New Serendipity Releases: 1.0.1 and 1.1-beta1
Posted by Garvin Hicking in Announcements, Development, Security at 11:25
The Serendipity Team is proud to offer two new releases:
Serendipity 1.0.1 addresses a few minor bugfixes in the otherwise very well-received 1.0 stable release. Those are related to utf8-iconv conversion on older PHP setups, sending comment mails to users without an email address and a WYSIWYG image insertion issue.
The most important fix and reason for the 1.0.1 release is a security issue that has been reported by Sebastian Nohn using the cool new Security-Scanner Chorizo. The only issue reported by Chorizo was the possibility for users who can add plugins to the installation (usually only Administrators) to insert file references to other arbitrary PHP files that are then included. We feel this has a minor impact, because usually all administrators would already have full access to the PHP filebase and could include remote files by different means. Also note that users with safemode/open_basedir restrictions would not be affected by this.
Users with multi-user installations who give plugin access to untrusted users are urged to upgrade to the latest release!
Serendipity 1.1-beta1 brings the long awaited new features to a first public release. The 1.1-alpha versions have been tested quite well in the past and are thought to run quite stably.
The 1.1 version brings those major new features (also see an earlier blog entry for details):
Serendipity 1.0 released!
Posted by Garvin Hicking in Announcements, Development, Infrastructure, Security at 18:40
The Serendipity Team is proud to announce the final release version of Serendipity 1.0, an advanced and flexible blogging/cms web application. With its comprehensive feature set, including multiple authors, internationalization, templated output, and an open plugin architecture, Serendipity's stable 1.0 release is ready to become the most popular Web application in the world!
INTRODUCTION
Serendipity is a PHP-powered weblog application which gives the user an easy way to maintain an online diary, weblog or even a complete homepage. While the default package is designed for the casual blogger, Serendipity offers a flexible, expandable and easy-to-use framework with the power for professional applications.
Casual users appreciate the way Serendipity's sophisticated plugin architecture allows you to easily modify both the appearance of your blog and its features. A single click installs any of more than 120 plugins, instantly enhancing your blog's functionality. No need to edit code! Likewise, one click installs any of more than 40 official templates, so your blog looks the way you like it. And Serendipity's SPARTACUS plugin automatically checks the central repository for upgrades and new functionality whenever you check the list.
Advanced users value Serendipity's Smarty templates for combining simplicity with well-documented web standards. It makes minor modifications trivial, but provides the power to unleash your creativity and completely customize your site! Serendipity's outstanding support gives you the confidence to be adventurous, too.
Programmers and other technical users commend Serendipity for its fast, stable, clean PHP code. While beginners can learn from Serendipity, advanced programmers can easily make complex modifications. Serendipity is programmed in PHP, long recognized for its ideal blend of power, simplicity, and speed. Serendipity's BSD licensing ensures that programmers around the world can learn from it and improve it.
Users of other blogging/CMS applications are already switching to Serendipity, thanks to its easy customization and outstanding support. Corporate users are taking advantage of Serendipity's unparalleled flexibility to set up fast, simple CMS sites.
Serendipity's basic features include something for everybody, from the personal blogger to the professional corporate web designer:
- WYSIWYG and HTML editing
- Built-in, powerful media database
- Multiple authors, configurable permission/usergroup system
- Threaded comments, nested categories, post to multiple categories
- Multiple languages (internationalization)
- Online plugin and template repository for easy plug-and-play installation
- Cool plugins: category-based sub-blogs, podcasting, RSS planet/aggregator, static pages
- Robust spam blocking
- One-click upgrading from any version
- Can be embedded into your existing web pages
- Standards-compliant templating through Smarty, remote blogging via XML-RPC
- BSD-style licensing
- Multiple Database support (SQLite, PostgreSQL, MySQL, MySQLi)
- Shared installations can power multiple blogs from just one codebase
- Native import from earlier blog applications (WordPress, Textpattern, MoveableType, bblog, ...)
Of course, Serendipity has far too many other features to list!
NEW FEATURES / FIXES
The Serendipity team has been working hard to produce what we think is the best blog in the world. Since our most recent prerelease, we've updated the installation screens, added new languages (Polish, Turkish, and Tamil), made our RSS feeds templatized, improved the spam filters with Akismet support, and fixed every known bug.
But there's even more to like about Serendipity! Here are a few other recent improvements:
- Completely new, fresh default template from the contest winner, Carl Galloway!
- Fixed all known bugs, making the 1.0 release of Serendipity the most stable version ever
- MORE Spamblock improvements (Blacklists, stronger Captchas, Akismet, improved ruleset filtering, bypass captchas for registered users)
- Improved language handling facilities for better co-operation with multilingual entries
- Enhanced templating (hiding sidebars, including extra entries anywhere in template)
- One-click editing of static sidebar HTML
- Full phpDoc code documentation for all Serendipity functions
- New Pivot Blog importer
- Bugfix: UTF-8 in permalink and markup
- Bugfix: Correct comment counts
- Bugfix: Recode UTF-8 trackbacks to mismatching blogs
- Bugfix: Better XHTML and CSS output for internal plugins
And those are only the highlights! See the docs/NEWS file in the release file for the full list of changes.
UPGRADING
Upgrading from any version (even previous beta or alpha versions) to Serendipity 1.0 is startlingly easy: just unpack the release files to your existing Serendipity directory, go to your admin panel, and confirm the upgrade process. Serendipity automatically upgrades your database and informs you of important changes. If you are upgrading from a version prior to Serendipity 0.8, be sure to read this upgrade pointer: http://www.s9y.org/index.php?node=63
THE FUTURE
Just because we've completed the stable 1.0 release version, don't think we're out of ideas! The Serendipity Team has already been working hard on version 1.1. This huge effort has already provided a vastly improved media database, supporting ID3/EXIF evaluation, on-the-fly synchronization with the filesystem, annotations (all customizable through templates) and a new explorer-like interface to the media files. Also, all media directories can now have individual permissions.
We've also enhanced usability, so you can temporarily disable event plugins, customize theme options like colorsets and menus, and enable or disable specific markup plugins for each entry! We are also constantly improving the user interface and adding drag'n'drop support for arranging plugin items easily.
To participate in the future of Serendipity, try out the latest Serendipity 1.1 snapshots, and visit us on the forums.
THANKS
Serendipity 1.0 marks the end of a very long development cycle that started in 2002. Many beta-releases have been issued since, keeping us closely in touch with the community, fixing bugs and offering features our users really wanted.
The team would like to thank everyone for reporting the issues they found and telling us developers what you really want from your blog. Visitors to the forums will see how much of their feedback was implemented into Serendipity 1.0!
Refining Serendipity's documentation and appearance was critical to the release of Serendipity 1.0. Thanks to the great help of Carl Galloway, David Cummins, Judebert, ceejay and Martin Jacobsen, Serendipity not only has a new default theme, but a new logo and website. We couldn't have done it without their help, or the help of the community that participated in that public process. In recognition of that outstanding community, the new logo includes multiple individual circles, grouped as a platform. From that platform, you can create anything.
Our small "1.0 Release Team" is proud of what we have achieved in our little spare time, and even though it was difficult at times, we believe that with this new logo, look, and functionality, Serendipity will continue to be the best blog engine, and grow into the most popular.
RESOURCES
The Serendipity home page: http://www.s9y.org/
The Serendipity forums: http://www.s9y.org/forums
Serendipity news from the Serendipity Blog: http://blog.s9y.org/
Serendipity plugins: http://spartacus.s9y.org/
Serendipity themes: http://themes.s9y.org/
Try Serendipity online: http://supersized.org/
DOWNLOAD
Now what are you waiting for? Download the Serendipity 1.0 release! http://www.s9y.org/12.html
On behalf of the s9y-Team,
Garvin
Serendipity 1.0-beta3 released
Posted by Garvin Hicking in Announcements, Development, Security at 14:52
The Serendipity Team is still working hard on finding the time to not only work on new features of the 1.1 version of Serendipity (like new per-template configuration options, a completely redone media gallery and media permissions), but also to finalize the long overdue 1.0 release. We are getting close to settling the design debate, so stay tuned for an update on this.
It's our goal to have the 1.0 release finally be done this month; the codebase is rock-solid, and the 1.0-beta3 version should be ready for showtime for everyone; there are no open bugs or issues known to us, and this version is currently to be preferred over the old 0.9.1 version.
If you are already using 1.0-beta2, there is little reason for you to upgrade. beta3 mainly includes some minor bugfixes as well as some last-minute features to force FeedBurner feed redirection, the most recent updates to the Spamblock plugin, a Pivot importer, and the missing UTF-8 encoding for Windows-Server date responses. Also, two minor security issues were addressed: one being a (hard to do) XSRF-attack on the entry manager page, the other being the ability to save PHP code in the serendipity_config_local.inc.php file. Only an Admin can do that, and usually an Admin has other means to save PHP code on your server ;-).
Since those changes warrant a new release candidate before the final 1.0 release, we would be happy for anyone to try out this version and report possible new issues to us. beta2 has been very well received so far, and our top priority for the 1.0 release is to have a rock-solid release. Without you fellow users, we can't find all bugs, so it's also up to you to help us. Drop by on the forums to report bugs you found!
Download the release here. To upgrade, please read our FAQ - it's easy and fast. :-)
TinyMCE Security Advisory
Posted by Garvin Hicking in Security at 18:45
There has been a security advisory for TinyMCE which urges you to upgrade your TinyMCE WYSIWYG Editor, in case you are using it.
Serendipity offers a TinyMCE plugin so that you can use the TinyMCE editor. The users who have installed that plugin should remember that they needed to manually download the TinyMCE package and upload it to their Serendipity plugin directory. This means that the Serendipity project does not bundle and/or have control over the actual TinyMCE editor files and you need to maintain this package manually, by uploading a new TinyMCE editor version.
This might sound a bit complicated, but we do not bundle the TinyMCE plugin because of its large filebase and possible licensing issues. The good side-effect of this is that if you did not already manually take the route to install and use the TinyMCE plugin, you need not be afraid of any security harm to your Serendipity installation. Other (blog-)applications are now forced to issue a complete new release because of this. ;-)
Serendipity 0.8.5 released
Posted by Garvin Hicking in Announcements, Security at 18:17
Thanks to Nenad Jovanovic (a pleasure to have worked with), we were notified of a serious problem with hijacking Serendipity functionality under certain circumstances when users are tricked on foreign malicious websites.
The effect of that issue was that people who knew the URL to your Backend were able to change your user password and lock you out of the system. However, two things were required of you for this to work: first, you would need to be logged in to your Serendipity backend via a session or permanent cookie, and second, you would need to visit the webpage of a malicious user.
As a follow-up to this problem, it came to our attention that Serendipity (like many other web applications - watch the next releases of your favourite software in the next days) can be subject to XSRF ("Cross Site Request Forgery") attacks. All web applications that depend on session cookies and have their backend URL known to the public can be tricked into those XSRF attacks when not verifying the origin of a submitted HTML form.
Serendipity 0.8.5 addresses this problem by introducing HTML-form tokens. The requested administrative tasks are carried out only if these tokens are set, and foreign websites cannot get that token under usual circumstances.
It is strongly suggested to upgrade to Serendipity 0.8.5! The development versions of 0.9 also fixed this bug; please read the separate 0.9-beta1 announcement for more information.
Updating from any Serendipity version is easy: Back up first, then extract the release files over your old installation, make sure the files .htaccess/serendipity_config_local.inc.php are writable, log in to Serendipity and be guided through the automatic upgrade process.
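The form-token check that the 0.8.5 announcement describes can be sketched as follows. This is an added example, not Serendipity's own code; the function names, the `token` field name and the `form_token` session key are assumptions chosen for illustration, and the demo requests at the bottom are constructed.

```php
<?php
// Added example (not Serendipity's implementation): a session-bound form token.
declare(strict_types=1);

// Issue one unpredictable token per session and reuse it for that session.
function form_token_issue(array &$session): string
{
    if (empty($session['form_token'])) {
        $session['form_token'] = bin2hex(random_bytes(32));
    }
    return $session['form_token'];
}

// Hidden field to embed in every state-changing backend form.
function form_token_field(array &$session): string
{
    $t = htmlspecialchars(form_token_issue($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="token" value="' . $t . '">';
}

// True only if the request carries exactly the token stored in the session.
function form_token_valid(array $session, array $post): bool
{
    $expected = $session['form_token'] ?? '';
    $given    = $post['token'] ?? '';
    // An empty expected value must never match; compare in constant time.
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// Hypothetical admin action: refuse to act unless the token check passes.
function handle_password_change(array $session, array $post): string
{
    if (!form_token_valid($session, $post)) {
        return 'rejected: missing or wrong form token';
    }
    return 'accepted: password change would run here';
}

// Constructed demo. $session stands in for $_SESSION, the arrays for $_POST.
$session = [];
$field   = form_token_field($session);   // rendered into the backend's own form
$own     = ['token' => $session['form_token'], 'new_password' => 'example'];
$foreign = ['new_password' => 'example']; // cookie is sent along, token is not known

echo handle_password_change($session, $own), "\n";     // accepted
echo handle_password_change($session, $foreign), "\n"; // rejected
```

The session cookie alone no longer authorizes the action: a form submitted from another site arrives with the cookie but without the token, so the handler refuses it.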
Serendipity 0.8.4 released
Posted by Garvin Hicking in Announcements, Security at 15:42
Serendipity 0.8.4 has been released today. As mentioned in this blog post, this release addresses the security issues with the PEAR:XML_RPC library.
If you already deleted your serendipity_xmlrpc.php file, an upgrade is not required. If you do not want to upgrade, just delete your current serendipity_xmlrpc.php file and you will not be affected by security issues.
Anyone who wants to use XML-RPC posting to Serendipity will now need to install the XML-RPC posting plugin, as discussed in the blog entry mentioned above.
This release also addresses a few other minor issues:
- Fix the problem that calendar images are sometimes displayed too large in Internet Explorer
- Hide title of an entry when an entry is a draft (Bug #1260667)
- Allow Serendipity to use an existing PEAR installation on the server. Set "$serendipity['use_PEAR'] = true;" in your serendipity_config_local.inc.php or serendipity_config.inc.php file. The required packages can be found in the bundled-libs/.current_version file.
- Append the comment id to the mail that is sent to subscribers of an entry, so that they can jump to the submitted comment immediately.
You can download the release here: Download. SVN (tags/0.8.4) and CVS (HEAD) repositories have also been updated.
Have fun with Serendipity!


