Your help in sorting serendipity plugins

As announced earlier on the Serendipity blog, fellow usability expert Joachim Harloff is currently trying to improve the listing of Serendipity plugins so that they are more accessible to users.

He needs your help to complete this work. Initially he planned to meet Serendipity users in person, but this proved more complex than initially hoped. He has therefore created a smaller, text-based version of the study.

You can download the file at http://www.softuse.com/serendipity_sorting.zip. It contains detailed instructions. You can also feel free to personally contact Joachim about any questions you have.

Joachim estimates that this questionnaire will take about 1.5 hours of your time. You could greatly help to improve Serendipity's usability, so please participate! Joachim wants to start evaluating your responses on September 8th.

A Serendipity Book

It's finally happening - the first book about Serendipity is going to be published by OpenSourcePress: Serendipity - Individuelle Weblogs für Einsteiger und Profis.

As you can gather from the title of the book, it's going to be in German and will be written by yours truly, Garvin Hicking. I will put a huge effort into getting this book translated to English quickly, though.

The book is scheduled for the beginning of 2008 and will hopefully cover every aspect of Serendipity, both for newbies and developers. I'm very excited to be able to write this book and will keep you posted about the progress.

Serendipity 1.1.4 released, security bug in entryproperties plugin

Thanks to Erich Schubert, we were made aware of a bug and security issue in the plugin "Extended properties for entries". Since this plugin is delivered with the core release, we have created new Serendipity releases for both the current stable 1.1 version tree and the 1.2 beta version.

Serendipity users who are using the mentioned plugin do not need to upgrade the full release; they can just fetch the updated version of the plugin through this direct link. Place the updated file at plugins/serendipity_event_entryproperties/serendipity_event_entryproperties.php, overwriting the existing one.

The actual bug was that custom entryproperties settings could be delivered to the Serendipity frontend via an HTTP request, which made it possible to bypass any password protection in use. Other restrictions on the visibility of entries, such as those enforced via category read privileges, were not affected.

Bottom line: if you are using password protection for entries, this security update is mandatory for you. If you are using the entryproperties plugin at all (it is not installed by default in Serendipity), you are also urged to update your plugin. Only those not using this plugin are unaffected by this issue.

You can download the new full releases as always on the Serendipity download page.

Main Server down [UPDATE: Server is back again]

Update, July 2nd: The Server is online again!

Hey folks,

as usual when I post here, it's kinda bad news. As you may have noticed, the main server running s9y.org and board.s9y.org went down a couple of hours ago. Since engineers at the NOC are expensive on weekends (200€/h), it won't come back until Monday. blog.s9y.org is hosted at supersized.org and not affected (obviously). But don't worry, another server is set up, and s9y.org and board.s9y.org will be transferred over to it as soon as possible; things should run a lot smoother than in the past.

For those of you who didn't upgrade yet, here are temporary downloads for the current versions:

Update: The power adapter died and has been replaced.

Serendipity 1.1.3 and 1.2-beta2 released due to SQL exploit

Serendipity 1.1.3 and 1.2-beta2 have been released due to a SQL injection vulnerability reported by Dr. Neal Krawetz today. The 'commentMode' request variable could be abused to inject SQL code into the function that fetches comment information. This variable was introduced in Serendipity 1.1; all prior versions are not affected.

Please update your blogs as soon as possible. If you are using a database backend that allows SQL UNION queries, the injection could lead to disclosure of the stored MD5 password hashes. Because of this, we also suggest updating your blog user account passwords.

It is a good idea to check your server's access logs and search for the 'commentMode' variable to see whether malicious requests have already been issued against your blog.
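One way to do that check is to scan the web server's access log for requests that carry a 'commentMode' parameter and flag the ones whose value does not look like a plain mode name. The script below is an added example written for this post; it is not part of Serendipity and not the author's code. It assumes Apache/nginx combined log format, treats a small set of SQL metacharacters and keywords as suspicious (the signature is an assumption, not a definition of what legitimate values are), and decodes the value a second time so that double-encoded payloads are caught. The log lines embedded in it are constructed samples using documentation IP ranges. Only GET requests can be checked this way, since request bodies are not written to access logs.

```python
"""Flag access-log requests whose 'commentMode' value looks like SQL injection.

Example written for the advisory above (not Serendipity's own code).
Assumes combined log format; detection signature is a heuristic.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined log format: ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters and keywords that have no business in a comment-mode value.
# Assumption: legitimate values are bare words such as "linear".
SUSPICIOUS_RE = re.compile(
    r"""['"\\;]|--|/\*|\b(?:union|select)\b""", re.IGNORECASE
)

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jul/2007:10:12:01 +0200] "GET /index.php?/archives/12-hello.html&commentMode=linear HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jul/2007:10:13:44 +0200] "GET /index.php?/archives/12-hello.html&commentMode=%27%20UNION%20SELECT%201%2C2-- HTTP/1.1" 200 6021 "-" "curl/7.16"
198.51.100.2 - - [01/Jul/2007:10:14:02 +0200] "GET /index.php?/archives/13-other.html HTTP/1.1" 200 4811 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jul/2007:10:15:17 +0200] "GET /index.php?/archives/12-hello.html&commentMode=%2527 HTTP/1.1" 200 5123 "-" "curl/7.16"
"""


def is_suspicious(value):
    """True if the (already once-decoded) value, or its second decoding,
    contains SQL metacharacters or keywords."""
    decoded = unquote_plus(value)  # catch double-encoded payloads (%2527)
    return bool(SUSPICIOUS_RE.search(value) or SUSPICIOUS_RE.search(decoded))


def comment_mode_values(path):
    """Return every commentMode value in a request path's query string.
    Serendipity URLs look like /index.php?/archives/12-x.html&commentMode=..
    so the query string starts with a bare path segment; parse_qs copes."""
    query = urlsplit(path).query
    return parse_qs(query, keep_blank_values=True).get("commentMode", [])


def scan(lines):
    """Return one record per request carrying a suspicious commentMode value."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        for value in comment_mode_values(m.group("path")):
            if is_suspicious(value):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "status": m.group("status"),
                    "value": value,
                })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit['time']} {hit['ip']} status={hit['status']} "
              f"commentMode={hit['value']!r}")
```

Run it against your real log with `scan(open('/var/log/apache2/access.log').read().splitlines())`, and remember to include rotated logs. A hit is a signal that someone probed the parameter, not proof that the injection succeeded; a 200 status on a probe is the case worth investigating, and rotating the affected account passwords, as recommended above, is the safe response either way.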

For those who do not want to upgrade to a whole new version, you can also simply patch the file include/functions_comments.inc.php and replace the single occurrence of:

$type = $serendipity['GET']['commentMode'];

with

$type = serendipity_db_escape_string($serendipity['GET']['commentMode']);

We are very sorry for this, but glad to provide a quick fix at short notice. You can download the latest files as usual on www.s9y.org. Read the FAQ on how to perform an easy update.

Serendipity 1.2-beta1 released

After a long time of development and testing, Serendipity 1.2 is now out in its first release candidate.

There have been quite a lot of changes in the new version. Most importantly, the authentication and session scheme has been altered to allow easier plugin interaction. Also, the backend (master template and template for the entry editor) has finally been Smartyfied so that it can be changed by template authors.

We would kindly ask all Serendipity users to test this new version to squash any possible showstoppers before the final release.

Please check in particular that the login to your admin backend still works flawlessly (especially if you are using https) and that your 'Edit Entry' backend section works just like before. Please report bugs and issues on our Serendipity Forum Board.

Here's a list of other new cool enhancements since Serendipity 1.1:

  • Templates for Backend (Entry Editor, Master Template) via Smarty
  • New session/login system
  • SQLite3, PDO::Postgresql Support
  • better IPv6 support
  • better HTTP headers to support Caching
  • allow defining whether a parent category should show entries of child categories on the frontend, or only entries of that exact category
  • Bugfix: RSS fullfeed for "let user decide" now properly works
  • Bugfix: Saving/sending trackbacks and tracking exit-links works in circumstances involving cached entries
  • Bugfix: Move potentially dangerous user preference options to group management to prevent unwanted configuration changes

A full list of changes is contained in the docs/NEWS file inside the file archive. Many changes are small bugfixes and user interaction enhancements that all speed up your Serendipity experience.

You can download the latest version on www.s9y.org. And most of all: Have fun!