Rails 3.0.1 and Rails 2.3.10 Released To Counter Nested Attributes Vulnerability
Michael Koziarski (a.k.a. nzkoz) has announced the simultaneous release of Rails 3.0.1 and 2.3.10. Don't get too excited - they're only very minor security releases intended to resolve a nasty bug that surfaced in 2.3.9 and 3.0.0. Upgrade if possible but if you're unsure, read on for some pointers.
The bug in question surrounds nested attributes that are accepted through the accepts_nested_attributes_for method. If you're not using this method, you're probably OK, though I have a big fat disclaimer over that (if you don't upgrade and your app gets fried, don't blame me ;-)).
If you're on 2.3.9 or 3.0.0, are using nested attributes, and are truly unable to upgrade at this point, Michael has included patches in his announcement post. You might also appreciate the discussion on Hacker News if you want more info and insight.
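To turn the two questions above (which Rails release are you on, and do any of your models call accepts_nested_attributes_for?) into a quick triage check, here is an added Ruby script that is not part of the announcement or of Rails itself; the model sources it scans are constructed samples, and the advice symbols it returns are my own labels for the post's guidance.

```ruby
# Added triage check (not from the post or from Rails): given the Rails version
# an app runs and the source of its models, say whether the nested-attributes
# fix matters for it. Versions come straight from the announcement.
AFFECTED = %w[2.3.9 3.0.0].freeze   # releases the post says carry the bug
FIXED    = %w[2.3.10 3.0.1].freeze  # releases that resolve it

# A real call at the start of a line; commented-out calls are ignored.
NESTED_RE = /^\s*accepts_nested_attributes_for\b/

# models: { "file name" => "source code" }; returns the file names that
# actually declare nested attributes.
def models_using_nested_attributes(models)
  models.select { |_name, src| src.lines.any? { |l| l =~ NESTED_RE } }.keys
end

# :affected, :fixed, or :unknown (a version the post does not mention).
def rails_status(version)
  return :affected if AFFECTED.include?(version)
  return :fixed if FIXED.include?(version)
  :unknown
end

# Map the post's advice onto the app: patch or upgrade now if an affected
# release uses the method, upgrade when you can if it does not, and check
# by hand for any release the post does not cover.
def advice(version, models)
  users = models_using_nested_attributes(models)
  case rails_status(version)
  when :fixed    then :ok
  when :affected then users.empty? ? :probably_ok_but_upgrade : :upgrade_or_patch_now
  else :check_manually
  end
end

# Constructed sample models: one uses the method, one only mentions it in a comment.
SAMPLE_MODELS = {
  "post.rb" => "class Post < ActiveRecord::Base\n  has_many :comments\n" \
               "  accepts_nested_attributes_for :comments\nend\n",
  "user.rb" => "class User < ActiveRecord::Base\n" \
               "  # accepts_nested_attributes_for :profile (disabled)\nend\n"
}

if __FILE__ == $0
  puts "models using nested attributes: #{models_using_nested_attributes(SAMPLE_MODELS).inspect}"
  puts "advice on 3.0.0: #{advice('3.0.0', SAMPLE_MODELS)}"
end
```

In a real app, build the hash from `Dir["app/models/**/*.rb"]` and take the version from `Gemfile.lock` or `config/environment.rb`; a 3.0.0 app with the sample models above comes out as `:upgrade_or_patch_now`.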