Serendipity 1.0.4 released!
Posted by Garvin Hicking in Announcements, Development, Plugins, Security
Comments (4)
Trackbacks (9)
This new Serendipity release addresses a local file inclusion security issue discovered yesterday. By passing a crafted parameter to one of Serendipity's files, it was possible to make it include a file from your own web tree (or any other file the web server has read access to). On clear-text files this discloses their contents, for example the Apache log files of your website.
The error can only be triggered when two prerequisites are both met: register_globals must be turned on in your PHP configuration AND your web server must ignore Serendipity's default .htaccess file. That .htaccess file normally prevents Serendipity's include files from being called directly via HTTP. We therefore expect only a very small percentage of installations to be affected by this bug.
However, Serendipity 1.0.4 is a recommended upgrade for everyone who takes security seriously, as we do. We are thankful to the community for inspecting Serendipity, searching for bugs and security issues, and reporting them to us. In this case, many thanks to Majestic from the forums for notifying us.
Most of the plugins (both bundled and available via spartacus) were updated as well to work around this bug, so you should upgrade all of your active plugins to the most recent versions too.
The Serendipity 1.1 release tree was also patched for this issue. The fix will be contained in today's snapshot and in the 1.1-beta6 release file. The easy steps for performing an upgrade are documented in our FAQ at http://www.s9y.org/.
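The following PHP script is an added illustration of the two prerequisites named above; it is not Serendipity's own code and does not reproduce the actual affected file. It emulates register_globals (so it runs on a current PHP without the setting), shows an include file that trusts a request-populated global beside a hardened one, and carries an illustrative .htaccess deny rule of the kind the announcement refers to. The names $incFile, IN_serendipity and resolve_include_* are hypothetical.

```php
<?php
// Added illustration for this announcement; NOT Serendipity's code.
// Emulates register_globals=On and an ignored .htaccess, and contrasts a
// vulnerable include file with a hardened one. $incFile, IN_serendipity
// and the function names are hypothetical.
declare(strict_types=1);

// Constructed request: an include file fetched directly over HTTP with a
// crafted query string, e.g. /include/example.inc.php?incFile=/var/log/apache2/access.log
$query = ['incFile' => '/var/log/apache2/access.log'];

// Prerequisite 1: register_globals. Every request key becomes a PHP global
// before the script runs. Emulated here so the demo runs on any PHP version.
function emulate_register_globals(array $query): void
{
    foreach ($query as $name => $value) {
        $GLOBALS[$name] = $value;          // the dangerous step
    }
}

// Vulnerable shape: the include file trusts a global that only the front
// controller should have set and never checks how it was reached. Whatever
// ends up in $incFile is what include() would read; a clear-text log file
// would simply be echoed back to the requester.
function resolve_include_vulnerable(): string
{
    global $incFile;
    return (string) $incFile;              // real code would do include($incFile);
}

// Hardened shape, two independent layers:
//  (a) a constant that only the front controller defines; a direct request
//      never has it, so the include file stops before doing anything;
//  (b) the path is built from __DIR__ and a bare *.inc.php file name, never
//      from a global the request may have populated.
function resolve_include_hardened(string $name): string
{
    if (!defined('IN_serendipity')) {
        throw new RuntimeException('direct access to include file refused');
    }
    if ($name === '' || $name !== basename($name) || substr($name, -8) !== '.inc.php') {
        throw new RuntimeException('refusing include name: ' . $name);
    }
    return __DIR__ . DIRECTORY_SEPARATOR . $name;
}

// Prerequisite 2: the .htaccess deny rule. An Apache 2.2-style rule of this
// kind (illustrative, not the project's actual file) blocks direct HTTP
// requests to *.inc.php. With AllowOverride None the file is silently
// ignored, which is exactly the second condition the announcement describes.
$htaccessExample = <<<'HTACCESS'
<FilesMatch "\.inc\.php$">
    Order deny,allow
    Deny from all
</FilesMatch>
HTACCESS;

// --- walk-through ---
emulate_register_globals($query);
echo "vulnerable resolves to: ", resolve_include_vulnerable(), PHP_EOL;

try {
    resolve_include_hardened('functions.inc.php');   // no front controller involved
} catch (RuntimeException $e) {
    echo "hardened, direct request: ", $e->getMessage(), PHP_EOL;
}

define('IN_serendipity', true);                       // what the front controller would do
echo "hardened, via front controller: ", resolve_include_hardened('functions.inc.php'), PHP_EOL;

try {
    resolve_include_hardened('../../../var/log/apache2/access.log');
} catch (RuntimeException $e) {
    echo "hardened, traversal attempt: ", $e->getMessage(), PHP_EOL;
}

echo "deny rule the web server must honour:", PHP_EOL, $htaccessExample, PHP_EOL;
```

Run it with `php example.php`. The vulnerable function hands back the attacker's log file path unchanged, while the hardened one refuses both the direct request (no IN_serendipity) and the traversal name even when the front controller has defined the constant. The point of keeping both layers is that the .htaccess rule protects only where the server honours it, so the code guard must not depend on it.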
BTW, the links to 1.1-beta6 on the download page haven't been updated yet (they're still pointing to Beta 5).
Best regards,
-Manuel
Documentation always changes and grows, so packing it offline into a ZIP is not clever.
Our documentation is on www.s9y.org; sadly, you have to wait until our server is restored.
Regards,
Garvin
Actually, my blog has been more or less a Serendipity-free zone since I started filling the official blog with information as well. Given the occasion: apparently the Christmas season also brings more free time for exploiters, who yesterday a security
Tracked: Dec 01, 10:41
Peter Glaser writes under the headline “Dye To Buy”, which I cannot make sense of: Consumption is the last remaining form of public activity, says the architect Rem Kohlhaas. Like an insect colony, practically every
Tracked: Dec 01, 12:40
I have just updated this blog to Serendipity v1.0.4. As always, the update went absolutely smoothly!
Tracked: Dec 01, 12:57
Today the blog software Serendipity was released in version 1.0.4. This release closes an acute security hole and should therefore be installed by every user. According to the company blog, no new features were included in the release...
Tracked: Dec 01, 20:47
Because of a security leak, which allegedly can only affect a few, a cleaned-up version 1.0.4 of Serendipity/S9y was released today. Important note: to close the security leak completely, quite a few
Tracked: Dec 02, 00:04
Yesterday a security update for Serendipity was released. Download, unpack, copy to the web space and run. As always, totally uncomplicated, via lux
Tracked: Dec 02, 09:42
Seems like there was another vulnerability found in S9Y. So I just updated my blog to the latest release (1.0.4a). Chris and Fox: yep... I updated your blog as well (via laemmy)
Tracked: Dec 02, 11:34
Thanks to Lux, Laemmy & Doomy for the info. Anyone else using S9Y should update quickly too!
Tracked: Dec 02, 14:58
After last night's update to version 1.0.4 of Serendipity (due to a security patch), I decided to change the style of my blog as well. Here are the steps I carried out. After dumping the database I saved the file serendipity_config
Tracked: Dec 03, 17:40