Serendipity

Serendipity 1.3 has finally been released. The new release is mainly a feature consolidation release, but also contains XSS security fixes:

• The karma rating plugin has been upgraded to support nice, CSS-based rating graphics (see this post) and an overall rehaul on the its coding.
• Make the Spartacus plugin be able to use FTP upload, a workaround for SafeMode PHP restrictions. Also add a remote backend for plugin update checks.
• An importer for phpNuke and lifetype has been added.
• Support for pingbacks has been improved a lot. Trackbacks can now be blocked based on Sender IP checks.
• Add better CSS styling for some internal plugins and the embedding of images. Also made the Remote-RSS plugin to be capable of Smarty-Templating.
• Increased Smarty templating features for the {serendipity_fetchPrintEntries} function, to be able to check for entry properties.
• Add support for SQRelay.
• Minor CSS and graphic updates to the Bulletproof template.

The full list of 41 changes to this release are documented within the NEWS file.

Regarding Security, the bundled Smarty library has been updated to version 2.6.19 and adresses an issue in environments where the PHP security mode is required. Also, the new Serendipity release contains tighter backend XSS checks so that environments with untrusted authors can be more secure - many thanks to Hanno Böck for addressing this. Most importantly, an issue with XSS attacks within received trackbacks has been discovered by Peter Hüwe and was fixed.

The update is easy as usual, and recommended for Serendipity users - especially if you do not regularly moderate or check your incoming trackbacks.

Upgrade pointers can be found in the FAQ and is as easy as just to upload the new files.

Have fun!

Serendipity 1.3-beta1 has been released. This beta is considered a release candidate before the final 1.3 release, which is scheduled to be released at the end of this month.

The Freetag plugin has been updated to version 2.96 to fix a possible XSS to the tagcloud output.

XSS attacks can be used by visitors to display foreign HTML or JavaScript to visitors of the blog, if they visit specially crafted URLs. This attack basically allows for cookie stealing.

Users of the freetag plugin should upgrade to the latest version; upgrading via Spartacus-Plugin or Spartacus.s9y.org is just a matter of a few minutes. Thanks to Alex from Bitsploit.de for reporting this issue to us.

(This posting is written in german, as it currently only has relevance for german readers)

Wie man jetzt in meinem Blog auf der linken Seite erkennen kann, ist das von mir geschriebene offzielle Serendipity-Handbuch seit kurzem vorbestellbar.

Rund 700 Seiten liegen dem Verlag derzeit zur Korrektur und Verfeinerung vor, prall gefüllt mit ausführlichen Beschreibungen von allem, was mit Serendipity zu tun hat.

Viel Herzblut und Freizeit ist in das Buch geflossen, und ich hoffe damit sehr, den Nutzern endlich eine vollständige Dokumentation in die Hand geben zu können. Gleichermaßen ist es auch für Neulinge zum System gedacht, da alle Aspekte des Systems beschrieben werden.

Wer jetzt vorbestellt, kann dafür sorgen, dass das Buch etwas zügiger erscheint - und ihr es auch direkt in den Händen halten könnt. Der derzeitige Veröffentlichungstermin ist für Mai 2008 angepeilt. Vorbestellungen werden sowohl über Amazon, OpenSourcePress als auch bei jeder Bücherei angenommen.

Serendipity 1.2 has been well received by the community, there were only very few minor bugreports. Those have been addressed in the Serendipity 1.2.1 maintenance release, available now.

The new Serendipity version also includes some new Bulletproof Theme options (user-customized stylesheets) and addresses some very minor browser quirks. If you're using Bulletproof, it is suggested you perform the update.

Also this new version addresses a security issue in the Remote RSS sidebar plugin (reported by Hanno Böck), which did not properly treat links coming from an RSS feed, which could lead to possible XSS attack vectors, if you are showing foreign feeds that might distribute malicious content to you. If you're using this plugin with an unsafe RSS feed, you should upgrade Serendipity.

Serendipity 1.2.1 features a new WPXRSS importer and can import the new WordPress 2.3 database structure All bug fixes have also been applied to our current 1.3-release tree. This release currently features some new Smarty-Templating convenience features, a remote spartacus version information interface, full pingback support, a LifeType blog importer and support of SQLRelay.

Upgrading Serendipity is very easy, have a look at the FAQ. The new version is available on the Serendipity download page.

Enjoy Serendipity and have a nice Christmas time!

The Serendipity Anti-Spam plugin allows to utilize the blogg.de IP blacklist service to block spam. Their service seems to have ceased existence, or at least is rejecting connections. This can lead to comments to your serendipity blog to be rejected. You can easily disable the blogg.de blacklist service in your Anti-Spam plugin configuration.

Note that this option is by default disabled in Serendipity since blogg.de announced that they are no longer actively maintaining the blacklist. A well fit alternative to this service is the Akismet API, which the spamblock plugin also supports.