Serendipity 1.6.1 released
Serendipity 1.6.1 has just been released. As usual, you can simply download it from s9y.org, extract the archive, upload it to your webspace and accept the upgrader when visiting your blog.
This release mainly addresses two security issues found by Stefan Schurtz (thanks a lot, again!). One is an XSS issue in the media database panel, the other an SQL injection in the media database section. Both issues can only be exploited if you are logged in to your blog and you click a specially crafted link. The SQL injection cannot be used to extract sensitive information from the database or delete data.
Either way, you are urged to upgrade your blog to the latest version. Development versions of 2.0 and 1.7 on GitHub have these bugs fixed as well.
Other bugfixes in this version include:
- Updated spamblock plugin for better word filtering in specific scenarios
- Fixed draft/future entries preview links in backend
- Fixed an issue where template-specific configuration options were not overwritten by the new global ones
You might also want to check out our quite stable 1.7 development version which uses Smarty3, or even our 2.0 development version which contains major rewrites so that Smarty is used in the backend!
Trackbacks
- Dirks Logbuch: Serendipity 1.6.1 ...
- YellowLeds Weblog v2: s9y 1.6.1 oder: 2k11 wird stable
- www.cms-content-migration.de: PingBack
- Anonymous: KORAMISADV2012-001 - Serendipity 1.6 Backend Cross-Site Scripting and SQL-Injection vulnerability
- Nur ein Blog: Serendipity 1.6.1 veröffentlicht
Comments
Christian Wenz:
The download page still says October 2011 ... :)