Releases: s9y/Serendipity

Serendipity 2.6.0

10 Apr 15:28

We are very happy to announce the availability of the final release for Serendipity 2.6.0, our new stable version! 2.6.0 contains the changes that were part of 2.6-beta1, plus significant additional changes.

Especially when compared to the last stable version, 2.6.0 has many fixes and some new features. To highlight some:

  • Logins are now better protected against brute force attacks and can be further secured with an email login code (2FA). The option to enable this second login factor is in the personal settings.
  • The included gravatar plugin works again properly, so received comments will often look a lot better.
  • Timeouts in the backend are now mostly a thing of the past when using the "Remember me" login option. The CSRF security protection that previously caused timeouts when the PHP session ended moved from internal tokens (valid for a limited time) to browser headers, which are unaffected by the PHP session. In our testing this change removed those timeouts completely.
  • The internal cache got a big performance boost; it was completely reworked. The option is available under Configuration -> General Settings.
  • Serendipity can now receive webmentions in addition to Pingbacks and Trackbacks. It will show them as one of these linkback types depending on the data provided by the webmention.

Like the last stable release, 2.6.0 includes support for newer PHP versions. Serendipity now officially supports PHP 8.4, with lots of testing and updates done to achieve that support. Accordingly, the bundled libs have been updated to their current version (at time of development).

The release also contains other internal modernizations and improvements, like an upgrade of the provided jQuery version and a re-implementation of the tabs used in the backend with a CSS approach, fixes for errors linked to MySQL and PostgreSQL, and mail header separators that are more compatible. And there are multiple user-facing changes, like a more useful ordering of unreleased entries in the dashboard, compatibility for media library images in WEBP and AVIF format as well as better settings for JPEG thumbnails, and a hint for visitors of the RSS feed on how to subscribe via a feed reader.

Additionally, 2.6.0 is also a security release. We got reports by Marcelo Barbosa (@mabjr33) about two possible host header attacks, one targeting cookies and the other possibly influencing notification mail headers. Only Serendipity installations reachable under arbitrary host headers are affected, which according to our testing means blogs on regular hosters like uberspace and manitu are safe. Regardless, a timely upgrade to 2.6.0 is highly recommended, especially when running Serendipity on a custom server.
These reports will be published soon.
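
One way to keep a PHP application from trusting arbitrary Host headers when it builds cookies and notification mail, shown as an added example (not Serendipity's code and not the fix shipped in 2.6.0). `ALLOWED_HOSTS`, the function names and all sample values are hypothetical.

```php
<?php
// Added illustration, not Serendipity code. ALLOWED_HOSTS, the function
// names and all sample values are hypothetical.

const ALLOWED_HOSTS = ['blog.example.org', 'www.blog.example.org']; // constructed

// Return the request host only if it is on the allowlist; otherwise fall
// back to the configured canonical host instead of echoing the header.
// In a real request $hostHeader would be $_SERVER['HTTP_HOST'] ?? null.
function trusted_host(?string $hostHeader, string $canonical): string
{
    if ($hostHeader === null) {
        return $canonical;
    }
    // Drop an optional :port and normalise case before comparing.
    $host = strtolower((string) preg_replace('/:\d+\z/', '', trim($hostHeader)));
    return in_array($host, ALLOWED_HOSTS, true) ? $host : $canonical;
}

// Everything derived from the host uses the vetted value, never the raw header.
function cookie_options(string $host): array
{
    return ['domain' => $host, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax'];
}

function notification_sender(string $host): string
{
    return 'noreply@' . $host;
}

// Constructed Host header values, as a server with a catch-all virtual
// host would pass them through to PHP.
foreach (['blog.example.org', 'BLOG.example.org:8080', 'unknown.example.net', null] as $raw) {
    $host = trusted_host($raw, 'blog.example.org');
    printf("%-24s -> cookie domain %s, sender %s\n",
        var_export($raw, true), cookie_options($host)['domain'], notification_sender($host));
}
```

A web server that only answers for its configured host names gives the same guarantee one layer earlier, which matches the note above that only installations reachable under arbitrary host headers are affected.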

Finally, a big thank you to all contributors. 2.5.0 was released over 2 years ago; this new release has been very necessary. We hope all Serendipity bloggers enjoy the new version as much as we enjoyed building it.

New Contributors (according to Github)

Contributor list (from 2.5.0 to 2.6.0):

Full Changelog: 2.5.0...2.6.0

(MD5: f3726c0227a01e19154763844231a091)

Serendipity 2.6-beta1

31 Jul 17:28

Pre-release

This release of Serendipity contains a couple of bug fixes, some new features and many necessary modernizations. Some highlighted changes:

  • The core was tested to work with PHP 8.4.
  • Many spartacus plugins were also updated for compatibility with PHP 8.4
  • We updated the bundled libraries, especially Smarty to the new major version 5
  • The core now uses a current version of jQuery, jumping forward a few versions and many years
  • The gravatar mode of the gravatar plugin works again
  • Serendipity blogs can now receive webmentions. They will be presented as pingbacks or trackbacks, depending on their type
  • The search avoids errors when encountering some special characters
  • The integrated cache caches at an earlier time of the execution pipeline, which greatly improved its performance in our tests
  • Better compatibility for sent emails through CRLF terminated email headers
  • The /comments archive pages now work again beyond the first page, the pagination is fixed

The full changes contain other improvements, like optimized thumbnail settings for .webp and .avif and an updated textile parser for the plugin. Please help us test them, and let us know if everything works for you.

New Contributors

  • @mmitch made their first contribution in #823, setting up the test pipeline
  • @GuillaumeValadas made their first contribution in #846, fixing the search for some problematic search terms

Full Changelog: 2.5.0...2.6-beta1

(MD5: 74f87e7d1c397ed50004aa4e9fb451cd)

Serendipity 2.5.0

13 Feb 19:25

We are very happy to announce the availability of the final release for Serendipity 2.5.0, our new stable version! 2.5.0 contains the changes that were part of the 2.5-beta1, plus some additional changes.

With this version 2.5.0, Serendipity works with PHP 7.4 up to and including PHP 8.2. We also got positive reports about the compatibility with PHP 8.3, but this newest PHP version is not yet officially supported by us. The compatibility with PHP 8.2 is the main purpose of this release.

In this version, we further worked on how the bundled dependencies are managed. They got updated for PHP 8.x support, including some legacy dependencies where it was missed before, and more of them are now managed by the dependency management system composer. For those changes the file placement under bundled_libs/ has changed a bit, with wrappers added for compatibility. Despite those wrappers for backwards compatibility, authors of custom plugins that relied manually on files under bundled_libs/ are advised to check that their plugins still work.

The release contains some additional changes to 2.4.0, like bundling the webfonts used by the default theme 2k11, to avoid legal issues in Germany, fixes for an incompatibility with MySQL 5.7, fixes for the usergroup permission display and an improved Russian translation.

It also fixes a potential security issue discovered for this project by @hannob, by removing the previously included composer.phar. That file was only useful for developers, but could be misused in some specific server environments. Though the necessary conditions for the attack are not a given, since this is a security fix a timely upgrade to 2.5.0 is highly recommended for all existing Serendipity installations. As another possible mitigation, you can safely delete the file "composer.phar" in your root directory.

Upgrade hints: If you see errors when extracting this release archive that mention bundled_libs/, delete said folder in your old installation and extract the archive again. If you run an older version of serendipity than 2.4.0 and/or if you are not using PHP 8.x yet, please have a look at the PHP 8 upgrade guide.

If you encounter bugs, please report an issue here at Github or open a thread in our forum. The forum is also the right place for general questions and support.

The project thanks all contributors to the release, including the testers and issue reporters.

(MD5: 1dfb1f34483038179ac511666de60b8f)

Serendipity 2.5-beta1

28 Sep 09:09

Pre-release

We release this beta primarily to give those of you who need support for PHP 8.2 now an upgrade path.

For this release, we:

  • Made code changes to be compatible with PHP 8.2, including a polyfill for strftime, see #784.
  • Fixed a bug where the usergroup permissions were displayed incorrectly. Please ensure after upgrading that any possible custom usergroup configurations have the wanted permission settings. If you have never saved a permission group setting, you will not be impacted.
  • Let the theme 2k11 use local font files, avoiding privacy risks (and a legal risk in Germany).
  • Improved the Russian translation.
  • Moved several bundled libs to composer, which will make future upgrades easier.
  • Updated smarty, HTTP_Request2, Net/DNS2 and Onyx/RSS.
  • Added several other changes.

This release contains commits from @garvinhicking, @surrim, @stephanbrunker, @varakh, @hannob, @mariohommel and @onli.

(MD5: 9b4d17075ea43425312707f0b8ddc8ba)

Serendipity 2.4.0

20 Nov 15:05

We are very happy to announce the availability of the final release for Serendipity 2.4, our new stable version, after more than two years of work (right, same as the last full release :) )!

Serendipity 2.4 focuses on

  • PHP 8.0 (fully) and 8.1 support (partly), with PHP 8.0 being the recommended version to run Serendipity with
  • Update of bundled libs, improving the way we use composer
  • Fixes and extensions to the multi language system
  • Use of full UTF8 in MySQL/MariaDB by default

Additional changes include:

  • Plugin update notifications in the dashboard
  • Fixes to the .htaccess-blocking SQL statement
  • Changes to the responsive images srcset, improving edge cases where unexpected image sizes lead to blurry thumbnails
  • Rework of the error handler, resulting in this behaviour: Warnings will not be shown in production blogs, but will be properly shown in alpha versions (this was important for PHP 8 compatibility)
  • A cleanup of the WYSIWYG configuration options, as shown in the personal settings
  • A plethora of changes related to PHP 8 support

An update to this version is highly recommended, as hosters start to shut down their PHP 7.4 support. Please be aware that full PHP 8 support does not include all plugins, though many plugins have been made compatible. If you encounter further incompatibilities, please let us know. Fixes to plugins would be even better, sent as a pull request to https://github.com/s9y/additional_plugins.

You can download the release file and unzip it to your installation as usual, or update from within Serendipity using the Serendipity Autoupdate Plugin (serendipity_event_autoupdate).

The s9y team wants to thank all contributors to this release, in no particular order: Hanno Böck, Mario Hommel, Stephan Brunker, Garvin Hicking, Malte Paskuda, Matthias Gutjahr, Markus Birth, surrim, Uwe Krause, Soatok Dreamseeker, Thomas Hochstein, and Eike Rathke.

Upgrade hint 1: We missed a bug in the sidebar comments plugin (serendipity_plugin_comments), it will break the frontend under PHP 8.x when showing long comments. Please disable the plugin for now or fix the code manually.

Upgrade hint 2: Be careful with your PHP version, the new minimum requirement is PHP 7.3.

(MD5: 8b80df37f4640486419227882d071730)

Serendipity 2.4-beta1

12 Sep 14:02

This is a beta release with a couple bigger changes and many small fixes, but most notably support for PHP 8. Some changes are:

  • Support for PHP 8 in the core, as well as core plugins and themes
  • When using MySQL or MariaDB serendipity will try to use the utf8mb4 charset, instead of the incomplete utf8 charset implementation.
  • Split date and time input in editor into two input fields with browser supported input types
  • Update buttons in dashboard and plugin section will show a notification about available plugin updates
  • Multiple fixes to the multilanguage system
  • Improved logic for which thumbnails should be used with responsively scaled images

We would love to get feedback from our users. This release was tested thoroughly, but it is still a first beta and with the bigger code changes than usual it might also contain more bugs than usual. Please do test it even in production environments if you need PHP 8, but have a current backup - including the database - before installing it.

(MD5: 3eabb22b14e868aca9a3bb4c7824e2f7)

Serendipity 2.3.5

25 Apr 06:40

This is a bugfix release with some fixes backported from our master branch:

  • Fix: Truncate extension of media items to 5 chars, which is the max length of the corresponding database field (#609). Thanks to @mmitch!
  • Fix: Unconditionally keep upgraded_version in plugin cache (64b5d56).
  • Fix: Entry title in backend list of entries was double escaped (c66451e).
  • Fix: serendipity_plugin_history would error out (and prevent display of the sidebar) since 2.3.3 (#694).
  • Fix: Don't delete extend properties from the entryproperties plugin when publishing from dashboard or sending delayed trackbacks (#695).
  • Fix: CKE: Don't remove <details> and <summary> elements from WYSIWYG editor (6c15c80).
  • Fix: Don't strip HTML from comments body in serendipity_plugin_comments before serendipity_event_unstrip_tags can convert the HTML tags (#702).

You can download the release file and unzip it to your installation as usual, or update from within Serendipity using the Serendipity Autoupdate Plugin (serendipity_event_autoupdate).

(MD5: e9d6937ffb06533de9566d600e1ffdc2)

Serendipity 2.3.4

25 Mar 16:02

This bugfix and security release Serendipity 2.3.4 fixes a potential remote code execution exploit for users with upload rights (on Windows systems only), some bugs in the Media Library renaming code and adds some other small fixes and enhancements backported from our master branch:

  • Add plugin source (Spartacus, bundled or local) to list of installable plugins and show plugin author(s) on plugin management page.

  • Fix: Add "more info" link to Spartacus for all plugins there (was missing for already installed plugins).

  • Fix: [SECURITY]: Media Library: The file name of renamed files may not end with one or more dot(s). This is not problematic on Linux, but on Windows file names ending with a dot will lose this dot on disk, making it possible to rename a file without extension ("file") to "file.php." which morphs to "file.php" on Windows, creating an executable PHP file in a remotely accessible directory and a possible remote code execution vulnerability. Thanks to Junyu Zhang for spotting this!

  • Fix: Media Library: Renaming files without extension caused a discrepancy between the file name on disk and in the media library database so the database entry was deleted, making the file disappear from the Media library (while it was still on disk).

  • Fix: Media Library: Add some more checking and proper error messages.

  • Fix: Wrap comments with very long words on the backend dashboard.
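
The Media Library rename issue above comes down to validating a name that differs from the one the filesystem will store. The following added example (not Serendipity's code) puts an extension check that misses the trailing dot beside one that rejects it. The function names and the blocked-extension list are hypothetical, and the trailing-space case goes beyond the dots named in the fix, since Windows drops both.

```php
<?php
// Added illustration, not Serendipity code. Function names and the
// extension list are hypothetical.

const BLOCKED_EXTENSIONS = ['php', 'phtml', 'phar']; // constructed sample list

// Naive check: looks only at the text after the last dot, so "file.php."
// has an empty extension and passes.
function naive_is_safe(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, BLOCKED_EXTENSIONS, true);
}

// Hardened check: refuse names the filesystem would silently rewrite,
// then test the extension of the name exactly as it will be stored.
function hardened_is_safe(string $name): bool
{
    // Empty names, path separators and NUL bytes are never valid targets.
    if ($name === '' || preg_match('/[\/\\\\\x00]/', $name)) {
        return false;
    }
    // Windows drops trailing dots (and trailing spaces) when it creates
    // the file, so the stored name would differ from the validated one.
    if (rtrim($name, '. ') !== $name) {
        return false;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, BLOCKED_EXTENSIONS, true);
}

// Constructed rename targets.
foreach (['photo.jpg', 'file.php', 'file.php.', 'file.php...', 'notes'] as $name) {
    printf("%-14s naive=%-5s hardened=%s\n",
        var_export($name, true),
        var_export(naive_is_safe($name), true),
        var_export(hardened_is_safe($name), true));
}
```

Rejecting the name outright, rather than trimming it and continuing, also keeps the file name on disk and the name recorded in the media database identical.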

You can download the release file and unzip it to your installation as usual, or update from within Serendipity using the Serendipity Autoupdate Plugin (serendipity_event_autoupdate).

(MD5: 0b203494571997a3ac5093a21c3d855e)

Serendipity 2.3.3

22 Mar 08:53

This bugfix release Serendipity 2.3.3 will bring you quite some smaller and larger fixes and minor enhancements backported from our master branch:

  • Update bundled event_mailer plugin to support forcibly sending mails on published blog entries and add the ability to prepend a mail body. Also fixes missing "keep strip tags" configuration option.

  • Media Library: Checkboxes allow you to insert multiple media files in a kind of gallery. Fall back to single-asset view when just one file has been selected. Let checkboxes be selected when clicking on the asset title, and hide the 'Insert all' button when no assets are selected.

  • Media Library: Use the <video> tag for videos in the library and for inserting them into an entry.

  • Media Library: Allow plugins to skip HTML block insertion to use their own markup.

  • Fix: Media Library: Items that are not images now get the correct link.

  • Fix: Media Library: Prevent renaming an asset into an existing file, resulting in deletion of both from disk and database.

  • Fix: Media Library: Remember directory from last upload.

  • Fix: Media Library: Missing variable initialisation when removing empty folders.

  • Fix: Stop generation of default page every time when serving JS (functions_routing.php).

  • Fix: Don't allow requesting an archive page that doesn't exist.
    Thanks to @lotharsm!

  • Fix: Add valid HTTP referrer when trying to delete a trackback from the frontend.

  • Fix: Update bundled plugin plugin_comments to wrap text at word boundaries only, removing spurious whitespace in comment output.

  • Fix: Update bundled plugin event_bbcode to get roman numerals working.
    Thanks to Fabien Chabreuil!

  • Fix: Force positive limits for number of entries shown on title page and in RSS feed and fix potential SQL error with limit set to 0 in serendipity_fetchEntries().

  • Fix: Escape version string in update notifier to avoid potential for XSS.

You can download the release file and unzip it to your installation as usual, or update from within Serendipity using the Serendipity Autoupdate Plugin (serendipity_event_autoupdate).

(MD5: a25fa2d0484538fb2c07ea2e670787b9)

Serendipity 2.3.2

16 Oct 07:48

This bugfix release Serendipity 2.3.2 contains some bug fixes backported from our master branch:

  • Fix: [SECURITY] Only allow .txt and .log files for spamblock logging.
    Thanks to Gary O'Leary-Steele!
  • Fix: [SECURITY] Escape category images to avoid backend XSS (#639).
    Thanks to @hannob!
  • Fix: Pagination should now really be fixed for the new default "stable archives" sorting order.
  • Fix: Fix autologin when using MySQL (#632).
    Thanks to @erAck!
  • Fix: Properly display plugin save errors after validation.
  • Fix: The WYSIWYG editor stripped the figcaption element used for image captions.
  • Fix: Rotating an image did not rotate all responsive thumbnails.
  • Fix: Auto-generated mails were mangled by wrong linebreaks on some MTAs (#644).
  • Fix: Prevent PHP warnings (#638, #642).
    Thanks to @hannob!

You can download the release file and unzip it to your installation as usual, or update from within Serendipity using the Serendipity Autoupdate Plugin (serendipity_event_autoupdate).

(MD5: b81c97851afdb9c9fe3b7bd5b6765d29)