303 Backported patches for legacy Ruby versions

The Rails LTS service only covers security updates for the Rails framework, not for Ruby.

As a courtesy to our customers, we sometimes backport security patches to legacy Ruby versions, which you can find below. However, we cannot guarantee future patches for legacy Ruby versions.

Patches for Ruby 1.8.7

Download ruby_1_8_7-p374-fixes-2015-04-14.patch and rename it to download.patch.

This patch applies to Ruby version **...

310 rspec-rails 1.3 compatibility fork for Rails LTS 2.3

An expectation like this will fail with Rails LTS 2.3:

should render_template(:edit)

The error will look like this:

expecting <:edit> but rendering with <"">

This is an issue with rspec-rails 1.x monkey-patching into ActionController during controller specs.


To fix this, use our compatibility fork of rspec-rails 1.3.

With Bundler

If ...

311 rspec-rails 2.14 compatibility fork for Rails 3.2 LTS

With Rails 3.2 LTS your RSpec 2 controller specs might fail with an error like this:

  undefined method `[]' for nil:NilClass


To fix this, use our compatibility fork of rspec-rails 2.14.

You can switch to the fork by updating your Gemfile:

gem 'rspec-rails', :git => 'https://github.com/makandra/rspec-rails.git', :branch => '2-14-lts'

Now run bundle update rspec-rails.

401 [CVE-2018-15578] Denial of Service vulnerability in Rails 3.2 LTS (Active Record)

There is a possible ReDoS (regular expression denial of service) vulnerability in the activerecord gem that is part of Rails LTS. An attacker using a specially crafted request can cause an application with certain vulnerable code to consume an excessive amount of CPU time.

Affected versions: Rails LTS and lower, Rails LTS and lower
Unaffected versions: Rails 2.3 LTS

Note: The flaw is also present in the official non-LTS 3.x version of Active Record, which is no longer maintained. Other non-LTS Rails versions are not af...

Change to ActiveRecord deserialization (CVE-2022-32224)

Mimicking the offical change in Rails 5.1.8 to protect against CVE-2022-32224, all versions of Rails LTS try to use YAML.safe_load to deserialize database columns in ActiveRecord. This is a potential breaking change.


When using something like

class MyModel < ActiveRecord::Base
  serialize :address_data
  # or alternatively
  store :settings, accessor: [:color, :homepage]

ActiveRecord will use YAML to serialize and deserialize data. However, YAML deserialization using YAML.load (or explicitly `YAML.unsafe...

Installation instructions for rails-ujs or jquery-ujs

We maintain several forks since [CVE-2023-23913] of rails-ujs and jquery-ujs.
Since each Rails app has a different way of handling asset packages, we introduced several new forked packages with a fix.
If you want to install one of those packages, please replace your npm package or gem with one of our forked versions.

Use the NPM package @railslts/jquery-ujs to replace the jquery-ujs NPM package, e.g. with npm install @railslts/jquery-ujs.
Use the NPM package @railslts/rails-ujs to replace the rails-ujs NPM package, e.g. with `npm...

Rack has been added to Rails LTS

Historically, the "rack" gem was not part of Rails LTS, simply because it was maintained and released separate from Ruby on Rails. However, since Rails cannot work without Rack, and since Rack did have a few minor security vulnerabilities, we've been maintaining forks of Rack on Github for a while.

This has now changed and Rack is now a core gem of Rails LTS. This means:

  • We are committed to maintaining and patching Rack, and will make sure it works on the same Ruby versions that Rails LTS supports.
  • We will serve rack over our gem server...

Ruby 3.1 support for Rails LTS


You can find the updated guide here.

We are pleased to announce that all versions of Rails LTS now support Ruby 3.1, additionally to all Ruby versions we previously supported.

As always, "support" means:

  • You should not run into errors that cannot be solved without changes to Rails.
  • We did our best to not require you to make too many changes.
  • There will most likely be issues within your own code and with third party gems.

We have successfully upgraded a...