Spree 0.40.3 has been officially released. This is a minor patch release with a few fixes. All users should consider an immediate upgrade due to the recently announced security vulnerability in previous versions of Rails. Spree now requires Rails 3.0.4 which resolves this problem.
We also made an important fix for anyone using payment gateways that do not support a credit card profile (this includes the standard Authorize.net gateway.) If you are developing on a version of Spree 0.30.x with one of these gateways you’ve probably already experienced difficulties submitted the card details to the gateway. Theses issues are solved in version 0.40.3 along with a separate issue related to voids.
If you’re running a version of Spree less than 0.30.0 or if you are using Authoriz.net CIM then you are not affected by this problem (but upgrading is still recommended due to the security fix mentioned above.)