Serendipity 1.5-beta1 released
Posted by Garvin Hicking in Announcements, Development at 09:59
Serendipity 1.5-beta1 is the first public beta release of the upcoming Serendipity 1.5 version. Some important things have changed under the hood, and we would like to ask our users to try them out and report back to us.
This version mainly addresses login security by changing the way passwords are stored: it now uses salted SHA1 checksums instead of plain MD5 checksums. This makes password retrieval (rainbow table attacks) through the database virtually impossible. Another thing is improved PHP 5.3 compatibility. See more about this in a special blog posting some time ago.
Users of our bundled WYSIWYG editor Xinha now have the ability to easily customize the appearance of this panel through a "my_custom.js" file inside the template directory (a draft of such a file can be found as fallback default in the htmlarea/ subdirectory).
One cool new feature for developers is that templates can now also register themselves inside the plugin API hooks to execute specific things that don't require installation of an event plugin.
Other news include:
- new event API hooks
- fixed PDF thumbnail generation
- ability to auto-scroll on borders when Drag/Dropping plugins
- UTC server time zone support
- improvements in the Smarty functions to make it easier to use Serendipity as a CMS for individual entry output
- quicksearch improvements for doing a wildcard search when too few search results were found on a fixed search term
- support for Typepad anti-spam server checks, in addition to Akismet
The current release can be easily installed on any previous Serendipity installation. Just unpack, upload and visit your admin panel to perform possible database upgrades. Upon first login with an old password, Serendipity will store your old password in the new format - please be sure to make a backup of your Database prior to upgrading. Apart from that, the current beta release is already in production use on many blogs and there are no known problems/issues with this.
Serendipity Packages for Softaculous
Posted by Garvin Hicking in Announcements, Infrastructure at 09:26
Softaculous is a provider for automated web-application installations on cPanel/DirectAdmin environments. They have an automated API for software vendors like Serendipity to be able to set up and install their applications.
Thanks to the hard work of the Softaculous team, they have created a package for Serendipity through their own efforts - many thanks for that!
So you can easily install Serendipity on a Softaculous platform and be able to upgrade to later installations easily. Check out their Demo site to see an auto-installed Serendipity at work. You can also use this as a free demo of Serendipity, including the backend. Softaculous itself also has an admin demo, if you want to have a look at how to automate your installations of web applications.
On the Serendipity@Softaculous-Site, you can also rate Serendipity or contribute reviews. Currently there are none available, so please feel free to both vote and spread the word on Serendipity there!
www.serendipity-templates.org
Posted by Garvin Hicking in Templates at 11:54
Sebastian Spreen contacted us some time ago and offered to help out with a nicer presentation page of Serendipity templates, including some more convenient community features like voting and user-uploads.
His new website Serendipity-Templates.org is a nice addition to spartacus.s9y.org, where only a selection of templates is kept for automated downloads and generic overviews.
So check out his page and tell him how you like it! The Serendipity team always appreciates the creation of sites dedicated to Serendipity, many thanks to Sebastian!
Nominate Serendipity in SF.Net Community Awards
Posted by Garvin Hicking in Infrastructure at 09:40
The SourceForge.Net Community Choice Award Nominations are now open. Nominate Serendipity! :-)
Serendipity Snapshot: New login hashing
Posted by Garvin Hicking in Development, Security at 14:04
For quite some time, Serendipity has used old-fashioned MD5 hashes to secure your passwords for logins to the backend.
Because mechanisms to crack md5 hashes with rainbow tables or even "dictionary hash"-lookups are getting more and more popular, we have decided to finally take the step to raise the serendipity hashing mechanism to something salted, and more secure (SHA1). Even though md5 hashes are still reasonably(!) safe when you use long, randomized passwords, the old-style hashing is a one-way route to hell.
Because Serendipity has always paid high tribute to backwards compatibility, ease of use and ease of upgrading, we have decided to take the "soft" upgrade approach. That means new Serendipity versions will accept your old MD5 login ONCE, and will then use your user-specified password to create the safer hash and store that in the database.
This will help in hypothetical attack situations where someone might have gotten hold of your hash values stored inside the database, because he will no longer be able to reverse-engineer your original password.
We could use help from any developer or beta tester trying out the new functionality. Upgrading to the latest snapshot (get it from the s9y nightly downloads) with Serendipity 1.5-alpha2 will deploy the necessary database upgrades. Note that the one-time MD5 login is only possible in the first 6 months after you performed the installation of this Serendipity version (through a saved timestamp in the database). After that timespan, you can no longer log in with the old password and must reset your password through the Administrator (or manual means, if you are the administrator).
Once you perform the update (do not try this on production blogs currently), everything should continue as usual. If it does not, please report your exact problems here or in the Forums. It is suggested that once you have the new Serendipity version you change your password, so that nobody who might have already gotten your old MD5 hash can use the reverse-engineered password to log in again with the new hash created from the same original password.
Feedback is appreciated. The current mechanism is subject to change and currently more a proof-of-concept - feedback will most definitely lead to improvement. :-)
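The "soft" upgrade described in this post and in the 1.5-beta1 announcement, sketched as an added example that is not Serendipity's own code: the row layout, the per-user random salt, the 183-day reading of "6 months" and all function names are assumptions.

```php
<?php
// Added illustration: field names, the per-user salt and the function
// names are assumptions, not Serendipity's actual schema or API.

const MD5_GRACE_SECONDS = 183 * 24 * 3600; // "first 6 months" after the upgrade

function salted_sha1(string $salt, string $password): string
{
    return sha1($salt . $password);
}

/**
 * Returns [bool $ok, array $user]; $user is rewritten when a legacy hash
 * is migrated. $upgradedAt is the timestamp saved when the new version
 * was installed.
 */
function login(array $user, string $password, int $upgradedAt, int $now): array
{
    if ($user['hashtype'] === 'sha1') {
        $ok = hash_equals($user['hash'], salted_sha1($user['salt'], $password));
        return [$ok, $user];
    }
    // Legacy row: unsalted MD5, accepted only inside the grace window.
    if ($now - $upgradedAt > MD5_GRACE_SECONDS) {
        return [false, $user]; // password has to be reset by an administrator
    }
    if (!hash_equals($user['hash'], md5($password))) {
        return [false, $user];
    }
    // The plaintext is only available at this moment, so re-hash it now.
    $salt = bin2hex(random_bytes(16));
    $new  = ['hashtype' => 'sha1', 'salt' => $salt, 'hash' => salted_sha1($salt, $password)];
    return [true, $new + $user]; // keys in $new replace the legacy values
}

// Constructed sample data.
$upgradedAt = 1240000000;
$alice = ['name' => 'alice', 'hashtype' => 'md5', 'salt' => '', 'hash' => md5('correct horse')];

[$ok, $alice] = login($alice, 'correct horse', $upgradedAt, $upgradedAt + 86400);
var_dump($ok, $alice['hashtype']); // legacy login inside the window, row migrated

[$ok] = login($alice, 'correct horse', $upgradedAt, $upgradedAt + 86400);
var_dump($ok);                     // second login checks the salted hash

$bob = ['name' => 'bob', 'hashtype' => 'md5', 'salt' => '', 'hash' => md5('hunter2')];
[$ok] = login($bob, 'hunter2', $upgradedAt, $upgradedAt + MD5_GRACE_SECONDS + 1);
var_dump($ok);                     // legacy login after the window has closed
```

The migrate-on-login structure carries over to stronger schemes: on current PHP, password_hash() and password_verify() would take the place of salted_sha1() and the hash_equals() comparison.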
Serendipity 1.4.1 released
Posted by Garvin Hicking in Announcements, Development at 11:33
Serendipity 1.4.1 has been released. This is mainly a bugfix release for the update of the bundled Smarty library, which fixes issues with Serendipity 1.4.
Other small fixes include better antispam checks for pingbacks (they were too strict before), an update to the SQL index key creation of the statistics plugin and removal of error messages on open_basedir-enabled servers.
You only need to upgrade to Serendipity 1.4.1 if one of the mentioned bugs affects you. Updating is easy and documented online.


