Serendipity User Survey

Ellen and Prabath from the OpenUsability.org project are conducting a user survey on how our users are working with Serendipity. The results of this survey will have a huge impact on Prabath's student work as a Usability Engineer - he will try to make suggestions to enhance the user experience of the Serendipity entry-editing interface, and maybe more.

Please participate, everyone. You will benefit by making Serendipity more user-friendly to fulfill your very own needs!

Read the forum posting

Serendipity 1.1.2 released

This evening we were notified by fellow co-developer Sebastian Nohn about a full-disclosure posting about a Serendipity SQL injection matter. We have investigated this reported 0day issue, and can tell you that it is not an SQL injection, but instead "only" an SQL error display.

No SQL can be injected using the described method. Because of an invalid category ID, Serendipity tries to show entries for that category, but the resulting SQL string contains an empty "(())" statement which makes the MySQL parser fail and report the error on-screen. The SQL queries that Serendipity uses are not secret, and could be looked up in the source code as well.

Even though we consider this issue to be fairly low-impact, Serendipity 1.1.2 has been released because of this, mainly to assure the public that we have addressed the issue. It is not critical that you upgrade to that release. If you do, it is sufficient to update the include/functions_entries.inc.php file. The only change made to that function is documented here.

We would also like to express that we greatly appreciate all bug and security reports about Serendipity, and take them and our responsibility very seriously. Also rest assured that if you contact us developers first before publishing security advisories, we always cooperate, give credit and fix issues immediately, as we have done in the past. So we look forward to working together with SaMuschie in the future, who seems to be taking on some serious work in checking security issues - good work on that! :-)

The latest release can be downloaded here. This fix has also been committed to the daily snapshots.

Serendipity 1.1.1 released

After the well-received Serendipity 1.1 release, we put our ears to the community and searched for any bugs left. Luckily, those were very few (like the IIS server cookie bug) - we didn't at first believe it, so we let some time go by to be absolutely sure there were no other things to fix before issuing a maintenance release.

And here it is now: Serendipity 1.1.1 is a bugfix-only release to fix these reported issues:

  • Windows IIS server cookie/session authentication problem when not running via HTTPS
  • Change execution order of trackbacks to properly send them when a failure occurs
  • Display proper plugin permission restrictions when the admin user is not part of the group that is restricted
  • Fixed a bug that some plugins were not able to properly execute in the entry detail view

This is not a security-related upgrade. You only need to apply it if you think you are affected by any of the bugs listed.

Meanwhile, we continue to work on Serendipity 1.2 for feature improvements. Together with helpful users of the forum we are currently working on improving the authentication/plugin API sequence to better support future plugins like OpenID. Any help is appreciated, have a look at the forum thread. Also we are working on improving the Spartacus API, PDO::PostgreSQL support has been added, spamblock plugin improvements and some tweaks to the permalink system.

You can download the new version (or a recent snapshot of Serendipity 1.2) as always on our Download page. Detailed upgrade steps are explained in our FAQ, but it's as simple as: download, extract, go to the Admin panel. :-)

Have fun!

Serendipity 1.1 released!

The Serendipity Team is proud to release the Serendipity Weblog version 1.1 to the public.

This new version is aimed at feature enhancement and stability consolidation. The most important change is the overhaul of the media database, which vastly enhances the already obvious superiority of Serendipity's media management. In detail, this means that you can now store and customize meta properties easily - store descriptions, EXIF tags and keywords which you can later see and search in your database. You can also now assign detailed privileges for each directory of the media database, and the output is now completely templated. Yes, that means you can customize and style your very own media database, both in the backend and the frontend.

The other important change is more granular plugin permission management. You can enable/disable certain markup-plugins on a per-entry basis, and allow/forbid specific usergroups to access certain plugins.

Another visually apparent change is the overhaul of the plugin manager. You can now drag'n'drop to order and move your plugins around. Together with the ability of templates to specify the number and names of sidebars, you have virtually unlimited flexibility for plugin management!

Templating has also been intensively upgraded in that themes are now able to specify custom "options". A theme could allow you to choose navigation links, colorsets and much more. Explore the possibilities! Many themes by Carl Galloway and other great designers from our forums have already used that feature to provide you with many cool options!

For the developers among us, it might be of interest to note that Serendipity now also supports custom template engines easily. Tired of Smarty? You can also use a plain old PHP template emulation or even an XSLT transformation layer (read more on this topic here).

Of course we have not only focused on adding features, but also fixed some minor bugs and glitches, made a high-impact optimization of a central SQL query, and added smaller improvements. In total we have 29 feature improvements, 24 bugfixes and 21 usability/technical improvements. For detailed reports on this, either read our NEWS file or the past 1.1-beta announcements here and there.

Upgrading is easy as always: download, unpack, go to your Admin panel, done. Read more here: Serendipity FAQ. The download is available here: Serendipity Download Page.

We hope you'll have fun with this new release and continue to make Serendipity an ever-improving system. Let's have a great 2007!

Serendipity 1.1 release

As you might have noticed, our server went away this week, but is now up and running again. This had effects on our Serendipity 1.1 release cycle. 1.1 was scheduled for this week, but could not be released. Now I'm out of time because of upcoming Christmas, so expect the new Serendipity version in the last week of this year. :-)

All good

Chris just called to inform me that the server has been repaired and all services should be back to normal. I am writing this with my cellphone because I'm on the autobahn, driving home to Berlin. So I'll keep this short!