Hardware failure

For those of you who haven't seen the s9y.org main site since yesterday, we had a hardware failure in the server that was running the s9y.org wiki. Most likely the power adapter stopped working, a new one is on the way and will hopefully be installed tomorrow. If it doesn't, I will start setting up a "read only" interim site with backup data, because it's not very likely that Santa is going to install a new power adapter, so it could take a while until the original server is back in place. But don't forget, it's "only" the Wiki and the board that are down. The other parts of the s9y.org run on different servers, so you can still use:

Thanks go out to these people, who have offered to donate server power to the s9y.org project (If you're one of them and haven't heard from me: Don't hate, I have happily read your email and will reply as soon as I can):

I'll keep you up to date, sorry for everything.

UPDATE: It turned out the defective part was the CPU fan, a new one is on its way and will be installed tomorrow, Friday 22nd 2006 - what a nice birthday present for me ;-)  Also, I have received a lot of emails from people/companies offering backup server sponsorships, I'll let you know when the talks have finished and a decision has been made.

Serendipity 1.0.4 released!

This new Serendipity release addresses a local file inclusion security issue discovered yesterday. By passing a specially crafted parameter to one of Serendipity's include files, it was possible to make that file include another file from your own web tree (or any other file the webserver has read access to). Used on clear-text files, this could disclose information such as the Apache logfiles of your website.

This error can only occur when two prerequisites are met: register_globals must be turned on in your PHP configuration AND your webserver must ignore the .htaccess file shipped with Serendipity. That .htaccess file normally prevents Serendipity's include files from being called directly via HTTP. We therefore believe that only a very small percentage of installations is affected by this bug.
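The two prerequisites above combine as follows. This is an added illustration, not Serendipity's own code; the variable, file and constant names in it are assumptions:

```php
<?php
// Added example (not Serendipity's own code) of the conditions behind the
// 1.0.4 issue and the layers that close it. Variable, file and constant
// names are assumed for illustration.

// ---- What goes wrong -------------------------------------------------------
// A library file expects its caller (the front controller) to have set the
// installation path before including it. With register_globals = On, every
// request parameter becomes a global variable, so if this file is reachable
// over HTTP the attacker chooses $s9y_base_path:
//
//   GET /include/helper.inc.php?s9y_base_path=../../../var/log/apache2/
//
// and the include below hands the access log (or any file the webserver can
// read) to the PHP parser, which echoes clear-text content straight back.
function vulnerable_include_helper()
{
    global $s9y_base_path;          // filled from the query string by register_globals
    include $s9y_base_path . 'config.inc.php';
}

// ---- Layer 1: refuse to run unless the bootstrap included us --------------
// The front controller defines the guard constant before it includes any
// library file. A direct HTTP request never passes through it, so the
// constant is missing and the file aborts before touching any variable.
if (!defined('IN_serendipity') || IN_serendipity !== true) {
    header('HTTP/1.0 403 Forbidden');
    exit('Do not call this file directly.');
}

// ---- Layer 2: never derive paths from request-controllable globals --------
// The file's own location is the only trustworthy anchor. Computing the base
// from __FILE__ makes register_globals irrelevant for this include.
function safe_include_helper()
{
    $base = dirname(__FILE__) . '/';
    include $base . 'config.inc.php';
}

// ---- Layer 3 (web server) --------------------------------------------------
// The shipped .htaccess denies direct requests to include files. An
// equivalent Apache 2.2 rule (written here as an assumption, not the
// project's exact file) is:
//
//   <FilesMatch "\.inc\.php$">
//       Order Deny,Allow
//       Deny from all
//   </FilesMatch>
//
// If the server's AllowOverride setting disables .htaccess processing, this
// layer is silently absent, which is why the advisory names it as one of the
// two prerequisites.
```

A quick check for the second prerequisite: request any include file of your installation directly in a browser; a 403 means the .htaccess is honoured, a blank page or PHP error means it is not. The first prerequisite is visible in phpinfo() under register_globals.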

However, Serendipity 1.0.4 is a recommended upgrade for everyone who takes security seriously, as we do. We are thankful to the community for inspecting Serendipity, searching for bugs and security issues and reporting them to us. In this case, many thanks to Majestic from the forums for notifying us.

Most of the plugins (both bundled and available via Spartacus) were also updated to work around this bug, so you should upgrade all of your active plugins to the latest versions as well.

The Serendipity 1.1 release tree has also been patched for this issue. The patch will be contained in today's snapshot and in the 1.1-beta6 release file. The easy steps to perform an upgrade are documented in our FAQ on http://www.s9y.org/.

Serendipity 1.0.3 released: Fixes PHP 5.2.0 problem

Because of the issue with PHP 5.2.0 mentioned before, and because the 1.1 release is not going to be pushed out of the barnyard hastily, the Serendipity Team has decided to release a 1.0.3 version that fixes the mentioned problem.

We have also decided to backport some other bugfixes from the 1.1 release tree:

  1. Fix a problem where Spartacus did not properly assign the configured permissions to downloaded directories, thanks to danilo from the forums!
  2. Fix a possible integer wraparound in the comment count that led to a gazillion-sized counter. Also show links to the entries within the administration comment panel. Thanks to Julian Finn!
  3. Fix a bug with using %username% in author permalinks, thanks to oeli from the forums!
  4. Move the trackback sending logic to the end of saving an entry. This should get rid of event plugins not operating when trackbacks fail painfully. Thanks to isotopp.
  5. Fixed a bug that prevented native imports from other blog systems from recoding ISO charsets into UTF-8. Major thanks to Jan of blog.salid.de.

If you are affected by any of these fixed bugs and/or are running PHP 5.2.0, we suggest you update. Otherwise, you are not required to upgrade your Serendipity 1.0.2 installation and can wait happily ever after until we get the 1.1 release polished (hopefully in December). If you are a foreign-language speaker and want to contribute to Serendipity, please drop us a line in the Serendipity forums to help us get all translations up to date.

Download the new release here

Serendipity 1.0 and PHP 5.2.0

Serendipity 1.0.x and PHP 5.2.0 currently do not go well together because of the new PHP ext/filter extension. Early PHP 5.2.0 development builds provided a function input_name_to_filter(), which was later dropped from PHP, but the call to it was not removed from Serendipity 1.0.

Serendipity 1.1 beta versions already use a function_exists() check to prevent this, but that check had not made it into the 1.0 release cycle.

Thus, to make s9y work with PHP 5.2.0, you have three options:

  1. Disable the ext/filter extension in your php.ini configuration,
  2. Upgrade to the Serendipity 1.1-beta versions, or
  3. edit your Serendipity include/compat.inc.php file and replace the string "extension_loaded('filter')" with "extension_loaded('xfilter')", which effectively prevents the code that follows from ever running.
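To see why the 1.0 code fails and what the 1.1 check changes, here is an added example. It is not the project's compat.inc.php; the wrapper names and the fallback are assumptions:

```php
<?php
// Added example, not Serendipity's compat.inc.php. Shows why an
// extension_loaded() check alone is not enough for an extension whose API
// changed during a release cycle, and the function_exists() guard 1.1 uses.
// The wrapper names and the fallback strategy are assumptions.

// ---- The 1.0.x pattern: breaks on PHP 5.2.0 final -------------------------
// 'filter' is loaded, so the branch is taken, but input_name_to_filter() no
// longer exists: PHP raises a fatal "Call to undefined function" error and
// the whole blog stops rendering. Option 3 in the text ('xfilter') simply
// makes the condition false so the branch is never entered.
function filter_for_input_v10($name)
{
    if (extension_loaded('filter')) {
        return input_name_to_filter($name);   // dropped before 5.2.0 final
    }
    return false;
}

// ---- The 1.1 pattern: test the function, not the extension ---------------
// function_exists() checks the symbol we are about to call, which is the
// only thing that matters. The extension check is kept as a cheap
// short-circuit so the string lookup is skipped where ext/filter is absent.
function filter_for_input_v11($name)
{
    if (extension_loaded('filter') && function_exists('input_name_to_filter')) {
        return input_name_to_filter($name);
    }
    return false;
}

// ---- Build on the stable API instead -------------------------------------
// filter_input()/filter_var() are part of the ext/filter API that shipped
// with 5.2.0 final, so a caller can prefer them and still degrade gracefully
// on builds without the extension. Assumed helper for a GET parameter:
function sanitize_get_param($name)
{
    if (function_exists('filter_input')) {
        // null if the parameter is absent, false if filtering failed.
        return filter_input(INPUT_GET, $name, FILTER_SANITIZE_STRING);
    }
    // No ext/filter at all: fall back to plain PHP.
    return isset($_GET[$name]) ? strip_tags($_GET[$name]) : null;
}
```

The general lesson is to guard the exact symbol you call: extension_loaded() tells you the extension is present, not which of its functions survived into the final release.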

The upcoming Serendipity 1.1 final version will of course integrate a more thorough fix. The Serendipity Team is sorry for the confusion this may cause for PHP 5.2.0 users.

Serendipity 1.0.2 and 1.1-beta5 released

Time again for a new release!

Serendipity 1.0.2 mainly fixes an XSS (cross-site scripting) injection attack on the admin backend, which could happen if registered authors are tricked into following a specially crafted URL. This bug was detected by the ever-restless Stefan Esser, many thanks for notifying us. Users of previous versions of Serendipity are urged to upgrade to be secure. Note though that this bug requires interaction by the victim, so whether it can be exploited depends on how well you stay away from clicking links when you don't know exactly what they do. ;-)

Serendipity 1.1-beta5 features the following new changes since 1.1-beta1:

  1. Prevent XSS backend injection attack (see above)
  2. Themes can now support custom amounts and positions of any number of sidebars (top, bottom, left, right etc.) (more)
  3. Usergroups can now configure which plugins/events a group is allowed to execute (more)
  4. Added the options to use HTTP-Authentication for your login, which enables you to use secured RSS-Feeds with login credentials
  5. Some permalink oddities when using % in URLs, and some other minor fixes

Serendipity 1.1 is getting very close to being finalized (targeted for mid-December). New major features will be added to a 1.2 version branch, so expect no more major changes here. Please help us by trying out the latest version and reporting bugs/issues!

Upgrading is as easy as ever: download, unpack, go to your admin panel, done. Read more here: Serendipity FAQ. The download is available here: Serendipity Download Page

Have fun!

New Serendipity Releases: 1.0.1 and 1.1-beta1

The Serendipity Team is proud to offer two new releases:

Serendipity 1.0.1 contains a few minor bugfixes for the otherwise very well-received 1.0 stable release. These relate to UTF-8 iconv conversion on older PHP setups, sending comment mails to users without an email address, and a WYSIWYG image insertion issue.

The most important fix, and the reason for the 1.0.1 release, is a security issue reported by Sebastian Nohn using the cool new security scanner Chorizo. The only issue Chorizo reported was that users who can add plugins to the installation (usually only administrators) could insert file references to arbitrary other PHP files, which are then included. We feel the impact is minor, because usually all administrators already have full access to the PHP file base and could include remote files by other means. Also note that installations with safe_mode/open_basedir restrictions would not be affected by this.

Users of multi-user installations that give plugin access to untrusted users are urged to upgrade to the latest release!
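One way to confine admin-supplied plugin references to the plugin directory, as an added example rather than the fix shipped in 1.0.1 (the directory layout, function names and the plugin naming rule are assumptions):

```php
<?php
// Added example, not the fix shipped in Serendipity 1.0.1. Demonstrates
// confining a plugin reference supplied through the admin interface to the
// plugin directory, so that even a user with plugin rights cannot point
// include at an arbitrary PHP file. Layout and names are assumptions.

define('PLUGIN_ROOT', realpath(dirname(__FILE__) . '/plugins'));

// Returns the canonical file to include, or false if the reference would
// escape the plugin tree. $ref is whatever the admin typed or posted, e.g.
// 'serendipity_event_spamblock' or '../../../../etc/passwd'.
function resolve_plugin_file($ref)
{
    if (PLUGIN_ROOT === false) {
        return false;                           // plugin directory missing
    }
    // 1. Syntactic allow-list: plugin names are [A-Za-z0-9_]+, so '/', '..',
    //    ':' and 'http://' cannot be expressed at all.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $ref)) {
        return false;
    }
    // 2. Canonicalise and re-check containment. realpath() collapses '..'
    //    and follows symlinks, so a symlinked plugin directory pointing
    //    outside the tree is caught here; a missing file yields false.
    $candidate = realpath(PLUGIN_ROOT . '/' . $ref . '/' . $ref . '.php');
    if ($candidate === false
        || strpos($candidate, PLUGIN_ROOT . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $candidate;
}

// 3. Only the resolved path ever reaches include_once. Keeping
//    allow_url_include = Off (PHP 5.2.0 and later) and allow_url_fopen
//    restricted is the server-side backstop, just as safe_mode/open_basedir
//    limit what a successful include could read on older setups.
function load_plugin($ref)
{
    $file = resolve_plugin_file($ref);
    if ($file === false) {
        throw new InvalidArgumentException("Rejected plugin reference: $ref");
    }
    include_once $file;
    return $file;
}
```

The allow-list in step 1 does most of the work; step 2 is there for the case where the plugin directory itself, or an entry inside it, is a symlink that an administrator with shell access planted.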

Serendipity 1.1-beta1 brings the long-awaited new features to a first public release. The 1.1-alpha versions have been tested quite well in the past and are thought to run quite stably.

The 1.1 version brings these major new features (also see an earlier blog entry for details):

Read "New Serendipity Releases: 1.0.1 and 1.1-beta1" in full