Moodle 1.8.11 release notes
From MoodleDocs
Release date: Not yet released
Security issues
This release contains a lot of security and privacy fixes related to the handling of user data and passwords in Moodle backups, MDL-20851. (Note that MDL-20851 and all the following security issues currently have a security level setting which restricts access).
- MDL-20838 Hashed user passwords are no longer saved in backup files containing user data.
- If anyone really needs passwords to be saved (in rare case of restoring a backup with user data to a different site)
$CFG->includeuserpasswordsinbackups
may be added to config.php.
- MDL-18807 To greatly reduce the risk of password theft, a password salt is set in config.php when installing 1.8.11 and for upgrades, a notification message strongly recommends admins to set a password salt. In addition, the security overview report gives a warning if no password salt has been set.
More issues to be listed soon...