Here’s a summary (shamelessly snagged from HN):
[CVE-2015-7581] Object leak vulnerability for wildcard controller routes in Action Pack: Look for routes that contain “:controller” and change it to something else. Hopefully you didn’t have this weird name in your routes.
[CVE-2015-7578/79] Possible XSS vulnerability in rails-html-sanitizer: You’re safe if you use a single page application that properly encode for you. Stripping tags isn’t the best way anyway to filter XSS, so if you’re encoding, you’re good.
[CVE-2016-0753] Possible Input Validation Circumvention in Active Model: params.permit! is negligence, you should not be doing that anyway
[CVE-2016-0752] Possible Information Leak Vulnerability in Action View: render params[:id] is not defensive programming, so you should not be doing that too
[CVE-2015-7577] Nested attributes rejection proc bypass in Active Record: Only if using nested_attributes and rejection proc. Wasn’t my case. Just patch.
[CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack: DoS is bad, just patch.
[CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller: Just patch.