Rails has announced three new versions today: 3.2.13, 3.1.12, and 2.3.18. These releases contain important security fixes, and users are recommended to upgrade as soon as possible.
Please check out these links for the security fixes:
- CVE-2013-1854 Symbol DoS vulnerability in Active Record
- CVE-2013-1855 XSS vulnerability in sanitize_css in Action Pack
- CVE-2013-1856 XML Parsing Vulnerability affecting JRuby users
- CVE-2013-1857 XSS Vulnerability in the sanitize helper of Ruby on Rails
All versions of Rails are affected by one or more of these issues, but under the Rails maintenance policy only 3.2.13, 3.1.12, and 2.3.18 have been released. Patches for older versions can be found on each stable branch on GitHub:
as well as in the security advisories. For other changes in each release, please see the CHANGELOG corresponding to that version.
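Before upgrading, most teams want to know which of their apps are actually on a fixed release. The following is an added example, not code from the Rails project or this announcement: it reads the locked `rails` version out of a Bundler `Gemfile.lock` and classifies it against the three fixed versions named above. A version in a maintained series (3.2, 3.1, 2.3) is either patched or vulnerable; a version in any other series has no release and is reported as unsupported, meaning it needs the backported patch from its stable branch. The `Gemfile.lock` content below is constructed for the example; the helper names `rails_status` and `locked_rails_version` are this example's own.

```ruby
# Added example (not part of the Rails announcement): classify a Rails
# version against the fixed releases 3.2.13, 3.1.12 and 2.3.18.
require "rubygems"

# Fixed versions named in the announcement, keyed by maintained series.
FIXED = {
  "3.2" => Gem::Version.new("3.2.13"),
  "3.1" => Gem::Version.new("3.1.12"),
  "2.3" => Gem::Version.new("2.3.18"),
}.freeze

# Returns :patched, :vulnerable, or :unsupported. :unsupported means the
# series got no release under the maintenance policy, so the app needs the
# backported patch from the corresponding stable branch, not a gem bump.
def rails_status(version_string)
  v = Gem::Version.new(version_string)
  series = v.segments[0, 2].join(".")
  fixed = FIXED[series]
  return :unsupported unless fixed
  v >= fixed ? :patched : :vulnerable
end

# Extract the locked rails version from Gemfile.lock text. Bundler lists the
# gem itself at four spaces ("    rails (3.2.12)"); dependency lines such as
# "      rails (= 3.2.12)" are indented six spaces and are skipped.
def locked_rails_version(lockfile_text)
  m = lockfile_text.match(/^\s{4}rails \(([^)]+)\)\s*$/)
  m && m[1]
end

# Constructed sample Gemfile.lock fragment for the example.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.12)
        activemodel (= 3.2.12)
      rails (3.2.12)
        actionpack (= 3.2.12)
        railties (= 3.2.12)
      railties (3.2.12)
        rails (= 3.2.12)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 3.2.12)
LOCK

if __FILE__ == $0
  version = locked_rails_version(SAMPLE_LOCK)
  puts "rails #{version}: #{rails_status(version)}"
  %w[3.2.13 3.1.11 2.3.18 3.0.20].each do |v|
    puts "rails #{v}: #{rails_status(v)}"
  end
end
```

Run it against a real lockfile with `locked_rails_version(File.read("Gemfile.lock"))`. Pre-release strings such as `3.2.13.rc1` sort below `3.2.13` under `Gem::Version`, so they are correctly reported as vulnerable.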