Rails 2.3.x

NES Release Notes

2.3.18.58

Notes

  • This is the initial release of the NES Rails 2.3.x series. It also includes the initial release of Rack v1.4.7.19, as well as the bug fixes listed below.

Bug Fixes

  • CVE-2023-28362 (actionpack) – Fixed a possible cross-site scripting (XSS) vulnerability when handling user-supplied values in redirect_to.
  • CVE-2016-0751 (actionpack) – Fixed a denial-of-service (DoS) vulnerability caused by a crafted HTTP Accept header.
  • CVE-2021-22885 (actionpack) – Fixed an information disclosure and unintended method execution vulnerability in Action Pack.
  • CVE-2016-0752 (actionpack) – Directory traversal vulnerability does not apply to version 2.3.18.
  • CVE-2022-32224 (activerecord) – Fixed a remote code execution (RCE) vulnerability with serialized columns in Active Record.
  • CVE-2022-44566 (activerecord) – Fixed a denial-of-service (DoS) vulnerability in Active Record's PostgreSQL adapter.
  • CVE-2014-3482 (activerecord) – Fixed a SQL injection vulnerability in Active Record.
  • CVE-2020-8151 (activeresource) – Fixed an information disclosure issue in Active Resource.
  • CVE-2024-25126 (rack) – Fixed a Regular Expression Denial-of-Service (ReDoS) vulnerability in content type parsing.
  • CVE-2023-27530 (rack) – Fixed a possible DoS vulnerability in Multipart MIME parsing.
  • CVE-2020-8161 (rack) – Fixed a directory traversal vulnerability in the Rack::Directory app bundled with Rack.
  • CVE-2018-16471 (rack) – Fixed a cross-site scripting (XSS) vulnerability in Rack.
  • CVE-2022-30122 (rack) – Fixed a denial-of-service (DoS) vulnerability in Rack Multipart Parsing.
  • CVE-2020-8184 (rack) – Fixed an issue where Rack allowed percent-encoded cookies to overwrite existing prefixed cookie names.
  • CVE-2022-30123 (rack) – Fixed a possible shell escape sequence injection vulnerability in Rack.
  • CVE-2024-26141 (rack) – Fixed a possible DoS vulnerability with the Range Header in Rack.
  • CVE-2024-26146 (rack) – Fixed a header parsing issue in Rack that could lead to a possible denial-of-service (DoS) vulnerability.
  • CVE-2015-3227 (activesupport) – Fixed a denial-of-service (DoS) vulnerability in Active Support triggered by large XML document depth.
  • CVE-2019-16782 (rack) – Fixed a possible information leak / session hijack vulnerability in Rack.