Time again for a new release!
Serendipity 1.0.2 mainly fixes an XSS injection vulnerability in the admin backend, which could be exploited if registered authors are tricked into following a specially crafted URL. This bug was detected by the ever-restless Stefan Esser; many thanks for notifying us. Users of previous versions of Serendipity are urged to upgrade to be secure. Note, though, that this bug requires your own interaction, so exploiting it depends on how well you can stay away from clicking links when you do not know exactly what they do. ;-)
Serendipity 1.1-beta5 features the following changes since 1.1-beta1:
- Prevent XSS backend injection attack (see above)
- Themes can now support custom amounts and positions of any number of sidebars (top, bottom, left, right etc.)
- Usergroups can now configure which plugins/events a group is allowed to execute
- Added the option to use HTTP authentication for your login, which enables you to use secured RSS feeds with login credentials
- Fixed some permalink oddities when using % in URLs, plus some other minor fixes
Serendipity 1.1 is getting very close to being finalized (targeted for mid-December). New major features will be added to a 1.2 version branch, so expect no more major changes here. Please help us by trying out the latest version and reporting bugs/issues!