A Serendipitous Birthday Present

On March 29th in 2003, Jannis Hermanns officially renamed his jBlog to Serendipity. Now, 13 years later, we are still actively working on improving what was meant to be a simple and expansive blogging infrastructure.

In April, we will have our second user/developer meetup in Germany (Essen) and hopefully decide on a couple of remaining issues for releasing version 2.1 of Serendipity and launching the currently "work in progress" version of docs.s9y.org. This new page will better present Serendipity and offer new and more streamlined documentation.

A few years ago, a Serendipity Book was published in german language by Garvin Hicking, which was later open-sourced and put into our documentation repository. Out of this, our fellow core developer Ian (Timbalu) has put an awesome amount of time and effort into updating this german documentation for recent Serendipity versions.

You can find this on docs.s9y.org/Book/ and you will see that it is still marked as "Draft" - which means, we would appreciate your feedback and input. We do hope to get this book translated to english at some point, any help on this is appreciated.

On behalf of the team, many thanks to Ian (Timbalu) and we're excited to keep making Serendipity be a great blogging tool for your needs.

Serendipity 2.0.3 released

Happy new Year! Serendipity 2.0.3 has just been released to address a XSS security issue found and reported by Onur Yilmaz and Robert Abela from Netsparker.com. Thanks a lot for contacting us and working with us to address the issue.

The issue only affects logged-in authors, where HTML can be inserted into the comment editing form when they click specially crafted links. Due to the required authentification we consider the issue of medium impact, but suggest everyone to perform the update.

We are currently still working on an improved s9y.org presentation page and its documentation, as well as on the 2.1 branch of Serendipity - check out our current 2.1 changelog, if you are interested and willing to help testing!

Serendipity 2.0.2 Security Fix Release

Thanks to the report of Tim Coen (of Curesec GmbH) we were able to adress three security issues in the Serendipity Code.

The first issue was found because authenticed authors are allowed to upload files with extension .pht(ml), that can be executed for PHP code on Apache webserver configurations that use this suffix. If your blog allows upload access for untrusted authors, you should regard this issue as a critical risk.

The second issue is a missing escaping of comment approval tokens, when enabled in your blog which allows for possible SQL injection for data leak and DOS, and also an authenticated user must be tricked into clicking a specifically crafted URL to exploit this (medium risk).

The third issue is missing escaping of a commenting user's name by a javascript of the 2k11 theme (used by default) which is triggered when a user clicks on the "Reply" link (medium risk).

We have prepared two new releases for each of our currently maintained Serendipity version branches and suggest to update your Serendipity version:

  • 2.0.2 is the recommended release
  • 1.7.9 is the hotfix release for everyone not yet running Serendipity 2.x (you should!)

Check out the download locations for the release files.

Of course, everyone who is using our Github repository to checkout the Serendipity files will get the patches by pulling our 2.0 branch or the master (2.1.x) for our current development version.

Updating Serendipity is painless; upload/checkout the release files and go to the Administration suite where you can confirm the upgrade. Also, by using the auto-update plugin you can install the blog from within your administration suite once we are able to upload the release to our SourceForge repository (which is down right now).

We are happy to be able to coordinate this release with Tim and provide improved security for our users.

Serendipity on Scaleway

Our core-developer onli has created a Serendipity-Bundle for the "Baremetal SSD cloud server" service Scaleway, which allows an easy deployment of Serendipity on those servers.

A (german) write up of this can be found in his blog article. Have fun using/testing this!

Serendipity 2.0.1 released

Serendipity 2.0.1 has just been released. This is the first maintenance release which fixes a couple of minor issues, and one security-related issue where improper escaping of category names can lead to a possible XSS attack. This atnly be performed by authenticated editors, so we consider it medium-impact. If you run a multi-user blog with untrusted authors, you are urged to upgrade to the new release. Many thanks to Edric Teo for reporting this issue to us, which could then be fixed within the same day.

Some other notable bug fixes are:

  • Report errors, if inclusion of JavaScript files may throw PHP errors to help in diagnosing an installation
  • Support for user.css backend CSS additions, without needing to edit the 2k11 backend theme.
  • Some JavaScript fixes for the backend, better theme fallback methods.

As usual the complete list of changes can be see in our docs/NEWS-file. Upgrading is simple as always: Download the release, unpack, upload, say hi to our upgrader, done.

Serendipity Camp 2015 and the near future of Serendipity

This weekend marked the first time a couple of developers and users finally shared a room and their faces with each other. We hope this was only be the first time, and will be repeated at least annually.

Our goal for this weekend was to connect names to faces, get to know each other and discuss the past and future of Serendipity. Seen from both viewpoints, users and developers.

Luckily, the kind people of the Linuxhotel in Essen (Germany) have a great offer for OpenSource projects like us: comfortable rooms, food, wifi and a special ambience for a price that is hard to beat. Thanks so much for having us!

Also, the city of Essen was a good middle ground for most of our people to meetup (from left to right):

Continue reading "Serendipity Camp 2015 and the near future of Serendipity"