10 Jan 2013
In order to raise awareness of the issue, here's a Rails-security related bit:
TL;DR Stop what you're doing right now and go plug the giant security hole in ALL your Rails apps!
You surely already heard of the security announcement and the subsequent Rails patch releases. The issue is very serious: if you haven't updated or patched all your Rails apps, anyone can execute arbitrary Ruby code (and therefore also system commands) by merely sending a single crafted HTTP request to your application!
The Rails security announcement outlines how you can plug the hole fairly easily by disabling the XML request params parser, which probably nobody uses anyway nowadays. You need to do at least this RIGHT NOW, for any Rails app you have running. Unless you rely on XML params input you should not have to upgrade any gems, and your app should not break.
Please note that the popular exploit framework Metasploit has a working module that exploits this issue, and it is very likely that scanning of the net for attackable applications has been in full swing for hours, if not days, as working proofs of concept have been floating around the internet already.
On a side note: the real offender here is YAML. A YAML document can be embedded in XML params, and YAML deserialization can initialize Ruby objects and call methods on them, with no apparent way to disable that. So if you accept YAML user input via any other means than the XML params parser, you should check whether that can be exploited too.
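To make the YAML point concrete, here is a small added Ruby example; it is not code from this post, from Rails or from the security announcement. It assumes a constructed class `Greeting` (standing in for any class already loaded in an application process) and two constructed YAML documents. It shows that the permissive loader builds an instance of that class straight from untrusted input, and that the restricted loader `YAML.safe_load`, which later Psych releases added, refuses the same document while still accepting plain data.

```ruby
require 'yaml'

# Constructed example class standing in for any class already loaded in a
# Rails process. The permissive YAML loader instantiates it straight from
# the document (via allocate, so #initialize never runs).
class Greeting
  attr_accessor :message

  def initialize(message = 'hello')
    @message = message
  end
end

# Constructed inputs: one document that tags a Ruby object, one plain one.
OBJECT_YAML = "--- !ruby/object:Greeting\nmessage: set by the YAML document\n"
PLAIN_YAML  = "---\nname: alice\nrole: reader\n"

# The permissive loader. Psych 4 (Ruby 3.1+) made YAML.load safe by
# default and moved the old behaviour to YAML.unsafe_load; older Psych
# only has YAML.load, and there it is the permissive one.
def permissive_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# The restricted loader: only scalars, arrays and hashes come back, and a
# document tagged with a Ruby class raises Psych::DisallowedClass.
def restricted_load(doc)
  YAML.safe_load(doc)
end

# Name of the class the permissive loader built from the document.
def permissively_loaded_class(doc)
  permissive_load(doc).class.name
end

# True when the restricted loader refuses the document outright.
def restricted_load_rejects?(doc)
  restricted_load(doc)
  false
rescue Psych::DisallowedClass
  true
end

if __FILE__ == $PROGRAM_NAME
  obj = permissive_load(OBJECT_YAML)
  puts "permissive loader built a #{obj.class} with message=#{obj.message.inspect}"
  puts "restricted loader rejects it: #{restricted_load_rejects?(OBJECT_YAML)}"
  puts "restricted loader accepts plain data: #{restricted_load(PLAIN_YAML).inspect}"
end
```

The example runs without Rails. The Rails-side workaround from the announcement is a one-line initializer that removes XML from the params parsers (`ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)` on Rails 3.x, `ActionController::Base.param_parsers.delete(Mime::XML)` on 2.3); wherever your own code hands user input to `YAML.load`, the same rule applies: use the restricted loader or do not load it at all.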
I sincerely hope that before you read to the end of this posting you have already deployed fixed versions of all your Rails applications.