Serendipity 1.0.2 and 1.1-beta5 released!

Post by garvinhicking »

Time again for a new release!

Serendipity 1.0.2 mainly features an XSS injection attack on the admin
backend which could happen if registered authors can be tricked into
following a specially crafted URL. This bug was detected by the
ever-restless Stefan Esser, many thanks for notifying us. Users of previous
versions of Serendipity are urged to upgrade to be secure. Note though
that this bug requires your own interaction and thus exploits of this
depend on how well you can stay away from clicking links that you do
not know what they do exactly. ;-)

Serendipity 1.1-beta5 features the following new changes since
1.1-beta1 [1]:

* Prevent XSS backend injection attack (see above)
* Themes can now support custom amounts and positions of any number
  of sidebars (top, bottom, left, right etc.) [2]
* Usergroups can now configure which plugins/events a group is allowed
  to execute [3]
* Added the option to use HTTP-Authentication for your login, which
  enables you to use secured RSS-Feeds with login credentials
* Some permalink oddities when using % in URLs and some other minor
  fixes

Serendipity 1.1 is getting very close to getting finalized (targets
mid-December). New major features will be added to a 1.2 version
branch, so expect no more major changes here. Please help us by trying
out the latest version and report bugs/issues!

Upgrading is easy as ever: Download, unpack, go to your Admin panel,
done. Read more here: Serendipity FAQ [4]. The download is available
here: Serendipity Download Page [5]

Have fun!

[1] http://blog.s9y.org/archives/139-New-Se ... beta1.html
[2] http://blog.s9y.org/archives/142-Custom ... tions.html
[3] http://blog.s9y.org/archives/141-Plugin ... sions.html
[4] http://www.s9y.org/11.html#A19
[5] http://www.s9y.org/12.html
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/