There is another security release which addresses once again the to_json vulnerability. It now has a CVE. If you used to_json in a page you generate:
<script type="text/javascript">
var customers = <%= @customers.to_json %>;
</script>
var customers = <%= @customers.to_json %>;
</script>
you should upgrade to 1.2.5. Besides it fixes some bugs from 1.2.4.
