Serendipity 1.6 released
Posted by Garvin Hicking in Announcements, Development at 13:21
The Serendipity Team is proud to present the final release of Serendipity 1.6. We are steadily walking towards a Serendipity 2.0 release and would be happy about any developer who may want to join our cause. The list of things is available on http://www.s9y.org/238.html and open for discussion on the Serendipity Forums.
This new version mainly covers:
- Bundle jQuery by default so that plugin and template authors can more easily provide extended functionality to the frontend
- Support for templates, so that they can also use config-groups like plugins already have (added to bulletproof template)
- Templates can now enable core-provided options like a global navigation setup
- Fixed a bug in the automatic media database synchronization that did not properly add new files with the same basename but different file extensions
- Added a .htaccess parameter to prevent IE9 CSS-trouble
- API changes: Added "shortcuts" to commonly used constructs (language loading, hack protection)
- Several minor feature additions in plugins (Karma, Akismet, Mailer) and the core (comment subscriptions, multiple comment moderation)
- Fulltextsearch improvements with "*" expansion
- Added a "hidden" option for specific author groups, so that their members are not revealed on usual author listings by plugins etc.
- Fixes a backend XSS issue in the karma plugin and media database filtering, thanks to Stefan Schurtz!
The current release can be easily installed on any previous Serendipity installation. Just unpack, upload and visit your admin panel to perform possible database upgrades. Upon first login with an old password, Serendipity will store your old password in the new format - please be sure to make a backup of your Database prior to upgrading, and read the upgrade pointers on Upgrading Serendipity.
Also, this release marks our move from the closing BerliOS service (thanks for the great service during those years) on to our new GitHub repository. Contributions are welcome of course!
Have fun using Serendipity, and let us know on the Forums if you have any issues!
Details about the GitHub migration process, developers please read!
Posted by Garvin Hicking in Announcements, Development, Infrastructure at 17:28
This is just a reference posting to indicate that something important is going on. Please read about the upcoming move of the Serendipity source code repository to GitHub.
Read the posting on the s9y forums
BerliOS closing down, Serendipity moving
Posted by Garvin Hicking in Announcements, Infrastructure at 22:22
Serendipity's code repository has been hosted on BerliOS for several years. Their free service is now closing down, which means that Serendipity will move its version control to a new provider.
The current idea is to migrate SVN over to GitHub.com. This might even motivate some new contributors to get accustomed to the Serendipity core code and make contributing patches easier.
We are planning to move the code repository at the end of October and will keep you posted here. If there are people reading this who are well familiar with Git and especially SVN migration, please step up here or in the forums to help us in the process.
Aside from the SVN service, Serendipity is currently using this infrastructure:
- A self-hosted webserver providing a phpBB board on http://board.s9y.org. This is quite active and will stay in the future.
- A self-hosted wiki software on http://www.s9y.org/ that allows for a custom navigation and wiki documentation by users. We might switch this to another software, but are not happy with the way MediaWiki handles navigation. We'll see if GitHub is an option to power this.
- A self-hosted Serendipity installation on http://blog.s9y.org/
- The http://spartacus.s9y.org/ plugin and theme repository, hosted on SourceForge.Net
- The code repository for plugins and themes, also hosted on SourceForge.Net and maintained through CVS. Depending on the usage license of GitHub, we are looking into whether we can merge plugins/templates and the Core code on GitHub.
- An issue tracker, hosted on SourceForge.net. We might utilize the GitHub-Tracker for this in the future.
- A mailing list that is not very active anymore, also hosted on SourceForge.Net. Since we favor the s9y forums, we might not spend further time on changing this mailing list.
Security fix for flash-based cloud in Freetag plugin
Posted by Garvin Hicking in Plugins, Security at 09:17
MustLive discovered an HTML-injection vulnerability in the tagcloud.swf Flash file that the Freetag plugin bundles and makes optionally available.
The issue is fixed in version 1.23 of the Flash file, which has now been committed to the Serendipity plugin (in version 3.30).
Since the .swf file is always bundled with the update, all users are advised to update to the latest version of the plugin, or to delete that specific .swf file.
Thanks to MustLive for sharing the information with us.
Spartacus plugin: Change in download Mirrors
Posted by Garvin Hicking in Announcements, Development, Plugins at 11:42
Christian Boltz notified us and provided a patch so that the Spartacus plugin can properly retrieve remote files again. This became necessary when SourceForge.net changed their underlying structure.
If you are using Spartacus, you have several ways to fix this issue:
1: Manually download the updated plugin file plugins/serendipity_event_spartacus/serendipity_event_spartacus.php from here: serendipity_event_spartacus.php for Serendipity 1.6 / Development, serendipity_event_spartacus.php for Serendipity 1.5.
2: You can also simply configure your Spartacus plugin and enable the use of Netmirror.org, or you can enter a custom mirror: http://php-blog.cvs.sourceforge.net/viewvc/php-blog/|http://netmirror.org/mirror/serendipity/
3: You can also simply edit your serendipity_event_spartacus.php file and replace all 2 occurrences of the string *checkout* with viewvc.
Thanks to Christian for notifying us!
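Option 3 as a script, as an added example that is not part of the original post or of Serendipity: it keeps a backup, edits only when it finds exactly the two occurrences the post mentions, and treats the asterisks as literal characters. The function name patch_spartacus and the .bak suffix are assumptions.

```shell
#!/bin/sh
# Added example (not Serendipity code): replace the literal string
# *checkout* with viewvc in serendipity_event_spartacus.php.
# patch_spartacus and the .bak backup name are hypothetical choices.

patch_spartacus() {
    ps_file="$1"
    [ -f "$ps_file" ] || { echo "not found: $ps_file" >&2; return 2; }

    # -F matches *checkout* as a fixed string; -o prints one line per hit,
    # so two hits on the same source line are still counted as two.
    ps_hits=$(grep -oF '*checkout*' "$ps_file" | wc -l | tr -d ' ')

    if [ "$ps_hits" -eq 0 ]; then
        echo "no *checkout* in $ps_file (already patched?)" >&2
        return 1
    fi
    if [ "$ps_hits" -ne 2 ]; then
        # The post says there are 2 occurrences; anything else means this
        # is not the file version the instructions were written for.
        echo "expected 2 occurrences, found $ps_hits; leaving file alone" >&2
        return 3
    fi

    # Keep the original next to the patched file so the edit can be undone.
    cp -p "$ps_file" "$ps_file.bak" || return 4

    # Escaped asterisks are literals for sed, not repetition operators.
    # Writing back through the shell redirect keeps the file's permissions.
    sed 's/\*checkout\*/viewvc/g' "$ps_file.bak" > "$ps_file" || return 4

    # Succeed only if no occurrence is left.
    ! grep -qF '*checkout*' "$ps_file"
}

# Usage: sh patch_spartacus.sh /path/to/serendipity_event_spartacus.php
if [ "$#" -gt 0 ]; then
    patch_spartacus "$1"
fi
```

Return code 1 means the file was already patched, 3 means the occurrence count did not match and nothing was changed.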
serendipity_event_freetag: Plugin update, XSS bug
Posted by Garvin Hicking in Announcements, Plugins, Security at 12:00
Thanks to Stefan Schurtz, who reported an XSS issue in the serendipity_event_freetag plugin (SSCHADV2011-004). The issue was fixed in version 3.22 of the plugin; you can fetch the update through Spartacus or download it via Spartacus.s9y.org.
The bug was introduced in version 3.20 of the plugin. Users of the plugin should upgrade: the bug allows malicious users to trick people into visiting a specially crafted link on your blog, which can for example steal cookie login information if you click on such a link.