Serendipity 2.1.1 released

Sadly a regression slipped into our Serendipity 2.1.0 release, which made it impossible to reset a plugin configuration variable to a FALSE/empty state and indicate the proper state in the plugin configuration. We have fixed this in 2.1.1 and changed the release announcement to point directly to 2.1.1.

Serendipity 2.1.0 released

We are happy to announce the availability of the final release for Serendipity 2.1.1.

Serendipity 2.1.1 focusses on:

  • Rewrites in some older legacy parts of the core (URL routing, template fallback chain, experimental internal caching) as well as PHP 7 compatibility.
  • New bundled responsive themes "Timeline" and "Clean-Blog"
  • Improved usability of plugin upgrades by combining sidebar and event plugins and upgrading multiple plugins at once
  • Permission checks for the dashboard output and comments
  • Usability improvements to the media library, bulk moving support
  • New API wrapper for URL downloads that plugins can use (serendipity_request_url)
  • New Theme "Skeleton" (responsive, mobile first)
  • Improved preview iframe handling
  • Changes (simplifications) in template file routing for backend/frontend views, new smarty {getFile} function for theme authors
  • (new for rc1) Ability to set a default posting category for an author
  • (new for rc1) Improved security checks against CSRF attacks (comment moderation, comment toggling)
  • (new for rc1) Improved security for referrer redirection
  • (new for rc1) Improved security for local file hotlinking
  • (new for rc1) Fixed sorting media database by filename
  • (new for final release) Addressed some more PHP 7.1 issues, fixed bugs with missing token for installing plugins and deleting comments. We mainly tested PHP 7.0 compatibility, but PHP 7.1 should work too.
  • (2.1.1) Fixed displaying the proper plugin configuration value when set to false/empty.
  • Many thanks at this point (in no specific order) to Lee Sheldon Victor, cdxy, Edric Teo and Xu Yue for helping a lot to improve the security of Serendipity.

The next version of Serendipity will focus on supporting UTF8MB4 (for full emoji compatibility), responsive image insertion, and consolidating our plugins. Our GitHub issue tracker now also holds a new label "easyfix", which could be a great way for interested developers to get started with Serendipity and help us with development.

You can download the release file and unzip it into your installation as usual.

Serendipity 2.1 - First Release Candidate

We are happy to announce the availability of the first (and hopefully last) Release Candidate for Serendipity 2.1.

We feel comfortable suggesting that you try out this release in production environments (of course, always make a backup of your database and files first).

Serendipity 2.1 focusses on:

  • Rewrites in some older legacy parts of the core (URL routing, template fallback chain, experimental internal caching) as well as PHP 7 compatibility.
  • New bundled responsive themes "Timeline" and "Clean-Blog"
  • Improved usability of plugin upgrades by combining sidebar and event plugins and upgrading multiple plugins at once
  • Permission checks for the dashboard output and comments
  • Usability improvements to the media library, bulk moving support
  • New API wrapper for URL downloads that plugins can use (serendipity_request_url)
  • New Theme "Skeleton" (responsive, mobile first)
  • Improved preview iframe handling
  • Changes (simplifications) in template file routing for backend/frontend views, new smarty {getFile} function for theme authors
  • (new for rc1) Ability to set a default posting category for an author
  • (new for rc1) Improved security checks against CSRF attacks (comment moderation, comment toggling)
  • (new for rc1) Improved security for referrer redirection
  • (new for rc1) Improved security for local file hotlinking
  • (new for rc1) Fixed sorting media database by filename

Many thanks at this point (in no specific order) to Lee Sheldon Victor, cdxy, Edric Teo and Xu Yue for helping a lot to improve the security of Serendipity.

The release file is available on our GitHub release tracker; download it and unzip it into your installation as usual.

Serendipity 2.0.5 and 2.1-beta3 released

Serendipity 2.0.5 is a maintenance security release which addresses these issues:

  • [Security] Improved prevention of fetching local files, thanks to Xu Yue.
  • [Security] Prevent XSS when adding category and directory names, thanks to Edric Teo @smarterbitbybit, CVE-2016-9681.

Alongside, a new Serendipity 2.1-beta3 version has been released with the same fixes plus some more progress on the road to the 2.1 release.

Simply upgrade by unpacking and uploading the release file and confirming our web-based upgrader.

New Serendipity homepage online

In the past few months we have also worked a lot on rebuilding the presentation page of www.s9y.org. We have moved our infrastructure for this over to GitHub Pages in the s9y.github.io repository, and reworked a lot of our documentation to streamline it and give it a better structure.

Additionally, this documentation repository is now open for any kind of pull requests and contributions, and will be easier to maintain. Our devs onli and yellowled worked hard on bringing the visual side of things up to par, as did MarioH by moving a lot of text files, and we hope you like our efforts!

Serendipity 2.0.4 and 2.1-beta2 released

Serendipity 2.0.4 is a maintenance security release which addresses these issues:

  • [Security] Prevent moving files by using their directory name.
  • [Security] Possible SQL injection for entry category assignment.
  • [Security] Possible SQL injection for removing and adding a plugin.
    All three issues require a valid backend login. Thanks to Hendrik Buchwald for finding them with the RIPS source code analyzer (www.ripstech.com).
  • [Security] Added a new configuration option to enable fetching local files for the media uploader. By default this is now disabled to prevent Server Side Request Forgery (SSRF). Thanks to Xu Yue for pointing this out!
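As an added illustration (not Serendipity's own code, and not how the project implements the option above), here is one way a media-uploader URL check can be structured so that local and internal targets are refused unless the operator opts in; the function name and the $allowLocalFiles flag are assumptions.

```php
<?php
// Decide whether the media uploader may fetch $url. Remote http(s) hosts are
// allowed; file:// URLs, loopback, link-local and private ranges are refused
// unless $allowLocalFiles (an assumed config flag) is explicitly enabled.
function is_safe_media_url(string $url, bool $allowLocalFiles = false): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;                        // file://, relative paths, garbage
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                        // only remote web fetches are allowed
    }
    if ($allowLocalFiles) {
        return true;                         // operator explicitly opted in
    }
    $host = strtolower(trim($parts['host'], '[]'));   // strip IPv6 brackets
    if ($host === 'localhost' || substr($host, -10) === '.localhost') {
        return false;
    }
    // Resolve the name so a DNS record pointing at 127.0.0.1 or 10.x is caught.
    // gethostbynamel() is IPv4-only; literal IPs (v4 or v6) are checked directly.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        return false;                        // unresolvable: fail closed
    }
    foreach ($ips as $ip) {
        // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16, fc00::/7;
        // NO_RES_RANGE rejects 127/8, 0/8, 169.254/16, ::1, fe80::/10, ...
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs for a quick manual check.
var_dump(is_safe_media_url('file:///etc/passwd'));            // bool(false)
var_dump(is_safe_media_url('http://127.0.0.1/admin'));         // bool(false)
var_dump(is_safe_media_url('http://[::1]/'));                  // bool(false)
var_dump(is_safe_media_url('http://127.0.0.1/admin', true));   // bool(true)
```

The resolution step is a point-in-time check: a fetch that resolves the name again later can still be redirected (DNS rebinding, HTTP redirects), so the downloader itself should re-validate the final address and follow no redirects it has not checked.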

Alongside, a new Serendipity 2.1-beta2 version has been released with the same fixes plus some more progress on the road to the 2.1 release. Features like these have been added:

  • New API wrapper for URL downloads that plugins can use (serendipity_request_url)
  • Added new Theme "Skeleton" (responsive, mobile first)
  • Improved preview iframe handling
  • Changes (simplifications) in template file routing for backend/frontend views, new smarty {getFile} function for theme authors

Simply upgrade by unpacking and uploading the release file and confirming our web-based upgrader.