Fixed a regression for CVE-2013-0269 and CVE-2020-10663 that reintroduced a vulnerability in JSON.parse on Ruby version 2.7+; see the linked advisory for more details. Thanks to Severin Schoepke for bringing this to our attention.
Feb 19th 2024, Rails version 3.2.22.45
Relaxed requirement on the mysql2 gem to allow Rails LTS to work with mysql2 version 0.5.6+.
Oct 18th 2023, Rack version 1.4.7.17
Fixed an incompatibility with newer versions of the rack-cache gem.
Oct 18th 2023, Rails version 3.2.22.44
Fixed a bug for Ruby 3.1, where it was not possible to use scopes or class methods on scopes with keyword arguments.
Fixed a possible XSS vulnerability via user-supplied values passed to redirect_to (CVE-2023-28362); see the linked advisory for more details.
May 22nd 2023, Rails version 3.2.22.42
Fixed a potential (non-security) issue with the 3.2.22.40 / 3.2.22.41 releases on certain Ruby versions / versions of the uri gem.
Apr 4th 2023, Rails version 3.2.22.41
Fixed a potential issue with the 3.2.22.40 release for certain web server configurations.
Apr 4th 2023, Rails version 3.2.22.40
Added monkey patches to address ReDoS vulnerabilities in the time and uri stdlibs (CVE-2023-28755, CVE-2023-28756); see the linked advisory for more details.
Relaxed i18n dependency to allow versions 1.x. To avoid getting a newer version, add gem 'i18n', '< 1' to your Gemfile. This has no security implications.
Mar 27th 2023, Rack version 1.4.7.15
The earlier fix for CVE-2022-44571 was incomplete. This release corrects the issue.
Mar 23rd 2023, Rails version 3.2.22.39
Added a partial mitigation for CVE-2013-3221, which is relevant when querying MySQL string columns with integers. See the linked advisory for more details.
Mar 14th 2023: Rails version 3.2.22.38
Fixed an XSS issue with SafeBuffer#bytesplice (only on Ruby 3.2, which is not currently supported); see the linked advisory for more details.
Relaxed version requirement for rack-ssl. You can upgrade rack-ssl to 1.4.x to fix CVE-2014-2538 (a low severity XSS vulnerability that is unlikely to affect a properly configured production instance).
Merged the upstream bug fix for [CVE-2022-32224], a possible RCE escalation bug with serialized columns in Active Record. We tried to make it less of a breaking change than the official patch by adding a default set of permitted serializable classes. Note that this patch has no effect for Rubies < 2.1; see the linked details.
Relaxed the version requirement for bcrypt. Old bcrypt versions have issues on some newer Linux distros, but it was not possible to update to a fixed version. With this version of 3.2 LTS, you can now set bcrypt-ruby to ~> 3.0 in your Gemfile and do a bundle upgrade bcrypt-ruby without Rails complaining.
Dec 21st, 2021: Version 3.2.22.26
Improved compatibility with newer PostgreSQL versions. 3.2 LTS should now work with PostgreSQL up to version 14.
Sep 14th, 2021: Version 3.2.22.25
Relaxed requirement for Bundler. It is now possible to use Rails 3.2 LTS with Bundler 2 (given a compatible version of Ruby and Rubygems).
Fixed ActiveRecord::SessionStore so it is no longer vulnerable to timing attacks that can lead to session hijacking (CVE-2019-16782); see the linked details.
Mar 22nd, 2019: Amendment to CVE-2019-5418
The previously reported CVE-2019-5418 has been upgraded to possible remote code execution. Rails LTS 3.2.22.13 protects your application against this exploit.
In our own investigations we found that Sprockets 2.2.3 is not vulnerable to CVE-2018-3760, despite the original advisory claiming so. Since no fixed Sprockets versions were compatible with Rails 3.2, we've decided to freeze the dependency to 2.2.3, which has no vulnerability known to us.