Spree 1.0.3 has been released. The primary purpose of this release is to address a recently discovered security vulnerability that, under certain circumstances, allows any authenticated user to read the contents of another user's order.
Please see the GitHub compare for a complete list of changes in this release. Because of this issue and other previously announced vulnerabilities, you should upgrade to this version of Spree if you are running a prior version of Spree 1.0.x.
NOTE: Earlier this week we released Spree 1.0.2, which contained this fix. Before we could write up the release announcement, we discovered a newly introduced bug that required a quick follow-up release, which is now Spree 1.0.3. It is recommended that you update to version 1.0.3 if you are running version 1.0.2 because of this bug, but it is not required for security purposes.