We’re almost at the end of the road for Rails 4.0.0. This is intended to be the last release candidate before the final version is released. We have just under a hundred commits in since RC1. All just fixing regressions since the last release.

As last time, please give this release candidate an honest try. This is the version we’re going to ship on June 25th unless people find and report blocking issues. Please report all the issues you find on the Rails issue tracker.

As always, install the release with gem install rails --version 4.0.0.rc2 --no-ri --no-rdoc or depend on the v4.0.0.rc2 tag. You can also follow the 4-0-0 branch. 4-0-0-stable is now targeting 4.0.1 and master is targeting 4.1.

Go West, friends!

Google has announced the accepted projects for the Summer of Code 2013 and Rails has been granted five slots. Here’s what our students will be working on this summer:

Genadi Samokovarov will be working on adding a web-based console for development, debugging and testing your Rails applications. He will be mentored by Rails Core Team member Guillermo Iguaran.

Łukasz Strzałkowski will be working on seperating Action View from Action Pack and adding support for custom view classes. He will be mentored by Piotr Sarnacki, who was a Rails Summer of Code student in 2010 and has been a consistent contributor to Rails.

Ujjwal Thaakar will be working on adding support to Rails for bulk/collection actions with RESTful resources. He will be mentored by Rails Core Team member Andrew White.

Kasper Timm Hansen will be working on replacing the venerable html-scanner in the Rails HTML Sanitization API with Loofah and adding improvements to the API. He will be mentored by Rails Core Team member Rafael França.

John Wang will be working on refactoring the configuration and initialization of Rails applications. He will be mentored by Rails Core Team member Santiago Pastorino.

We’d like to thank all of the students and mentors who participated in the Summer of Code selection process - it was tough to get down to five projects, considering all the great proposals we had. We’re looking forward to seeing what all of our students bring to Rails this summer and we hope not to lose touch with others who are also excited about the prospects for Rails 4.0.

Just in time for the opening of RailsConf, we managed to push out the first release candidate of Rails 4.0. This incorporates no less than 1,368 commits since beta 1. You can see the full list of changes on Github. If you’re interested in a high-level review of what’s in Rails 4.0, please see the announcement we made for beta 1.

As last time, please give this release candidate an honest try. This is pretty much the version we’re going to ship unless people find and report blocking issues. Depending on how much stuff is unearthed, we expect that the final version could drop in as little as 3-4 weeks. Please report all the issues you find on the Rails issue tracker.

We’re still working on the upgrade guide from 3.2 to 4.0, but that’s a good place to start for help on how to do it. We’re also so lucky to have many authors and screencasters ready with material for 4.0. In the books department, you’ll find Rails 4.0-ready versions of Agile Web Development with Rails and Crafting Rails Applications. For screencasts, checkout the new Rails 4: Zombie Outlaws and Mike Clark’s Rails 4 class. There’s new material and books coming out all the time from a variety of other authors and broadcasters, so we’re really in good shape with training material timed for the release this time!

As always, install the release with gem install rails --version 4.0.0.rc1 --no-ri --no-rdoc or depend on the v4.0.0.rc1 tag. We also have a new 4-0-stable branch. Master is now safe to move on to developing features for 4.1.

Go West, friends!

We’re pleased to announce, Ruby on Rails has been accepted into Google Summer of Code 2013 as a mentoring organization. What does this mean to you? Potentially, if you’re the right person, you can get paid to work on Rails this summer! The “right person” in this case is one who is at least 18 years old (sorry, Google’s rule, not ours!) on or before May 27, 2013; a full or part-time college student; and passionate about improving Rails.

We’re building a potential list of project ideas on a GitHub wiki, but we welcome other interesting proposals. If your proposal gets accepted, Google will pay you $5000 over the course of three months to work on the code. If you’re interested, head over to the GSoC site and start reading about the process. Student applications can be submitted starting April 22 and the deadline is May 3.

If you’re wondering what’s involved in becoming a GSoC student then the Google Student Guide has all the details on what’s expected and what you will gain from taking part. Any further questions can be directed either to the mailing list or to me directly.

What if you’re not a student? You can still help out by discussing ideas on the special mailing list we’ve setup for this year’s program. Or if you’ve got previous experience of contributing to Rails and are ready to make a strong commitment to help out the next generation of developers, you can apply to be a mentor.

We’re looking forward to working with this year’s students, and expecting some outstanding contributions to Rails as a result!

Hi everyone!

Rails versions 3.2.13, 3.1.12, and 2.3.18 have been released. These releases contain important security fixes. It is recommended users upgrade as soon as possible.

Please check out these links for the security fixes:

• CVE-2013-1854 Symbol DoS vulnerability in Active Record
• CVE-2013-1855 XSS vulnerability in sanitize_css in Action Pack
• CVE-2013-1856 XML Parsing Vulnerability affecting JRuby users
• CVE-2013-1857 XSS Vulnerability in the sanitize helper of Ruby on Rails

All versions of Rails are impacted by one or more of these security issues, but per our maintenance policy, only versions 3.2.13, 3.1.12, and 2.3.18 have been released. You can find patches for older versions on each stable branch on GitHub:

• Rails 3-0-stable

as well as with the security advisories.

For other changes in each particular release, please see the CHANGELOG corresponding to that version. For all commits in each release, please follow the links below:

• Changes in 3.2.13
• Changes in 3.1.12
• Changes in 2.3.18

Here are the checksums for the released gems:

3.2.13

[aaron@higgins dist]$ shasum *3.2.13.gem
72b14536f1717121e8b2a5aa5a06c6194e02c87c  actionmailer-3.2.13.gem
a21166f7c364ff7825bf83f9757c33cc44fa0c00  actionpack-3.2.13.gem
9fa309dee3f87a53764db3aaefe3bbf6f9724ad2  activemodel-3.2.13.gem
469f6b4456d7fa1bf0336d488ad5878a6842e2da  activerecord-3.2.13.gem
0c89382354ffc5b4438ed37434b50d7cbc71d569  activeresource-3.2.13.gem
cdf230b698b28ae1cffb325ecbb9e219645ed68b  activesupport-3.2.13.gem
3785dc8d2af1521baddf2d90b67a9b61b2b31604  rails-3.2.13.gem
ff0607812bead596492272e4a4306ae3e950bdf4  railties-3.2.13.gem

3.1.12

[aaron@higgins dist]$ shasum *3.1.12.gem
b3f0ecee33032416170263508ccfb33d5dd65eef  actionmailer-3.1.12.gem
426fcf3f5d4e29ae6bf21f536a97d90d02bf73bb  actionpack-3.1.12.gem
2b01ba8bd85d67ded372f3908b694c1fa1ccb041  activemodel-3.1.12.gem
a3afc58fe3f7448ba09cdacb2046c9e10e474cb4  activerecord-3.1.12.gem
d3402193c0820f016b492162547194f942c96c1a  activeresource-3.1.12.gem
e25ed2f7e055d38b1bed482faf8b563a6b7e3899  activesupport-3.1.12.gem
75c2f85ed1e09d2bd1baa3efab5f097cdaef2a6b  rails-3.1.12.gem
618c5beb85124fbedfe41a72424079700f7a1d2c  railties-3.1.12.gem

2.3.18

[aaron@higgins dist]$ shasum *2.3.18.gem
09e361c4c96104303abad5faa4aec72ebe7c19d1  actionmailer-2.3.18.gem
deca0d8352858f734479b54162269e334faada21  actionpack-2.3.18.gem
e385b4b2e863592f9f06ca3248a67a18ea8c7e6c  activerecord-2.3.18.gem
ff4fb4a62c4d4007a6c596edf8f7055147948e60  activeresource-2.3.18.gem
1b9102fa31a47cf66b0c2583c99b707544d42054  activesupport-2.3.18.gem
f4aff07dce1db10ad6145e358344671cc482de70  rails-2.3.18.gem

Happy Monday!

<3<3<3

Hi everybody.

I’d like to announce that Rails 3.2.13.rc2 has been released.

Rails 3.2.13.rc2 contains fixes for regressions found in rc1. Please test out rc2. If you find regressions between 3.2.13.rc2 and 3.2.12, please email the rails-core mailing list, or file an issue on GitHub.

If there aren’t any major regressions, 3.2.13 final will be released on March 13, 2013.

• Changes in 3.2.12

Changes:

• 3.2.12 to 3.2.13.rc1
• 3.2.13.rc1 to 3.2.13.rc2

<3<3<3

Hey everyone! I am pumped to announce that Rails 3.2.13.rc1 has been released! If no regressions are found I will release 3.2.13 final in two weeks, on March 13, 2013. If you find one, please Open an Issue on GitHub so that I can fix it before the final release.

This is a bugfix release, with 287 commits. There is one big thing that is technically a fix but is sort of a feature: Ruby 2.0 support. Big thanks to Prem Sichanugrist for putting that together! Please give your applications a try on Ruby 2.0 and let me know how that goes.

CHANGES since 3.2.12

Action Mailer

No changes.

Action Pack

• Determine the controller#action from only the matched path when using the shorthand syntax. Previously the complete path was used, which led to problems with nesting (scopes and namespaces). Fixes #7554. Backport #9361.

  Example:

  # this will route to questions#new
  scope ':locale' do
    get 'questions/new'
  end
  

  Yves Senn

• Fix assert_template with render :stream => true. Fix #1743. Backport #5288.

  Sergey Nartimov

• Eagerly populate the http method loookup cache so local project inflections do not interfere with use of underscore method ( and we don’t need locks )

  Aditya Sanghi

• BestStandardsSupport no longer duplicates X-UA-Compatible values on each request to prevent header size from blowing up.

  Edward Anderson

• Fixed JSON params parsing regression for non-object JSON content.

  Dylan Smith

• Prevent unnecessary asset compilation when using javascript_include_tag on files with non-standard extensions.

  Noah Silas

• Fixes issue where duplicate assets can be required with sprockets.

  Jeremy Jackson

• Bump rack dependency to 1.4.3, eliminate Rack::File headers deprecation warning.

  Sam Ruby + Carlos Antonio da Silva

• Do not append second slash to root_url when using trailing_slash: true

  Fix #8700. Backport #8701.

  Example: # before root_url # => http://test.host//

  # after
  root_url # => http://test.host/
  

  Yves Senn

• Fix a bug in content_tag_for that prevents it for work without a block.

  Jasl

• Clear url helper methods when routes are reloaded by removing the methods explicitly rather than just clearing the module because it didn’t work properly and could be the source of a memory leak.

  Andrew White

• Fix a bug in ActionDispatch::Request#raw_post that caused env['rack.input'] to be read but not rewound.

  Matt Venables

• More descriptive error messages when calling render :partial with an invalid :layout argument.

  Fixes #8376.

  render :partial => 'partial', :layout => true
  # results in ActionView::MissingTemplate: Missing partial /true
  

  Yves Senn

• Accept symbols as #send_data :disposition value. [Backport #8329] Elia Schito

• Add i18n scope to distance_of_time_in_words. [Backport #7997] Steve Klabnik

• Fix side effect of url_for changing the :controller string option. [Backport #6003] Before:

  controller = '/projects'
  url_for :controller => controller, :action => 'status'
  
  puts controller #=> 'projects'
  

  After

  puts controller #=> '/projects'
  

  Nikita Beloglazov + Andrew White

• Introduce ActionView::Template::Handlers::ERB.escape_whitelist. This is a list of mime types where template text is not html escaped by default. It prevents Jack & Joe from rendering as Jack & Joe for the whitelisted mime types. The default whitelist contains text/plain. Fix #7976 [Backport #8235]

  Joost Baaij

• BestStandardsSupport middleware now appends it’s X-UA-Compatible value to app’s returned value if any. Fix #8086 [Backport #8093]

  Nikita Afanasenko

• prevent double slashes in engine urls when Rails.application.default_url_options[:trailing_slash] = true is set Fix #7842

  Yves Senn

• Fix input name when :multiple => true and :index are set.

  Before:

  check_box("post", "comment_ids", { :multiple => true, :index => "foo" }, 1)
  #=> <input name=\"post[foo][comment_ids]\" type=\"hidden\" value=\"0\" /><input id=\"post_foo_comment_ids_1\" name=\"post[foo][comment_ids]\" type=\"checkbox\" value=\"1\" />
  

  After:

  check_box("post", "comment_ids", { :multiple => true, :index => "foo" }, 1)
  #=> <input name=\"post[foo][comment_ids][]\" type=\"hidden\" value=\"0\" /><input id=\"post_foo_comment_ids_1\" name=\"post[foo][comment_ids][]\" type=\"checkbox\" value=\"1\" />
  

  Fix #8108

  Daniel Fox, Grant Hutchins & Trace Wax

Active Model

• Specify type of singular association during serialization Steve Klabnik

Active Record

• Reverted 921a296a3390192a71abeec6d9a035cc6d1865c8, ‘Quote numeric values compared to string columns.’ This caused several regressions.

  Steve Klabnik

• Fix overriding of attributes by default_scope on ActiveRecord::Base#dup.

  Hiroshige UMINO

• Fix issue with overriding Active Record reader methods with a composed object and using that attribute as the scope of a uniqueness_of validation. Backport #7072.

  Peter Brown

• Sqlite now preserves custom primary keys when copying or altering tables. Fixes #9367. Backport #2312.

  Sean Scally + Yves Senn

• Preloading has_many :through associations with conditions won’t cache the :through association. This will prevent invalid subsets to be cached. Fixes #8423. Backport #9252.

  Example:

  class User
    has_many :posts
    has_many :recent_comments, -> { where('created_at > ?', 1.week.ago) }, :through => :posts
  end
  
  a_user = User.includes(:recent_comments).first
  
  # this is preloaded
  a_user.recent_comments
  
  # fetching the recent_comments through the posts association won't preload it.
  a_user.posts
  

  Yves Senn

• Fix handling of dirty time zone aware attributes

  Previously, when time_zone_aware_attributes were enabled, after changing a datetime or timestamp attribute and then changing it back to the original value, changed_attributes still tracked the attribute as changed. This caused [attribute]_changed? and changed? methods to return true incorrectly.

  Example:

  in_time_zone 'Paris' do
    order = Order.new
    original_time = Time.local(2012, 10, 10)
    order.shipped_at = original_time
    order.save
    order.changed? # => false
  
    # changing value
    order.shipped_at = Time.local(2013, 1, 1)
    order.changed? # => true
  
    # reverting to original value
    order.shipped_at = original_time
    order.changed? # => false, used to return true
  end
  

  Backport of #9073 Fixes #8898

  Lilibeth De La Cruz

• Fix counter cache columns not updated when replacing has_many :through associations. Backport #8400. Fix #7630.

  Matthew Robertson

• Don’t update column_defaults when calling destructive methods on column with default value. Backport c517602. Fix #6115.

  Piotr Sarnacki + Aleksey Magusev + Alan Daud

• When #count is used in conjunction with #uniq we perform count(:distinct => true). Fix #6865.

  Example:

  relation.uniq.count # => SELECT COUNT(DISTINCT *)

  Yves Senn + Kaspar Schiess

• Fix ActiveRecord::Relation#pluck when columns or tables are reserved words. Backport #7536. Fix #8968.

  Ian Lesperance + Yves Senn + Kaspar Schiess

• Don’t run explain on slow queries for database adapters that don’t support it. Backport #6197.

  Blake Smith

• Revert round usec when comparing timestamp attributes in the dirty tracking. Fixes #8460.

  Andrew White

• Revert creation of through association models when using collection=[] on a has_many :through association from an unsaved model. Fix #7661, #8269.

  Ernie Miller

• Fix undefined method to_i when calling new on a scope that uses an Array; Fix FloatDomainError when setting integer column to NaN. Fixes #8718, #8734, #8757.

  Jason Stirk + Tristan Harward

• Serialized attributes can be serialized in integer columns. Fix #8575.

  Rafael Mendonça França

• Keep index names when using alter_table with sqlite3. Fix #3489. Backport #8522.

  Yves Senn

• Recognize migrations placed in directories containing numbers and ‘rb’. Fix #8492. Backport of #8500.

  Yves Senn

• Add ActiveRecord::Base.cache_timestamp_format class attribute to control the format of the timestamp value in the cache key. This allows users to improve the precision of the cache key. Fixes #8195.

  Rafael Mendonça França

• Add :nsec date format. This can be used to improve the precision of cache key. Please note that this format only works with Ruby 1.9, Ruby 1.8 will ignore it completely.

  Jamie Gaskins

• Unscope update_column(s) query to ignore default scope.

  When applying default_scope to a class with a where clause, using update_column(s) could generate a query that would not properly update the record due to the where clause from the default_scope being applied to the update query.

  class User < ActiveRecord::Base
    default_scope where(active: true)
  end
  
  user = User.first
  user.active = false
  user.save!
  
  user.update_column(:active, true) # => false
  

  In this situation we want to skip the default_scope clause and just update the record based on the primary key. With this change:

  user.update_column(:active, true) # => true
  

  Backport of #8436 fix.

  Carlos Antonio da Silva

• Fix performance problem with primary_key method in PostgreSQL adapter when having many schemas. Uses pg_constraint table instead of pg_depend table which has many records in general. Fix #8414

  kennyj

• Do not instantiate intermediate Active Record objects when eager loading. These records caused after_find to run more than expected. Fix #3313 Backport of #8403

  Yves Senn

• Fix pluck to work with joins. Backport of #4942.

  Carlos Antonio da Silva

• Fix a problem with translate_exception method in a non English environment. Backport of #6397.

  kennyj

• Fix dirty attribute checks for TimeZoneConversion with nil and blank datetime attributes. Setting a nil datetime to a blank string should not result in a change being flagged. Fixes #8310. Backport of #8311.

  Alisdair McDiarmid

• Prevent mass assignment to the type column of polymorphic associations when using build. Fixes #8265. Backport of #8291.

  Yves Senn

• When running migrations on Postgresql, the :limit option for binary and text columns is silently dropped. Previously, these migrations caused sql exceptions, because Postgresql doesn’t support limits on these types.

  Victor Costan

• #pluck can be used on a relation with select clause. Fixes #7551. Backport of #8176.

  Example:

  Topic.select([:approved, :id]).order(:id).pluck(:id)
  

  Yves Senn

• Use nil? instead of blank? to check whether dynamic finder with a bang should raise RecordNotFound. Fixes #7238.

  Nikita Afanasenko

• Fix deleting from a HABTM join table upon destroying an object of a model with optimistic locking enabled. Fixes #5332.

  Nick Rogers

• Use query cache/uncache when using ENV[“DATABASE_URL”]. Fixes #6951. Backport of #8074.

  kennyj

• Do not create useless database transaction when building has_one association.

  Example:

  User.has_one :profile
  User.new.build_profile
  

  Backport of #8154.

  Bogdan Gusiev

• AR::Base#attributes_before_type_cast now returns unserialized values for serialized attributes.

  Nikita Afanasenko

• Fix issue that raises NameError when overriding the accepts_nested_attributes in child classes.

  Before:

  class Shared::Person < ActiveRecord::Base
    has_one :address
  
    accepts_nested_attributes :address, :reject_if => :all_blank
  end
  
  class Person < Shared::Person
    accepts_nested_attributes :address
  end
  
  Person
  #=> NameError: method `address_attributes=' not defined in Person
  

  After:

  Person
  #=> Person(id: integer, ...)
  

  Fixes #8131.

  Gabriel Sobrinho, Ricardo Henrique

Active Resource

No changes.

Active Support

• Fix DateTime comparison with DateTime::Infinity object.

  Dan Kubb

• Remove surrogate unicode character encoding from ActiveSupport::JSON.encode The encoding scheme was broken for unicode characters outside the basic multilingual plane; since json is assumed to be UTF-8, and we already force the encoding to UTF-8 simply pass through the un-encoded characters.

  Brett Carter

• Fix mocha v0.13.0 compatibility. James Mead

• #as_json isolates options when encoding a hash. [Backport #8185] Fix #8182

  Yves Senn

• Handle the possible Permission Denied errors atomic.rb might trigger due to its chown and chmod calls. [Backport #8027]

  Daniele Sluijters

Railties

No changes.

Full listing

To see the full list of changes, check out all the commits on GitHub.

SHA-1

If you’d like to verify that your gem is the same as the one I’ve uploaded, please use these SHA-1 hashes:

• 6a33c2d10abb5512499addb675df658e179f2e79 actionmailer-3.2.13.rc1.gem
• 11d8303470698c5b0ac68f187a15093c07383c89 actionpack-3.2.13.rc1.gem
• a72dafd8b1e3372cc4dda9015b93bf5509b25baa activemodel-3.2.13.rc1.gem
• 3c6463ab11658b5ab0fe6a4ad06eb52968ef4492 activerecord-3.2.13.rc1.gem
• 06cec200b95dc1f64614cd03432e9ab06742a865 activeresource-3.2.13.rc1.gem
• 5ff59cacae5295baf30a6fb8fb656037f22af3c2 activesupport-3.2.13.rc1.gem
• facf4549445922d9dc2a836283ae928fa52df4f8 rails-3.2.13.rc1.gem
• 55e44f621efbf531d9ccade6d27259f7dabae167 railties-3.2.13.rc1.gem

<3<3<3

Hot on the heels of the first production version of Ruby 2.0 comes the first beta version of Rails 4.0. The two form a great pair and are already running in production on a number of applications, including Basecamp Breeze. In fact, Ruby 2.0 is the preferred Ruby to use with Rails 4.0.

The purpose of this beta is to get as many people as possible to try to upgrade from Rails 3.2 and earlier and to get an adventurous few to start new applications directly on Rails 4.0. That’s the only way we’re going to suss out all the issues and ensure that we can launch a solid final release. So please help us with that if you can!

Rails 4.0 is packed with new goodies and farewells to old goodies past their expiration date.

A big focus has been on making it dead simple to build modern web applications that are screaming fast without needing to go the client-side JS/JSON server route. Much of this work was pioneered for Rails in the new version of Basecamp and focuses on three aspects:

1. Make it super easy to do Russian Doll-caching through key-based expiration with automatic dependency management of nested templates (explored first in the cache_digests plugin).
2. Speed-up the client-side with Turbolinks, which essentially turns your app into a single-page javascript application in terms of speed, but with none of the developmental drawbacks (except, maybe, compatibility issues with some existing JavaScript packages).
3. Declarative etags makes it even easier to ensure you’re taking advantage of HTTP freshness.

Rails is of course still a great JSON server for people who want to build client-side JS views, but with the progress we’ve made for Rails 4.0, you certainly won’t need to go down that route just to have a super fast application.

We’ve also added live streaming for persistent connections and Rails 4.0 is now safe for threaded servers out of the box (no more need for config.threadsafe!).

Active Record has received a ton of love as well to make everything related to scoping and the query structure more consistent.

Given all the fun we’ve had with security issues, we have some great updates there as well:

• Session store is now encrypted by default (formerly just signed).
• Strong Parameters take over from attr_protected (now a plugin) to guard against foreign parameters.
• Security headers like X-Frame-Options, X-XSS-Protection, X-Content-Type-Options are on by default with solid values.
• XML Parameter parsing has been sent to a plugin.

On top of these new features and fixes, we have hundreds more of all sorts. Everything has been combed over, streamlined, simplified, and we’ve extracted out lots of old APIs and things that just don’t fit “most people most of the time”.

Active Resource, Active Record Observers, and Action Pack page and action caching are all examples of things that are no longer in core, but lives on in plugins.

We encourage you to peruse the CHANGELOGs for all the Rails frameworks and delight over the hundreds of improvements we’ve made to Rails 4.0: Action Pack, Active Model, Active Record, Active Support, Rails.

Now let’s all work together to ensure the release is final and enjoy the bad-ass combination of Ruby on Rails 24! (Or 42?). Please report all the issues you find on the Rails issue tracker. We’re still working on the upgrade guide from 3.2 to 4.0, but that’s a good place to start for help on how to do it. As always, install betas with gem install rails --version 4.0.0.beta1 --no-ri --no-rdoc (–pre and ri generation is busted on RubyGems 2.0 at the moment) or depend on the v4.0.0.beta1 tag.

Since the most recent patch releases there has been some confusion about what versions of Ruby on Rails are currently supported, and when people can expect new versions. Our maintenance policy is as follows.

Support of the Rails framework is divided into four groups: New features, bug fixes, security issues, and severe security issues. They are handled as follows, all versions in x.y.z format:

New Features

New Features are only added to the master branch and will not be made available in point releases.

Bug fixes

Only the latest release series will receive bug fixes. When enough bugs are fixed and its deemed worthy to release a new gem, this is the branch it happens from.

Currently included series: 3.2.z

After the Rails 4 release: 4.0.z

Security issues:

The current release series and the next most recent one will receive patches and new versions in case of a security issue.

These releases are created by taking the last released version, applying the security patches, and releasing. Those patches are then applied to the end of the x-y-stable branch. For example, a theoretical 1.2.3 security release would be built from 1.2.2, and then added to the end of 1-2-stable. This means that security releases are easy to upgrade to if you’re running the latest version of Rails.

Currently included series: 3.2.z, 3.1.z

After the Rails 4 release: 4.0.z, 3.2.z

Severe security issues:

For severe security issues we will provide new versions as above, and also the last major release series will receive patches and new versions. The classification of the security issue is judged by the core team.

Currently included series: 3.2.z, 3.1.z, 2.3.z

After the Rails 4 release: 4.0.z, 3.2.z

Unsupported Release Series

When a release series is no longer supported, it’s your own responsibility to deal with bugs and security issues. We may provide back-ports of the fixes and publish them to git, however there will be no new versions released. If you are not comfortable maintaining your own versions, you should upgrade to a supported version.

You should also be aware that Ruby 1.8 will reach End of Life in June 2013, no further Ruby security releases will be provided after that point. If your application is only compatible Ruby 1.8 you should upgrade accordingly.

Hi everybody.

I’d like to announce that Rails 3.2.12, 3.1.11, and 2.3.17 have been released.

3.2.12 and 3.1.11 contain one security fix, and 2.3.17 contains two security fixes. It is recommended that you update immediately.

You can read about the security fixes by following these links:

• CVE-2013-0276
• CVE-2013-0277

Please note that today a new JSON gem was released, and it also contains an important security fix. You should update the JSON gem as soon as possible. You can read about the security issue in the JSON gem here:

• CVE-2013-0269

In order to ease upgrading, the only major changes in each gem is the security fix. To see the detailed changes for each version, follow the links below:

• Changes in 3.2.12
• Changes in 3.1.11
• Changes in 2.3.17

Thanks to the people who responsibly reported these security issues.

Please note that per our maintenance policy there will be no 3.0.x version released.

Here are the SHA-1 checksums for each gem:

Rails 3.2.12

[aaron@higgins dist]$ shasum *3.2.*
5627c6d044cc52876128459d960f8805006b5f97  actionmailer-3.2.12.gem
336f76c045b6bcbd204831897131182cff82ddf8  actionpack-3.2.12.gem
89bec5d68861ad5d79ca776ef5d6df7c1cfc2b11  activemodel-3.2.12.gem
7d4327c54900f45c60947a63350e865843e193ef  activerecord-3.2.12.gem
4b8ed4190f98a85b800ee7893bae5afd1bee0874  activeresource-3.2.12.gem
c9e44eed288140f556e6543b93fc45f8dd57a415  activesupport-3.2.12.gem
24b3b4633d7f131e61e50decc3aa11590941c6e2  rails-3.2.12.gem
a84262f1968e83141d290c034b20a28d38886d10  railties-3.2.12.gem

Rails 3.1.11

[aaron@higgins dist]$ shasum *3.1.*
d80816e69614c1f0d96cb7d0f4a38bfdc8d84ff5  actionmailer-3.1.11.gem
f65cea0682b6051869d4125f7b441a7c6f59fcbe  actionpack-3.1.11.gem
549ec2b67d4332b38cef1620b23e00e50e0774e6  activemodel-3.1.11.gem
3d342764b7ba3bae05190f15bcb35d401cd8121e  activerecord-3.1.11.gem
19bd70bad6c4e4a555127a7738e71ac4829e6f61  activeresource-3.1.11.gem
7267b2f87bea5bd285f5d1bfe49bb2ba19df7c94  activesupport-3.1.11.gem
ca57e1243451385689343dbe2bb42e23058284df  rails-3.1.11.gem
48cc801bdb7c31c4b6939235a60ef3e5008f5dbb  railties-3.1.11.gem

Rails 2.3.17

[aaron@higgins dist]$ shasum *2.3.*
5df1fe13db46ac10dec8bb607ef515881dcf09c5  actionmailer-2.3.17.gem
d1165517a185ae73ca8a4ac89549e695a23fedfa  actionpack-2.3.17.gem
b24ff71e46b798d7c38504531cb7622955d9a20c  activerecord-2.3.17.gem
9cc2a7bd60a959dcba099425954a1b9c53235ce5  activeresource-2.3.17.gem
4ccc935fdc4d7ede78a1c376453ecb502e48b7ed  activesupport-2.3.17.gem
9613a97cb726f00de59ad6d0f901f7434f9c4733  rails-2.3.17.gem

<3<3<3