Rails 18.104.22.168 and 22.214.171.124 have been released!
These two releases contain only security fix that was already released as 4.0.12 and 4.1.8.
You can read more about the issue here (CVE-2014-7829).
4.0.12 and 4.1.8 were inadvertently based on their respective stable branches, and so incorporated
additional changes beyond those necessary to resolve the security issue. In keeping with our security
policy, it is our intention to include only the minimum necessary changes in security releases, to
ensure everyone can upgrade without fear of regressions. As those releases included unrelated changes,
we are providing new releases, based on the previous release, which contain only the security fix
If you have already successfully upgraded to 4.0.12 or 4.1.8, no further action is required.
Otherwise, if you are still on 4.0.11 or 4.1.7, please do upgrade to 126.96.36.199 or 188.8.131.52 at your
The 3.2.21 release did incorporate a second change, but that change was intended: by policy, minor
security-relevant bugs (which do not independently warrant a security release) are occasionally
backported to 3-2-stable, and rolled into a subsequent security release.
The commits for 184.108.40.206 can be found here,
and the commits for 220.127.116.11 can be found here.
Here are the checksums for 18.104.22.168:
$ shasum *22.214.171.124*
Here are the checksums for 126.96.36.199:
$ shasum *188.8.131.52*