Upcoming 0.8.4 release: XML-RPC and using local PEAR

As you might have heard already, the XML-RPC package by PEAR has received a major update that deals with another possible security issue in the execution of remote procedure calls.

Serendipity bundles this XML-RPC class to allow posting entries via GUI editors like ecto, marsEdit and so on. For the reasons mentioned in a separate posting, Serendipity no longer bundles this library and instead offers this functionality as a plugin.

Thus, a new release with the unbundled XML-RPC libraries will be made. On top of that, Serendipity has now been changed to be (optionally) able to use a local server installation of the PEAR repository. This way, if you want to maintain PEAR packages (plus Smarty and Onyx) independently of Serendipity, and without needing to upgrade packages twice, you can now use Serendipity in that unbundled environment. You can then basically delete the whole bundled-libs directory, provided you have made sure that PEAR/Smarty/Onyx is installed in a directory that is available to all applications (something like /usr/local/lib).

You will then also have to set a variable $serendipity['use_PEAR'] = true; in your serendipity_config_local.inc.php or serendipity_config.inc.php file.
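As an added example (not Serendipity's own code), the following fragment for serendipity_config_local.inc.php turns on the unbundled mode only after confirming that the system-wide copies of PEAR, XML_RPC, Smarty and Onyx can actually be found on the PHP include path. The shared directory, the per-library file names and the fallback behaviour are assumptions made for this example; the announcement itself only states that `$serendipity['use_PEAR'] = true;` must be set once the libraries are installed in a directory available to all applications.

```php
<?php
// Added example fragment for serendipity_config_local.inc.php (assumption: this file
// is included after $serendipity has been initialised, so we only add keys to it).

// Directory holding the shared libraries, "something like /usr/local/lib" per the post.
$shared_lib_dir = '/usr/local/lib';

// Prepend the shared directory so it takes precedence over anything else on the path.
set_include_path($shared_lib_dir . PATH_SEPARATOR . get_include_path());

/**
 * Return the entries of $required whose file cannot be found in any include_path
 * directory. An empty array means every library Serendipity would otherwise load
 * from bundled-libs is available system-wide. Uses only file_exists() so it also
 * works on the PHP versions current at the time of this release.
 */
function serendipity_missing_shared_libs(array $required)
{
    $dirs    = explode(PATH_SEPARATOR, get_include_path());
    $missing = array();

    foreach ($required as $name => $file) {
        $found = false;
        foreach ($dirs as $dir) {
            if ($dir !== '' && file_exists(rtrim($dir, '/') . '/' . $file)) {
                $found = true;
                break;
            }
        }
        if (!$found) {
            $missing[$name] = $file;
        }
    }
    return $missing;
}

// Entry-point files of each library; the relative paths are assumptions about
// how the respective packages are laid out when installed system-wide.
$required = array(
    'PEAR'    => 'PEAR.php',
    'XML_RPC' => 'XML/RPC.php',       // PEAR::XML_RPC 1.4.0 entry point
    'Smarty'  => 'Smarty.class.php',  // assumed location of Smarty 2.x
    'Onyx'    => 'Onyx/RSS.php',      // assumed location of the Onyx RSS parser
);

$missing = serendipity_missing_shared_libs($required);

if (count($missing) === 0) {
    // Every dependency resolves via include_path: use the shared copies.
    // Only now is it safe to delete the bundled-libs directory.
    $serendipity['use_PEAR'] = true;
} else {
    // Keep using bundled-libs and leave a trace in the web server's error log,
    // so a half-finished migration does not silently break the blog.
    $serendipity['use_PEAR'] = false;
    error_log('Serendipity: staying on bundled-libs, missing shared libraries: '
              . implode(', ', $missing));
}
```

The point of the guard is ordering: flipping `use_PEAR` before the shared installation is complete would leave the blog without its libraries, and deleting bundled-libs before the flag is verified would leave it without a fallback. Checking first and logging the result makes a partial migration visible instead of fatal.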

The XMLRPC posting plugin (link) has been upgraded to use PEAR:XMLRPC 1.4.0.

We now need to perform some more testing and QA to confirm that all of our patches work smoothly together, which is the reason why a 0.8.4 release has not yet been made. There currently is no known exploit for the security issues of the PEAR-XMLRPC package that is bundled with Serendipity 0.8.3.

The easiest way for you to stay secure is to delete your serendipity_xmlrpc.php file until 0.8.4 is released. If you delete that file, you also do not need to upgrade to 0.8.4.

If you require the XML-RPC posting functionality, you can easily upgrade by following these steps:

  1. Fetch the file serendipity_xmlrpc.php from our current source code, or, if you are running from SVN, update your 0.8 branch checkout. Save the file in your Serendipity directory.
  2. Download and install the plugin "Post via XML-RPC". Either fetch it via SF.Net CVS (use a CVS utility to check out all files) or install the plugin via Spartacus. Make sure you are downloading version 1.1 of the plugin with all its files -- as SourceForge lags about 24 hours, and the patch has just been committed, it might take one more day until the version is available. A zip file of the plugin can be found here.
  3. Now you can continue to use your XML-RPC posting utility; the API endpoint URL has not changed.

Stay tuned for an update on this issue. Thanks to Stefan Esser of the Hardened PHP project, who gave a helping hand with the latest XML-RPC issues - this is much appreciated!

Serendipity 0.8.4 will be announced here when our tests are finished. Until then, removing your serendipity_xmlrpc.php file is the recommended way to deal with the issue. People using trunk checkouts or nightlies after 2005-08-10 are not affected by this issue, as it has already been fixed there.


Comments


dcatdemon on at :

FYI, seems that I can't download and install the plugin "Post via XML-RPC" unless I had serendipity 0.9 and above. I had to download the zip file, go to the plugin source and change the line in serendipity_event_xmlrpc.php that refers to the requirements to `'serendipity' => '0.8'`. :)

Garvin on at :

You are right, thanks a lot for noticing. I adjusted those requirements and re-uploaded the .tgz file and committed it to our additional plugins repository.
