Rails 3.2.12, 3.1.11, and 2.3.17 have been released
Please also note from the blog post that CVE-2013-0269 refers to the "json" gem, which may not get upgraded with the rails gem updates. You may need to add it as a separate dependency to your Gemfile to make sure you are using json version 1.7.7, 1.6.8, or 1.5.5.
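As an added example (not code from this thread or from the Rails project), here is a small audit script that answers the question the comment above raises: is the json gem an app will actually load one of the fixed versions? With Bundler the loaded version is whatever Gemfile.lock pins, so the script reads the `specs:` entries of a lockfile and compares them against the fixed releases named in the announcement (rails 3.2.12 / 3.1.11 / 2.3.17, json 1.7.7 / 1.6.8 / 1.5.5). The lockfile text is constructed for the example; the version comparison uses RubyGems' `Gem::Requirement`, so "1.7.10" is correctly treated as newer than "1.7.7".

```ruby
# Added example: check a Gemfile.lock for the rails and json versions that fix
# the February 2013 advisories. Not code from the thread or from Rails.
require 'rubygems'

# Fixed releases per supported series, as listed in the announcement. A version
# is considered patched when it satisfies any requirement for that gem
# (so a later release in the same series counts too).
FIXED_VERSIONS = {
  'rails' => ['>= 3.2.12', '~> 3.1.11', '~> 2.3.17'],
  'json'  => ['>= 1.7.7',  '~> 1.6.8',  '~> 1.5.5'],
}.freeze

def patched?(gem_name, version_string)
  version = Gem::Version.new(version_string)
  FIXED_VERSIONS.fetch(gem_name).any? do |req|
    Gem::Requirement.new(req).satisfied_by?(version)
  end
end

# Locked gems appear in the GEM block as "    name (x.y.z)" (four spaces);
# their dependencies are indented six spaces and carry operators such as
# "(~> 1.7)", so require exactly four spaces and a version starting with a digit.
def locked_version(lockfile_text, gem_name)
  match = lockfile_text.match(/^ {4}#{Regexp.escape(gem_name)} \((\d[^)]*)\)\s*$/)
  match && match[1]
end

# Returns one entry per gem of interest: locked version (nil if not present)
# and whether that version is patched (nil when the gem is not locked).
def audit(lockfile_text)
  FIXED_VERSIONS.keys.map do |name|
    locked = locked_version(lockfile_text, name)
    { name: name, locked: locked, patched: locked && patched?(name, locked) }
  end
end

# Constructed sample lockfile (an app still on 3.2.11 with json 1.7.6).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (3.2.11)
        i18n (~> 0.6)
        multi_json (~> 1.0)
      json (1.7.6)
      multi_json (1.5.0)
      rails (3.2.11)
        activesupport (= 3.2.11)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 3.2.11)
LOCK

if __FILE__ == $0
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  audit(text).each do |entry|
    status = entry[:locked].nil? ? 'not locked' : (entry[:patched] ? 'patched' : 'VULNERABLE')
    puts format('%-6s %-8s %s', entry[:name], entry[:locked] || '-', status)
  end
end
```

Run it against a real lockfile with `ruby audit.rb path/to/Gemfile.lock`. Note that a Gemfile pinning only `gem 'rails', '3.2.12'` will not necessarily move json, since json is pulled in as a transitive dependency; adding `gem 'json', '1.7.7'` (or the matching 1.6.8 / 1.5.5 for older apps) to the Gemfile and running `bundle update json` is what changes the locked version.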
It is also important to note that at least the 3.2.12 release forces you to upgrade rack too. This is due to separate vulnerabilities reported in rack recently (see http://rack.github.com/).
There have been other commits that made it into the 3-2-stable branch, and I would have expected that those fixes would have made it into the next 3.2.x release, but that's not the case. Is that normal for Rails updates?
For example, https://github.com/rails/rails/pull/8718 is a PR that was merged into 3-2-stable to deal with a regression in 3.2.8.
I know we shouldn't rely on security by obscurity, but I hope people will stop posting proofs of concept within the first 24 hours of the announcement.
Meh. I don't use attr_protected anyway, and neither should anyone else. Security 101 - whitelist, don't blacklist.
That said the JSON issue looks worrying, so an update and redeploy is necessary.
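The whitelist-versus-blacklist point above, as an added example in plain Ruby that runs without Rails (this is not code from the thread or from Rails, and the bypass it shows is a generic one, not the mechanism of the attr_protected advisory). A blacklist has to anticipate every spelling of a protected name; here the model normalises keys (strip, downcase, symbol to string) only after the blacklist check has run, so a constructed request with the key "Admin" slips past `%w[admin]` and still writes the `admin` attribute. A whitelist applied after the same normalisation can only ever let through names it explicitly knows.

```ruby
# Added example, not from the thread or from Rails: blacklist vs whitelist
# filtering of mass-assigned attributes, in plain Ruby.

# Attributes the model will store; anything else is silently dropped.
MODEL_ATTRIBUTES = %w[name email admin].freeze

# Key normalisation the model applies before writing: symbols become strings,
# surrounding whitespace is removed, and case is folded.
def normalise(params)
  params.each_with_object({}) { |(k, v), h| h[k.to_s.strip.downcase] = v }
end

# What a write to the model looks like after normalisation.
def write_attributes(params)
  normalise(params).select { |k, _| MODEL_ATTRIBUTES.include?(k) }
end

# Blacklist (attr_protected style): drop keys whose literal spelling matches a
# protected name, then write. The check runs on the raw key, the write on the
# normalised one, so "Admin" or " admin" survive the check and reach the model.
def assign_with_blacklist(params, protected_keys)
  filtered = params.reject { |k, _| protected_keys.include?(k.to_s) }
  write_attributes(filtered)
end

# Whitelist (attr_accessible style): normalise first, then keep only keys that
# are explicitly allowed. Unexpected spellings never map to an allowed name.
def assign_with_whitelist(params, allowed_keys)
  normalise(params).select { |k, _| allowed_keys.include?(k) }
end

if __FILE__ == $0
  # Constructed requests: one honest, one trying to set admin under another spelling.
  honest = { name: 'Alice', email: 'alice@example.com' }
  attack = { 'name' => 'Mallory', 'Admin' => true }

  p assign_with_blacklist(honest, %w[admin])      # name and email written
  p assign_with_blacklist(attack, %w[admin])      # admin => true gets through
  p assign_with_whitelist(attack, %w[name email]) # only name survives
end
```

The obvious patch to the blacklist is to normalise before checking, and that is exactly the problem: every such fix is reactive to a bypass someone already found, whereas the whitelist is safe by construction because the allowed set is closed.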
This is really wonderful work, both from the investigators who've documented and described the vulnerabilities and the Rails folks for being quick to fix them.
My co-founder and I had talked about YAMLgate when it happened; our conclusion was that Rails is going to be under very close scrutiny for a while, and that there will be a lot of these things found, but that the framework will be all the stronger for it.
Always bear this in mind: even if it means more work for admins and devs, this promptness of response and willingness to admit failings is a sign of a healthy ecosystem.
So, why did the Rails maintainers arbitrarily decide to stop supporting 3.0.x versions, while still supporting 2.3.x versions?
Updating Rails (an article with details and advice):
http://railsapps.github.com/updating-rails.html
Let me know if I got anything wrong. It's for anyone who is not sure how to upgrade to a new Rails version.
The release text is not that clear. Is that a new big security issue?
Noob question: I just installed the newest version of Rails with "gem install rails", but when I run "rails -v" I still get 3.2.11.
How do I tell the computer to start using the newest version of Rails?
Does anyone have a copy of the CVEs that's not on Google Groups? Something in the js or cookie-handling is broken for me and the page includes no text.
Anyone know when 4.0 is coming out?