One of security fixes impacts all users and is related to HTML escaping code. The other two fixes impacts people using select_tag's prompt option and strip_tags helper from ActionPack.
Rails 3.2.8 is now in the tree. I hope to get to the older versions in the weekend.
CVE-2012-3465 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3465): Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup. CVE-2012-3464 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3464): Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character. CVE-2012-3463 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3463): Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via the prompt field to the select_tag helper.
Rails 3.0.17 and 3.1.8 now also in the tree.
Thanks, Hans. Please don't forget to remove vulnerable versions. Closing noglsa for ~arch only.
