Serendipity - Security

Serendipity Snapshot: New login hashing

mail@garv.in (Garvin Hicking) — Tue, 17 Feb 2009 14:04:00 +0100

Since quite some time, Serendipity uses old-fashioned md5 hashes to secure your passwords for logins to the backend.

Because mechanisms to crack md5 hashes with rainbow tables or even "dictionary hash"-lookups are getting more and more popular, we have decided to finally take the step to raise the serendipity hashing mechanism to something salted, and more secure (SHA1). Even though md5 hashes are still reasonably(!) safe when you use long, randomized passwords, the old-style hashing is a one-way route to hell.

Serendipity has always been had high tributes to backwards compatibility and ease-of-use and ease-of-upgrading, we have decided to take the "soft" upgrade approach. That means, new Serendipity versions will accept your old MD5 login ONCE, and then will use your user-specified password to create the safer hash and store that to the database.

This will help in hypothetical attack situations, where someone might have gotten hand on your hash values stored inside the database, because he will no longer be able to reverse-engineer your original password.

We could need help from any developer or betatester trying out the new functionality. Upgrading to the latest snapshot (get it from the s9y nightly downloads) with Serendipity 1.5-alpha2 will deploy the necessary database upgrades. Note that the one-time MD5-login is only possible in the first 6 months after you performed the installation of this serendipity version (through a saved timestamp in the database), and after that timespan, you can no longer login with the old password and must reset your password through the Administrator (or manual means, if you are the administrator).

Once you perform the update (do not try this on production blogs currently), everything should continue as usual. If it does not, please report your exact problems here or in the Forums. It is suggested that once you have the new serendipity version you change your password, so that nobody that might have already gotten your old md5 hash can use the reverse-engineered password to login again with the new hash created from the same original password.

Feedback is appreciated. The current mechanism is subject to change and currently more a proof-of-concept - feedback will most definitely lead to improvement. :-)

Serendipity 1.3.1 released

mail@garv.in (Garvin Hicking) — Tue, 22 Apr 2008 10:37:00 +0200

Serendipity 1.3.1 has been released. This is a bugfix and security related release, basically adressing a potential XSS issue within the Top Referrers plugin as well as hypothetical XSS issues with the installer.

This release also adresses some basic PostgreSQL8 related problems, because implicit type casts have been removed from this version, causing breakage with several Serendipity core features. The fix for this is only partial and will still happen in (less common) functions of Serendipity. There is no ultimate solution to this because implicit type casts are required for certain entryproperty operations. Maybe the PostgreSQL8 team will think about if implicit type casts are not also quite helpful. ;-)

The only new feature addition is the exposition of a new smarty {serendipity_getImageSize} function.

This upgrade is recommended for users that use the Top Referrers plugin and new installations of Serendipity. Many thanks to Hanno Böck, once again, for reporting (and fixing) the two XSS issues (CVE-2008-1385 and CVE-2008-1386)!

You can find the new release on the s9y.org download page. Upgrade by simply uploading the deflated archive files to your webspace.

Serendipity 1.3 released (addresses security)

mail@garv.in (Garvin Hicking) — Tue, 18 Mar 2008 10:11:50 +0100

Serendipity 1.3 has finally been released. The new release is mainly a feature consolidation release, but also contains XSS security fixes:

The karma rating plugin has been upgraded to support nice, CSS-based rating graphics (see this post) and an overall rehaul on the its coding.
Make the Spartacus plugin be able to use FTP upload, a workaround for SafeMode PHP restrictions. Also add a remote backend for plugin update checks.
An importer for phpNuke and lifetype has been added.
Support for pingbacks has been improved a lot. Trackbacks can now be blocked based on Sender IP checks.
Add better CSS styling for some internal plugins and the embedding of images. Also made the Remote-RSS plugin to be capable of Smarty-Templating.
Increased Smarty templating features for the {serendipity_fetchPrintEntries} function, to be able to check for entry properties.
Add support for SQRelay.
Minor CSS and graphic updates to the Bulletproof template.

The full list of 41 changes to this release are documented within the NEWS file.

Regarding Security, the bundled Smarty library has been updated to version 2.6.19 and adresses an issue in environments where the PHP security mode is required. Also, the new Serendipity release contains tighter backend XSS checks so that environments with untrusted authors can be more secure - many thanks to Hanno Böck for addressing this. Most importantly, an issue with XSS attacks within received trackbacks has been discovered by Peter Hüwe and was fixed.

The update is easy as usual, and recommended for Serendipity users - especially if you do not regularly moderate or check your incoming trackbacks.

Upgrade pointers can be found in the FAQ and is as easy as just to upload the new files.

Have fun!

Freetag plugin updated to prevent XSS

mail@garv.in (Garvin Hicking) — Thu, 07 Feb 2008 14:49:00 +0100

The Freetag plugin has been updated to version 2.96 to fix a possible XSS to the tagcloud output.

XSS attacks can be used by visitors to display foreign HTML or JavaScript to visitors of the blog, if they visit specially crafted URLs. This attack basically allows for cookie stealing.

Users of the freetag plugin should upgrade to the latest version; upgrading via Spartacus-Plugin or Spartacus.s9y.org is just a matter of a few minutes. Thanks to Alex from Bitsploit.de for reporting this issue to us.

Serendipity 1.2.1 released

mail@garv.in (Garvin Hicking) — Sat, 08 Dec 2007 16:33:52 +0100

Serendipity 1.2 has been well received by the community, there were only very few minor bugreports. Those have been addressed in the Serendipity 1.2.1 maintenance release, available now.

The new Serendipity version also includes some new Bulletproof Theme options (user-customized stylesheets) and addresses some very minor browser quirks. If you're using Bulletproof, it is suggested you perform the update.

Also this new version addresses a security issue in the Remote RSS sidebar plugin (reported by Hanno Böck), which did not properly treat links coming from an RSS feed, which could lead to possible XSS attack vectors, if you are showing foreign feeds that might distribute malicious content to you. If you're using this plugin with an unsafe RSS feed, you should upgrade Serendipity.

Serendipity 1.2.1 features a new WPXRSS importer and can import the new WordPress 2.3 database structure All bug fixes have also been applied to our current 1.3-release tree. This release currently features some new Smarty-Templating convenience features, a remote spartacus version information interface, full pingback support, a LifeType blog importer and support of SQLRelay.

Upgrading Serendipity is very easy, have a look at the FAQ. The new version is available on the Serendipity download page.

Enjoy Serendipity and have a nice Christmas time!

Serendipity 1.2 released

mail@garv.in (Garvin Hicking) — Sun, 26 Aug 2007 13:37:00 +0200

The Serendipity Team is proud to present the final release and immediate availability of Serendipity 1.2.

This release is a feature consolidation release and focuses on small usability improvements, a shiny new template (bulletproof) as well as backend templating and backend login mechanisms as well as some tighter security restrictions.

Some more changes in depth are:

Templates: The new bulletproof template is an awesome example to show off Serendipity's cool template options. This template allows you to easily configure the look of your Serendipity site: Place navigation links, choose sidebar layouts, indicate if you want to use/show trackbacks and comments, pick your custom header image or even custom colorsets. Don Chambers, Matthias Mees and David Cummins as well as other contributors have worked very hard on this template that provides an awesome, unified template structure. Go to their site at http://s9y-bulletproof.com to check out the details!
Templates: The admin backend (overview page and entry editor) can now be styled via Smarty and gives you the full flexibility to make a custom look of the backend. Plus, more CSS classes have been added to the default admin theme that make CSS-only changes much easier. Templates now also can have large preview images by clicking on their thumbnail.
Usability: Moved the problematic option to withdraw your own privileges from personal configuration to the user configuration panel.
Feature: Added SQLite3 and PDO:PostgreSQL support.
Feature: Allow to configure whether article overviews for a certain category should include articles of subcategories or not.
Performance: Improved SQL performance for archive overview generation and permalink lookups.
Plugins: Plugins can now hook in much earlier to make external authentication easier (like trough the OpenID plugin).
Spam: Enhanced the spamblock plugin with captcha previews, .htaccess generation and some more options.
Security: Stronger autologin cookie encryption and template option handling, thanks (once again) to Stefan Esser. Proper session fixation prevention, thanks to David Vieira-Kurz.
Bugfix: Sending pingbacks now properly works.
Bugfix: The Track-Exits plugin now properly tracks links in conjunction with the caching of the entryproperties plugin.

The full list of changes can be found in the NEWS-file of the release.

You can download the new release as always on the Serendipity homepage at http://www.s9y.org/3.html. Updating is easy: Just upload the new files, visit your Serendipity installation and let the upgrader do the rest.

After the upgrade you might want to purge your browser's cookies (due to the new authentication mechanism of Serendipity 1.2) to prevent login problems. Detailed upgrade instructions can be found in the FAQ on our website.

Enjoy Serendipity, and thanks to everyone who participated in the release process!

For the team,
Garvin.

Serendipity 1.1.4 released, security bug in entryproperties plugin

mail@garv.in (Garvin Hicking) — Wed, 08 Aug 2007 11:14:34 +0200

Thanks to Erich Schubert, we were made aware of a bug and security issue in the Plugin Extended properties for entries. Since this plugin is delivered with the core release, we have created a new Serendipity release for both the current stable 1.1 version tree, as well as a new 1.2 beta version.

Serendipity Users that are using the mentioned plugin do not need to upgrade the full release, they can just fetch the updated version of the plugin through this direct link. Put that updated file into your plugins/ serendipity_event_entryproperties/ serendipity_event_entryproperties.php file.

The actual bug was, that people were able to deliver custom entryproperties settings to the Serendipity Frontend via a HTTP-Request, which made them able to bypass a possibly used passwort protection. Any other restriction of viewability of entries done via category read-privileges were not affected, though.

Bottom line is: If you are using password protection for entries, this security update is mandatory for you. Also if you were generally using the entryproperties plugin (which is not installed by default in Serendipity), you are urged to update your plugin. Only people not using this plugin need not care about this issue.

You can download the new full releases as always on the Serendipity download page.

Serendipity 1.1.3 and 1.2-beta2 released due to SQL exploit

mail@garv.in (Garvin Hicking) — Sun, 17 Jun 2007 13:08:33 +0200

Serendipity 1.1.3 and 1.2-beta2 have been released due to a SQL injection attack reported by Dr. Neal Krawetz today. It is possible to abuse a 'commentMode' variable to inject SQL code that was targeted to the function that fetches comment information. This variable was introduced to Serendipity 1.1 - all prior versions are not affected.

Please update your blogs as soon as possible. If you are using a database backend that allows SQL union queries, the injection could probably lead to disclosure of the stored MD5 password hashes. Because of this, we also suggest to update your blog user account passwords.

It is a good idea to check your server's Access-Logs and search for the 'commentMode' variable to see, if malicious request have been issued to your blog already.

For those people that do not want to upgrade to a whole new version, you can also simply patch the file include/functions_comments.inc.php and replace the single occurence of:

$type = $serendipity['GET']['commentMode'];

$type = serendipity_db_escape_string($serendipity['GET']['commentMode']);

We are very sorry for this, but happy to provide a quick fix in short time. You can download the latest files as usual on www.s9y.org. Read the FAQ on how to perform an easy update.

Serendipity 1.1.2 released

mail@garv.in (Garvin Hicking) — Thu, 01 Mar 2007 20:57:53 +0100

This evening we were notified by fellow co-developer Sebastian Nohn about a full-disclosure posting about a Serendipity SQL injection matter. We have investigated this reported 0day issue, and can tell you that it is not a SQL injection,but instead "only"an SQL error display.

No SQL can be injected using the described method. Because of an invalid category ID, serendipity tries to show entries for that category, but the resulting SQL string contains an emtpy "(())" statement which makes the MySQL parser fail, and report the error on-screen. The SQL queries that Serendipity uses are not secret, and could be looked up in the sourcecode as well.

Even though we consider this issue to be fairly low-impact, Serendipity 1.1.2 has been released because of this, mainly to assure the public that we have addressed the issue. It is not critical that you upgrade to that release. If you do, it is sufficient to update the include/functions_entries.inc.php file. The only change made to that function is documented here

We would also like to express, that we kindly appreciate all bug and security reports about Serendipity, and take them and our responsibility very seriously. Also rest assured that if you contact us developer first before publishing security advisories, we always cooperate, pay credit and fix issues immediately, as we have done in the past. So we look forward to working together with SaMuschie in the future, who seems to taking some serious work in checking security issues - good work on that! :-)

The latest release can be downloaded here. This fix has also been committed to the daily snapshots.

Serendipity 1.1 released!

mail@garv.in (Garvin Hicking) — Thu, 28 Dec 2006 22:00:53 +0100

The Serendipity Team is proud to release the Serendipity Weblog version 1.1 to the public.

This new version is aimed for feature enhancement and stability consolidation. The most important change is the overhaul of the media database, which vastly enhances the already obvious superiority of Serendipity's Media management. In depth this means that you can now store and customize meta properties easily - store descriptions, EXIF-Tags and keywords which you can later see and search in your database. You can also now assign detailed privileges for each directory of the media database, and the output is now completely templated. Yes, that means you can customize and style your very own media database, both effective in the backend and the frontend.

The other important change is more granular plugin permission management. You can enable/disable certain markup-plugins on a per-entry basis, and allow/forbid specific usergroups to access certain plugins.

Another visual apparent change is the overhaul of the plugin manager. You can now drag'n'drop order and move your plugins around. Together with the ability of templates to specific the amount and names of sidebars, you have virtually unlimited flexibility for plugin management!

Templating has also intensively been upgraded in the respect of themes being able to specify custom "options". A theme could allow you to choose navigation links, colorsets and much more. Explore the possibilites! Many themes by Carl Galloway and other great designers from our forums have already used that feature to provide you with many cool options!

For the developers among us, it might be of interest to note that Serendipity now also supports easy custom template-engine support. Tired of Smarty? You can also use a plain old PHP template emulation or even a XSLT-transformation layer (read more on this topic here).

Of course we have not only focussed on injecting features, but also fixed some minor bugs, a huge-impact central SQL query optimization and glitches and smaller improvements. In total we have 29 feature improvements, 24 bugfixes and 21 usability/technical improvements. For intense reports on this either read our NEWS-file or past 1.1-beta announcements here and there.

Upgrading is easy as always: Download, unpack, go to your Admin panel, done. Read more here: Serendipity FAQ. The download is available here: Serendipity Download Page.

We hope you'll have fun with this new release and continue to make Serendipity an ever-improving system. Let's have a great 2007!

Serendipity 1.0.4 released!

mail@garv.in (Garvin Hicking) — Fri, 01 Dec 2006 10:37:00 +0100

This new Serendipity release addresses a local file inclusion security issue discovered yesterday. It was possible to give a special parameter to a serendipity file to include a file on your own web-tree (or other files the webserver has read access to). If used on clear-text files, this could be used to disclose information like the apache logfiles on your website.

This error can only happen in a scenario with two prerequisites: Register_Globals needs to be turned on in your PHP configuration AND your webserver must ignore the default Serendipity .htaccess file. This .htaccess file usually prevents to directly call Serendipity's include files via HTTP. Thus we feel that only a very low percentage of installations should be affected by this bug.

However, Serendipity 1.0.4 is a recommended upgrade for everyone taking security responsibly, like we do. We are thankful to the community for inspecting Serendipity, searching for bugs and security issues and reporting them to us. In this case, many thanks to Majestic from the forums for notifying us.

Most of the plugins (both bundled and available via spartacus) were upgraded to also circumvent that bug, so you should upgrade all of your active plugins to the recent versions as well.

The Serendipity 1.1 release tree was also modified with a patch for this issue. It will be contained in todays snapshot, and the 1.1-beta6 release file. The easy steps to perform an upgrade are documented in our FAQ on http://www.s9y.org/.

Serendipity 1.0 and PHP 5.2.0

mail@garv.in (Garvin Hicking) — Fri, 03 Nov 2006 16:28:14 +0100

Serendipity 1.0.x an PHP 5.2.0 currently do not go well together because of the new PHP ext/filter extension. In the early PHP 5.2.0 cycles this provided a function 'input_name_to_filter' which was later dropped, but not removed from Serendipity 1.0

Serendipity 1.1 beta versions already use a function_exists() check to prevent this, but it had not made it into the 1.0 release cycle.

Thus, to make s9y work with PHP 5.2.0, you have three options:

Disable the ext/filter extension in your php.ini configuration,
Upgrade to Serendipity 1.1-beta versions or
edit your serendipity include/compat.inc.php file and replace the string "extension_loaded('filter')" with "extension_loaded('xfilter')", which will effectively disable the follow-up code to take effect

The upcoming Serendipity 1.1 final version will of course integrate a more thorough fix. The serendipity Team is sorry for this confusion it may cause for PHP 5.2.0 users.

Serendipity 1.0.2 and 1.1-beta5 released

mail@garv.in (Garvin Hicking) — Wed, 18 Oct 2006 14:44:10 +0200

Time again for a new release!

Serendipity 1.0.2 mainly features a XSS injection attack on the admin backend which could happen if registered authors can be tricked into following a specially crafted URL. This bug was detected by the ever-restless Stefan Esser, many thanks for notifying us. Users of previous version of Serendipity are urged to upgrade to be secure. Note though that this bug requires your own interaction and thus exploits of this depend on how well you can stay away from clicking links that you do not know what they do exactly. ;-)

Serendipity 1.1-beta5 features the following new changes since 1.1-beta1:

Prevent XSS backend injection attack (see above)
Themes can now support custom amounts and positions of any number of sidebars (top, bottom, left, right etc.) (more)
Usergroups can now configure which plugins/events a group is allowed to execute (more)
Added the options to use HTTP-Authentication for your login, which enables you to use secured RSS-Feeds with login credentials
Some permalinks oddities when using % in URLs and some other minor fixes

Serendipity 1.1 is getting very close to getting finalized (targets mid-December). New major features will be added to a 1.2 version branch, so expect no more major changes here. Please help us by trying out the latest version and report bugs/issues!

Upgrading is easy as ever: Download, unpack, go to your Admin panel, done. Read more here: Serendipity FAQ. The download is available here: Serendipity Download Page

Have fun!

New Serendipity Releases: 1.0.1 and 1.1-beta1

mail@garv.in (Garvin Hicking) — Mon, 14 Aug 2006 11:25:53 +0200

The Serendipity Team is proud to offer two new releases:

Serendipity 1.0.1 addresses a few minor bugfixes in the otherwise very well-received 1.0 stable release. Those are related to utf8-iconv conversion on older PHP setups, sending comment mails to users without an email address and a WYSIWYG image insertion issue.

The most important fix and reasing for the 1.0.1 release is a security issue that has been reported by Sebastian Nohn using the cool new Security-Scanner Chorizo. The only reported issue by Chorizo was the possibility of Users who could add plugins to the installation (usually only Administrators) to insert file references to other arbitrary PHP files that are then included. We feel this is a minor impact, because usually all administrators already would have full access to the PHP filebase and could include remote files with different means. Also note that users with safemode/open_basedir restrictions would not be affected by this.

Users with multi-users installations, giving plugin access to untrusted users are urged to upgrade to the latest release!

Serendipity 1.1-beta1 brings the long awaited new features to a first public release. The 1.1-alpha versions have been tested in the past quite well and are thought to run quite stable.

The 1.1 version brings those major new features (also see an earlier blog entry for details):

Completely overhauled Media Gallery. Serendipity has always been a major player in providing easy media database access, and is now enhancing it for even more usability and flexibility. You can now assign privileges for every media directory. You can now retrieve and store meta properties like descriptions, EXIF-Data, keywords - and filter/search for them easily. Plus, the media gallery is now Smarty Template-driven, so you can customize it to your needs. You can now move images/whole directories within the filestructure, and existing entries will be edited to suit that new location. The media database can now be synchronized on-the-fly with contents on the webspace - means you can upload files via FTP and they will automagically be imported. A explorer-like view on the directories completes the featureset.
You can enable/disable certain markup plugins per-entry. Ever wanted to create a Full HTML posting, but were annoyed by automatic nl2br conversion? Now you can turn it off for specific entries.
Support for Template Options. All Themes can now offer specific configuration options for using a theme, like specifying which colorset you want to use, which navigational items you'd like to see and even fine-control banner options. See Carl Galloways Page for some sneak previews on the functionality to come!
Finally, you can now use Drag And Drop to re-order your sidebar/event plugins much more intuitively than in the past. It uses enhanced JavaScripts (from Cyberdummy.co.uk / tool-man - great script!), that works on all major browsers. For those browsers that don't offer support for that, or for users without JavaScript, the old method is still working seamlessly. This means, that Serendipity continually strifes to both deliver top-usability to our users, as well as satisfy people who are paying close attention to security issues.
You can now use an URL scheme to view comments and entries by individual users/authors (with date-filtering and pagination)
new "comments and trackbacks" RSS feed for your entries
A new LiveJournal XML importer
New plugin manager button to check for new versions of all installed plugins
Entryproperties plugin now supports setting passwords for entries
Performance improvements: Smarty API now passes more variables by references, which largely reduces the memory footprint
New Template Engines: PHP and XML/XSLT-Drivers
Make use of possible existing PEAR-Installations already existing on your server
Improved Security of the "auto-login" feature
Fix blocking site during file requests by writing session data to disk before making trackbacks etc.
New Language: Arabic
...and many more!

Both releases can be found in the Download-Section on www.s9y.org. As always, just unpack them over your current installation to upgrade. More details can be found in the FAQ on www.s9y.org.

Have fun -- and please report any bugs you find on our Forums!

Serendipity 1.0 released!

mail@garv.in (Garvin Hicking) — Thu, 15 Jun 2006 18:40:18 +0200

The Serendipity Team is proud to announce the final release version of Serendipity 1.0, an advanced and flexible blogging/cms web application. With its comprehensive feature set, including multiple authors, internationalization, templated output, and an open plugin architecture, Serendipity's stable 1.0 release is ready to become the most popular Web application in the world!

INTRODUCTION

Serendipity is a PHP-powered weblog application which gives the user an easy way to maintain an online diary, weblog or even a complete homepage. While the default package is designed for the casual blogger, Serendipity offers a flexible, expandable and easy-to-use framework with the power for professional applications.

Casual users appreciate the way Serendipity's sophisticated plugin architecture allows you to easily modify both the appearance of your blog and its features. A single click installs any of more than 120 plugins, instantly enhancing your blog's functionality. No need to edit code! Likewise, one click installs any of more than 40 official templates, so your blog looks the way you like it. And Serendipity's SPARTACUS plugin automatically checks the central repository for upgrades and new functionality whenever you check the list.

Advanced users value Serendipity's Smarty templates for combining simplicity with well-documented web standards. It makes minor modifications trivial, but provides the power to unleash your creativity and completely customize your site! Serendipity's outstanding support gives you the confidence to be adventurous, too.

Programmers and other technical users commend Serendipity for its fast, stable, clean PHP code. While beginners can learn from Serendipity, advanced programmers can easily make complex modifications. Serendipity is programmed in PHP, long recognized for its ideal blend of power, simplicity, and speed. Serendipity's BSD licensing ensures that programmers around the world can learn from it and improve it.

Users of other blogging/CMS applications are already switching to Serendipity, thanks to its easy customization and outstanding support. Corporate users are taking advantage of Serendipity's unparalleled flexibility to set up fast, simple CMS sites.

Serendipity's basic features include something for everybody, from the personal blogger to the professional corporate web designer:

WYSIWYG and HTML editing
Built-in, powerful media database
Multiple authors, configurable permission/usergroup system
Threaded comments, nested categories, post to multiple categories
Multiple languages (internationalization)
Online plugin and template repository for easy plug-and-play installation
Cool plugins: category-based sub-blogs, podcasting, RSS planet/aggregator, static pages
Robust spam blocking
One-click upgrading from any version
Can be embedded into your existing web pages
Standards-compliant templating through Smarty, remote blogging via XML-RPC
BSD-style licensing
Multiple Database support (SQLite, PostgreSQL, MySQL, MySQLi)
Shared installations can power multiple blogs from just one codebase
Native import from earlier blog applications (WordPress, Textpattern, MoveableType, bblog, ...)

Of course, Serendipity has far too many other features to list!

NEW FEATURES / FIXES

The Serendipity team has been working hard to produce what we think is the best blog in the world. Since our most recent prerelease, we've updated the installation screens, added new languages (Polish, Turkish, and Tamil), made our RSS feeds templatized, improved the spam filters with Akismet support, and fixed every known bug.

But there's even more to like about Serendipity! Here are a few other recent improvements:

Completely new, fresh default template from the contest winner, Carl Galloway!
Fixed all known bugs, making the 1.0 release of Serendipity the most stable version ever
MORE Spamblock improvements (Blacklists, stronger Captchas, Akismet, improved ruleset filtering, bypass captchas for registered users)
Improved language handling facilities for better co-operation with multilingual entries
Enhanced templating (hiding sidebars, including extra entries anywhere in template)
One-click editing of static sidebar HTML
Full phpDoc code documentation for all Serendipity functions
New Pivot Blog importer
Bugfix: UTF-8 in permalink and markup
Bugfix: Correct comment counts
Bugfix: Recode UTF-8 trackbacks to mismatching blogs
Bugfix: Better XHTML and CSS output for internal plugins

And those are only the highlights! See the docs/NEWS file in the release file for the full list of changes.

UPGRADING

Upgrading from any version (even previous beta or alpha versions) to Serendipity 1.0 is startlingly easy: just unpack the release files to your existing Serendipity directory, go to your admin panel, and confirm the upgrade process. Serendipity automatically upgrades your database and informs you of important changes. If you are upgrading from a version prior to Serendipity 0.8, be sure to read this upgrade pointer: http://www.s9y.org/index.php?node=63

THE FUTURE

Just because we've completed the stable 1.0 release version, don't think we're out of ideas! The Serendipity Team has already been working hard on version 1.1. This huge effort has already provided a vastly improved media database, supporting ID3/EXIF evaluation, on-the-fly synchronization with the filesystem, annotations (all customizable through templates) and a new explorer-like interface to the media files. Also, all media directories can now have individual permissions.

We've also enhanced usability, so you can temporarily disable event plugins, customize theme options, like colorsets and menus, and enable or disable specific markup plugins for each entry! As well as constantly improving the user interface and adding drag'n'drop support for arranging plugin items easily.

To participate in the future of Serendipity, try out the latest Serendipity 1.1 snapshots, and visit us on the forums.

THANKS

Serendipity 1.0 marks the end of a very long development cycle that started in 2002. Many beta-releases have been issued since, keeping us closely in touch with the community, fixing bugs and offering features our users really wanted.

The team would like to thank everyone for reporting the issues they found and telling us developers what you really want form your blog. Visitors to the forums will see how much of their feedback was implemented into Serendipity 1.0!

Refining Serendipity's documentation and appearance was critical to the release of Serendipity 1.0. Thanks to the great help of Carl Galloway, David Cummins, Judebert, ceejay and Martin Jacobsen, Serendipity not only has a new default theme, but a new logo and website. We couldn't have done it without their help, or the help of the community that participated in that public process. In recognition of that outstanding community, the new logo includes multiple individual circles, grouped as a platform. From that platform, you can create anything.

Our small "1.0 Release Team" is proud with what we have achieved in our little spare time, and even though it was difficult at times, we believe that with this new logo, look, and functionality, Serendipity will continue to be the best blog engine, and grow into the most popular.

RESOURCES

The Serendipity home page: http://www.s9y.org/

The Serendipity forums: http://www.s9y.org/forums

Serendipity news from the Serendipity Blog: http://blog.s9y.org/

Serendipity plugins: http://spartacus.s9y.org/

Serendipity themes: http://themes.s9y.org/

Try Serendipity online: http://supersized.org/

DOWNLOAD

Now what are you waiting for? Download the Serendipity 1.0 release! http://www.s9y.org/12.html

On behalf of the s9y-Team,
Garvin