Rails version 2.3.4 has been released to fix two vulnerabilities.
- A timing weakness in the ClientCookieStore. Rails version 2.1.0 and all subsequent versions are affected. Detailed information can be found here.
- An XSS vulnerability in the way Rails handles Unicode. This affects all versions in the Rails 2 branch, but not applications running with Ruby 1.9.
Upgrade to version 2.3.4 now, or apply a patch (available on the pages linked above).