Serendipity 1.5 released

The Serendipity Team is proud to present the final release of Serendipity 1.5. While the earlier beta versions have proven to work fine for many people, it was finally time to package up a real release. ;)

This version mainly addresses login security by changing how passwords are stored: salted SHA1 checksums are now used instead of plain MD5 checksums. This makes password retrieval through the database (rainbow attacks, see special blog posting) virtually impossible. Another change is improved PHP 5.3 compatibility.

Users of our bundled WYSIWYG editor Xinha now have the ability to easily customize the appearance of this panel through a "my_custom.js" file inside the template directory (a draft of such a file can be found as the fallback default in the htmlarea/ subdirectory).

One cool new feature for developers is that templates can now also register themselves inside the plugin API hooks to execute specific things, without requiring installation of an event plugin.

Other news include:

  • new event API hooks
  • fixed PDF thumbnail generation
  • ability to auto-scroll on borders when Drag/Dropping plugins
  • UTC server time zone support
  • improvements in the Smarty functions to make it easier to use Serendipity as a CMS for individual entry output
  • quicksearch improvements for doing a wildcard-search when too few searchresults were found on a fixed searchterm
  • support for Typepad anti-spam server-checks, additionally to Akismet

Minor improvements since the 1.5-beta1 release:

  • more PHP 5.3.0 compatibility improvements
  • Disallow uploading any files that contain ".php." in the filename for extra security with Apache MimeMagic-Modules
  • experimental PDO:SQLite support
  • usability improvements for the comment moderation panel (bottom-navigation, removed border increase)

The current release can be easily installed on any previous Serendipity installation. Just unpack, upload and visit your admin panel to perform possible database upgrades. Upon first login with an old password, Serendipity will store your old password in the new format. Please be sure to make a backup of your database prior to upgrading, and read the upgrade pointers on Upgrading Serendipity.
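
The upgrade-on-first-login step described above, as an added PHP example that is not Serendipity's own code. The record layout, the function names and the way the salt is combined with the password are assumptions made for illustration.

```php
<?php
// Added illustration, not Serendipity's code. The record layout and the
// way the salt is combined with the password are assumptions.

function legacy_hash(string $password): string
{
    return md5($password);                  // old format: plain MD5
}

function salted_hash(string $password, string $salt): string
{
    return sha1($salt . $password);         // new format: salted SHA1
}

// Check a login; a legacy record that verifies is re-stored in the new
// format. Returns [bool $ok, array $record].
function login(array $record, string $password): array
{
    if ($record['salt'] !== '') {
        $ok = hash_equals($record['hash'], salted_hash($password, $record['salt']));
        return [$ok, $record];
    }
    // Legacy record: the cleartext is only available during login, so this
    // is the one point where the stored value can be re-derived.
    if (!hash_equals($record['hash'], legacy_hash($password))) {
        return [false, $record];
    }
    $salt = bin2hex(random_bytes(16));      // fresh salt per user
    return [true, ['salt' => $salt, 'hash' => salted_hash($password, $salt)]];
}

// Constructed sample: two users with the same password, stored the old way.
$alice = ['salt' => '', 'hash' => md5('correct horse')];
$bob   = ['salt' => '', 'hash' => md5('correct horse')];

// Unsalted: equal passwords give equal stored values, so one precomputed
// table entry recovers both.
var_dump($alice['hash'] === $bob['hash']);

[$okAlice, $alice] = login($alice, 'correct horse');
[$okBob, $bob]     = login($bob, 'correct horse');
var_dump($okAlice, $okBob);

// After the first login each record has its own salt and the values differ.
var_dump($alice['hash'] === $bob['hash']);

// The upgraded record still verifies, and a wrong password is rejected.
var_dump(login($alice, 'correct horse')[0], login($bob, 'wrong')[0]);
```

The same verify-then-re-store step is how a site would later move such records to PHP's password_hash().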

Have fun using Serendipity, and let us know on the Forums if you have any issues!

Update: Accidentally, the 1.6-alpha release file was uploaded with the wrong file name. This has been fixed, and the real files are now available. Users who had already downloaded this 1.6 release can either re-download the new release bundle or stay at their current version. 1.6 has only 2 minor changes yet, and is 99,9% identical with 1.5 at this point. The most major difference would only be the version number. ;-)
I'm sorry for this fault, I blame it on the German weather...


Comments:

Hanno:

"Disallow uploading any files that contain ".php." in the filename for extra security with Apache MimeMagic-Modules"

Are there attack scenarios on this? Or to be more concrete, is this a security vulnerability and 1.5 considered a security update?

joschi:

It's more of a web server configuration problem. The AddHandler of Apache httpd's mod_mime allows the use of multiple file extensions. This means that without a proper configuration, files like foobar.php.jpg are also parsed by the PHP interpreter if no FilesMatch has been used.

S9y just tries to circumvent an erroneous web server configuration.

Garvin:

This is more a security issue with running Apache and mod mimemagic, than an issue of the underlying PHP application IMHO. I would much more advise to not use this mimemagic on "general population" servers.

But yes, in this regard, it can also be considered a security update. Sorry for not having been too clear on this.
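
The upload-name check discussed in the release notes and in the comments above, as an added PHP example that is not part of the thread and not Serendipity's own code. The function names, the extension list and the sample file names are assumptions; the second function goes beyond the page's ".php." rule by testing every dot-separated extension.

```php
<?php
// Added illustration, not Serendipity's code. Function names and the
// extension list are assumptions made for this example.

// The rule as worded in the release notes, taken literally:
// reject any name that contains ".php.".
function contains_php_segment(string $filename): bool
{
    return strpos($filename, '.php.') !== false;
}

// Generalization: mod_mime can act on every extension of a name, and its
// extension matching is case-insensitive, so test each segment in lowercase.
function has_handler_extension(
    string $filename,
    array $blocked = ['php', 'php3', 'php4', 'php5', 'phtml']
): bool {
    $parts = explode('.', strtolower(basename($filename)));
    array_shift($parts);            // drop the base name before the first dot
    foreach ($parts as $ext) {
        if (in_array($ext, $blocked, true)) {
            return true;
        }
    }
    return false;
}

// Constructed sample names for an upload form.
$samples = [
    'holiday.jpg',
    'foobar.php.jpg',
    'FOOBAR.PHP.JPG',
    'photo.phtml.png',
    'notes.php',
    'php-logo.png',
];

foreach ($samples as $name) {
    printf(
        "%-16s  literal rule: %-6s  per-segment: %s\n",
        $name,
        contains_php_segment($name) ? 'reject' : 'accept',
        has_handler_extension($name) ? 'reject' : 'accept'
    );
}
```

On the server side, the configuration fix joschi refers to is binding the PHP handler with a FilesMatch pattern anchored at the end of the file name instead of AddHandler.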

Gerald:

Serendipity has detected that version 1.5-beta2 is currently in use. However, version 1.6-alpha1 has been installed, so you need to upgrade the installation!

This is what we get here after installing the 1.5 final. Could it be that the package still contains a wrong version number?

Garvin:

No, but you probably downloaded the snapshot at some point, where version 1.6 is already being developed. So 1.5 would now be a step backwards for you.

(Although 1.5 and 1.6 are currently still almost identical)

joschi:

I get this message as well, and I never had the snapshot version installed. ;)

From a freshly downloaded serendipity-1.5.tar.bz2 from SourceForge:

# grep -r 1.6-alpha serendipity/
serendipity/$serendipity['version']         = '1.6-alpha1';

Gerald:

I could also bet that I clicked the final. But in the end both installations will probably work ;)

Garvin:

Very sorry. You were right, of course; I did in fact accidentally upload a file from the wrong directory. My sincere apologies, but luckily the changes are, as I said, minimal. Anyone who wants to play it safe can download the current files again :-)

mo-cacher:

So I was lucky, so to speak, that a phone call came in between my download and the update. Congratulations on the new release!

rollenc:

Nice, I've waited for that for such a long time.

rollenc:

Upgraded, no bug is found.

It supports Chinese search finally 'cause "quicksearch improvements for doing a wildcard-search when too few searchresults were found on a fixed searchterm"

Thanks for your hard work.

onli:

How does this help with Chinese search? Didn't have this in mind when adding that :D

rollenc:

Chinese isn't supported by MySQL full-text, but supported by wildcard-search.

In the old versions, the full-text search always returns empty if the search keyword, but now, wildcard-search will execute and return stuff.

An example here:[action]=search&serendipity[searchTerm]=%E7%AE%A1%E7%90%86&serendipity[searchButton]=Quicksearch
