Last week the Rails team announced a new release which addresses an important security vulnerability. This is a Rails security problem, but since Spree relies on these insecure versions of Rails, all Spree users are advised to upgrade to a more secure version immediately.
Existing Spree 1.3.0 users should upgrade to the new Spree 1.3.1 release. This release uses the more secure Rails 3.2.10 version and also includes some minor bug fixes unrelated to the security issue. You can review the GitHub compare for a complete list of changes.
Existing Spree 1.2.x users should upgrade to the new Spree 1.2.3 release. This release uses the more secure Rails 3.2.10 version and also includes some minor bug fixes unrelated to the security issue. You can review the GitHub compare for a complete list of changes.
Other Versions of Spree
If you are using Spree versions 1.1.x and older you should consider upgrading to Spree version 1.2.3 or higher. Our current policy is to only maintain the latest two versions of Spree along with the current master.
Upgrading Rails Without Updating Spree
If you’re not ready to update your version of Spree, you may want to consider updating just the version of Rails you’re using. Spree gems will not allow you to use arbitrary versions of Rails (we like to test them first), so you’ll have to do a little hacking if you want to go it alone. To accomplish this, you need to work with the source code and check out the exact Git tag of your version of Spree. You can then modify the gemspec to allow a newer version of Rails. Finally, you’ll need to push this change to a fork and modify the Gemfile in your project to point to the fork.
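As an added example (not code from the Spree project), the Ruby script below checks the two things this workaround depends on: that the gemspec's Rails constraint admits 3.2.10, and that Gemfile.lock actually resolves to it. The gemspec lines and the lockfile excerpt are constructed samples, and the helper names are hypothetical.

```ruby
require 'rubygems'

FIXED_RAILS   = Gem::Version.new('3.2.10')          # release named in the announcement
ON_FIXED_LINE = Gem::Requirement.new('~> 3.2.10')   # 3.2.x at or past that release

# Constructed gemspec lines (assumptions, not Spree's real gemspec):
# a pin that blocks the fixed Rails, and the relaxed form committed to a fork.
PINNED_GEMSPEC  = "s.add_dependency 'rails', '= 3.2.9'\n"
RELAXED_GEMSPEC = "s.add_dependency 'rails', '~> 3.2.10'\n"

# Constructed Gemfile.lock excerpt (resolved gems sit at 4 spaces of indent,
# their dependency constraints at 6).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (3.2.9)
        actionpack (= 3.2.9)
      spree_core (1.2.2)
        rails (= 3.2.9)
LOCK

# Return the Gem::Requirement a gemspec declares for rails, or nil if none.
def rails_requirement(gemspec_src)
  line = gemspec_src.lines.find do |l|
    l =~ /add_(runtime_)?dependency\s*\(?\s*['"]rails['"]/
  end
  return nil unless line
  constraints = line.scan(/['"]([^'"]+)['"]/).flatten.drop(1) # skip the gem name
  Gem::Requirement.new(*constraints)
end

# True when Bundler could resolve the fixed Rails against this gemspec.
def allows_fixed_rails?(gemspec_src)
  req = rails_requirement(gemspec_src)
  !req.nil? && req.satisfied_by?(FIXED_RAILS)
end

# Resolved rails version recorded in the lockfile, or nil if absent.
def locked_rails(lock_src)
  m = lock_src.match(/^ {4}rails \(([^)]+)\)$/)
  m && Gem::Version.new(m[1])
end

# True only when the lockfile resolves rails to 3.2.10 or a later 3.2.x.
def lock_patched?(lock_src)
  v = locked_rails(lock_src)
  !v.nil? && ON_FIXED_LINE.satisfied_by?(v)
end

puts "pinned gemspec allows #{FIXED_RAILS}: #{allows_fixed_rails?(PINNED_GEMSPEC)}"
puts "lockfile patched: #{lock_patched?(SAMPLE_LOCK)}"
```

Run the lockfile check against your project's real `Gemfile.lock` after `bundle update rails`, since editing the gemspec alone does not change what is deployed.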