Hi everyone,

Rails 3.0.10 has been released.  This release contains critical security fixes.

## CHANGES

You can find an exhaustive list of changes on [github](https://github.com/rails/rails/compare/v3.0.9...v3.0.10).  Here are some notable excerpts:

### 4 Security Fixes

  * [Filter Skipping bugs](http://groups.google.com/group/rubyonrails-security/browse_thread/thread/3420ac71aed312d6)
  * [SQL Injection issues](http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b)
  * [Parse error in `strip_tags`](http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12)
  * [UTF-8 escaping vulnerability](http://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195)

Please follow the links to see specific information about each vulnerability, along with individual patches for fixing them.

Please note that these security fixes do not have CVE identifiers.  We requested identifiers on August 5th, and have yet to receive a response.  When we get identifiers, we'll update the notices with those values.

Also remember to subscribe to the [Ruby on Rails Security mailing list](http://groups.google.com/group/rubyonrails-security).

### ActionPack:

  * Fixes an issue where cache sweepers with only after filters would have no controller object, it would raise undefined method `controller_name` for `nil` [jeroenj]
  * Ensure status codes are logged when exceptions are raised.
  * Subclasses of OutputBuffer are respected.
  * Fixed `ActionView::FormOptionsHelper#select` with `:multiple => false`
  * Avoid extra call to `Cache#read` in case of a fragment cache hit

### ActiveRecord:

  * Magic encoding comment added to schema.rb files
  * schema.rb is written as UTF-8 by default.
  * Ensuring an established connection when running `rake db:schema:dump`
  * Association conditions will not clobber join conditions.
  * Destroying a record will destroy the HABTM record before destroying itself.  GH #402.
  * Make `ActiveRecord::Batches#find_each` not return `self`.
  * Update `table_exists?` in PG to always use current `search_path` or schema if explicitly set.

### Why was this release delayed?

You may have noticed this release was originally slated to be released on August 8th.  We decided to delay the release in order to obtain CVE identifiers.  Unfortunately, identifiers still have not been issued.  We felt that getting the security fixes to our users was more important than obtaining CVE values.

That is why our release is late, and contains no CVE identifiers.

## THE END

Thanks! <3

--
Aaron Patterson
http://tenderlovemaking.com/
