show archive.org snapshot .

Mar 20th, 2020: Version 4.2.11.14

• Fixed an XSS vulnerability in #escape_javascript (CVE-2020-5267), see details Show archive.org snapshot

Dec 22nd, 2019: Announcement regarding CVE-2019-16782

• No Rails 4.2 LTS release was necessary.
• Users using the activerecord-session_store gem can upgrade to our fork Show archive.org snapshot .
• For more information read our advisory Show archive.org snapshot .

Apr 11th, 2019: Version 4.2.11.13

• Added some compatibility fixes to facilitate running Rails 4.2 LTS on Ruby 2.6.

Note: We do not officially support Ruby 2.6, so run it at your own risk. Rails unit tests pass with Ruby 2.6 as of this release.

Mar 22nd, 2019: Amendment to CVE-2019-5418

• The previously reported CVE 2019-5418 has been upgraded to possible remote code execution. Rails LTS 4.2.11.12 protects your application against this exploit.

Mar 14th, 2019: Version 4.2.11.12

• Merged upstream fixes for ActionView format / MIME type parsing (CVE-2019-5418 and CVE-2019-5419) ( see details Show archive.org snapshot )
• Confirmed that 4.2 LTS is not affected by CVE-2019-5420.

Oct 28th, 2018: Version 4.2.11.11

• Improve compatibility with Rails 2.3 and 3.2 LTS by defining ActionDispatch::Http::ParamsHashWithIndifferentAccess. This fixes potentially issues for users upgrading from LTS versions < 4, and should not affect anyone else. See here for a description of the issue.

Oct 28th, 2018: Version 4.2.11.10

• Merge patch for broken access control vulnerability in Active Job (CVE-2018-16476) Show archive.org snapshot .

Oct 25th, 2018: Version 4.2.10.10

• This release is identical to 4.2.10.1.
• There is a chance the Rails core team might release an official 4.2.10.1 for security fixes after the end of the maintenance period. To avoid conflicts, we skip some versions ahead.

Sep 28th, 2018: Version 4.2.10.1

• Initial release of the LTS version of Rails 4.2.
• This is identical to the official 4.2.10 release, except for the additional Rails LTS hardening options.
• Supports Ruby 2.1, 2.3, and 2.5.