Latest release notes
Moodle 1.9.8
Release date: 25th March 2010
Here is the full list of fixed issues in 1.9.8.
Special notes
- If you are using an unusual authentication mechanism then you may experience problems with sessions, and be unable to log in. If this happens to you, add the following to your config.php to make login work:
$CFG->regenloginsession = false;
Highlights
- MDL-16658 - New capability moodle/restore:createuser to control whether a user can create users when restoring a course
- MDL-21174 - Bulk upload of user profile pictures now excludes deleted users
- MDL-20125 - New Section Links block settings
- MDL-21868 - Fix for bug affecting upgrade to 1.9.7+ on MS SQL
- MDL-21606 - Fix for Chameleon theme not working with Firefox 3.6 bug
- MDL-21343 - Fix for LDAP authentication settings not being shown
- MDL-19392 and MDL-21332 - Fixes for AICC objects
- MDL-21045 - Grade letters, outcomes, grade categories and grade items are now restored regardless of whether users are included in the course backup
- MDL-20122 - SCORM module restore now retains maxgrade, updatefreq, maxattempt, grademethod and options (popup window option checkboxes)
- MDL-20819 - Fix for statistics generation problem
- MDL-21029 - Global glossary auto linking fix
- MDL-20810 - Hotpot module import questions fix
Security issues
- MSA-10-0001 Vulnerability in KSES text cleaning
- MSA-10-0002 XSS vulnerabilty in the phpcas module
- MSA-10-0003 Disclosure of full user names
- MSA-10-0004 Improved access control in course restore
- MSA-10-0005 Incorrect validation of forms data
- MSA-10-0006 SQL injection in Wiki module
- MSA-10-0007 Reflective Cross Site Scripting (XSS) in the Moodle Global Search Engine
- MSA-10-0008 Persistent XSS when using Login-as feature
- MSA-10-0009 Session fixation prevention now turned on by default
New language packs
- Asturian - Xosé Nel Caldevilla Vega
- Zulu - iCyber E-Learning Solutions
(See Translation credits for additional details.)
Moodle 1.8.11
Release date: 25th November 2009
Important: Upgrading is very highly recommended!
Here is the full list of fixed issues in 1.8.11.
Functional changes
- After upgrading, admins will be asked to change their passwords next time they log in (manual or email based self-registration accounts only).
- To reduce the risk of password theft, a password salt is set in config.php in new installs and for upgrades, admins are sent an email recommending that they do so.
- Teachers lose permission to include ANY user data in a course backup or restore a course including user data due to new capabilities moodle/backup:userinfo and moodle/restore:userinfo which are not set for the default role of teacher. Sites with custom roles should check permissions carefully.
- Hashed user passwords are no longer saved in backup files containing user data. If a backup is restored to a new site, users will be asked to go through the "forgot my password" routine the first time they log in.
- In Moodle 1.8.11+ weekly from 23/12/09 onwards: Moodle will no longer serve any uploaded Flash files to browsers with old Flash plugins. Admins can set the minimum required Flash player version in Site Administration > Security > HTTP Security.
Security issues
- MSA-09-0022 - Multiple CSRF problems fixed
- MSA-09-0023 - Fixed user account disclosure in LAMS module
- MSA-09-0024 - Fixed insufficient access control in Glossary module
- MSA-09-0025 - Unneeded MD5 hashes removed from user table
- MSA-09-0026 - Fixed invalid application access control in MNET interface
- MSA-09-0027 - Ensured login information is always sent secured when using SSL for logins
- MSA-09-0028 - Passwords and secrets are no longer ever saved in backups, new backup capabilities moodle/backup:userinfo and moodle/restore:userinfo for controlling who can backup/restore user data
- MSA-09-0029 - Enabling a password salt in encouraged in config.php and admins are forced to change password after the upgrade
- MSA-09-0031 - Fixed SQL injection in SCORM module
- In Moodle 1.8.11+ weekly from 23/12/09 onwards: MSA-09-0030 - New detection of insecure Flash player plugins, Moodle won't serve Flash to insecure plugins
Moodle 1.7.7
Release date: 28th January 2009
Here is the full list of fixed issues in 1.7.7.
Note: This is the last formal release of the 1.7 branch. Support for this branch has been discontinued. We highly recommend you upgrade!
Moodle 1.6.9
Release date: 28th January 2009
Here is the full list of fixed issues in 1.6.9.
Note: This is the last formal release of the 1.6 branch. Support for this branch has been discontinued. We highly recommend you upgrade!
See also
- Moodle version history for dates of release and links to notes for earlier versions