A good writeup from the folks at GitHub.
I liked this:
We have fixed this issue on our affected applications and are working with the Rails core team to determine if this change was intentional as well as what action other users should take.
The risk is that what looks like a routine system update includes a change that looks to be innocuous but that has side effects for people who are using the system in ways that are unexpected by the coders.