Two new Ruby on Rails versions have been released yesterday because of 4 security vulnerabilities in Rails.

Potential XSS Problem with mail_to :encode => :javascript

Versions Affected: All.

Not affected: Applications which don’t use :encode => :javascript

Fixed Versions: 3.0.4, 2.3.11

CSRF Protection Bypass in Ruby on Rails

Versions Affected: 2.1.0 and above

Not affected: Applications which don’t use the built in CSRF protection.

Fixed Versions: 3.0.4, 2.3.11

Do read the instructions carefully because it will affect your session and may require additional steps other than just updating. More here and in the Rails Security Guide.

Potential SQL Injection in Rails 3.0.x

Versions Affected: 3.0.0-3.0.3

Not affected: Releases before 3.0.0

Fixed Versions: 3.0.4

Unfortunately this has been fixed in earlier versions already.

Versions Affected: 3.0.0-3.0.3

Not affected: 2.3.x versions and all earlier versions. Applications deployed on case-sensitive filesystems.

Fixed Versions: 3.0.4