The open source web application framework Ruby on Rails has been updated to version 3.2.2 to fix two important security issues and several other bugs.
Because of the serious nature of the security issues, users should upgrade their installations as quickly as possible. Users of Rails 3.0 and 3.1 will find new versions, 3.0.12 and 3.1.4, that also address the vulnerabilities.
The two cross-site scripting (XSS) vulnerabilities fixed in this release both allowed an attacker to inject arbitrary HTML, and with it script, into pages served by a Rails application, so that it runs in the browsers of users visiting the site. One came through option tag fields that were not properly escaped; the other through direct manipulation of a SafeBuffer, the string type Rails marks as already escaped, which let untrusted text inherit that "safe" marking and be emitted without escaping. Further details of the option tag issue and the SafeBuffer issue are available.
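To make the two vectors concrete, here is an added illustration written for this article, not Rails' own SafeBuffer or form helper code: a cut-down model of the "html_safe" string, a leaky variant whose in-place methods keep the safe flag (the pre-fix behaviour), a fixed variant that clears it, and an option-tag builder shown with and without escaping of the prompt. The class names LeakySafeBuffer and FixedSafeBuffer, the render_html, greet, option_tag and option_tags helpers, and the ATTACKER_INPUT sample are all assumed for the example; the escaping itself uses Ruby's standard ERB::Util.html_escape.

```ruby
require "erb"

# Constructed sample attacker input, the kind of value a request parameter
# might carry into a view.
ATTACKER_INPUT = "<script>alert(1)</script>"

# Cut-down model (written for this article, not ActiveSupport's code) of the
# html_safe string Rails calls SafeBuffer: the flag means "already escaped,
# emit verbatim", and anything appended without the flag is escaped first.
class LeakySafeBuffer < String
  def initialize(str = "")
    super(str.to_s)
    @html_safe = true
  end

  def html_safe?
    @html_safe
  end

  def concat(value)
    trusted = value.is_a?(LeakySafeBuffer) && value.html_safe?
    super(trusted ? value.to_str : ERB::Util.html_escape(value.to_s))
  end
  alias_method :<<, :concat

  # Pre-fix behaviour: sub!/gsub! are inherited from String untouched, so
  # whatever is substituted in place inherits the buffer's "safe" flag.
end

# Post-fix behaviour, in the spirit of the 3.2.2 change: an in-place edit
# clears the flag, so the whole buffer is escaped again when it is output.
class FixedSafeBuffer < LeakySafeBuffer
  %w[sub! gsub!].each do |name|
    define_method(name) do |*args, &block|
      @html_safe = false
      super(*args, &block)
    end
  end
end

# What the view layer does at output time: trusted buffers pass through,
# everything else is escaped.
def render_html(value)
  if value.respond_to?(:html_safe?) && value.html_safe?
    value.to_str
  else
    ERB::Util.html_escape(value.to_s)
  end
end

# Greeting template with the attacker's text substituted in place.
def greet(buffer_class, name)
  buf = buffer_class.new("Hello, NAME!")
  buf.sub!("NAME", name)
  render_html(buf)
end

# Model of the option-tag issue: <option> tags built from a prompt and a
# list of [label, value] pairs.  The bug was the equivalent of copying the
# prompt straight into markup; the fixed helper escapes every field before
# marking the result safe.
def option_tag(label, value)
  FixedSafeBuffer.new(
    "<option value=\"#{ERB::Util.html_escape(value)}\">#{ERB::Util.html_escape(label)}</option>"
  )
end

def option_tags_unescaped_prompt(choices, prompt)
  buf = FixedSafeBuffer.new("<option value=\"\">#{prompt}</option>")
  choices.each { |label, value| buf << option_tag(label, value) }
  buf
end

def option_tags(choices, prompt)
  buf = FixedSafeBuffer.new("<option value=\"\">#{ERB::Util.html_escape(prompt)}</option>")
  choices.each { |label, value| buf << option_tag(label, value) }
  buf
end

if __FILE__ == $PROGRAM_NAME
  puts greet(LeakySafeBuffer, ATTACKER_INPUT)   # the script tag reaches the page
  puts greet(FixedSafeBuffer, ATTACKER_INPUT)   # escaped
  puts render_html(option_tags_unescaped_prompt([["One", "1"]], ATTACKER_INPUT))
  puts render_html(option_tags([["One", "1"]], ATTACKER_INPUT))
end
```

The leaky greeting emits the script tag verbatim because the buffer still claims to be safe after sub!; the fixed one drops the flag and the output is escaped. That is also the caveat to plan for when upgrading: once an in-place edit marks the whole buffer untrusted, any markup already in it is escaped again on output, so code that edited safe strings with sub! or gsub! needs to rebuild them from escaped pieces (as option_tags does) rather than patching trusted markup in place.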
The Rails 3.2.2 update also includes fixes that ensure log files are flushed and that failing tests exit with a non-zero status code. It also removes calls to some deprecated methods and includes various Ruby 2.0 compatibility fixes.
More information on the changes since version 3.2.1 is available on GitHub. Users can download Rails 3.2.2 using RubyGems.