Serendipity 2.1.1 released

Sadly a regression slipped into our Serendipity 2.1.0 release, which made it impossible to reset a plugin configuration variable to a FALSE/empty state and indicate the proper state in the plugin configuration. We have fixed this in 2.1.1 and changed the release announcement to point directly to 2.1.1.

Serendipity 2.1.0 released

We are happy to announce the availability of the final release for Serendipity 2.1.1.

Serendipity 2.1.1 focusses on:

  • Rewrites in some older legacy parts of the core (URL routing, template fallback chain, experimental internal caching) as well as PHP 7 compatibility.
  • New bundled responsive themes "Timeline" and "Clean-Blog"
  • Improved usability of plugin upgrades by combining sidebar and event plugins and upgrading multiple plugins at once
  • Permission checks for the dashboard output and comments
  • Usability improvements to the media library, bulk moving support
  • New API wrapper for URL downloads that plugins can use (serendipity_request_url)
  • New Theme "Skeleton" (responsive, mobile first)
  • Improved preview iframe handling
  • Changes (simplifications) in template file routing for backend/frontend views, new smarty {getFile} function for theme authors
  • (new for rc1) Ability to set a default posting category for an author
  • (new for rc1) Improved security checks against CSRF attacks (comment moderation, comment toggling
  • (new for rc1) Improved security for referrer redirection
  • (new for rc1) Improved security for local file hotlinking
  • (new for rc1) Fixed sorting media database by filename
  • (new for final release) Addressed some more PHP 7.1 issues, fixed bugs with missing token for installing plugins and deleting comments. We mainly tested PHP 7.0 compatibility, but PHP 7.1 should work too.
  • (2.1.1) Fixed displaying the proper plugin configuration value when set to false/empty.

Many thanks at this point (in no specific order) for Lee Sheldon Victor, cdxy, Edric Teo and Xu Yue for helping a lot in improving on security aspects of Serendipity.

The next version of Serendipity will focus on supporting UTF8MB4 (for full emoji compatibiliy), responsive image insertion, consolidating our plugins. Our github issue tracker now also holds a new label "easyfix" which could be a great way of interested developers to get started with Serendipity and help us with development.

You can download the release file and unzip it to your installation as usual.

Serendipity 2.1 - First Release Candidate

We are happy to announce the availability of the first (and hopefully last) Release Candidate for Serendipity 2.1.

We feel comfortable with suggesting you to try out this release in productive environments (of course always make a backup of your database and files first).

Serendipity 2.1 focusses on:

  • Rewrites in some older legacy parts of the core (URL routing, template fallback chain, experimental internal caching) as well as PHP7 compatibility.
  • New bundled responsive themes "Timeline" and "Clean-Blog"
  • Improved usability of plugin upgrades by combining sidebar and event plugins and upgrading multiple plugins at once
  • Permission checks for the dashboard output and comments
  • Usability improvements to the media library, bulk moving support
  • New API wrapper for URL downloads that plugins can use (serendipity_request_url)
  • New Theme "Skeleton" (responsive, mobile first)
  • Improved preview iframe handling
  • Changes (simplifications) in template file routing for backend/frontend views, new smarty {getFile} function for theme authors
  • (new for rc1) Ability to set a default posting category for an author
  • (new for rc1) Improved security checks against CSRF attacks (comment moderation, comment toggling
  • (new for rc1) Improved security for referrer redirection
  • (new for rc1) Improved security for local file hotlinking
  • (new for rc1) Fixed sorting media database by filename

Many thanks at this point (in no specific order) to Lee Sheldon Victor, cdxy, Edric Teo and Xu Yue for helping a lot in improving on security aspects of Serendipity.

You can download the release file and unzip it to your installation as usual on our Github release tracker.

Serendipity 2.0.3 released

Happy new Year! Serendipity 2.0.3 has just been released to address a XSS security issue found and reported by Onur Yilmaz and Robert Abela from Netsparker.com. Thanks a lot for contacting us and working with us to address the issue.

The issue only affects logged-in authors, where HTML can be inserted into the comment editing form when they click specially crafted links. Due to the required authentification we consider the issue of medium impact, but suggest everyone to perform the update.

We are currently still working on an improved s9y.org presentation page and its documentation, as well as on the 2.1 branch of Serendipity - check out our current 2.1 changelog, if you are interested and willing to help testing!

Serendipity 2.0.2 Security Fix Release

Thanks to the report of Tim Coen (of Curesec GmbH) we were able to adress three security issues in the Serendipity Code.

The first issue was found because authenticed authors are allowed to upload files with extension .pht(ml), that can be executed for PHP code on Apache webserver configurations that use this suffix. If your blog allows upload access for untrusted authors, you should regard this issue as a critical risk.

The second issue is a missing escaping of comment approval tokens, when enabled in your blog which allows for possible SQL injection for data leak and DOS, and also an authenticated user must be tricked into clicking a specifically crafted URL to exploit this (medium risk).

The third issue is missing escaping of a commenting user's name by a javascript of the 2k11 theme (used by default) which is triggered when a user clicks on the "Reply" link (medium risk).

We have prepared two new releases for each of our currently maintained Serendipity version branches and suggest to update your Serendipity version:

  • 2.0.2 is the recommended release
  • 1.7.9 is the hotfix release for everyone not yet running Serendipity 2.x (you should!)

Check out the download locations for the release files.

Of course, everyone who is using our Github repository to checkout the Serendipity files will get the patches by pulling our 2.0 branch or the master (2.1.x) for our current development version.

Updating Serendipity is painless; upload/checkout the release files and go to the Administration suite where you can confirm the upgrade. Also, by using the auto-update plugin you can install the blog from within your administration suite once we are able to upload the release to our SourceForge repository (which is down right now).

We are happy to be able to coordinate this release with Tim and provide improved security for our users.

Serendipity 2.0.1 released

Serendipity 2.0.1 has just been released. This is the first maintenance release which fixes a couple of minor issues, and one security-related issue where improper escaping of category names can lead to a possible XSS attack. This atnly be performed by authenticated editors, so we consider it medium-impact. If you run a multi-user blog with untrusted authors, you are urged to upgrade to the new release. Many thanks to Edric Teo for reporting this issue to us, which could then be fixed within the same day.

Some other notable bug fixes are:

  • Report errors, if inclusion of JavaScript files may throw PHP errors to help in diagnosing an installation
  • Support for user.css backend CSS additions, without needing to edit the 2k11 backend theme.
  • Some JavaScript fixes for the backend, better theme fallback methods.

As usual the complete list of changes can be see in our docs/NEWS-file. Upgrading is simple as always: Download the release, unpack, upload, say hi to our upgrader, done.