New security/bugfix release: Serendipity 0.8.3 is out

There's good and bad news.

The bad news is:

  • A possible cross-site scripting (XSS) injection, reported by Ilia Alshanetsky (thank you!), allows commenting users to inject special markup into your entry.
  • Another bug has been found in the handling of received comments. It was possible to submit comments for non-existing entries; this still caused notification mails to be sent to the owner of the blog and allowed headers to be injected into that e-mail. Ultimately this could lead to your server being used for sending specially crafted e-mails.
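The two checks that close the comment-mail bug described above, as an added example that is not Serendipity's own code: refuse comments whose entry does not exist, and keep CR/LF from user-supplied fields out of mail headers. The `$entries` table, the comment array and the function names are assumptions made for this example.

```php
<?php
// Added example, not Serendipity's own code. $entries, the comment array and the
// function names are assumptions made for illustration.

// Constructed stand-in for the entries table: only entry 1 exists.
$entries = [1 => ['title' => 'Hello world', 'owner_email' => 'owner@example.org']];

// Remove anything that could start a new header line in the outgoing mail.
function strip_header_newlines(string $value): string {
    return preg_replace('/[\r\n]+/', '', $value);
}

// Build the owner notification, or return null when the comment must be dropped.
function build_owner_notification(array $entries, array $comment): ?array {
    $id = (int) $comment['entry_id'];
    if (!isset($entries[$id])) {
        return null; // no entry, no mail: nothing for injected headers to ride on
    }
    $name  = strip_header_newlines($comment['name']);
    $email = strip_header_newlines($comment['email']);
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return null; // reject malformed sender addresses outright
    }
    // The From: header uses a fixed blog address; user data only goes into
    // Reply-To (validated above) and the body, never into free-form headers.
    return [
        'to'      => $entries[$id]['owner_email'],
        'subject' => 'New comment on "' . $entries[$id]['title'] . '"',
        'headers' => "From: blog@example.org\r\nReply-To: $email\r\n",
        'body'    => "Comment from $name:\n\n" . $comment['body'],
    ];
}

// Constructed malicious comment: CR/LF in the name field and a non-existent entry id.
$bad = [
    'entry_id' => 999,
    'name'     => "Mallory\r\nX-Injected: header",
    'email'    => 'mallory@example.org',
    'body'     => 'hi',
];
var_dump(build_owner_notification($entries, $bad)); // dropped: entry 999 does not exist

// The same comment against an existing entry: the CR/LF never reaches a header.
$bad['entry_id'] = 1;
$mail = build_owner_notification($entries, $bad);
echo $mail['headers'], "\n", $mail['body'], "\n";
```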

The good news is:

  • Serendipity 0.8.3 has been released, which fixes these bugs.
  • The upgrade once again is very easy: download the release, unpack the files to your webspace (overwriting old files, but keeping your personal plugins/templates/media files), open your blog administration and click on "Perform update". Always be sure to make a backup of your old files and database tables first, and make sure that the files serendipity_config_local.inc.php and .htaccess are writable for your PHP/webserver user. If you have made manual changes to any of the bundled files, we suggest you connect to our CVS or SVN repositories and make a diff of your changes.
  • The XSS only allows for a reduced set of malicious exploits to occur. And as most of you authors probably check the comments of your users on your blog, you would easily spot a user posting "bad code".
  • The current generation of "advanced web scanners", which scan HTML pages for XSS attacks, no longer finds any XSS loopholes on the pages produced by Serendipity.

The even better news is that new features are introduced as well:

  • We used this opportunity of a new release to backport some more (minor) bugfixes of the upcoming 0.9 release and updated our bundled libraries.
  • Full Korean language support with translation of almost all plugins, thanks to Wesley Hwang-Chung.
  • New template hooks to allow plugins (serendipity_event_pagenugget) to output header/footer HTML nuggets.
  • New configuration directive to configure the used Blog e-mail address for sending comments.

We are very sorry for the inconvenience this may cause to you. We are trying hard to deliver all of our users a blog application as secure and feature-loaded as possible, but since we are all fallible humans there are always errors that slip through, in every project, be it open source or commercial. We take it as a chance and opportunity to fix bugs and issues reported to us and improve Serendipity to be the most stable blogging system available. This year has brought many XSS vulnerabilities and has raised overall attention to code quality, which we feel is a good thing for every project.

Please also note that we are working hard on the current 0.9 version of Serendipity. This introduces flexible and granular privilege control, custom permalinks, per-category templating, UTF-8 languages and much, much more. Read our ChangeLog for more information and check out the nightly snapshot in our download area. Feedback, as always, is appreciated.

In the end, have fun with Serendipity! :-)

Download link: Serendipity 0.8.3

On behalf of the Serendipity Team,
Garvin

Back to normal?

After our server hardware went down some weeks ago, we had to put s9y.org onto a very tiny backup server in order to resume "normal" operations. Now the new server is all set, and s9y.org has been moved over to its new home today. The nameservers have been updated as well, but it can take "up to a few days" until your nameserver recognizes this change. If you enter "www.s9y.org" and are taken to "s9y.jayniz.de", it means your nameserver has not yet updated, but you can access all contents via s9y.jayniz.de as well.

Please tell me if you notice any oddities with the new setup. For example, coWiki is using another URL scheme, but all old links should still be accessible.

Testwinnaar

Screenshot of a page from the June 05 edition of the Dutch Chip magazine
Somebody who calls himself NN sent this in. I don't understand every word and unfortunately Babelfish can't do OCR on images, but I still think the overall message is clear (at least after you have clicked on the screenshot).

This goes out to the devs: Thanks, guys! :-)

Backup

After the DNS trouble we had last week, it seemed to be time for the hardware to take a break. The original s9y.org and supersized.org server melted last night. It's down: hardware failure.
Luckily, absynth of de-punkt webhosting, our provider, had a spare machine handy. I spent today migrating the nightly backups to this new server and setting it up.
So remember that we're on a backup machine right now; some minor things might not work as expected. We'll have a brand new server by next week, and hopefully more hardware luck this time ;-)

Back, sweet blogs

Most of you have noticed the slight unavailability of s9y.org between June 3rd and today. This was due to the fact that my old provider, the one where I registered s9y.org, stopped his business but at the same time did not stop being the admin-c of s9y.org. On June 3rd s9y.org expired, and the expiration notice, warnings and reminders were sent into the great nowhere, as there was no provider responsible for s9y.org. All apologies to you guys who couldn't download fresh s9y snapshots.

Thanks to a lot of Vitamin B and efforts from the cool guys of InterNetX and De-Punkt, GPF and absynth, the domain s9y.org has magically gone through an instant recovery from its PENDING DELETE state back to shiny availability. Thanks, guys. As the domain has finally been completely moved away from the old provider, everything should go much smoother now.

Blog on...