A serious security issue has been discovered in our bundled library XML-RPC. This issue allows for possible remote code execution.

We have upgraded the XML-RPC component to the fixed version and released Serendipity 0.8.2. The old SourceForge CVS HEAD branch now contains 0.8.2, and the SVN branches 0.8 and trunk also contain the changes.

The files can be found here:

Every user is urged to upgrade. As a temporary hotfix you can delete your serendipity_xmlrpc.php file so that your blog will not easily allow execution of malicious XML-RPC method calls.

We are very sorry for this inconvenience and need to point out that many PHP applications using this common XML-RPC PEAR class are affected by this bug. Please check your webspace for any outdated versions of that PEAR class and upgrade other related applications as soon as possible. Also read this advisory.
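
An added example, not part of the Serendipity release: one way to carry out the webspace check above is to inventory every PHP file that defines the PEAR XML_RPC classes, plus any serendipity_xmlrpc.php endpoint still present. The function name `scan_xmlrpc`, the match on the class names `XML_RPC_Message` / `XML_RPC_Server`, and the presence of a CVS `$Id:` line in each copy are assumptions of this example.

```shell
#!/bin/sh
# Added example: inventory copies of the PEAR XML_RPC class under a web root.
# Usage: sh xmlrpc_inventory.sh /path/to/webroot   (path is a placeholder)

# Prints one tab-separated line per finding: KIND <TAB> PATH <TAB> REVISION
#   KIND=library  : a PHP file defining XML_RPC_Message or XML_RPC_Server
#   KIND=endpoint : a serendipity_xmlrpc.php that is still present
scan_xmlrpc() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    find "$root" -type f -name '*.php' | while IFS= read -r f; do
        case ${f##*/} in
            serendipity_xmlrpc.php)
                # The temporary hotfix in the announcement is to delete this file.
                printf 'endpoint\t%s\t-\n' "$f"
                continue ;;
        esac
        # Match class definitions, not file names, so renamed or
        # relocated copies bundled with other applications are found too.
        if grep -Eq '^[[:space:]]*class[[:space:]]+XML_RPC_(Message|Server)' "$f"; then
            # Assumption: the copy carries a CVS "$Id: name,v REV DATE ..." line.
            # Report REV and DATE so they can be compared with the advisory.
            rev=$(sed -n 's|.*\$Id: [^ ]*,v \([0-9.]*\) \([0-9/-]*\).*|\1 \2|p' "$f" | head -n 1)
            printf 'library\t%s\t%s\n' "$f" "${rev:-unknown}"
        fi
    done
}

# Run the scan only when a web root is given on the command line.
if [ "$#" -gt 0 ]; then
    scan_xmlrpc "$1"
fi
```

Every `library` line is a copy to replace with the fixed release; a revision of `unknown` means the file has no `$Id:` line and needs manual inspection.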


Version 0.8.2 (June 29th, 2005)

    * fixed remote code execution vulnerability. Thanks to Gulftech
      Research for pointing out that bug and Stefan Esser for helping
      fix it (nohn)

    * Updated Spartacus to most recent version (nohn)

    * fixed serendipity_traversePath() -  PHP5 issue with array_merge()
      Thanks to jdhawk for the fix (flotsam)

    * CSS does no longer emit cache-restricting headers, so that the
      stylesheets can be cached by the browser for followup-requests
      Thanks to Sencer for pointing this out! (garvinhicking)

    * Patch/Bug #1209410 by swiesinger: When using shortcut admin URL,
      use https:// when specified by user

    * Fix deleting categories when having privileges but not being
      administrator (Patch #1205347, many thanks to Penny Leach)

    * Increased level of output message from the Spartacus plugin

    * Patched XML-RPC functions, thanks to Tim Putnam. This should enable
      XML-RPC services to properly fetch existing articles and edit them.

    * Fix Plugin API call performing too many unneeded SQL queries

    * Fix missing authorname when previewing entry. Thanks to winkiller,
      aquatic, thomas, wurstprinz and hansi for fixing this!



cottonwood wrote:

Is it sufficient to replace that serendipity_xmlrpc.php file with the new one from the 0.8.2 tarball?

Sebastian Nohn wrote:

No. It is not. You need to replace bundled-libs/XML/RPC.php and bundled-libs/XML/RPC/Server.php

Mandrake wrote:

Are there no other changes in this upgrade???

winkiller wrote:

There are several other fixes over the last weeks, you can get detailed info via docs/NEWS.

csloh wrote:

FLICKR posting by way of XML_RPC has been affected, anyone know how to fix that?

csloh wrote:

Solution found for Flickr & Serendipity 8.02. Note to self: don't be too hasty to post anything, there may be an easy answer if I am to look first. :-)

Matt wrote:

I have just copied the newer files across and I get:

Unknown column 'a.realname' in 'field list'

and an SQL error. I am guessing it hasn't upgraded the old database format, and of course the script is broken. Is there any WORKING documentation on how to perform this db upgrade?

Matt wrote:

Okay, so it turns out that to upgrade to v0.8x you need to be running newer than PHP 4.2, which I wasn't (Debian woody). Anybody having the same problem might want to look at upgrading PHP first.

This is something that REALLY should be in the upgrade instructions file.

Robin wrote:

So what do we need to replace if we want all the fixes, but also want to keep our previous installation - I like my templates, the way my plugins are set up, my file path locations etc. The upgrade document helps not at all and neither does the rest of the documentation. I can't see how I can get around doing a fresh install, and redoing all the changes I did then :(

LH wrote:

Your templates, plugins and config stay where they are through an upgrade. You don't need to do a fresh install and redo all the changes and configurations.

Jon wrote:

I cannot seem to find where to get the latest snapshot to upgrade the beta version. The CVS doesn't work at all for some reason. Is there a different location for it? Does it need to be fixed?
