The good news is, upstream seems to have taken disclosure complaints to heart, and is now posting security advisories to the rubyonrails-security Google Group:
The bad news is, it looks like CVE-2007-3227 is only fixed properly in rails-1.2.5:

http://groups.google.com/group/rubyonrails-security/browse_thread/thread/225dcc61aaefad42

Ciao,
Sheldon.