Serendipity 2.1.6

This bugfix release Serendipity 2.1.6 contains some (very few) bug fixes backported from our master branch:

• Prevent error in upgrader when $sqlfiles is NULL.
• Fix preview iframe in bulletproof.

This is planned to be the last bugfix release for our 2.1 branch.

You can download the release file and unzip it to your installation as usual, or update from within Serendipity using the Serendipity Autoupdate Plugin (serendipity_event_autoupdate).

(MD5: 7b05ae263fdeeb631a815d182d0b175e)

Serendipity 2.3 - First Release Candidate

We are happy to announce the availibility of the first (and hopefully last) Release Candidate for Serendipity 2.3!

We feel comfortable with suggesting you to try out this release in a production environment. Please don't forget to make a backup of your database and files first, as you should always do!

Tests on current PHP installations (PHP 7.2 up to PHP 7.4) would be much appreciated!

Serendipity 2.3 focuses on

• PHP 7.2 and 7.3 support - minimal PHP version is now PHP 7.0
• Smarty upgrade to 3.1.33
• Updates to the media manager and some bug fixes
  • New function to add multiple images to an entry at once, creating a gallery
  • Use figure/figcaption markup for media manager images with captions
  • Ability to create responsive image thumbnails
  • Set responsiveimages as default plugin
  • Add rewrite to absolute url for srcsets to the feed generation
• Use voku/simple-cache for internal cache as bundled lib, which will allow to cache with memcached and redis instead of just on the filesystem
• Added a maintenance mode option
• Improve the nl2br plugin (thanks to Stephan Brunker!)
• Allow to receive multiple trackbacks and pingbacks (thanks to @mmitch!)
• Change (installation) defaults: disable entryproperties cache and enable internal cache, enable stable-archive option

Other changes include:

• Security fixes for XSS in Editor Preview and Media Library by interpreted EXIF tags (thanks to Hanno Boeck!)
• Fallback for $lang variable when configuration failed to load which evades some unuseful error messages (thanks @HQJaTu!)
• Drop deprecated serendipity_purgeEntry function
• Bootstrap4 adaptations
• Fixes for plugin drag'n'drop

You can download the release file and unzip it to your installation as usual, or update from within Serendipity using the Serendipity Autoupdate Plugin (serendipity_event_autoupdate).

(MD5: 45487cebd084b2f452329f0cd2303691)

Serendipity 2.1.5

This bugfix release Serendipity 2.1.5 contains fixes for security issues and some bug fixes backported from our recent 2.3-beta1 release:

• Fix XSS in Editor Preview by interpreted EXIF tags (thanks to @hannob!).
• Fix XSS in Media Library by interpreted EXIF tags (thanks to @hannob!).
• Fix mispositioned button in media db directory list.
• Change default for comment subscription to full text.
• Display errors if comment coulnd't be deleted.
• Make it easier to drag plugins to other column.
• Add fallback for broken JS in configuration screens.

You can download the release file and unzip it to your installation as usual, or update from within Serendipity using the Serendipity Autoupdate Plugin (serendipity_event_autoupdate).

(MD5: 67d55af6738137c0646268590f21397f)

Serendipity 2.3-beta1

This first beta release of our new version 2.3 has a number of changes above and beyond the last 2.2.1-alpha1 release. These are:

• PHP 7.2 and 7.3 support (with some fixes for the clean-blog and timeline themes)
• Minimal PHP version is now PHP 7.0
• Update Smarty to 3.1.33
• Use voku/simple-cache for internal cache as bundled lib, which will allow to cache with memcached and redis instead of just on the filesystem (with updates to 4.0.1, fixing opcache warning on hosted environments, thanks @voku and Hanno Boeck)
• Security fixes for XSS in Editor Preview and Media Library by interpreted EXIF tags (thanks to Hanno Boeck!)
• Improve the nl2br plugin (thanks to Stephan Brunker!)
• Allow to receive multiple trackbacks and pingbacks (thanks to @Mitch!)
• Update media manager and fix some bugs (e.g. re-add ACLS and plugin API event hook backend_media_rename, fix mispositioned button in media manager directory list)
• Use figure/figcaption markup for media manager images with captions
• Add rewrite to absolute url for srcsets to the feed generation
• Fallback for $lang variable when configuration failed to load which evades some unuseful error messages (thanks @HQJaTu!)
• Drop deprecated serendipity_purgeEntry function
• Set responsiveimages as default plugin
• Change (installation) defaults: disable entryproperties cache and enable internal cache, enable stable-archive option

We would really love to get feedback from our users. If you want to test it on production blogs, make sure to have a backup available - that's always a good idea.

(MD5: 46e662fd5c992d95d69b9479034ee9b7)

Serendipity 2.2.1-alpha1

This alpha release addresses a few larger changes in Serendipity. These are the key points of the release:

• PHP 7.2 support (including a new autologin token system and bcrypt password hashing)
• Add function to add multiple images to an enty at once, creating a gallery
• Added a maintenance mode option
• Upgrade Smarty to 3.1.32
• Bootstrap4 adaptations
• Fixes for plugin drag'n'drop
• Improvements to the p-mode of nl2br plugin
• Ability to create responsive image thumbnails
• Improvements to local caching
• Rework of moving media items (work in progress)

We would love to get feedback from our users. Be sure to try out the new release only on test/development blogs yet. If you absolutely want to test it on production blogs, make sure to have a backup available.

(MD5: 8a1b4fb7951dd1fa25edc8bfa20da80a)

Serendipity 2.1.4

This releases addresses one security issue and a few minor other issues:

• Security: Fix XSS for pagination, when multi-category selection is used. Thanks to Brian Carpenter (geeknik) and Hanno Boeck!* Minor code fixes (proper PHP escaping for 'orderkey' SQL statement
• Sekelton, Timeline and Clean Blog templates: Add theme option to disable google webfonts
• Link to https s9y.org pages

(MD5: a85dc82d58e31bb4f6192cb279a7a90a)

Serendipity 2.1.3

This release addresses several security issues that have been reported to us by Hanno Boeck, Brian Carpenter, oreamnos and Julio Cesar. Many thanks for this!

More specifcally:

• Ensure URL parameter casting for RSS and blog entry limits to prevent possible SQL injection inside the LIMIT statement part
• Prevent XSS in the "Edit entries" panel
• Prevent sending comment notifications to more than one email address
• Disable exit.php-Tracking for open URL redirection, unless the trackexits plugin is specifically configured to do so

The release also addresses a new feature for a "legal" plugin property bag attribute (usable for GDPR/DSGVO plugin information) and by default disables subToMe service to prevent GDPR issues.

(MD5: 4e0fe2a842077293f0edd8cbe3e5e8d8)

Serendipity 2.1.2

We are happy to announce the availability of the next bugfix release Serendipity 2.1.2.

We have fixed some accumulated bugs:

• Fixed a regression in Net/DNSBL regarding serendipity_event_spamblock_rbl and serendipity_event_spamblock_surbl by adding Net/DNS2 1.4.3 as a bundled library to core and patching Net/DNSBL. (#497)

• Fixed broken Akismet API calls (#507)

• Fixed comment preview for logged-in users (#503)

• Fixed message display after comment editing/deleting (#526)

You can download the release file and unzip it to your installation as usual.

(MD5: a89da2ce4c8a98973142bd6ed1613d3d)

Serendipity 2.1.1

EDIT: Sadly a regression slipped into our Serendipity 2.1.0 release, which made it impossible to reset a plugin configuration variable to a FALSE/empty state and indicate the proper state in the plugin configuration. We have fixed this in 2.1.1 and changed the release announcement to point directly to 2.1.1.

We are happy to announce the availability of the final release for Serendipity 2.1.1.

Serendipity 2.1.1 focusses on:

• Rewrites in some older legacy parts of the core (URL routing, template fallback chain, experimental internal caching) as well as PHP 7 compatibility.
• New bundled responsive themes "Timeline" and "Clean-Blog"
• Improved usability of plugin upgrades by combining sidebar and event plugins and upgrading multiple plugins at once
• Permission checks for the dashboard output and comments
• Usability improvements to the media library, bulk moving support
• New API wrapper for URL downloads that plugins can use (serendipity_request_url)
• New Theme "Skeleton" (responsive, mobile first)
• Improved preview iframe handling
• Changes (simplifications) in template file routing for backend/frontend views, new smarty {getFile} function for theme authors
• (new for rc1) Ability to set a default posting category for an author
• (new for rc1) Improved security checks against CSRF attacks (comment moderation, comment toggling
• (new for rc1) Improved security for referrer redirection
• (new for rc1) Improved security for local file hotlinking
• (new for rc1) Fixed sorting media database by filename
• (new for final release) Addressed some more PHP 7.1 issues, fixed bugs with missing token for installing plugins and deleting comments. We mainly tested PHP 7.0 compatibility, but PHP 7.1 should work too.
• (2.1.1) Fixed displaying the proper plugin configuration value when set to false/empty.

Many thanks at this point (in no specific order) for Lee Sheldon Victor, cdxy, Edric Teo and Xu Yue for helping a lot in improving on security aspects of Serendipity.

The next version of Serendipity will focus on supporting UTF8MB4 (for full emoji compatibiliy), responsive image insertion, consolidating our plugins. Our github issue tracker now also holds a new label "easyfix" which could be a great way of interested developers to get started with Serendipity and help us with development.

You can download the release file and unzip it to your installation as usual.

(MD5: a5c89080bdd2e6e359c5a0f60d92aea8)

Serendipity 2.1 - First Release Candidate

We are happy to announce the availibility of the first (and hopefully last) Release Candidate for Serendipity 2.1.

We feel comfortable with suggesting you to try out this release in productive environments (of course always make a backup of your database and files first).

Serendipity 2.1 focusses on:

• Rewrites in some older legacy parts of the core (URL routing, template fallback chain, experimental internal caching) as well as PHP7 compatibility.
• New bundled responsive themes "Timeline" and "Clean-Blog"
• Improved usability of plugin upgrades by combining sidebar and event plugins and upgrading multiple plugins at once
• Permission checks for the dashboard output and comments
• Usability improvements to the media library, bulk moving support
• New API wrapper for URL downloads that plugins can use (serendipity_request_url)
• New Theme "Skeleton" (responsive, mobile first)
• Improved preview iframe handling
• Changes (simplifications) in template file routing for backend/frontend views, new smarty {getFile} function for theme authors
• (new for rc1) Ability to set a default posting category for an author
• (new for rc1) Improved security checks against CSRF attacks (comment moderation, comment toggling
• (new for rc1) Improved security for referrer redirection
• (new for rc1) Improved security for local file hotlinking
• (new for rc1) Fixed sorting media database by filename

Many thanks at this point (in no specific order) for Lee Sheldon Victor, cdxy, Edric Teo and Xu Yue for helping a lot in improving on security aspects of Serendipity.

You can download the release file and unzip it to your installation as usual.

(MD5: c17ff26cf22a46c4c340410842bdf913)