Ruby is a nice language, but its community makes me sick.
On December 7, 2009, CVE-2009-4124 was fixed by SVN revision 26038. However, this fix was a bit buggy: #2463. This issue was fixed in trunk by SVN revision 26052 on December 9, 2009.
Now the funny thing. http://www.ruby-lang.org/en/downloads/ says "The current stable version is 1.9.1" and "Ruby 1.9.1-p376 (md5: ebb20550a11e7f1a2fbd6fdec2a3e0a3) Stable Version (recommended)".
For those who still don't get it: neither 1.9.1-p376 nor ruby_1_9_1 branch at all contains fix for #2463. I tried to add another issue, which was immediately closed as "duplicate of #2463".
19 days have passed so far and current recommended stable version still contains bug that nobody cares about. By the way, this bug affects Rails.
Have a nice day.