Update for the XML-RPC Plugin

A Denial of Service (DoS) issue has been reported in the CMS/blog systems Drupal and WordPress: a crafted, invalid XML document sent to their XML-RPC service makes the XML parser consume excessive resources on the server.

Serendipity moved its XML-RPC support into an external plugin a long time ago, so luckily no update of the Serendipity core is necessary. Only users who have installed serendipity_event_xmlrpc (through Spartacus, for example) are actually affected by this issue, since the plugin uses PHP's default XML parsing facilities.

We have applied the same patch to the plugin's parsing routines, so that version 1.53 of serendipity_event_xmlrpc detects and rejects this invalid XML before parsing it (see the Drupal commit). Users who have enabled this plugin should either update it or remove it to prevent possible DoS attacks on their servers. The new version will be available in Spartacus within 24 hours, or can be downloaded manually from GitHub: Source Link.
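One way to implement the kind of pre-parse check described above, as an added example in PHP that is not the plugin's own code: the request body is refused if it carries an inline DOCTYPE or ENTITY declaration (something a legitimate XML-RPC call never needs) or exceeds an assumed size limit, before it ever reaches PHP's expat-based xml_parser, which expands internal entities and can be driven into heavy CPU and memory use by a crafted DTD. The two sample requests, the 1 MiB limit and the function names are constructed for this demo.

```php
<?php
// Added example, not code from serendipity_event_xmlrpc: gate an XML-RPC
// request body before handing it to PHP's expat-based xml_parser.

const XMLRPC_MAX_BODY = 1048576; // assumed limit: 1 MiB is generous for a blog XML-RPC call

// Returns null when the body may be parsed, otherwise the reason it was refused.
function xmlrpc_reject_reason(string $body): ?string
{
    if (strlen($body) > XMLRPC_MAX_BODY) {
        return 'body too large';
    }
    // An XML-RPC request never needs a DTD. Any inline DOCTYPE or ENTITY
    // declaration is treated as hostile and refused before parsing starts.
    if (preg_match('/<!\s*(DOCTYPE|ENTITY)/i', $body)) {
        return 'DTD or entity declaration not allowed';
    }
    return null;
}

// Parses a gated body with xml_parser and returns the <methodName>, or null
// when the body was refused or is not well-formed XML.
function xmlrpc_method_name(string $body): ?string
{
    if (xmlrpc_reject_reason($body) !== null) {
        return null;
    }
    $method  = '';
    $current = '';
    $parser  = xml_parser_create();
    xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, 0);
    xml_set_element_handler(
        $parser,
        function ($p, $name) use (&$current) { $current = $name; },
        function ($p, $name) use (&$current) { $current = ''; }
    );
    // expat may deliver character data in several chunks, so append.
    xml_set_character_data_handler(
        $parser,
        function ($p, $data) use (&$current, &$method) {
            if ($current === 'methodName') {
                $method .= trim($data);
            }
        }
    );
    $ok = xml_parse($parser, $body, true);
    xml_parser_free($parser);
    return $ok ? $method : null;
}

// Constructed sample requests for the demo.
$valid = '<?xml version="1.0"?>'
       . '<methodCall><methodName>blogger.getUsersBlogs</methodName><params/></methodCall>';

// Small-scale entity nesting: each &b; expands to ten &a;. Real payloads nest
// many levels deeper; this one only needs to trip the check.
$hostile = '<?xml version="1.0"?>'
         . '<!DOCTYPE x [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>'
         . '<methodCall><methodName>&b;&b;&b;</methodName></methodCall>';

var_dump(xmlrpc_method_name($valid));
var_dump(xmlrpc_reject_reason($hostile));
var_dump(xmlrpc_method_name($hostile));
```

The check is deliberately blunt: it looks at the raw text, not at parsed structure, so it is cheap and cannot be fooled by the parser's own entity handling. The price is that a well-formed request that carries the literal text `<!DOCTYPE` inside a CDATA section is refused as well, which is exactly the kind of false positive the announcement asks users to report.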

If the update causes problems with your valid XML-RPC calls, please report them either on our forums or in the Serendipity issue tracker on GitHub. Thanks a lot also to Ian for bringing this issue to our attention, so that we were able to provide a quick fix.

Serendipity 2.0-beta3 release

The Serendipity Team has made good progress on the road to the 2.0 final release. We have tackled issues reported on our GitHub issue tracker. A few are still open, mostly concerning the CKEditor and plugins that still need to be adapted to the look and feel of Serendipity 2.0's new default theme. But we feel confident that the current work is much more usable than beta2, so we urge users of that release to upgrade to beta3.

The main changes of beta3 are:

  • Backend and frontend themes are now distinct and can be chosen independently. We have introduced theme compatibility, which makes it easy for developers to create their own backend theme by falling back on the default template files the new 2.0 theme provides.

  • The syndication plugin has been upgraded to provide clearer options, and several of its configuration items (such as custom feed URL forwarding) have moved into the global Serendipity configuration.

  • Fixed bugs in thumbnail creation.

  • Added an optional toggle that lets users choose between modal layers (e.g. for the media database) and popup windows.

  • Blog entries are now stored in the browser cache while you write them, so you can restore them after a browser crash. This replaces the autosave plugin, which is no longer compatible.

  • Other changes, mostly of interest to developers, are listed in the docs/NEWS file of this release.

Please give us feedback on this new beta which can be downloaded at the Download-section. We will address the outstanding issues and put up a final release candidate before the actual 2.0 release.

Have fun and a nice summer :-)

Serendipity 1.7.8 released

Dear Serendipity users, I'm terribly sorry to inform you that all bad things come in triples and we have to put out yet another release, Serendipity 1.7.8, to fix another regression bug that was caused by the prior 1.7.6/1.7.7 release. By fixing the security issue, I introduced a bug that prevents saving entries if you preview them before saving.

Thanks to the bug reports on the forum and the quick response of Timbalu, we were able to quickly supply a fix for this, contained in this new 1.7.8 release. At least, upgrading is still easy, right? ;-)

I'm awfully sorry for this mess-up,
Garvin

Serendipity 1.7.7 released

Thanks (again!) to Stefan Schurtz for bringing three security issues to our attention, which are fixed with Serendipity 1.7.7:

  • An XSS by using a specially crafted username can happen when viewing the "Manage users" screen
  • An XSS when creating an entry with specially crafted id/timestamp values
  • SQL injection when installing a plugin with a specially crafted name

All three issues can only be exploited in the backend. In practice that means an attacker has to get you to open a maliciously crafted link while you are logged in (or one of your own blog editors, if you have any, has to target you; the username issue, for example, fires whenever the crafted name is shown on the "Manage users" screen). Since people can easily be tricked into clicking crafted links these days (URL shorteners like bit.ly hide the real target), we regard these issues as critical, and you should upgrade as soon as you can. Remember that you can always reduce your exposure to XSS attacks like these by logging out of Serendipity when you are no longer working in it: a crafted link then cannot execute anything in your backend, because you would first need to log in again. This applies to any web application, so make use of the Logout button. ;-)
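The three issue classes fixed in 1.7.7 have three standard remedies: escape a stored username every time it is rendered, validate an id/timestamp as an integer instead of echoing whatever arrived in the request, and pass a plugin name to SQL only as a bound parameter. The PHP below is an added example, not Serendipity's own code or its fix; the table layout, function names and hostile inputs are constructed for the demo, and it uses an in-memory SQLite database so it runs offline.

```php
<?php
// Added example, not Serendipity's code: the three remediation patterns for
// the issue classes fixed in 1.7.7. Table/column names are assumptions.

// Stored XSS defence: a username is untrusted data whenever it is rendered,
// no matter how long ago it was saved or who saved it.
function render_username_cell(string $username): string
{
    return '<td>' . htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Reflected XSS defence: an entry id and timestamp are numbers. Anything
// else is rejected instead of being written back into the edit form.
function sanitize_entry_params(array $get): array
{
    $opts = ['options' => ['min_range' => 0]];
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT, $opts);
    $ts = filter_var($get['timestamp'] ?? '', FILTER_VALIDATE_INT, $opts);
    if ($id === false || $ts === false) {
        throw new InvalidArgumentException('id and timestamp must be non-negative integers');
    }
    return ['id' => $id, 'timestamp' => $ts];
}

// SQL injection defence: the plugin name never becomes part of the query
// text; the driver sends it separately as a bound value.
function install_plugin(PDO $db, string $pluginName): int
{
    $stmt = $db->prepare('INSERT INTO plugins (name, installed_at) VALUES (:name, :ts)');
    $stmt->execute([':name' => $pluginName, ':ts' => time()]);
    return (int) $db->lastInsertId();
}

// Demo with constructed hostile inputs against an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE plugins (id INTEGER PRIMARY KEY, name TEXT NOT NULL, installed_at INTEGER NOT NULL)');

// Crafted username: rendered as inert text, not as markup.
echo render_username_cell('<script>alert(document.cookie)</script>'), PHP_EOL;

// Crafted timestamp in the query string: refused before it reaches any HTML.
try {
    sanitize_entry_params(['id' => '12', 'timestamp' => '1401000000"><script>alert(1)</script>']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Crafted plugin name: stored literally, the table survives.
$rowId = install_plugin($db, "serendipity_event_x'); DROP TABLE plugins; --");
$row = $db->query('SELECT name FROM plugins')->fetch(PDO::FETCH_ASSOC);
echo 'stored literally as: ', $row['name'], ' (row ', $rowId, ')', PHP_EOL;
```

Note that the first pattern is the one the logout advice above does not cover: a crafted username is stored server-side and is rendered the next time an administrator opens "Manage users" while logged in, so output escaping on that screen is the only reliable fix.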

This release also addresses an issue with the nl2br plugin in conjunction with the WYSIWYG editor. The plugin's configuration screen now shows some useful information on how to use it together with WYSIWYG editors or other markup plugins. Also, the templatechooser plugin now works properly again with some older templates. The fix for the textile plugin not working properly on PHP < 5.3 has also been addressed (again).

Upgrading Serendipity is as simple as usual: ideally make a backup first, then just upload the new release files to your blog.

UPDATE: The release 1.7.6 had a typo in one PHP file, so 1.7.7 has been released immediately after this.

Serendipity 1.7.5 released

As promised, we have just released a minor maintenance release, Serendipity 1.7.5, that addresses a single bug in the textile plugin which prevented some plugin operations, but only on PHP < 5.3 servers. So if you are running a recent PHP version (as you should...) you are unaffected by this issue and don't need to upgrade.

The only other change to the previous release is that the spamblock plugin will now add required fields to comments (the comment and the comment's author) when installed for the first time.

Have a nice weekend and greetings from our team :)

Serendipity 1.7.4 released

Serendipity 1.7.4 has just been released, addressing a few PHP 5.3+ compatibility issues in plugins and libraries. The most relevant changes are:

  • Updated textile plugin for PHP 5.3+ compatibility
  • Updated spamblock captcha creation for PHP 5.3+
  • Updated Smarty library
  • Improved .htaccess "deny" method for the Spamblock plugin

You can upgrade as usual by downloading the release files and uploading them to your webspace.

PLEASE NOTE - Due to a bug in the textile plugin, it currently requires PHP 5.3 to operate. Loading the list of plugins on PHP < 5.3 can fail as well. We are working on an update and will release this fix in 1.7.5.

Have fun using Serendipity, and thanks to users who report issues like these to the forums, and of course to our hardworking developers like Yellowled, mattsches, onli and Ian who quickly address these issues (says Garvin, who was on winter vacation *g*).