Hi everybody! Rails 3.0.6 has been released!
Let's get the serious business out of the way first:
## Rails 3.0.6 contains an important security fix! Please upgrade!
Rails versions 3.0.x prior to 3.0.6 contain an XSS vulnerability. The vulnerability manifests itself via the `auto_link` method. The `auto_link` method will automatically mark input strings as "html safe" even if the input is from an unknown origin.
For example:
<%= auto_link(params[:content]) %>
If the "content" parameter contains malicious javascript, that script will be rendered without being escaped.
### How can I protect myself?
* Upgrade to Rails 3.0.6, then content passed to `auto_link` will be automatically escaped for you.
* If you cannot upgrade Rails, then apply the patch found [here](https://github.com/rails/rails/commit/61ee3449674c591747db95f9b3472c5c3bd9e84d). Then `auto_link` content will be escaped for you.
* If you cannot upgrade Rails, or apply the patch, then change your calls to `auto_link` to call sanitize like so:
<%= sanitize(auto_link(params[:content])) %>
If you trust the input, then change to this
<%= raw(auto_link(params[:content])) %>
### Credits
Thanks go to Torben Schulz for reporting this issue!
## SERIOUS BUSINESS COMPLETE ##
After two release candidates, we we we so excited to announce the release of Rails version 3.0.6! I want to thank everyone that tried out the release candidates and reported their feedback! I hope that we can continue soliciting feedback from the public before releasing final versions.
## LOL CHANGES!!!!
For changes in a particular package, please view the CHANGELOG in each particular project on [github](https://github.com/rails/rails/tree/3-0-6). Even better, you can check the [compare view](https://github.com/rails/rails/compare/v3.0.5...v3.0.6).
Changes of note are:
* The above security fix in ActionPack 61ee3449674c591747db95f9b3472c5c3bd9e84d
* Un-deprecating the `reorder` method in ActiveRecord 235a4142aa3fee73faa0f01e267a2b4254cea8ce
* A backport of "cheaper attributes reads" in ActiveRecord 86acbf1cc050c8fa8c74a10c735e467fb6fd7df8
* Correctling handling `before_type_cast` on timezone aware attributes 0823bbd757f3654a08d300e27873758da606f06a
* Escaping binary data in sqlite3 inserts 7222786c15eacbd432b2bce9798d3f3459f7e05f
* Fixing schema support for the mysql adapter eb1eac93151c1d45c3ef292d99bfcf74799185ea
This change list IS NOT exhaustive. They are just some of my favorites! For the complete list *please* see the CHANGELOG files or view the diff on github.
## GEM CHECKSUMS
If you totally want to make sure that you've got the right gems, here are my shasums before I pushed the gems!
$ shasum * fc7b0503bdf99d1ec08dc0dcee3677ca1dd29f0f actionmailer-3.0.6.gem e8fbefd5b0a46408dd557331700ea514a4c199ab actionpack-3.0.6.gem 8509520744ecd8e6712158311a16ba4782b454e2 activemodel-3.0.6.gem 3b392e811ba342a5bf430d89cf4f060d119aba64 activerecord-3.0.6.gem 9eea440bdf885e857ebfb5ff8e31119f76a18a4e activeresource-3.0.6.gem 175ba6286f7802edeeaab30f900d87a38f516728 activesupport-3.0.6.gem ebeea3c1f03db3309ea9a6640e1767ab144ff567 rails-3.0.6.gem 61e24f94ea87fc58175b2067f7f6a3a8c468bfe0 railties-3.0.6.gem $
## IN CLOSING
Thank you for waiting for me to finish vacation before I released this! I hope
that everyone enjoys this bugfix release of Rails. Next time I'll try not to
vacation so much! 
<3 <3 <3 <3 <3