Rails 3.2.13 was released yesterday, containing some important security fixes, but it is causing headaches for many developers.
After some recent well documented rails vulnerabilities, many developers are making sure to upgrade their rails versions as soon as security patches are released, but you might consider holding off until 3.2.14 comes out, or risk running into the following performance regressions and bugs:
The [CODE]action_missing[/CODE] function, which is a Rails controller’s equivalent of ruby’s [CODE]method_missing[/CODE] was completely broken in 3.2.13. See this issue and the attached pull request for details:
This issue has been well documented, since GitHub ran into an embarrassing bug caused by the scope behavior change. Basically, certain scoped database query parameters can be overwritten by later chaining operations in certain situations.
There are performance regressions in 3.2.13 for both view loading and asset loading. Rails 3.2.13 changed the way assets paths are resolved, handing that task to Sprockets instead of resolving internally, which seems to be the cause of the performance issues.
There are a bunch more ActiveRecord issues relating to database encoding and relations, so make sure to check out the full list of open rails issues to check which 3.2.13 regressions will affect your apps.
A “security fixes only” release would have gone a long way to avoiding the complexity that caused these issues to slip in.
Thanks to the Rails team for staying on top of recent security issues and being proactive in fixing them. If you’d like to help, there are a few things you can do: