Rails Security Hole
I now have the fixed version of typo (soon to be 4.0.2), around an hour after it was committed.
As to the whole “full disclosure” thing by the rails team? They handled it pretty badly. As somebody else commented, it didn’t work for OpenBSD a while back and if anybody could do that, OpenBSD could.