

Rails 3.2.21, 4.0.12, and 4.1.8 have been released - gerjomarty
http://weblog.rubyonrails.org/2014/11/17/Rails-3-2-21-4-0-12-and-4-1-8-have-been-released/

======
tcopeland
I'm betting most people have this setting already:

    irb(main):001:0> Rails.configuration.serve_static_assets
    => false

But anyhow, it's an easy upgrade since it's just the security fix.

~~~
taf2
Thanks Tom! I was wondering how this could impact our applications.

------
taf2
I can imagine there could be some files on the file system that would be
useful to detect for certain types of undisclosed attacks... But anyone here
have ideas about how serious of a threat this is?

------
whyowhyowhy
The web framework that is chock-full of security blunders continues unabated.

How do people persist with it? Inertia?

~~~
jtc331
Actually it's probably more secure than the vast majority of frameworks.

And certainly it's more secure by default than most web apps. Have you looked
into how many PHP apps still suffer from obvious SQL injection attacks?

