The Rails developers have pushed out three new releases in tandem to fix the same security vulnerabilities. All three major branches have been covered. The vulnerabilities include:
- SQL injection vulnerability
- A way for attackers to render a view without first calling the corresponding action
- A XSS vulnerability in the strip_tags helper
- Another XSS vulnerability, this time having to do with the UTF8 parsing code
It's recommended that everyone upgrade, as the SQL injection and XSS vulnerabilities can be particularly damaging.