Moodle 1.8.11 release notes: Difference between revisions
From MoodleDocs
Revision by Helen Foster (edit summary: updated functional changes and security issues)
Revision as of 08:53, 26 November 2009
Release date: 25th November 2009
Here is the full list of fixed issues in 1.8.11.
Functional changes
- To force users to use stronger passwords that are less susceptible to being cracked, the password policy is enabled by default in new installs, and switched on when upgrading.
- Admins can review their password policy in Site Administration > Security > Site policies. The default policy requires passwords of at least 8 characters long and containing at least 1 digit, 1 lower case letter, 1 upper case letter and 1 non-alphanumeric character.
- After upgrading, admins will be asked to change their passwords next time they log in (manual or email based self-registration accounts only).
- To reduce the risk of password theft, a password salt is set in config.php in new installs; for upgrades, admins are sent an email recommending that they set one.
- Teachers lose permission to include ANY user data in a course backup, or to restore a course including user data, because the new capabilities moodle/backup:userinfo and moodle/restore:userinfo are not set for the default teacher role. Sites with custom roles should check permissions carefully.
- Hashed user passwords are no longer saved in backup files containing user data. If a backup is restored to a new site, users will be asked to go through the "forgot my password" routine the first time they log in.
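The default policy above (at least 8 characters, 1 digit, 1 lower case, 1 upper case and 1 non-alphanumeric character) as an added Python illustration; this is not Moodle's own PHP code, and the field names of PasswordPolicy are assumed for this example rather than taken from Moodle's settings.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Minimum requirements; the defaults mirror the 1.8.11 default policy."""
    min_length: int = 8
    min_digits: int = 1
    min_lower: int = 1
    min_upper: int = 1
    min_nonalphanum: int = 1


DEFAULT_POLICY = PasswordPolicy()


def check_password_policy(password: str, policy: PasswordPolicy = DEFAULT_POLICY) -> list:
    """Return the list of unmet requirements; an empty list means the password passes.

    Each rule is reported separately so a user (or admin reviewing the policy)
    sees everything that is missing rather than only the first failure.
    """
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"at least {policy.min_length} characters")
    # (required count, per-character predicate, human-readable name)
    rules = [
        (policy.min_digits, str.isdigit, "digit"),
        (policy.min_lower, str.islower, "lower case letter"),
        (policy.min_upper, str.isupper, "upper case letter"),
        (policy.min_nonalphanum, lambda c: not c.isalnum(), "non-alphanumeric character"),
    ]
    for required, predicate, name in rules:
        found = sum(1 for c in password if predicate(c))
        if found < required:
            plural = "s" if required != 1 else ""
            violations.append(f"at least {required} {name}{plural}")
    return violations


def is_acceptable(password: str, policy: PasswordPolicy = DEFAULT_POLICY) -> bool:
    """Convenience wrapper: True only when no rule is violated."""
    return not check_password_policy(password, policy)


if __name__ == "__main__":
    # Constructed sample passwords, weakest first
    for candidate in ["password", "Pa1!", "PASSWORD1!", "Password1!"]:
        print(repr(candidate), "->", check_password_policy(candidate) or "OK")
```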
Security issues
IMPORTANT! Upgrading is very highly recommended.
- Passwords and secrets are no longer ever saved in backups
- New backup capabilities moodle/backup:userinfo and moodle/restore:userinfo for controlling who can backup/restore user data
- A strong password policy is now enabled by default
- Enabling a password salt in config.php is encouraged
- Admins are forced to change password after the upgrade
- Unneeded MD5 hashes removed from user table
- Fixed invalid application access control in MNET interface
- Multiple CSRF problems fixed
- Fixed user account disclosure in LAMS module
- Fixed insufficient access control in glossary
- Ensured login information is always sent secured when using SSL for logins
- Fixed SQL injection in SCORM module
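Why the salt recommendation matters for the stored MD5 hashes, as an added Python illustration that is not Moodle's own code: the salt value and the legacy-hash migration on login are assumptions made for this example, and the md5(password + salt) construction is used here only because that is what this release generation stored, not as a recommended scheme today.

```python
import hashlib
import hmac

# Constructed stand-in for the site salt an admin would set in config.php; not a real value.
PASSWORD_SALT_MAIN = "example-long-random-site-salt-CHANGE-ME"


def hash_unsalted(password: str) -> str:
    """Legacy unsalted hash as stored before a salt is configured."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: str = PASSWORD_SALT_MAIN) -> str:
    """Salted hash: the site-wide salt is appended before hashing, so the same
    password produces different hashes on sites with different salts."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()


def validate_password(stored_hash: str, password: str, salt: str = PASSWORD_SALT_MAIN):
    """Return (valid, needs_rehash).

    The salted form is tried first; a legacy unsalted hash is still accepted so that
    existing accounts keep working after the salt is added, but is flagged for rehash.
    Constant-time comparison avoids leaking how many leading hex digits matched.
    """
    if hmac.compare_digest(stored_hash, hash_salted(password, salt)):
        return True, False
    if hmac.compare_digest(stored_hash, hash_unsalted(password)):
        return True, True
    return False, False


def login_and_upgrade(stored_hash: str, password: str, salt: str = PASSWORD_SALT_MAIN) -> str:
    """Simulate a login: on success with a legacy hash, return the new salted hash
    to be written back; otherwise return the stored hash unchanged."""
    valid, needs_rehash = validate_password(stored_hash, password, salt)
    if valid and needs_rehash:
        return hash_salted(password, salt)
    return stored_hash


if __name__ == "__main__":
    pw = "Password1!"  # constructed sample
    print("unsalted, identical on every site:", hash_unsalted(pw))
    print("salted, site A:", hash_salted(pw, "site-A-salt"))
    print("salted, site B:", hash_salted(pw, "site-B-salt"))
```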