Security

Serendipity 1.3.1 has been released. This is a bugfix and security related release, basically adressing a potential XSS issue within the Top Referrers plugin as well as hypothetical XSS issues with the installer.

This release also adresses some basic PostgreSQL8 related problems, because implicit type casts have been removed from this version, causing breakage with several Serendipity core features. The fix for this is only partial and will still happen in (less common) functions of Serendipity. There is no ultimate solution to this because implicit type casts are required for certain entryproperty operations. Maybe the PostgreSQL8 team will think about if implicit type casts are not also quite helpful. ;-)

The only new feature addition is the exposition of a new smarty {serendipity_getImageSize} function.

This upgrade is recommended for users that use the Top Referrers plugin and new installations of Serendipity. Many thanks to Hanno Böck, once again, for reporting (and fixing) the two XSS issues (CVE-2008-1385 and CVE-2008-1386)!

You can find the new release on the s9y.org download page. Upgrade by simply uploading the deflated archive files to your webspace.

Serendipity 1.3 has finally been released. The new release is mainly a feature consolidation release, but also contains XSS security fixes:

• The karma rating plugin has been upgraded to support nice, CSS-based rating graphics (see this post) and an overall rehaul on the its coding.
• Make the Spartacus plugin be able to use FTP upload, a workaround for SafeMode PHP restrictions. Also add a remote backend for plugin update checks.
• An importer for phpNuke and lifetype has been added.
• Support for pingbacks has been improved a lot. Trackbacks can now be blocked based on Sender IP checks.
• Add better CSS styling for some internal plugins and the embedding of images. Also made the Remote-RSS plugin to be capable of Smarty-Templating.
• Increased Smarty templating features for the {serendipity_fetchPrintEntries} function, to be able to check for entry properties.
• Add support for SQRelay.
• Minor CSS and graphic updates to the Bulletproof template.

The full list of 41 changes to this release are documented within the NEWS file.

Regarding Security, the bundled Smarty library has been updated to version 2.6.19 and adresses an issue in environments where the PHP security mode is required. Also, the new Serendipity release contains tighter backend XSS checks so that environments with untrusted authors can be more secure - many thanks to Hanno Böck for addressing this. Most importantly, an issue with XSS attacks within received trackbacks has been discovered by Peter Hüwe and was fixed.

The update is easy as usual, and recommended for Serendipity users - especially if you do not regularly moderate or check your incoming trackbacks.

Upgrade pointers can be found in the FAQ and is as easy as just to upload the new files.

Have fun!

The Freetag plugin has been updated to version 2.96 to fix a possible XSS to the tagcloud output.

XSS attacks can be used by visitors to display foreign HTML or JavaScript to visitors of the blog, if they visit specially crafted URLs. This attack basically allows for cookie stealing.

Users of the freetag plugin should upgrade to the latest version; upgrading via Spartacus-Plugin or Spartacus.s9y.org is just a matter of a few minutes. Thanks to Alex from Bitsploit.de for reporting this issue to us.

Serendipity 1.2 has been well received by the community, there were only very few minor bugreports. Those have been addressed in the Serendipity 1.2.1 maintenance release, available now.

The new Serendipity version also includes some new Bulletproof Theme options (user-customized stylesheets) and addresses some very minor browser quirks. If you're using Bulletproof, it is suggested you perform the update.

Also this new version addresses a security issue in the Remote RSS sidebar plugin (reported by Hanno Böck), which did not properly treat links coming from an RSS feed, which could lead to possible XSS attack vectors, if you are showing foreign feeds that might distribute malicious content to you. If you're using this plugin with an unsafe RSS feed, you should upgrade Serendipity.

Serendipity 1.2.1 features a new WPXRSS importer and can import the new WordPress 2.3 database structure All bug fixes have also been applied to our current 1.3-release tree. This release currently features some new Smarty-Templating convenience features, a remote spartacus version information interface, full pingback support, a LifeType blog importer and support of SQLRelay.

Upgrading Serendipity is very easy, have a look at the FAQ. The new version is available on the Serendipity download page.

Enjoy Serendipity and have a nice Christmas time!

The Serendipity Team is proud to present the final release and immediate availability of Serendipity 1.2.

This release is a feature consolidation release and focuses on small usability improvements, a shiny new template (bulletproof) as well as backend templating and backend login mechanisms as well as some tighter security restrictions.

Some more changes in depth are:

• Templates: The new bulletproof template is an awesome example to show off Serendipity's cool template options. This template allows you to easily configure the look of your Serendipity site: Place navigation links, choose sidebar layouts, indicate if you want to use/show trackbacks and comments, pick your custom header image or even custom colorsets. Don Chambers, Matthias Mees and David Cummins as well as other contributors have worked very hard on this template that provides an awesome, unified template structure. Go to their site at http://s9y-bulletproof.com to check out the details!
• Templates: The admin backend (overview page and entry editor) can now be styled via Smarty and gives you the full flexibility to make a custom look of the backend. Plus, more CSS classes have been added to the default admin theme that make CSS-only changes much easier. Templates now also can have large preview images by clicking on their thumbnail.
• Usability: Moved the problematic option to withdraw your own privileges from personal configuration to the user configuration panel.
• Feature: Added SQLite3 and PDO:PostgreSQL support.
• Feature: Allow to configure whether article overviews for a certain category should include articles of subcategories or not.
• Performance: Improved SQL performance for archive overview generation and permalink lookups.
• Plugins: Plugins can now hook in much earlier to make external authentication easier (like trough the OpenID plugin).
• Spam: Enhanced the spamblock plugin with captcha previews, .htaccess generation and some more options.
• Security: Stronger autologin cookie encryption and template option handling, thanks (once again) to Stefan Esser. Proper session fixation prevention, thanks to David Vieira-Kurz.
• Bugfix: Sending pingbacks now properly works.
• Bugfix: The Track-Exits plugin now properly tracks links in conjunction with the caching of the entryproperties plugin.

The full list of changes can be found in the NEWS-file of the release.

You can download the new release as always on the Serendipity homepage at http://www.s9y.org/3.html. Updating is easy: Just upload the new files, visit your Serendipity installation and let the upgrader do the rest.

After the upgrade you might want to purge your browser's cookies (due to the new authentication mechanism of Serendipity 1.2) to prevent login problems. Detailed upgrade instructions can be found in the FAQ on our website.

Enjoy Serendipity, and thanks to everyone who participated in the release process!

For the team,
Garvin.

Thanks to Erich Schubert, we were made aware of a bug and security issue in the Plugin Extended properties for entries. Since this plugin is delivered with the core release, we have created a new Serendipity release for both the current stable 1.1 version tree, as well as a new 1.2 beta version.

Serendipity Users that are using the mentioned plugin do not need to upgrade the full release, they can just fetch the updated version of the plugin through this direct link. Put that updated file into your plugins/ serendipity_event_entryproperties/ serendipity_event_entryproperties.php file.

The actual bug was, that people were able to deliver custom entryproperties settings to the Serendipity Frontend via a HTTP-Request, which made them able to bypass a possibly used passwort protection. Any other restriction of viewability of entries done via category read-privileges were not affected, though.

Bottom line is: If you are using password protection for entries, this security update is mandatory for you. Also if you were generally using the entryproperties plugin (which is not installed by default in Serendipity), you are urged to update your plugin. Only people not using this plugin need not care about this issue.

You can download the new full releases as always on the Serendipity download page.