The rails core team has released ruby on rails 1.2.6 to address a bug in the fix for session fixation attacks (CVE-2007-5380). The CVE Identifier for this new issue is CVE-2007-6077. You should upgrade to this new release if you do not take specific session-fixation counter measures in your application.
1.2.6 also fixes some regressions when working with has_many associations on unsaved ActiveRecord objects.
As with other 1.2.x releases, this is intended as a drop in upgrade for users of earlier versions in the 1.2 series.
From the Rails log.
