From ea198f16fe75075b904a1e77f9f3570a8fce38ff Mon Sep 17 00:00:00 2001
From: ankitdas13 <ankit.das@razorpay.com>
Date: Mon, 8 Jun 2026 18:48:28 +0530
Subject: [PATCH] version-bump v3.2.4

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 CHANGELOG.md              | 6 ++++++
 lib/razorpay/constants.rb | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6852beb..2b5a0f3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,12 @@ Changelog for Razorpay-Ruby SDK.
 
 ## Unreleased
 
+## [3.2.4] - 2026-06-08
+
+fix: Security fix for AES-GCM onboarding signature
+* Fixed nonce reuse vulnerability in `generate_onboarding_signature` by using a random nonce per call instead of a static IV derived from the secret key
+* New output format: `hex(iv[12] || ciphertext || tag[16])` — the receiver reads the first 24 hex chars as the IV before decrypting
+
 ## [3.2.3] - 2024-05-27
 
 feat: Added new API endpoints
diff --git a/lib/razorpay/constants.rb b/lib/razorpay/constants.rb
index 4822833..79c32b4 100644
--- a/lib/razorpay/constants.rb
+++ b/lib/razorpay/constants.rb
@@ -2,7 +2,7 @@
 module Razorpay
   BASE_URI = 'https://api.razorpay.com'.freeze
   TEST_URL = 'https://api.razorpay.com/'.freeze
-  VERSION  = '3.2.3'.freeze
+  VERSION  = '3.2.4'.freeze
   AUTH_URL = 'https://auth.razorpay.com'.freeze
   API_HOST = 'API'.freeze
   AUTH_HOST    = 'AUTH'.freeze