Hi everyone,

Rails 3.1.0.rc6 has been released.  This release contains critical security fixes.

## CHANGES

You can find an exhaustive list of changes on [github](https://github.com/rails/rails/compare/v3.1.0.rc5...v3.1.0.rc6).  Along with the [closed issues marked for v3.1.0](https://github.com/rails/rails/issues?sort=created&direction=desc&state=closed&page=1&milestone=1).

You can also see issues [we haven't closed](https://github.com/rails/rails/issues?sort=created&direction=desc&state=open&page=1&milestone=1).

A comprehensive CHANGELOG will be announced when 3.1.0 final is released.  Barring any show stopping bugs, Rails 3.1.0 will be released on August 30th.

### 4 Security Fixes

  * [Filter Skipping bugs](http://groups.google.com/group/rubyonrails-security/browse_thread/thread/3420ac71aed312d6)
  * [SQL Injection issues](http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b)
  * [Parse error in `strip_tags`](http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12)
  * [UTF-8 escaping vulnerability](http://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195)

Please follow the links to see specific information about each vulnerability, along with individual patches for fixing them.

Please note that these security fixes do not have CVE identifiers.  We requested identifiers on August 5th, and have yet to receive a response.  When we get identifiers, we'll update the notices with those values.

Also remember to subscribe to the [Ruby on Rails Security mailing list](http://groups.google.com/group/rubyonrails-security).

### Why was this release delayed?

You may have noticed this release was originally slated to be released on August 8th.  We decided to delay the release in order to obtain CVE identifiers.  Unfortunately, identifiers still have not been issued.  We felt that getting the security fixes to our users was more important than obtaining CVE values.

That is why our release is late, and contains no CVE identifiers.

## THE END

Thanks! <3

-- 
Aaron Patterson
http://tenderlovemaking.com/
