Update effort of Serendipity 3.0

There is yet work to be done!

We are trying to move Serendipity to properly utilizing composer and being installable via composer, as well as allowing official Docker images for Serendipity, so that it can be easily tried out or maintained.

That is a lot of work, and we can use any help we get.

Please check out the GitHub issue about this and the Git Repository with README on the planned changes.

The easiest way to get in touch with us about this is via the GitHub issue, if you are interested. Cheerio, onward and upward! To Serendipity and beyond! .... the class? anyone? anyone? Bueller?

Serendipity 2.5.0 released (Maintenance and security)

We are very happy to announce the availability of the final release for Serendipity 2.5.0, our new stable version! 2.5.0 contains the changes that were part of the 2.5-beta1, plus some additional changes.

With this version 2.5.0, Serendipity works with PHP 7.4 up to and including PHP 8.2. We also got positive reports about the compatibility with PHP 8.3, but this newest PHP version is not yet officially supported by us. The compatibility with PHP 8.2 is the main purpose of this release.

In this version, we further worked on how the bundled dependencies are managed. They got updated for PHP 8.x support, including some legacy dependencies where it was missed before, and more of them are now managed by the dependency management system composer. For those changes the file placement under bundled-libs/ has changed a bit, with wrappers added for compatibility. Despite those wrappers for backwards compatibility, authors of custom plugins that relied manually on files under bundled-libs/ are advised to check that their plugins still work.

The release contains some additional changes to 2.4.0, like bundling the webfonts used by the default theme 2k11, to avoid legal issues in Germany, fixes for an incompatibility with MySQL 5.7, fixes for the usergroup permission display and an improved russian translation.

It also fixes a potential security issue discovered for this project by @hannob, by removing the prior included composer.phar. That file was only useful for developers, but could be misused in some specific server environments. Though the necessary conditions for the attack are not a given, since this is a security fix a timely upgrade to 2.5.0 is highly recommended to all existing serendipity installations. As another possible mitigation, you can safely delete the file "composer.phar" in your root directory.

Upgrade hints: If you see errors when extracting this release archive that mention bundled-libs/, delete said folder in your old installation and extract the archive again. If you run an older version of serendipity than 2.4.0 and/or if you are not using PHP 8.x yet, please have a look at the PHP 8 upgrade guide.

If you encounter bugs, please report an issue here at Github or open a thread in our forum. The forum is also the right place for general questions and support.

The project thanks all contributors to the release, including the testers and issue reporters.

MD5: 1dfb1f34483038179ac511666de60b8f

Link: https://github.com/s9y/Serendipity/releases/tag/2.5.0

serendipity_event_freetag: Security update

Together with the security-release of Serendipity 2.1.3, a possible SQL injection has been reported in the serendipity_event_freetag plugin, reported by Brian Carpenter (geeknik) and Hanno Böck. Many thanks for reporting this.

The issue has been fixed in version 3.69 of the plugin which you can install through Spartacus (or manually).

Greetings from Serendipity #s9ycamp

Our group of developers says "Hi!" from the Linux-Hotel in Essen. We met up for the third time (thanks for hosting us!), and it was entertaining and productive as ever - great to have such a nice community and same-spirited people.

We mainly worked on releasing Serendipity 2.1, addressing some last-minute PHP7 things and went through our open issues.

We also talked a lot about coming features for the next Serendipity version, how we want to implement responsive images, improve on our login/hashing framework and went through all of our plugins to see how we can consolidate some of them and remove deprecated ones.

Serendipity 2.1.1 released

Sadly a regression slipped into our Serendipity 2.1.0 release, which made it impossible to reset a plugin configuration variable to a FALSE/empty state and indicate the proper state in the plugin configuration. We have fixed this in 2.1.1 and changed the release announcement to point directly to 2.1.1.

Serendipity 2.0.5 and 2.1-beta3 released

Serendipity 2.0.5 is a maintenance security release which addresses these issues:

  • [Security] Improve preventing fetching local files, thanks to Xu Yue.
  • [Security] Prevent XSS in adding category and directory names, thanks to Edric Teo @smarterbitbybit, CVE-2016-9681.

Alongside a new Serendipity 2.1-beta3 version has been released, with the same fixes plus some more progress on the road to the 2.1 release.

Simply upgrade by unpacking and uploading the release file and confirming our web-based upgrader.