serendipity_event_freetag: Security update

Alongside the security release of Serendipity 2.1.3, a possible SQL injection in the serendipity_event_freetag plugin was reported by Brian Carpenter (geeknik) and Hanno Böck. Many thanks for reporting this.

The issue has been fixed in version 3.69 of the plugin which you can install through Spartacus (or manually).

Greetings from Serendipity #s9ycamp

Our group of developers says "Hi!" from the Linux-Hotel in Essen. We met up there for the third time (thanks for hosting us!), and it was as entertaining and productive as ever. It is great to have such a nice community and like-minded people.

We mainly worked on releasing Serendipity 2.1, addressed some last-minute PHP7 issues and went through our open issues.

We also talked a lot about upcoming features for the next Serendipity version: how we want to implement responsive images and how to improve our login/hashing framework. We also went through all of our plugins to see which of them can be consolidated and which deprecated ones can be removed.

Serendipity 2.1.1 released

Sadly, a regression slipped into our Serendipity 2.1.0 release which made it impossible to reset a plugin configuration variable to a FALSE/empty state and to show that state correctly in the plugin configuration. We have fixed this in 2.1.1 and changed the release announcement to point directly to 2.1.1.

Serendipity 2.0.5 and 2.1-beta3 released

Serendipity 2.0.5 is a maintenance security release which addresses these issues:

  • [Security] Improve the protection against fetching local files, thanks to Xu Yue.
  • [Security] Prevent XSS in adding category and directory names, thanks to Edric Teo @smarterbitbybit, CVE-2016-9681.

Alongside it, a new Serendipity 2.1-beta3 version has been released, with the same fixes plus some more progress on the road to the 2.1 release.

Simply upgrade by unpacking and uploading the release file and confirming our web-based upgrader.

New Serendipity homepage online

In the past few months we have also worked a lot on rebuilding the presentation page of www.s9y.org. We have moved the infrastructure for it over to GitHub Pages in the s9y.github.io repository, and reworked a lot of our documentation to streamline it and give it a better structure.

Additionally, this documentation repository is now open for any kind of pull requests and contributions, and will be easier to maintain. Our devs onli and yellowled worked hard on bringing the visual side of things up to par, and MarioH moved a lot of text files. We hope you like the result!

Serendipity 2.0.4 and 2.1-beta2 released

Serendipity 2.0.4 is a maintenance security release which addresses these issues:

  • [Security] Prevent moving files by using their directory name.
  • [Security] Possible SQL injection for entry category assignment.
  • [Security] Possible SQL injection for removing and adding a plugin.

    All three of these issues require a valid backend login.
    Thanks to Hendrik Buchwald for finding them with the
    RIPS source code analyzer (www.ripstech.com).
  • [Security] Add new configuration option to enable fetching local files for the media uploader. By default this is now disabled to prevent Server Side Request Forgery (SSRF). Thanks to Xu Yue for pointing this out!
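To illustrate the kind of check behind that change, here is an added example (not Serendipity's own code) of a hypothetical helper that only lets the media uploader fetch http(s) URLs resolving to public addresses, unless an operator has explicitly enabled local fetching; the `$allowLocalFetch` flag stands in for the real configuration option and is an assumption.

```php
<?php
// Added example, not Serendipity's own code. Policy: remote fetches are limited
// to http/https URLs whose host resolves to a public address. Bare paths and
// file:// URLs have no http host and are rejected, as are loopback, link-local
// and private addresses (the classic SSRF targets). The $allowLocalFetch flag
// is an assumed stand-in for the configuration option the release introduced.

function is_public_ip(string $ip): bool
{
    // NO_PRIV_RANGE rejects RFC 1918 / ULA ranges; NO_RES_RANGE rejects
    // loopback, link-local, 0.0.0.0/8 and other reserved blocks (v4 and v6).
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

function is_safe_fetch_target(string $url, bool $allowLocalFetch = false): bool
{
    if ($allowLocalFetch) {
        return true; // operator opted in to local fetching (not the default)
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false; // e.g. "/etc/passwd" or "file:///etc/passwd": no host
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false; // file://, php://, gopher:// and friends are never fetched
    }
    $host = trim($parts['host'], '[]'); // strip IPv6 literal brackets
    // A literal IP is checked directly; a hostname is resolved so that names
    // pointing at 127.0.0.1 or a metadata service are rejected as well.
    // gethostbynamel() only returns A records; AAAA lookups would need
    // dns_get_record() in a fuller implementation.
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : gethostbynamel($host);
    if (empty($ips)) {
        return false; // unresolvable host: fail closed
    }
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs exercising each branch of the policy.
var_dump(is_safe_fetch_target('https://example.org/image.png'));   // public host
var_dump(is_safe_fetch_target('file:///etc/passwd'));             // file scheme
var_dump(is_safe_fetch_target('http://127.0.0.1/admin'));         // loopback
var_dump(is_safe_fetch_target('http://127.0.0.1/admin', true));   // opted in
```

Resolving the name here and again inside the HTTP client leaves a DNS rebinding window; a fuller implementation pins the checked address for the actual request and re-applies the check on every redirect.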

Alongside it, a new Serendipity 2.1-beta2 version has been released, with the same fixes plus some more progress on the road to the 2.1 release. Among the features added:

  • New API wrapper for URL downloads that plugins can use (serendipity_request_url)
  • Added new Theme "Skeleton" (responsive, mobile first)
  • Improved preview iframe handling
  • Changes (simplifications) in template file routing for backend/frontend views, new smarty {getFile} function for theme authors

Simply upgrade by unpacking and uploading the release file and confirming our web-based upgrader.