Serendipity 1.7-rc1

The 1.7-rc1 that was published today has an issue with older Serendipity plugins present in prior installations, preventing Serendipity 1.7 from operating properly. While we fix this issue for an upcoming rc2, the problematic rc1 has been removed for now.

Serendipity 1.6.2 released

UPDATED: 2012-05-22 12:00 to clarify impact.

Good and bad things come in doubles, it seems. We are sorry to inform you that another security issue in Serendipity has been found by the High-Tech Bridge SA Security Research Lab (Advisory HTB23092). This issue was reported today at 11:27 and we're happy to provide a quick fix for it.

You can either download the full 1.6.2 release, or apply this simple fix to the file include/functions_trackbacks.inc.php: diff on github.

The error here is that input is not properly validated and can (when magic_quotes_gpc is off) be used to inject SQL code into a SQL query. Our DB layer does not execute multiple statements, and the involved SQL query is not used to produce output; nevertheless, thanks to Pawel Golen it was made clear to us that this issue can in fact be used to remotely access the database through blind SQL injection attacks (this method is really slow and creates a lot of traffic, since each query only yields a 0/1 result, so a lot of queries are needed to deduce the content). Thus you should definitely upgrade your installation.
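To illustrate the class of bug described above, here is an added example (not the code from include/functions_trackbacks.inc.php, and not the project's DB layer): a trackback lookup that interpolates the submitted URL into the SQL text only works as long as magic_quotes_gpc has already added backslashes, whereas a bound parameter never depends on server configuration. The table and column names and the in-memory SQLite database are assumptions for the demonstration.

```php
<?php
// Added example, not Serendipity's own code. An in-memory SQLite table with
// assumed names stands in for the real trackback table.
function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE trackbacks (id INTEGER PRIMARY KEY, entry_id INTEGER, url TEXT)');
    $db->exec("INSERT INTO trackbacks (entry_id, url) VALUES (1, 'http://example.com/post')");
    return $db;
}

// Vulnerable pattern: the trackback URL becomes part of the SQL text, so the
// only thing standing between a quote character and the SQL parser is
// magic_quotes_gpc. With that setting off, a quote in $url terminates the
// string literal and whatever follows is parsed as SQL. Single-statement
// execution and the absence of echoed output do not help: the query's
// result (row or no row) still reflects any injected condition, which is
// exactly what a blind injection observes.
function count_trackbacks_vulnerable(PDO $db, string $url): int
{
    $sql = "SELECT COUNT(*) FROM trackbacks WHERE url = '$url'";
    return (int) $db->query($sql)->fetchColumn();
}

// Hardened pattern: validate the value, then bind it as a parameter so the
// database receives it as data and never as SQL, regardless of ini settings.
function count_trackbacks_safe(PDO $db, string $url): int
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('trackback url is not a valid URL');
    }
    $stmt = $db->prepare('SELECT COUNT(*) FROM trackbacks WHERE url = :url');
    $stmt->execute([':url' => $url]);
    return (int) $stmt->fetchColumn();
}

$db = make_db();
// Constructed input: a syntactically valid URL that contains a single quote.
$quoted = "http://example.com/it's";
try {
    count_trackbacks_vulnerable($db, $quoted);
} catch (PDOException $e) {
    // The quote reached the SQL parser: proof the value was treated as SQL.
    echo "vulnerable query failed: ", $e->getMessage(), "\n";
}
// The bound version treats the same value as plain data and simply matches nothing.
echo "safe query rows: ", count_trackbacks_safe($db, $quoted), "\n";
echo "safe query rows: ", count_trackbacks_safe($db, 'http://example.com/post'), "\n";
```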

Serendipity is an open-source product with no specific funding, so we depend on nice people like High-Tech Bridge, Stefan Schurtz, Hanno Böck and all the others in the past to report issues to us. In turn we promise to fix them as quickly and transparently as possible.

Serendipity 1.6.1 released

Serendipity 1.6.1 has just been released. As usual you can simply download from s9y.org, extract the archive, upload it to your webspace and accept the upgrader when visiting your blog.

This release mainly addresses two security issues found by Stefan Schurtz (thanks a lot, again!). One is an XSS issue in the media database panel, the other an SQL injection in the media database section. Both issues can only be exploited if you are logged in to your blog and click a specially crafted link. The SQL injection cannot be used to extract sensitive information from the database or to delete data.

Either way you are urged to upgrade your blog to the latest version. The development versions of 2.0 and 1.7 on github have these bugs fixed as well.

Other bugfixes in this version include:

  • Updated spamblock plugin for better word filtering in specific scenarios
  • Fixed draft/future entries preview links in backend
  • Fixed an issue where template-specific configuration options were not overwritten by the new global ones

You might also want to check out our quite stable 1.7 development version which uses Smarty3, or even our 2.0 development version which contains major rewrites so that Smarty is used in the backend!

Das Serendipity Handbuch / The Serendipity Manual

German version (translated)

The German "Serendipity Handbuch" was published by OpenSourcePress some time ago, and the publisher was kind enough to return the rights to the book contents to us (also thanks to the active commitment of Dirk Deimeke and, of course, our great community).

This means the contents have now been published under a CC-BY-NC-SA license and can be freely read, extended and possibly also translated by the community (that is: YOU!). Most of the manual still applies today, but there is plenty of room for improvement.

Take a look at it here: Das Serendipity Handbuch. The files are in LaTeX format, so you need a working LaTeX environment to compile them. The .tex files are plain text, though, so don't be shy. :-)

We are currently considering which format the whole thing should ultimately be kept in so that it is useful for users and contributors. We'd be happy to discuss this with you in the forum.


English version

The German "Serendipity Manual" was published by OpenSourcePress some time ago. They were so kind as to revert the publishing rights back to our project (thanks to the great work of Dirk Deimeke and kind people like you), so we can now publish it under a CC-BY-NC-SA license and let the community (read: YOU!) read the documentation for free, contribute to it, and hopefully even translate it into other languages. Many aspects of the book are still up to date, but surely many improvements can now be made.

Check it out here: The Serendipity Book. The files are written in LaTeX format, so you need a working LaTeX environment to compile it as PDF or other variants, if you like. We are currently working out the best format to use in the future; if you want, you can help us discuss this on the forums.

Spartacus infrastructure change, Developers please read

Since the core Serendipity project is now maintained on github.com and every developer is quite happy about that, we decided to go the jquery-plugins route and delete all Serendipity plugins.

No, just kidding. We actually imported all data from the SourceForge.net CVS servers into the github infrastructure. The short version for normal end-users: Nothing should change for you!

https://github.com/s9y/additional_plugins

https://github.com/s9y/additional_themes

All current Serendipity developers also have access to those repositories to contribute code. Developers should no longer commit code to CVS (actually, they can't, because I took away all their committing karma *eg*).

The harder task for the Spartacus infrastructure service is the actual publishing of data. The Spartacus plugin operates on a PEAR-like XML format for each plugin, which luckily is generated automatically by a small shell script (emerge.sh) that runs once daily on one of our webservers. That script iterates over a checkout of all plugins and templates, creates the XML and uploads it to all mirror servers (currently netmirror.org, s9y.org and now also github.com).

Downloading the files works either via the files that are uploaded daily to netmirror.org and s9y.org, or, as always, via the SourceForge.net server, which publishes the files through a nasty ViewVC oddity. The spartacus plugin in the current github core code (version 2.25) can now also retrieve those files from the github.com servers.

For all users that currently use the Spartacus plugin with the SourceForge.net mirror, our daily script now also pushes all changes in the GitHub tree to CVS, so that both repositories *should* be kept in sync. This is done via the gitclone.sh and gitclone.php scripts in the additional_plugins repository, for anyone who's interested.

Most likely, something in this script won't work properly, so in the next days some glitches in the matrix may occur. In that case, please report issues and remain seated. Or buy Christmas presents for your beloved. Or for your beloved developers.

Serendipity 1.6 released

The Serendipity Team is proud to present the final release of Serendipity 1.6. We are steadily walking towards a Serendipity 2.0 release and would welcome any developer who wants to join our cause. The list of things to do is available on http://www.s9y.org/238.html and open for discussion on the Serendipity Forums.

This new version mainly covers:

  • Bundle jQuery by default to enable plugin and template authors to more easily provide extended functionality to the frontend
  • Support for config groups in templates, as plugins already have (added to the bulletproof template)
  • Templates can now enable core-provided options like a global navigation setup
  • Fixed a bug in the automatic media database synchronization that did not properly add new files with the same basename but different file extensions
  • Added a .htaccess parameter to prevent IE9 CSS-trouble
  • API changes: Added "shortcuts" to commonly used constructs (language loading, hack protection)
  • Several minor feature additions in plugins (Karma, Akismet, Mailer) and the core (comment subscriptions, multiple comment moderation)
  • Full-text search improvements with "*" expansion
  • Added a "hidden" option for specific author groups, so that their members are not revealed on usual author listings by plugins etc.
  • Fixed a backend XSS issue in the karma plugin and in media database filtering, thanks to Stefan Schurtz!

The current release can be easily installed on any previous Serendipity installation. Just unpack, upload and visit your admin panel to perform any database upgrades. Upon first login with an old password, Serendipity will store your old password in the new format, so please be sure to make a backup of your database prior to upgrading, and read the upgrade pointers on Upgrading Serendipity.

Also, this release marks our move from the closing BerliOS service (thanks for the great service during those years) on to our new GitHub repository. Contributions are welcome of course!

Have fun using Serendipity, and let us know on the Forums if you have any issues!