There’s been a minor security fix checked into the git repository this morning. The problem relates to users who used the spree gem to create a new spree application but did not change the value of the secret key in config/environment.rb in the newly created app.
Your application is vulnerable if you have the following hash value for config.action_controller.session in your app’s
:secret => '2271bed096798b2c9e7b7ec14263e669944808bb94cb56d4befa5757cbb931095a3644c785
To fix it, simply change the value of the hash to some other random hash value with at least 30 characters. This has been fixed in the source and in the upcoming 0.3.0 release, so newly generated applications will not have this problem.
For more details please see the related issue report.
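The check and fix described above, as an added example that is not part of the original post or the Spree source: it looks for the published secret in a Rails 2-style session hash and swaps in a value from SecureRandom. The sample config text, the `_myapp_session` key name and the helper names are constructed for illustration; the published value is matched as a prefix in case the page shows only part of it.

```ruby
require 'securerandom'

# Secret value as published in the post above (copied from this page).
PUBLISHED_SECRET = '2271bed096798b2c9e7b7ec14263e669944808bb94cb56d4befa5757cbb931095a3644c785'
MIN_LENGTH = 30 # minimum length the post asks for

# Matches the :secret entry of a session options hash, single or double quoted.
SECRET_RE = /:secret\s*=>\s*(['"])(.*?)\1/

# Classifies the secret found in the given config source.
# Returns :missing, :published_default, :too_short or :ok.
def audit_secret(source)
  m = SECRET_RE.match(source)
  return :missing unless m
  secret = m[2]
  return :published_default if secret.start_with?(PUBLISHED_SECRET)
  return :too_short if secret.length < MIN_LENGTH
  :ok
end

# Returns the source with the secret replaced by a fresh random value
# (128 hex characters by default). Other hash entries are left untouched.
def rotate_secret(source, new_secret = SecureRandom.hex(64))
  source.sub(SECRET_RE) { ":secret => '#{new_secret}'" }
end

# Constructed sample of the relevant fragment of config/environment.rb.
SAMPLE = <<~CONFIG
  config.action_controller.session = {
    :session_key => '_myapp_session',
    :secret      => '#{PUBLISHED_SECRET}'
  }
CONFIG

puts "before: #{audit_secret(SAMPLE)}"
puts "after:  #{audit_secret(rotate_secret(SAMPLE))}"
```

To audit a real application, pass the contents of its `config/environment.rb` to `audit_secret` instead of `SAMPLE`.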