New security/bugfix release: Serendipity 0.8.3 is out

There's good and bad news.

The bad news are:

  • A possible Cross-Site Scripting injection has been reported by Ilia Alshanetsky (thank you!), that allows commenting users to inject special markup into your entry.
  • Another bug has been found in the handling of received comments. It was possible to receive comments for non-existing entries and thus allowed for mails being sent to the owner of the blog and injecting headers to that E-Mail. Ultimately this could lead to your server being used for sending specially crafted emails.

The good news are:

  • Serendipity 0.8.3 has been released, which fixes this bug.
  • The upgrade once again is very easy: Download the release, unpack the files to your webspace (overwriting old files, but keeping your personal plugins/templates/media files), open your blog administration and click on "Perform update". Always be sure to make a backup of your old files and database tables first and make sure that the files serendipity_config_local.inc.php and .htaccess are writable for your PHP/webserver user. If you have made manual changes to any of the bundled files, we suggest you to connect to our CVS or SVN repositories and make a diff of your changes.
  • The XSS only allows for a reduced set of malicious exploits to occur. And as most of you authors possibly check the comments of your users on your blog, you would spot easily if a user is posting you "bad code".
  • The current generation of "advanced web scanners", which scan HTML pages for XSS attacks does not find any more XSS loopholes on the pages produced by Serendipity.

The even better news are that also new features are introduced:

  • We used this opportunity of a new release to backport some more (minor) bugfixes of the upcoming 0.9 release and updated our bundled libraries.
  • Full korean language support with translation of almost all plugins, thanks to Wesley Hwang-Chung.
  • New template hooks to allow plugins (serendipity_event_pagenugget) to output header/footer HTML nuggets.
  • New configuration directive to configure the used Blog e-mail address for sending comments.

We are very sorry for the inconvenience this may cause to you. We are desperately trying to deliver all of our users a blog application as secure and feature-loaded as possible, but since we all are failing humans there are always errors that slip through. In every project, be it OpenSource or Commercial. We take it as a chance and opportunity, to fix bugs and issues reported to us and improve Serendipity to be the most stable blogging system available. This year has brought many XSS vulnerabilities and has raised the overall attention of code quality, which we feel is a good thing for every project.

Please also note that we are working hard on the current 0.9 version of Serendipity. This introdudes flexible and granular privilege control, custom permalinks, per-category templating, UTF-8 languages and much much more. Read our ChangeLog for more information and check out the nightly snapshot in our download area. Feedback, as always, is appreciated.

In the end, have fun with Serendipity! :-)

Download link: Serendipity 0.8.3

On behalf of the Serendipity Team,
Garvin

Trackbacks

Trackback-URL für diesen Eintrag

Kommentare

Ansicht der Kommentare: (Linear | Verschachtelt)

Boris am um :

First of all, thanks for the new release!

UTF-8 languages

I'm looking forward to that features, so there will be no need for converting the files manually for me.

Sander am um :

Thx for this! I appriciate the work u guys do, keep it up!

MySchizoBuddy am um :

Does the current 0.9 alpha 4 have the Cross-Site Scripting injection fixed.

Wesley am um :

IIRC, any fix applied to the 0.8 branch is applied to the latest SVN of 0.9 as well.

Garvin am um :

Boris, right - for people like you we invented this. g

And Wesley is right about the bugs - all bugs and issues fixed are always fixed in the latest development release and backported to branches after that.

atlanticus am um :

Thanks a lot.

Is it likely that 0.9 will be released within the next two months?

I am asking, because I can't do the updating alone and wonder whether I should ask a friend to help me now or rather wait for the 0.9 version. (Currently I am using 0.72)

Keilaron am um :

Speaking of inconveniences... I thought there was no news! But it turns out the feed no longer validates, so my RSS/Atom reader gets confused and calls it an invalid feed.

I tried in Firefox, and it says: XML Parsing Error: mismatched tag. Expected: . Location: http://blog.s9y.org/feeds/atom.xml Line Number 278, Column 68.

Keilaron am um :

Oops. That should be: Expected: /P tag.

Garvin am um :

Atlanticus: 0.9 may be out in 2 months, I certainly hope so.

You should never theless upgrade to 0.8.3 ASAP! There are serious XML-RPC bugs on versions prior to 0.8.2, and you should be aware that versions prior to 0.8.3 are vulnerable to XSS attacks. If you moderate every comment, this is not the most serious issue, but XML-RPC is.

Keilaron: You should always use the RSS2.0 feeds; Atom feeds are often likely to break because of its stright XHTML compliance! I fixed the error now, but others might always happen...

Regards, Garvin

Kommentar schreiben

Die angegebene E-Mail-Adresse wird nicht dargestellt, sondern nur für eventuelle Benachrichtigungen verwendet.

Um maschinelle und automatische Übertragung von Spamkommentaren zu verhindern, bitte die Zeichenfolge im dargestellten Bild in der Eingabemaske eintragen. Nur wenn die Zeichenfolge richtig eingegeben wurde, kann der Kommentar angenommen werden. Bitte beachten Sie, dass Ihr Browser Cookies unterstützen muss, um dieses Verfahren anzuwenden.
CAPTCHA

BBCode-Formatierung erlaubt
Markdown-Formatierung erlaubt