Serendipity 1.0.4 released!

This new Serendipity release addresses a local file inclusion security issue discovered yesterday. It was possible to pass a specially crafted parameter to one of Serendipity's files and make it include a file from your own web tree (or any other file the web server has read access to). Used on clear-text files, this could disclose information such as the Apache log files of your website.

This error can only occur when two prerequisites are met: register_globals must be turned on in your PHP configuration AND your web server must ignore Serendipity's default .htaccess file. That .htaccess file normally prevents Serendipity's include files from being called directly via HTTP. We therefore believe that only a very small percentage of installations are affected by this bug.
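To make the two prerequisites concrete, here is an added illustration (not Serendipity's own code) of the pattern behind this bug and of a hardened equivalent. It shows two files: an entry point that maps a request parameter to a fixed set of include files, and an include file that refuses to do anything unless it was reached through that entry point. The file names, the `IN_APP` constant, the `$templatePath` variable and the allow-list are assumptions made for this example.

```php
<?php
// Added example, not Serendipity's own code.
//
// The vulnerable shape: an include file that uses a variable it expects the
// calling script to have set, e.g.
//
//     include $templatePath . $template . '.inc.php';
//
// With register_globals=On, PHP creates $template from the query string before
// the script runs. If the web server also ignores the .htaccess that blocks
// direct HTTP requests to include files, the include path is attacker-chosen
// and any file the web server can read may be pulled in.

// ---- index.php: the only script meant to be requested over HTTP -----------
define('IN_APP', true);          // assumed guard constant name

/**
 * Map a request token to one of a fixed set of include files.
 * Returns the absolute path, or null if the token is not allowed.
 */
function resolve_include(string $token, array $allowed, string $baseDir): ?string
{
    // Only a short plain identifier may be used as a key: no slashes, dots
    // or NUL bytes, and it must exist in the allow-list.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $token) || !isset($allowed[$token])) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $allowed[$token]);
    // Belt and braces: the resolved file must still live under the base directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Read the request value explicitly instead of relying on register_globals.
$allowed = [
    'default' => 'include/default.inc.php',   // assumed file names
    'print'   => 'include/print.inc.php',
];
$token = isset($_GET['template']) ? (string) $_GET['template'] : 'default';
$file  = resolve_include($token, $allowed, __DIR__);
if ($file === null) {
    header('HTTP/1.0 400 Bad Request');
    exit('Unknown template.');
}
include $file;

// ---- include/default.inc.php: must refuse direct HTTP access --------------
// This guard works even when register_globals is on and the .htaccess is
// ignored: a query parameter can create a variable, but it cannot define a
// constant, so only index.php can satisfy the check.
if (!defined('IN_APP') || IN_APP !== true) {
    header('HTTP/1.0 403 Forbidden');
    exit('Direct access to this file is not permitted.');
}
// ... template code follows ...

// ---- optional: report the risky PHP setting during installation -----------
function register_globals_enabled(): bool
{
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}
```

The two defences are independent: the allow-list in the entry point removes the attacker's control over the include path, and the guard constant in the include file makes a direct request to it harmless regardless of the web server's .htaccess handling. Turning register_globals off remains the right configuration fix, and `register_globals_enabled()` is a simple way for an installer or admin page to flag installations where it is still on.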

However, Serendipity 1.0.4 is a recommended upgrade for everyone who takes security seriously, as we do. We are thankful to the community for inspecting Serendipity, searching for bugs and security issues and reporting them to us. In this case, many thanks to Majestic from the forums for notifying us.

Most of the plugins (both bundled and available via spartacus) were also updated to work around this bug, so you should upgrade all of your active plugins to the current versions as well.

The Serendipity 1.1 release tree was also modified with a patch for this issue. It will be contained in today's snapshot and in the 1.1-beta6 release file. The easy steps to perform an upgrade are documented in our FAQ on http://www.s9y.org/.


Comments

Manuel Charisius:

That's what I call a fast response to a security issue! Thanks a lot, Garvin!

BTW, the links to 1.1-beta6 on the download page haven't been updated yet (they're still pointing to Beta 5).

Best regards, -Manuel

moo:

Excellent. This kind of responsible, proactive, approach to security is why I plan to be a long-term serendipity user. Thanks!!

z:

Where is the documentation for the installation? It would be good if it was on the zip itself, not on the webpage! Now where can I find it!?

Garvin:

Hi!

Documentation always changes and is enlarged, so packing it offline in a ZIP is not clever.

Our documentation is on www.s9y.org, you sadly have to wait until our server is restored.

Regards, Garvin
