
Announcement: Serious Serendipity 0.8.2 update

Posted: Wed Jun 29, 2005 4:14 pm
by garvinhicking
Hi!

A serious security issue has been discovered in our bundled library XML-RPC. This issue allows for possible remote code execution.

We have upgraded the XML-RPC component to the fixed version and released Serendipity 0.8.2. The old SourceForge CVS HEAD branch now contains 0.8.2, and the SVN branches 0.8 and trunk also contain the changes.

The files can be found here:

http://www.s9y.org/12.html
or
http://sourceforge.net/project/showfile ... p_id=75065

Every user is urged to upgrade. As a temporary hotfix you can delete your serendipity_xmlrpc.php file so that your blog will not easily allow execution of malicious XML-RPC method calls.

We are very sorry for this inconvenience and need to point out that many PHP applications using this common XML-RPC PEAR class are affected by this bug. Please check your webspace for any outdated versions of that PEAR class and upgrade other related applications as soon as possible. Also read http://secunia.com/advisories/15852/.

Regards,
Garvin

Posted: Wed Jun 29, 2005 6:04 pm
by CapriSkye
Is 0.9 affected by this?

Posted: Thu Jun 30, 2005 7:31 am
by winkiller
Yes, please get the latest snapshot from svn.