New security/bugfix release: Serendipity 0.8.3 is out
Posted by Garvin Hicking in Announcements, Security
Comments (9)
Trackbacks (11)
There's good and bad news.
The bad news is:
- A possible Cross-Site Scripting (XSS) injection, reported by Ilia Alshanetsky (thank you!), allows commenting users to inject special markup into your entry.
- Another bug was found in the handling of received comments. It was possible to submit comments for non-existing entries; this still caused mails to be sent to the owner of the blog, and the comment data allowed injecting headers into that e-mail. Ultimately this could lead to your server being used for sending specially crafted emails.
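The two checks that the comment-mail bug above calls for, modelled in Python as an added example (this is not Serendipity's own PHP code; the entries table, addresses and function names are constructed for illustration): a comment must reference an existing entry before any mail is built, and every commenter-supplied value that lands in a mail header is rejected if it contains CR or LF, because that is what lets extra headers be appended. The From address comes from configuration (as the new blog e-mail directive in this release does), never from the commenter.

```python
import re
from typing import Dict, Tuple

# Constructed stand-in for the blog's entries table: entry id -> data.
# Only entries present here may trigger an owner notification.
ENTRIES = {
    53: {"title": "Serendipity 0.8.3 is out", "owner_email": "owner@example.org"},
}

# A CR or LF inside a header value terminates that header, so whatever
# follows it would be parsed by the MTA as further headers (Bcc, To, ...).
_CRLF = re.compile(r"[\r\n]")


class HeaderInjection(ValueError):
    """Raised when a user-supplied value destined for a header contains CR/LF."""


class UnknownEntry(LookupError):
    """Raised when a comment references an entry id that does not exist."""


def header_safe(value: str, limit: int = 200) -> str:
    """Reject CR/LF outright rather than silently stripping it, and bound the length."""
    if _CRLF.search(value):
        raise HeaderInjection(f"CR/LF in header value: {value!r}")
    return value.strip()[:limit]


def build_notification(entry_id: int, author: str, author_mail: str, body: str,
                       blog_mail: str = "blog@example.org") -> Tuple[Dict[str, str], str]:
    """Return (headers, body) of the owner notification for a new comment, or raise."""
    # Check 1: a comment on a non-existing entry must not produce any mail at all.
    entry = ENTRIES.get(entry_id)
    if entry is None:
        raise UnknownEntry(f"no entry with id {entry_id}")
    # Check 2: every user-controlled value that lands in a header is filtered.
    # The From address is taken from configuration, never from the commenter.
    headers = {
        "From": blog_mail,
        "To": entry["owner_email"],
        "Reply-To": header_safe(author_mail),
        "Subject": f"New comment by {header_safe(author)} on: {entry['title']}",
    }
    # The body is free text; newlines there are harmless because render()
    # has already terminated the header block with a blank line.
    return headers, body


def render(headers: Dict[str, str], body: str) -> str:
    """Serialise to the wire format handed to the MTA: headers, blank line, body."""
    return "\r\n".join(f"{k}: {v}" for k, v in headers.items()) + "\r\n\r\n" + body
```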
The good news is:
- Serendipity 0.8.3 has been released, which fixes these bugs.
- The upgrade is once again very easy: download the release, unpack the files to your webspace (overwriting old files, but keeping your personal plugins/templates/media files), open your blog administration and click on "Perform update". Always be sure to make a backup of your old files and database tables first, and make sure that the files serendipity_config_local.inc.php and .htaccess are writable for your PHP/webserver user. If you have made manual changes to any of the bundled files, we suggest you connect to our CVS or SVN repositories and make a diff of your changes.
- The XSS only allows for a reduced set of malicious exploits to occur. And as most of you authors probably check the comments of your users on your blog, you would easily spot a user posting "bad code".
- The current generation of "advanced web scanners", which scan HTML pages for XSS attacks, no longer finds any XSS loopholes on the pages produced by Serendipity.
The even better news is that new features are also introduced:
- We used the opportunity of a new release to backport some more (minor) bugfixes from the upcoming 0.9 release and to update our bundled libraries.
- Full Korean language support, with translation of almost all plugins, thanks to Wesley Hwang-Chung.
- New template hooks that allow plugins (serendipity_event_pagenugget) to output header/footer HTML nuggets.
- New configuration directive to configure the blog e-mail address used for sending comments.
We are very sorry for the inconvenience this may cause you. We are trying hard to deliver all of our users a blog application that is as secure and feature-loaded as possible, but since we are all fallible humans there are always errors that slip through, in every project, be it open source or commercial. We take it as a chance and opportunity to fix the bugs and issues reported to us and to improve Serendipity into the most stable blogging system available. This year has brought many XSS vulnerabilities and has raised the overall attention to code quality, which we feel is a good thing for every project.
Please also note that we are working hard on the upcoming 0.9 version of Serendipity. It introduces flexible and granular privilege control, custom permalinks, per-category templating, UTF-8 languages and much, much more. Read our ChangeLog for more information and check out the nightly snapshot in our download area. Feedback, as always, is appreciated.
In the end, have fun with Serendipity! :-)
Download link: Serendipity 0.8.3
On behalf of the Serendipity Team,
Garvin
> UTF-8 languages
I'm looking forward to those features, so there will be no need for me to convert the files manually.
And Wesley is right about the bugs - all bugs and issues fixed are always fixed in the latest development release and backported to branches after that.
Is it likely that 0.9 will be released within the next two months?
I am asking, because I can't do the updating alone and wonder whether I should ask a friend to help me now or rather wait for the 0.9 version. (Currently I am using 0.72)
But it turns out the feed no longer validates, so my RSS/Atom reader gets confused and calls it an invalid feed.
I tried in Firefox, and it says:
XML Parsing Error: mismatched tag. Expected: .
Location: http://blog.s9y.org/feeds/atom.xml
Line Number 278, Column 68.
You should nevertheless upgrade to 0.8.3 ASAP! There are serious XML-RPC bugs on versions prior to 0.8.2, and you should be aware that versions prior to 0.8.3 are vulnerable to XSS attacks. If you moderate every comment, this is not the most serious issue, but XML-RPC is.
Keilaron: You should always use the RSS 2.0 feeds; Atom feeds are often likely to break because of their strict XHTML compliance! I fixed the error now, but others might always happen...
Regards,
Garvin
New bugs, new release, something to do again (Oh, s9y is now backporting too ...)
Tracked: Aug 04, 18:43
The new point release of Serendipity (s9y), version 0.8.3, came out a few hours ago, which can be found in the official download page. This marks the first official s9y release with full Korean support, completed by yours truly. Previously, the first s9y
Tracked: Aug 04, 19:31
An update to 0.8.3 for my blog engine Serendipity came out today. Barely downloaded, it is already installed...
Tracked: Aug 04, 21:19
The best blog in the world is now available in a further bug-fixed version with even more flavour and even fewer security holes. More details on that from the makers themselves. This upgrade is recommended.
Tracked: Aug 05, 00:29
Yet another update: because of an XSS hole in version 0.8.2 I have just updated S9Y to the latest version 0.8.3. The update worked without problems, as always. More about the urgently recommended update can be found in the S9Y blog.
Tracked: Aug 05, 05:35
The release of S9Y 0.8.3 was announced in the S9Y blog. Two security holes are fixed: one hole offers the possibility of an XSS attack in the comment system. The other one likewise uses the comment system to send manipulated mails
Tracked: Aug 05, 08:49
I have never done an update of S9Y before. Last time I just moved and installed the newest S9Y (0.8.2) in the process. Now there is a security update that closes a hole for XSS attacks in the comment system. Well then, I am
Tracked: Aug 05, 11:37
A fixed cross-site scripting hole and a hole in sending mails after comments, those are the bigger changes in the new S9Y version. Details are here, the download is here.
Tracked: Aug 05, 13:39
Again a vulnerability was found in S9Y. I just updated to the latest release 0.8.3. As you can read in the S9Y blog, it's really urgent to update. Read more about it: http://blog.s9y.org/archives/53-New-securitybugfix-release-Serendipity-0.8.3-is-out.html
Tracked: Aug 05, 22:06
That's how it goes. You set up your system and it runs and runs and runs .... (No, I don't mean the Duracell bunny.) But in doing so I completely slept through the update to the newest version of Serendipity. Not even my
Tracked: Aug 10, 17:18
I am starting to like my "desktop news aggregator" Straw more and more, since with its help I keep a wonderful overview of the various newsfeeds and other niceties that I follow every day. Among them, of course, is the Serendipity-
Tracked: Aug 11, 01:00