Serendipity 2.0.4 and 2.1-beta2 released

Serendipity 2.0.4 is a maintenance and security release that addresses the following issues:

  • [Security] Prevent moving files by using their directory name.
  • [Security] Possible SQL injection for entry category assignment
  • [Security] Possible SQL injection for removing and adding a plugin

    All three issues require a valid backend login.
    Thanks to Hendrik Buchwald for finding them with the
    RIPS source code analyzer (
  • [Security] Add a new configuration option to enable fetching local files for the media uploader. By default this is now disabled, to prevent Server Side Request Forgery (SSRF). Thanks to Xu Yue for pointing this out!
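As an added example (not code from Serendipity, and not its own download wrapper), here is the kind of vetting a server-side URL fetcher can do before retrieving a URL on a user's behalf. A hypothetical `allow_local` flag stands in for the new configuration option; the DNS answers are constructed so the block runs offline.

```python
# Added example: SSRF vetting for a server-side URL download wrapper.
# Not Serendipity's code; `allow_local` is a hypothetical stand-in for the
# "fetch local files" option, and CONSTRUCTED_DNS holds made-up answers.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class UnsafeUrlError(ValueError):
    """Raised when a URL must not be fetched on the server's behalf."""


def is_public_address(ip_text):
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def system_resolve(host):
    """Default resolver: every A/AAAA answer for host (does network I/O)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def vet_url(url, allow_local=False, resolve=system_resolve):
    """Return (scheme, host, addresses) if url may be fetched, else raise.

    The check runs on the resolved addresses, not the host string, so
    decimal/hex IP spellings and hostnames answering with internal addresses
    are caught after resolution. The caller should connect to one of the
    returned addresses instead of resolving again (limits DNS rebinding).
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "file":
        if allow_local:
            return scheme, "", []
        raise UnsafeUrlError("local files disabled (allow_local is off)")
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeUrlError("scheme not allowed: %r" % scheme)
    host = parts.hostname  # credentials and brackets already stripped
    if not host:
        raise UnsafeUrlError("no host in URL")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP
    except ValueError:
        try:
            addresses = list(resolve(host))
        except OSError as exc:  # socket.gaierror is an OSError
            raise UnsafeUrlError("cannot resolve %r: %s" % (host, exc))
    if not addresses:
        raise UnsafeUrlError("no addresses for %r" % host)
    if not allow_local:
        bad = [a for a in addresses if not is_public_address(a)]
        if bad:
            raise UnsafeUrlError("%r resolves to non-public %s" % (host, bad))
    return scheme, host, addresses


def is_url_allowed(url, allow_local=False, resolve=system_resolve):
    """Boolean form of vet_url for callers that only need a verdict."""
    try:
        vet_url(url, allow_local=allow_local, resolve=resolve)
        return True
    except UnsafeUrlError:
        return False


# Constructed DNS answers for an offline demonstration (not real lookups).
CONSTRUCTED_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.test": ["93.184.216.34", "127.0.0.1"],
}


def constructed_resolve(host):
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return CONSTRUCTED_DNS[host]


if __name__ == "__main__":
    for u in ["https://example.com/pic.png", "http://127.0.0.1:8080/admin",
              "file:///etc/passwd", "http://metadata.internal/latest/",
              "http://rebind.test/", "http://user@[::1]/",
              "http://[::ffff:7f00:1]/"]:
        print(u, is_url_allowed(u, resolve=constructed_resolve))
```

Because the verdict is computed on resolved addresses, a hostname that points at 127.0.0.1 or at the link-local 169.254.169.254 range is refused just like a literal one, and so are alternative spellings such as IPv4-mapped IPv6 or a user-info prefix in front of the host. Two caveats remain for the actual fetch: connect to the vetted address rather than resolving a second time, and re-vet every redirect target before following it.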

Alongside it, Serendipity 2.1-beta2 has been released with the same fixes plus further progress on the road to the 2.1 release. Features added include:

  • New API wrapper for URL downloads that plugins can use (serendipity_request_url)
  • Added new Theme "Skeleton" (responsive, mobile first)
  • Improved preview iframe handling
  • Changes (simplifications) in template file routing for backend/frontend views, new smarty {getFile} function for theme authors

To upgrade, unpack and upload the release file, then confirm the upgrade in the web-based upgrader.





-thh:

Thanks for your hard work!

Two small nitpicks:

  1. The "Development state" on the blog sidebar should be updated from "Recommendation(s): Use 2.0.3 release" to 2.0.4

  2. The release notes on GitHub at don't have an MD5 checksum, so the auto updater will fail.

artodeto:

Hey s9y team,

I've scribbled a small script [0]. Just write me a mail if this is something I can polish and if you want to use it as repository in your github group [1]. I would also like to be the developer for this.



artodeto:

Hey s9y team,

I've polished my script [0]. I've upgraded three installations right now.


