Thanks to Erich Schubert, we were made aware of a bug and security
issue in the Plugin "Extended properties for entries". Since this
plugin is delivered with the core release, we have created a new
Serendipity release for both the current stable 1.1 version tree,
as well as a new 1.2 beta version.
Serendipity Users that are using the mentioned plugin do not need
to upgrade the full release, they can just fetch the updated version
of the plugin through this link:
Put that updated file into your plugins/serendipity_event_entryproperties/serendipity_event_entryproperties.php file.
The actual bug was, that people were able to deliver custom
entryproperties settings to the Serendipity Frontend via a
HTTP-Request, which made them able to bypass a possibly used password
protection. Any other restriction of viewability of entries done via
category read-privileges were not affected, though.
Bottom line is: If you are using password protection for entries,
this security update is mandatory for you. Also if you were generally
using the entryproperties plugin (which is not installed by default
in Serendipity), you are urged to update your plugin. Only people not
using this plugin need not care about this issue.
You can download the new full releases as always on http://www.s9y.org/12.html.