Announcement: Serious Serendipity 0.8.2 update

garvinhicking
Core Developer
Posts: 30020
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking » Wed Jun 29, 2005 4:14 pm

Hi!

A serious security issue has been discovered in our bundled library XML-RPC. This issue allows for possible remote code execution.

We have upgraded the XML-RPC component to the fixed version and released Serendipity 0.8.2. The old SourceForge CVS HEAD branch now contains 0.8.2, and the SVN branches 0.8 and trunk also contain the changes.

The files can be found here:

http://www.s9y.org/12.html
or
http://sourceforge.net/project/showfile ... p_id=75065

Every user is urged to upgrade. As a temporary hotfix you can delete your serendipity_xmlrpc.php file so that your blog will not easily allow execution of malicious XML-RPC method calls.

We are very sorry for this inconvenience and need to point out that many PHP applications using this common XML-RPC PEAR class are affected by this bug. Please check your webspace for any outdated versions of that PEAR class and upgrade other related applications as soon as possible. Also read http://secunia.com/advisories/15852/.

Regards,
Garvin
Last edited by garvinhicking on Thu Aug 04, 2005 6:21 pm, edited 1 time in total.
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/

CapriSkye
Regular
Posts: 119
Joined: Sun Oct 31, 2004 5:42 am
Location: Taiwan

Post by CapriSkye » Wed Jun 29, 2005 6:04 pm

Is 0.9 affected by this?

winkiller
Regular
Posts: 77
Joined: Tue May 17, 2005 7:52 pm
Location: Munich, Germany

Post by winkiller » Thu Jun 30, 2005 7:31 am

Yes, please get the latest snapshot from svn.
