github s9y/Serendipity 2.6.0
Serendipity 2.6.0

9 hours ago

We are very happy to announce the availability of the final release for Serendipity 2.6.0, our new stable version! 2.6.0 contains the changes that were part of 2.6-beta1, plus significant additional changes.

Especially when compared to the last stable version, 2.6.0 has many fixes and some new features. To highlight some:

  • Logins are now better protected against brute force attacks and can be further secured with an email login code (2FA). The option to enable this second login factor is in the personal settings.
  • The included gravatar plugin works properly again, so received comments will often look a lot better.
  • Timeouts in the backend are now mostly a thing of the past when using the "Remember me" login option. The CSRF protection, which previously caused timeouts when the PHP session ended, moved from internal tokens (valid for a limited time) to browser headers, which are independent of the PHP session. In our testing this change removed those timeouts completely.
  • The internal cache was completely reworked and got a big performance boost. The option is available under Configuration -> General Settings.
  • Serendipity can now receive webmentions in addition to Pingbacks and Trackbacks. It will show them as one of these linkback types depending on the data provided by the webmention.

Like the last stable release, 2.6.0 includes support for newer PHP versions. Serendipity now officially supports PHP 8.4, with lots of testing and updates done to achieve that support. Accordingly, the bundled libs have been updated to their current versions (at the time of development).

The release also contains other internal modernizations and improvements, like an upgrade of the provided jQuery version, a re-implementation of the tabs used in the backend with a CSS approach, fixes for errors linked to MySQL and PostgreSQL, and more compatible mail header separators. There are also multiple user-facing changes, like a more useful ordering of unreleased entries in the dashboard, compatibility for media library images in WEBP and AVIF format, better settings for JPEG thumbnails, and a hint for visitors of the RSS feed on how to subscribe via a feed reader.

Additionally, 2.6.0 is a security release. We received reports from Marcelo Barbosa (@mabjr33) about two possible host header attacks, one targeting cookies and the other possibly influencing notification mail headers. Only Serendipity installations reachable under arbitrary host headers are affected, which according to our testing means blogs on regular hosters like uberspace and manitu are safe. Regardless, a timely upgrade to 2.6.0 is highly recommended, especially when running Serendipity on a custom server.
These reports will be published soon.
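
For operators of custom servers, the general defence against this class of issue is to accept only the hostnames the blog is configured for before a Host value can reach cookie parameters or mail headers. The following is an added example, not Serendipity's code and not the fix shipped in 2.6.0; the `trusted_host()` helper, the `ALLOWED_HOSTS` list and all hostnames are hypothetical, constructed values.

```php
<?php
declare(strict_types=1);

// Assumption: hostnames this blog is meant to answer to (constructed values).
const ALLOWED_HOSTS = ['blog.example.org', 'www.blog.example.org'];

/**
 * Return the canonical host for a raw Host header value, or null when it is
 * not a host the site is configured for. Hypothetical helper, not a
 * Serendipity API.
 */
function trusted_host(?string $rawHost, array $allowed = ALLOWED_HOSTS): ?string
{
    if ($rawHost === null || $rawHost === '') {
        return null;
    }
    // Control characters or whitespace could split a header further down.
    if (preg_match('/[\x00-\x20\x7f]/', $rawHost) === 1) {
        return null;
    }
    // Strip an optional numeric port, then normalise case and a trailing dot.
    $host = strtolower((string) preg_replace('/:\d{1,5}$/', '', $rawHost));
    $host = rtrim($host, '.');
    // Exact match only: a suffix or substring test would also accept
    // "blog.example.org.other.test".
    return in_array($host, $allowed, true) ? $host : null;
}

// Constructed sample Host values, showing which requests would be served.
$samples = [
    'blog.example.org',
    'BLOG.example.org:8080',
    'other.test',
    'blog.example.org.other.test',
    "blog.example.org\r\nX-Injected: 1",
    null,
];
foreach ($samples as $raw) {
    $host = trusted_host($raw);
    printf("%-42s => %s\n", json_encode($raw), $host ?? 'REJECT (answer with 400)');
}

// In a request handler, call trusted_host($_SERVER['HTTP_HOST'] ?? null) once,
// answer 400 on null, and use only the returned value afterwards.
```

Only the first two samples are accepted; the same allowlist can also be enforced in the web server with a default virtual host that rejects unknown names.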

Finally, a big thank you to all contributors. 2.5.0 was released over 2 years ago, so this new release has been very necessary. We hope all Serendipity bloggers enjoy the new version as much as we enjoyed building it.

New Contributors (according to Github)

Full Changelog: 2.5.0...2.6.0

(MD5: f3726c0227a01e19154763844231a091)
