Jason, you are actually right. 2-2-stable and 2-1-stable are not
supported anymore even though we provided patches for the CSRF fix:

"Please note that only the 2.3.x and 3.0.x series are supported at
present.  Users of earlier unsupported releases are advised to upgrade
as soon as possible as we cannot guarantee continued security fixes
indefinitely."

http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665

So it is likely that we will drop 2-3-stable support once 3.1 is out.

On Feb 10, 7:00 pm, Jason King <[email protected]> wrote:
> On Thu, Feb 10, 2011 at 9:28 AM, fowlduck <[email protected]> wrote:
>
> > 2) The patch provided by rails core doesn't work on 2.3.2-2.3.4 due to
> > form_authenticity_param being missing and doesn't work on 2.3.5 due to
> > the lack of the html_safe method. Applying the patch to vendored
> > rails, in this case, would have resulted in a broken app (which even
> > if fixed may not work as expected).
>
> I think you're misunderstanding what the last number in 2.3.2, 2.3.4 etc.
> means.  And everyone is using the word "version" to mean two different
> things here.
>
> > Which versions of rails are considered supported with regard to
> > security fixes, then? That's a compelling reason to upgrade with every
> > patch release.
>
> Yes it is.
>
> The *versions* of Rails supported are 2.3 and 3.0 (although José says 2.1
> and 2.2 as well) - which is why both had a patch release with the security
> patches.  In the proper sense of the word, "upper-case V" Version if you
> like, 2.3.5 is not a *version* of Rails, it's patch release 5 of version
> 2.3.
>
> 2 = Major version
> 3 = Minor version
> 5 = Patch number
>
> Cheers,
> Jason
