Rails 2.3.5 is out but the official release notes have not yet appeared. So I thought it might be useful to share my own notes on what's new in this version. This list is only the highlights, but it should give you an overview.

An XSS vulnerability in strip_tags is fixed.

Rails 2.3.5 supports the xss_safe plugin, which gives you the XSS escaping features that will be the default in Rails 3.0.

There are a bunch of Ruby 1.9 compatibility fixes, including changes to MessageVerifier#secure_compare (which was tweaked in 2.3.4 to fix a timing vulnerability), the -c and -c options to the rails command, Time#beginning_of_day, and String#strip.

The nested attributes bits get some attention, including fixes to avoid trying to validate records that are marked for destruction and allowing fields_for on a nested attribute to accept a collection to use. The :_delete option in nested attributes has been renamed to :_destroy, and the old name is deprecated. You can also declare that there are a maximum number of nested records: accepts_nested_attributes_for :orders, :limit => 4

The MySQL adapter is updated to allow the use of stored procedures.

Building or creating objects on a has_one association is now more consistent with the way it works on a has_many: record creation from the association is scoped if a hash is used. has_one :account, :conditions => {:enabled => true} will create an enabled account with @company.create_account or @company.build_account.

Rails is tested with newer versions of Rack (1.0.1), the MySQL adapter (2.8.1), Mocha (0.9.8), and the sqlite3-ruby adapter (1.2.5). sqlite 2 is only supported if you're using Ruby 1.8.x.

A problem that prevented the debugger from going into IRB mode has been fixed.

If you're using Rails 2.3.x, you should upgrade to this version as soon as possible, to get the security fixes that it contains. If you're using Rails 2.2, there's a separate patch available. Rails versions older than 2.2 are no longer supported with security patches, and should be retired/upgraded as soon as possible.