Serendipity - Announcements

Serendipity 1.7 released

nospam@example.com (Garvin Hicking) — Sat, 11 May 2013 16:28:00 +0200

The Serendipity Team is proud to present the final release of Serendipity 1.7, also known as Rolling Thunder for certain people. This will be the last release before the larger rewrite of 2.0, where many people poured their effort into restructurizing and templating the backend.

Thus, Serendipity 1.7 mainly focusses on stability and compatibility with new PHP 5.3/5.4 versions. In our 1.7 release process we have received feedback from many people to help us improve that Serendipity 1.7 works properly on all PHP setups with at least PHP 5.2. Older PHP versions no longer work with Serendipity 1.7, but are definitely not recommended due to security issues, so please ask your webhoster to upgrade PHP if you are running a lower version (as long as that happens you can stick to older Serendipity versions like 1.6.2).

Other minor bug-fixes and improvements have been implemented in a lot of small places, which you can see in the docs/NEWS file of the release.

Smaller new features are that you can now define defaults for custom entryproperties, the RSS sidebarplugin now also supports Atom-feeds (thanks to the now-bundled Simplepie), Spartacus can now fetch the plugin files also from github and we now use the latest and greatest version of Smarty3.

BEFORE installing the new release, you should upgrade all external (Spartacus) plugins to their latest versions, to ensure that they will operate properly with the latest Serendipity version - if you forgot that, you can also upgrade the files after the upgrade, but it might be that you receive certain PHP error notices.
The current release can be easily installed on any previous Serendipity installation. Just unpack, upload and visit your admin panel to perform possible database upgrades. Please be sure to make a backup of your Database prior to upgrading, and read the upgrade pointers on Upgrading Serendipity. Also make sure that your server is running at least PHP 5.2, otherwise Serendipity would no longer run after the upgrade.

A note for developers: If you have created your own, custom event plugins you might see PHP notices when your method variable signature of i.e. the "event_hook" or "introspect_config_item" methods mismatches the one that is defined in the Serendipity Plugin API. Make sure that the list of parameters for i.e. the event_hook() method matches:
function event_hook($event, &$bag, &$eventData, $addData = null) {

Have fun using Serendipity, and let us know on the Forums if you have any issues!

Download here!

Serendpity 1.7 Release Candidate 3

nospam@example.com (Garvin Hicking) — Thu, 07 Feb 2013 13:25:54 +0100

A Release Candidate 3 has just been released (see s9y.org - Downloads, that fixes a couple of reported PHP error notices (in Spartacus, for template configurations). Also the error reporting itself has been reworked a bit to be less verbose. This version also addresses enhanced escaping for stored cookie values of the media database, which we have received a (not very clear) report of. This only affected logged-in users of the backend, so the impact should be minimal.

Please report any issues you find with RC3 as usual on the s9y forums; if you want to address any security issues, please contact security (at) s9y . org. We take all reports seriously, and are very thankful for anyone reporting issues to us. We are a small team, so any help from the outside is really appreciated (and needed) by us. Thanks!

Serendipity 1.7 release candidate 2

nospam@example.com (Garvin Hicking) — Tue, 22 Jan 2013 10:20:00 +0100

The Serendipity Team is happy to announce the second Release Candidate for Serendipity 1.7.

The first RC1 that was online for only a couple of hours had two issues that made us pull this release candidate. One bug affected people with older plugin versions, that could throw PHP notices and prevent Serendipity from executing properly. The other bug affected that certain variables for Smarty templates were not existing due to missing variable transporting. Both issues have been fixed in this second release candidate.

While we are still working hard to rebuilding the backend (for future HTML5 possibilities, better maintenance and in the end, a better design/UI) we have tried to make Serendipity 1.7 to be the final "pre 2.0" release that deals with a couple of problems with older Serendipity versions.

First and foremost, this release addresses several PHP 5.4 compatibility issues. Serendipity 1.7 now at least requires PHP 5.2 to operate (due to Smarty3). If you have a lower PHP version than 5.2, you can run Serendipity 1.6.x properly, but of course should better ensure that your webserver will be upgraded to a more recent PHP release version.

Serendipity 1.7 comes with Smarty3, a larger rewrite of the Smarty Templating Engine. To make proper use of Smarty3, several core mechanisms have been updated. Other features include better nl2br/nobr plugin handling, Updated 2k11 theme, RSS sidebarplugin can now handle Atom feeds, entryproperties plugin can now define defaults for custom fields. See the contained NEWS release file on github for a list of all changes.

In our alpha development process, many kinks should have been ironed out, so that at this point we feel confident to let YOU try out this new version without facing issues. Now we need you to make sure that there are no quirky webservers or installations out there, that would report any PHP5 notices/errors. Testing the release is quite easy; first you should backup your current installation (download all files via FTP/SSH/RSYNC/whatever, make a database dump) and then simply upload all new files to your webserver; then you're ready to go.

Please report all issues and bugs on the Serendipity Forums (specifically, this thread). If all goes well, we can then soon release the 1.7 final version, so that our developers can fully concentrate on finishing our 2.0 development. On this matter: A huge thanks to developers who made the recent new features, (re)built templates and fixed plugins. This specifically applies to ophian, yellowled, onli, mattsches, Don - your continued work and help is invaluable to me (=Garvin).

Now, go, grab that release: s9y.org Download section

On behalf of the team,
Garvin

Serendipity 1.7-rc2

nospam@example.com (Garvin Hicking) — Tue, 22 Jan 2013 10:10:04 +0100

The problematic 1.7-rc1 has now been superseded with a new 1.7-rc2 release candidate. The original announcement has been updated to reflect the changes.

Serendipity 1.7-rc1

nospam@example.com (Garvin Hicking) — Sat, 19 Jan 2013 14:30:05 +0100

The 1.7-rc1 that has been published today has an issue with older Serendipity plugins existing on prior installations, preventing Serendipity 1.7 to operate properly. While we fix this issue for an upcoming rc2, this problematic rc1 has been removed at this point.

Serendipity 1.6.2 released

nospam@example.com (Garvin Hicking) — Wed, 16 May 2012 11:45:47 +0200

UPDATED: 2012-05-22 12:00 to clarify impact.

Good and bad things come in doubles, it seems. We are sorry to inform you that another security issue in Serendipity has been found by the High-Tech Bridge SA Security Research Lab (Advisory HTB23092). This issue has been reported today at 11:27 and we're happy to provide a quick fix for that.

You can either download the full 1.6.2 release, or apply this simple fix to the file include/functions_trackbacks.inc.php: diff on github.

The error here is that input is not properly validated and can be used (when magic_quotes_gpc is off) to inject SQL code to a SQL query; since our DB layer does not execute multiple statements, and the involved SQL query is not used to produce output code. Thanks to Pawel Golen it was made clear to us that this issue can in fact be used to remotely access the database through blind sql injection attacks (this method however is really slow and creates a lot of traffic, since only using 0/1 as a result of the exploit will mean a lot of queries to deduce the content). Thus you should definitely upgrade your installation.

Serendipity is an open-source based product with no specific funding, so we depend on nice people like High-Tech Bridge, Stefan Schurtz, Hanno Böck and all the others of the past to report issues to us. In turn we promise to fix them as quickly and transparently as possible.

Serendipity 1.6.1 released

nospam@example.com (Garvin Hicking) — Tue, 08 May 2012 09:46:00 +0200

Serendipity 1.6.1 has just been released. As usual you can simply download from s9y.org, extract the archive, upload it to your webspace and accept the upgrader when visiting your blog.

This release mainly addresses two security issues found by Stefan Schurtz (thanks a lot, again!). One is a XSS issue in the media database panel, the other an SQL injection in the media database section. Both issues can only be exploited if you are logged in to your blog and you click a specially crafted link. The SQL injection cannot be used to extract sensitive information from the database or delete data.

Either way you are urged to upgrade your Blog to the latest version. Development versions of 2.0 and 1.7 on github have these bugs fixed as well.

Other bugfixes in this version include:

Updated spamblock plugin for better wordfiltering on specific scenarios
Fixed draft/future entries preview links in backend
Fixed an issue where template-specific configuration options were not overwritten by the new global ones

You might also want to check out our quite stable 1.7 development version which uses Smarty3, or even our 2.0 development version which contains major rewrites so that Smarty is used in the backend!

Das Serendipity Handbuch / The Serendipity Manual

nospam@example.com (Garvin Hicking) — Sun, 22 Apr 2012 20:09:00 +0200

German version

Das deutsche "Serendipity Handbuch" OpenSourcePress wurde vor einiger Zeit veröffentlicht, und der Verlag war so nett, die Rechte an den Buchinhalten zurückzuerhalten (auch dank des tatkräftigen Engagements von Dirk Deimeke und natürlich unserer tollen Community).

Das bedeutet, die Inhalte wurden nun unter einer CC-BY-NC-SA Lizenz veröffentlicht und können von der Community (also: EUCH!) frei gelesen, erweitert und möglicherweise auch übersetzt werden. Die meisten Dinge des Handbuchs finden auch heute noch Anwendung, aber es gibt genügend Spielraum für Verbesserungen.

Schaut euch das ganze hier an: Das Serendipity Handbuch. Die Dateien liegen im LaTeX format vor, ihr benötigt daher eine funktionierende LaTeX-Umgebung, um die Dateien kompilieren zu können. Die .tex-Dateien sind jedoch im Klartextformat, also keine fremde Scheu. :-)

Derzeit überlegen wir, in welchem Format das ganze endgültig und sinnvoll für die Benutzer und Mithelfer hinterlegt werden wird. Gerne diskutieren wir hierüber mit euch im Forum.

English version

The german "Serendipity Manual" was published by OpenSourcePress some time ago. They were so kind to revert the publishing license back to our project (thanks to the great work of Dirk Deimeke and kind people like you), so that we can now publish it under a CC-BY-NC-SA license, and let the community (read: YOU!) be able to read the documentation for free, contribute to it, and hopefully even translate it to other languages. Many aspects of the book are still up to date, but surely many improvements can now be made.

Check it out here: The Serendipity Book. The files are written in LaTeX format, so you need a working LaTeX environment to compile it as PDF or other variants, if you like. We are currently working out the best format to use in the future; if you want, you can help us discuss this on the forums.

Spartacus infrastructure change, Developers please read

nospam@example.com (Garvin Hicking) — Tue, 13 Dec 2011 14:06:21 +0100

Since the core Serendipity project is now maintained on github.com and every developer is quite happy about that, we decided to go the jquery-plugins route and delete all Serendipity plugins.

No, just kidding. We actually imported all data from the SourceForge.net CVS servers into the github infrastructure. The short version for normal end-users: Nothing should change for you!

https://github.com/s9y/additional_plugins

https://github.com/s9y/additional_themes

All current Serendipity developers also have access to those repositories to contribute code. Developers now no longer should commit code to CVS (actually, they can't, because I took all their committing karma *eg*).

The harder task for the Spartacus infrastructure service is the actual publishing of data. The Spartacus plugin operates on a PEAR-like XML format for each plugin, which luckily is automatically generated by a small shellscript which runs once daily on one of our webservers (emerge.sh). That script iterates on a checkout of all plugins and templates, creates the XML and uploads it to all mirror servers (currently netmirror.org, s9y.org and now also github.com).

Downloading the files also either works via the files that are uploaded daily to netmirror.org and s9y.org, or you always could use the SourceForge.net server, that published the file via a nasty ViewVC oddity. The spartacus plugin of the current github core code (version 2.25) now can also retrieve those files from the Github.com servers.

For all users that currently use the Spartacus plugin with the SourceForge.Net mirror, our daily script now pushes all changes in the GitHub tree also to CVS, so that both repositories *should* be kept in sync. This is done via the gitclone.sh and gitclone.php scripts in the additional_plugins repository, for anyone that's interested.

Most likely, something in this script won't work properly, so in the next days it might be that some glitches in the matrix can occur. In that case, please report issues and remain seated. Or buy christmas presents for your beloved. Or your beloved developers.

Serendipity 1.6 released

nospam@example.com (Garvin Hicking) — Thu, 27 Oct 2011 13:21:00 +0200

The Serendipity Team is proud to present the final release of Serendipity 1.6. We are steadily walking towards a Serendipity 2.0 release and would be happy about any developer who may want to join our cause. The list of things is available on http://www.s9y.org/238.html and open for discussion on the Serendipity Forums.

This new version mainly covers:

Bundle jQuery by default to enable plugin and template authors to easier provide extended functionality to the frontend
Support for templates, so that they can also use config-groups like plugins already have (added to bulletproof template)
Templates can now enable core-provided options like a global navigation setup
Fixed a bug in the automatic media database synchronization that did not properly add new files with the same basename but different file extensions
Added a .htaccess parameter to prevent IE9 CSS-trouble
API changes: Added "shortcuts" to commonly used constructs (language loading, hack protection)
Several minor feature additions in plugins (Karma, Akismet, Mailer) and the core (comment subscriptions, multiple comment moderation)
Fulltextsearch improvements with "*" expansion
Added a "hidden" option for specific author groups, so that their members are not revealed on usual author listings by plugins etc.
Fixes a backend XSS issue in the karma plugin and media database filtering, thanks to Stefan Schurtz!

The current release can be easily installed on any previous Serendipity installation. Just unpack, upload and visit your admin panel to perform possible database upgrades. Upon first login with an old password, Serendipity will store your old password in the new format - please be sure to make a backup of your Database prior to upgrading, and read the upgrade pointers on Upgrading Serendipity.

Also, this release marks our move from the closing BerliOS service (thanks for the great service during those years) on to our new GitHub repository. Contributions are welcome of course!

Have fun using Serendipity, and let us know on the Forums if you have any issues!

Details about the GitHub migration process, developers please read!

nospam@example.com (Garvin Hicking) — Wed, 05 Oct 2011 17:28:51 +0200

This is just a reference posting to indicate something important going on. Please read here on the process of the Serendipity source code repository being about to move to GitHub

Read the posting on the s9y forums

BerliOS closing down, Serendipity moving

nospam@example.com (Garvin Hicking) — Sun, 02 Oct 2011 22:22:21 +0200

Serendipity's code repository is being hosted on BerliOS for several years. Their free service is now closing down, which means that Serendipity will move its versioning control to a new provider.

The current idea is to migrate SVN over to GitHub.com. This might even motivate some new contributors to get accustomed with the Serendipity core code and make contributing patches easier.

We are planning to move the code repository at the end of October and will keep you posted here. If there are people reading this who are well familiar with Git and especially SVN migration, please step up here or in the forums to help us in the process.

Asides from the SVN service, Serendipity is currently using this infrastructure:

A self-hosted webserver providing a phpBB board on http://board.s9y.org. This is quite active and will stay in the future.
A self-hosted wiki software on http://www.s9y.org/ that allows for a custom navigation and wiki documentation by users. We might switch this to another software, but are not happy with the way MediaWiki handles navigation. We'll see if GitHub is an option to power this.
A self-hosted Serendipity installation on http://blog.s9y.org/
The http://spartacus.s9y.org/ plugin and theme repository, hosted on SourceForge.Net
The code repository for plugins and themes, also hosted on SourceForge.Net and maintained through CVS. Depending on the usage license of GitHub, we are looking into if we can merge plugins/templates and the Core code on GitHub.
A issue tracker, hosted on SourceForge.net. We might utilize the GitHub-Tracker for this in the future.
A mailinglist, that is not very active anymore, also hosted on SourceForge.Net. Since we favor the s9y forums, we might not further spend time on changing this mailinglist.

Spartacus plugin: Change in download Mirrors

nospam@example.com (Garvin Hicking) — Mon, 27 Jun 2011 11:42:14 +0200

Christian Boltz notified us and provided a patch to fix the spartacus plugin properly being able to retrieve remote files. This became necessary when SourceForge.net changed their underlying structure.

If you are using Spartacus, you have several possibilities to fix this issue for you:

1: Manually download the updated plugin file plugins/ serendipity_event_spartacus/ serendipity_event_spartacus.php from here: serendipity_event_spartacus.php for Serendipity 1.6 / Development, serendipity_event_spartacus.php for Serendipity 1.5.

2: You can also simply configure your spartacus plugin and enable the use of Netmirror.org, or you can enter a custom mirror: http://php-blog.cvs.sourceforge.net/viewvc/php-blog/|http://netmirror.org/mirror/serendipity/

3: You can also simply edit your serendipity_event_spartacus.php file and replace all 2 occurences of the string *checkout* with viewvc.

Thanks to Christian for notifying us!

serendipity_event_freetag: Plugin update, XSS bug

nospam@example.com (Garvin Hicking) — Tue, 31 May 2011 12:00:00 +0200

Thanks to Stefan Schurtz, who reported a XSS issue in the serendipity_event_freetag plugin (SSCHADV2011-004). The issue was fixed in version 3.22 of the plugin, you can fetch the update through Spartacus or download via Spartacus.s9y.org.

The bug was introduced in version 3.20 of the plugin. Users of the plugin should upgrade, as it allows malicious users to trick people into visiting a specially crafted link on your blog to steal cookie login information for example, if you click on such a link.

IE9 has trouble with CSS Content-Types

nospam@example.com (Garvin Hicking) — Thu, 17 Mar 2011 14:19:48 +0100

The Internet Explorer 9 has been released a few days ago. It's a great improvement over old versions, despite of one mayor breakage.

Usually, a web-browser requests a CSS URL with a variety of HTTP-headers. The "Accept" HTTP-Header instructs the remote server, which valid content-types it can handle. In the past, most web-browsers sent a "Accept: text/css; */*" header, which means they prefer "text/css", but would also interpret any other file types as CSS.

Now, the IE9 does no longer send */* as an accepted content-Type, thus it will now ONLY render stylesheets if they have the Content-Type "text/css". If that does not happen, IE9 complains with a "HTTP 406" error and refuses to parse/render the stylesheet.

That does not sound so bad yet, but many web-applications (including Serendipity) provide dynamic CSS stylesheets that hide behind a PHP file. Serendipity compiles this PHP through a file called "serendipity.css.php". If URL rewriting is enabled, to mask that PHP file, a RewriteRule is added that will accept "serendipity.css" and send it to the main serendipity index.php file, which in turn will include serendipity.css.php and deliver the appropriate output.

Now certain Apache setups use a module mod_negotiation that will detect "Hey- there's a file serendipity.css.php, but the browser requested serendipity.css. He surely must be mistaken, I better serve up this serendipity.css.php file instead". Sadly, it does so, BEFORE executung mod_rewrite that would "fix" this behaviour.

Finally - mod_negotiate would basically properly execute the PHP file and return valid CSS. But it does that by returning a Content-Type that matches the original negotiated request, which is "application/x-httpd-php". IE9 will receive this, and refuse to render the proper CSS, because it does not accept */*.

IMHO this is a very bad mixture of several components acting weird altogether. But the easiest place to fix this is inside IE9, to restore the "Accept" behaviour of all other major browsers, so that mod_negotiated sites will not break.

I have posted on a IE9 Team blog since it seems, Microsoft does not accept bug reports anywhere. If anybody knows of a proper place to get a hold of their team, please let us know.

FINALLY - WHAT YOU CAN DO IF THIS AFFECTS YOUR SERENDIPITY BLOG:

Edit your .htaccess file, and add the directive Options -Multiviews at the top of the file. As long as your server has the AllowOveride ability enabled for you (that's mostly the case, as soon as you are allowed to use mod_rewrite) you can remove the negotiation feature of Apache.

This change in the default .htaccess will also be part of upcoming Serendipity versions.

Clarification: This is not only IE9's fault, but rather a bad combination of multiple factors: One being that s9y has a .php file called the same way like a rewritten URL. One being that mod_negotiate does not pass a request through to mod_rewrite and fatally catches it before other means are not used up. And the last being that IE9 does not accept a fallback contenttype for CSS.

The reason why I think this should be considered a IE9 bug, is because the restrictive parsing stats against current plans to make the web as accessible as possible. XHTML actually failed in its restrictive, XML-based parsing (google mime-type application/x-html+xml) was stomped down in favor of a lax HTML5 parsing. Users should never be locked out of content, and that's why I think a fallback */* should not hurt. This allows for applications to overcome mod_negotiate and allows the browser to evaluate the final Content-Type, and not an intermediate negotiated one.