Serendipity Camp 2015 and the near future of Serendipity

This weekend marked the first time a couple of developers and users finally shared a room and their faces with each other. We hope this was only be the first time, and will be repeated at least annually.

Our goal for this weekend was to connect names to faces, get to know each other and discuss the past and future of Serendipity. Seen from both viewpoints, users and developers.

Luckily, the kind people of the Linuxhotel in Essen (Germany) have a great offer for OpenSource projects like us: comfortable rooms, food, wifi and a special ambience for a price that is hard to beat. Thanks so much for having us!

Also, the city of Essen was a good middle ground for most of our people to meetup (from left to right):


Continue reading "Serendipity Camp 2015 and the near future of Serendipity"

Update for the XML-RPC Plugin

An issue has been reported to the CMS/Blog systems Drupal and Wordpress which allows for a Denial of Service (DOS) through invalid XML injection to the XML-RPC service.

Serendipity has uncoupled the XML-RPC possibilities into an external plugin a long time ago, so an update of the core Serendipity version is luckily not available. Only users who have installed serendipity_event_xmlrpc (through Spartacus, for example) are are actually also affected by this issue, since it uses default PHP XML parsing facilities.

We have applied the same patch to the parsing routines to detect this invalid XML (see Drupal commit) to version 1.53 of the mentioned plugin. Users who have enabled this plugins should either update or remove this plugin to prevent possible DOS attacks to their servers. This version will be available in Spartacus within 24 hours, or can be downloaded manually through github: Source Link.

If the update generates problems with your valid XML-RPC calls, please report them either on our forums or in the Serendipity issue tracker on GitHub. Thanks a lot also to Ian for bringing this issue to our attention, so that we were able to provide a quick fix as well.

Spartacus infrastructure change, Developers please read

Since the core Serendipity project is now maintained on github.com and every developer is quite happy about that, we decided to go the jquery-plugins route and delete all Serendipity plugins.

No, just kidding. We actually imported all data from the SourceForge.net CVS servers into the github infrastructure. The short version for normal end-users: Nothing should change for you!

https://github.com/s9y/additional_plugins

https://github.com/s9y/additional_themes

All current Serendipity developers also have access to those repositories to contribute code. Developers now no longer should commit code to CVS (actually, they can't, because I took all their committing karma *eg*).

The harder task for the Spartacus infrastructure service is the actual publishing of data. The Spartacus plugin operates on a PEAR-like XML format for each plugin, which luckily is automatically generated by a small shellscript which runs once daily on one of our webservers (emerge.sh). That script iterates on a checkout of all plugins and templates, creates the XML and uploads it to all mirror servers (currently netmirror.org, s9y.org and now also github.com).

Downloading the files also either works via the files that are uploaded daily to netmirror.org and s9y.org, or you always could use the SourceForge.net server, that published the file via a nasty ViewVC oddity. The spartacus plugin of the current github core code (version 2.25) now can also retrieve those files from the Github.com servers.

For all users that currently use the Spartacus plugin with the SourceForge.Net mirror, our daily script now pushes all changes in the GitHub tree also to CVS, so that both repositories *should* be kept in sync. This is done via the gitclone.sh and gitclone.php scripts in the additional_plugins repository, for anyone that's interested.

Most likely, something in this script won't work properly, so in the next days it might be that some glitches in the matrix can occur. In that case, please report issues and remain seated. Or buy christmas presents for your beloved. Or your beloved developers.

Security fix for flash-based cloud in Freetag plugin

MustLive discovered a HTML-injection vulnerability in the tagcloud.swf Flashfile that the Freetag-Plugin bundles and makes optionally available.

The issue is fixed in version 1.23 of the flashfile, which has now been committed to the Serendipity plugin (in version 3.30).

Since the swf-File is always bundled with the update, it is recommended to update to the latest version of the plugin for all users, or to delete that specific .swf file.

Thanks to MustLive for sharing the information with us.

Spartacus plugin: Change in download Mirrors

Christian Boltz notified us and provided a patch to fix the spartacus plugin properly being able to retrieve remote files. This became necessary when SourceForge.net changed their underlying structure.

If you are using Spartacus, you have several possibilities to fix this issue for you:

1: Manually download the updated plugin file plugins/ serendipity_event_spartacus/ serendipity_event_spartacus.php from here: serendipity_event_spartacus.php for Serendipity 1.6 / Development, serendipity_event_spartacus.php for Serendipity 1.5.

2: You can also simply configure your spartacus plugin and enable the use of Netmirror.org, or you can enter a custom mirror: http://php-blog.cvs.sourceforge.net/viewvc/php-blog/|http://netmirror.org/mirror/serendipity/

3: You can also simply edit your serendipity_event_spartacus.php file and replace all 2 occurences of the string *checkout* with viewvc.

Thanks to Christian for notifying us!

serendipity_event_freetag: Plugin update, XSS bug

Thanks to Stefan Schurtz, who reported a XSS issue in the serendipity_event_freetag plugin (SSCHADV2011-004). The issue was fixed in version 3.22 of the plugin, you can fetch the update through Spartacus or download via Spartacus.s9y.org.

The bug was introduced in version 3.20 of the plugin. Users of the plugin should upgrade, as it allows malicious users to trick people into visiting a specially crafted link on your blog to steal cookie login information for example, if you click on such a link.