I’m sure many of you have heard, but Ruby on Rails version 2.3.x is no longer supported by the core Rails development team. This change is going to have drastic consequences for the many organizations still using 2.3.x.
Rails version 2.3.x will no longer receive security patches and maintenance updates.
The decision to stop supporting 2.3.x comes not long after two major security breaches that occurred earlier in January. These vulnerabilities allowed attackers to execute arbitrary code on practically every application running on Ruby on Rails; the application only needed to be reachable from the Internet. Patrick McKenzie of Kalzumeus Software wrote an excellent writeup of the issue. The root cause was a vulnerability involving YAML, a serialization format that can deserialize input into arbitrary objects, which in turn can result in the execution of arbitrary code.
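To make the YAML point concrete, here is an added example (not code from this post, from Rails, or from Patrick McKenzie's writeup) showing the difference between a loader that honours object tags and one that only builds plain data. The `AuditRecord` class and the tagged document are constructed for the example; the `permitted_classes:` keyword assumes Ruby 2.6 or later.

```ruby
require 'yaml'

# Harmless class standing in for "any class on the load path".
# Constructed for this example.
class AuditRecord
  attr_reader :actor, :action
  def initialize(actor = nil, action = nil)
    @actor, @action = actor, action
  end
end

# Constructed input: tagged YAML of the kind a client could submit.
# The !ruby/object tag asks the loader to instantiate AuditRecord.
TAGGED_YAML = <<~YAML
  --- !ruby/object:AuditRecord
  actor: web-client
  action: login
YAML

# Legacy behaviour (what Rails 2.3-era YAML.load did): the tag is honoured and
# an object is built from caller-controlled data. Psych 4 made YAML.load safe,
# so unsafe_load is used where it exists to reproduce the old semantics.
def legacy_load(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# Hardened: refuse every class that is not explicitly permitted.
def hardened_load(yaml, permitted: [])
  YAML.safe_load(yaml, permitted_classes: permitted)
end

# Runs the three cases and returns their outcomes for inspection.
def demo
  legacy = legacy_load(TAGGED_YAML)            # an AuditRecord instance
  blocked = begin
    hardened_load(TAGGED_YAML)                 # raises Psych::DisallowedClass
    nil
  rescue Psych::DisallowedClass => e
    e
  end
  allowed = hardened_load(TAGGED_YAML, permitted: [AuditRecord])
  { legacy: legacy, blocked: blocked, allowed: allowed }
end

if $PROGRAM_NAME == __FILE__
  r = demo
  puts "legacy load built:   #{r[:legacy].class}"
  puts "safe_load refused:   #{r[:blocked].class}"
  puts "with allow-list:     #{r[:allowed].class}"
end
```

The allow-list call shows the pattern to reach for when an application genuinely needs typed YAML: name the few classes it expects instead of accepting any class the document asks for.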
With the release of Rails 4, the core Rails team no longer sees it as necessary to support 2.3.x, given the better options now available.
If you have been affected by this change in any way, you can’t just close your eyes and pray that everything will be OK; that will probably end poorly. Libraries will quickly fall out of date, causing errors and incompatibilities with your current systems. You basically have three options:
Without taking some countermeasures, the lack of support for Rails 2.3.x means that systems running it will soon be (or already are) vulnerable in highly critical areas. Make sure this isn’t you!