In case anyone missed the posts on the official blog.

A mandatory security patch to Ruby on Rails affecting version 1.1.0 to 1.1.4 was released a couple of days ago (1.1.5). This was updated yesterday (August 10) with another patch, 1.1.6, because the original patch only partly closed the security hole:

They've also created an announce-only security mailing list where you can get updates about critical patches.

Check it out if you haven't seen it already.