Moodle 1.9.7 release notes: Difference between revisions
From MoodleDocs
Helen Foster (talk | contribs) (→Security issues: info on saving passwords in backups moved to Configuration file) |
Helen Foster (talk | contribs) (→Security issues: security advisory links added) |
||
| (12 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
Release date: | Release date: 25th November 2009 | ||
'''Important:''' Upgrading is very highly recommended! | |||
Here is [http://tracker.moodle.org/browse/MDL/fixforversion/10360 the full list of fixed issues in 1.9.7]. | |||
===Highlights=== | ===Highlights=== | ||
| Line 7: | Line 11: | ||
* Miscellaneous Workshop module fixes (MDL-20668, MDL-7218, MDL-20827) | * Miscellaneous Workshop module fixes (MDL-20668, MDL-7218, MDL-20827) | ||
=== | ===Functional changes=== | ||
The | * To force users to use stronger passwords that are less susceptible to being cracked the [[Password policy|password policy]] is enabled by default in new installs, and switched on when upgrading to 1.9.7. | ||
:Admins can review their password policy in ''Site Administration > Security > [[Site policies]]''. The default policy requires passwords of at least 8 characters long and containing at least 1 digit, 1 lower case letter, 1 upper case letter and 1 non-alphanumeric character. | |||
* After upgrading to 1.9.7, admins will be asked to change their passwords next time they log in (manual or email based self-registration accounts only). | |||
* To reduce the risk of password theft, a [[Password salting|password salt]] is set in ''config.php'' in new installs and for upgrades, admins are sent an email recommending that they do so. | |||
* Teachers lose permission to include ANY user data in a course backup or restore a course including user data due to new capabilities [[Capabilities/moodle/backup:userinfo|moodle/backup:userinfo]] and [[Capabilities/moodle/restore:userinfo|moodle/restore:userinfo]] which are not set for the default role of teacher. Sites with custom roles should check permissions carefully. Admins can restore those permissions but are informed of the risks in doing so. | |||
* Hashed user passwords are no longer saved in backup files containing user data. If a backup is restored to a new site, users will be asked to go through the "forgot my password" routine the first time they log in. | |||
* Moodle will no longer serve any uploaded Flash files to browsers with old Flash plugins. Admins can set the minimum required Flash player version in ''Site Administration > Security > HTTP Security''. | |||
===Security issues=== | |||
* [http://moodle.org/mod/forum/discuss.php?d=139100 MSA-09-0022] - Multiple CSRF problems fixed | |||
* | * [http://moodle.org/mod/forum/discuss.php?d=139102 MSA-09-0023] - Fixed user account disclosure in [[LAMS module]] | ||
* [http://moodle.org/mod/forum/discuss.php?d=139103 MSA-09-0024] - Fixed insufficient access control in [[Glossary module]] | |||
* [http://moodle.org/mod/forum/discuss.php?d=139105 MSA-09-0025] - Unneeded MD5 hashes removed from user table | |||
* [http://moodle.org/mod/forum/discuss.php?d=139106 MSA-09-0026] - Fixed invalid application access control in MNET interface | |||
* [http://moodle.org/mod/forum/discuss.php?d=139107 MSA-09-0027] - Ensured login information is always sent secured when using SSL for logins | |||
* [http://moodle.org/mod/forum/discuss.php?d=139110 MSA-09-0028] - Passwords and secrets are no longer ever saved in backups, new backup capabilities [[Capabilities/moodle/backup:userinfo|moodle/backup:userinfo]] and [[Capabilities/moodle/restore:userinfo|moodle/restore:userinfo]] for controlling who can backup/restore user data, new checks in the [[Security overview|security overview report]] help admins identify dangerous backup permissions | |||
* [http://moodle.org/mod/forum/discuss.php?d=139111 MSA-09-0029] - A strong [[Password policy|password policy]] is now enabled by default, enabling [[Password salting|password salt]] in encouraged in ''config.php'', admins are forced to change password after the upgrade and admins can force password change on other users via [[Bulk user actions]] | |||
* [http://moodle.org/mod/forum/discuss.php?d=139119 MSA-09-0030] - New detection of insecure Flash player plugins, Moodle won't serve Flash to insecure plugins | |||
* [http://moodle.org/mod/forum/discuss.php?d=139120 MSA-09-0031] - Fixed SQL injection in [[SCORM module]] | |||
===New language pack=== | ===New language pack=== | ||
| Line 39: | Line 48: | ||
[[fr:Notes de mise à jour de Moodle 1.9.7]] | [[fr:Notes de mise à jour de Moodle 1.9.7]] | ||
[[de:Moodle 1.9.7 Versionsinformationen]] | [[de:Moodle 1.9.7 Versionsinformationen]] | ||
[[es:Notas de Moodle 1.9.7]] | |||
Latest revision as of 21:18, 1 December 2009
Release date: 25th November 2009
Important: Upgrading is very highly recommended!
Here is the full list of fixed issues in 1.9.7.
Highlights
- MDL-20591 - IMS Common Cartridge import (requires enabling in Site Administration > Miscellaneous > Experimental)
- MDL-13049 - Workshop module finally pushes grades into Gradebook during Synchronize legacy grades procedure
- Miscellaneous Workshop module fixes (MDL-20668, MDL-7218, MDL-20827)
Functional changes
- To force users to use stronger passwords that are less susceptible to being cracked the password policy is enabled by default in new installs, and switched on when upgrading to 1.9.7.
- Admins can review their password policy in Site Administration > Security > Site policies. The default policy requires passwords of at least 8 characters long and containing at least 1 digit, 1 lower case letter, 1 upper case letter and 1 non-alphanumeric character.
- After upgrading to 1.9.7, admins will be asked to change their passwords next time they log in (manual or email based self-registration accounts only).
- To reduce the risk of password theft, a password salt is set in config.php in new installs and for upgrades, admins are sent an email recommending that they do so.
- Teachers lose permission to include ANY user data in a course backup or restore a course including user data due to new capabilities moodle/backup:userinfo and moodle/restore:userinfo which are not set for the default role of teacher. Sites with custom roles should check permissions carefully. Admins can restore those permissions but are informed of the risks in doing so.
- Hashed user passwords are no longer saved in backup files containing user data. If a backup is restored to a new site, users will be asked to go through the "forgot my password" routine the first time they log in.
- Moodle will no longer serve any uploaded Flash files to browsers with old Flash plugins. Admins can set the minimum required Flash player version in Site Administration > Security > HTTP Security.
Security issues
- MSA-09-0022 - Multiple CSRF problems fixed
- MSA-09-0023 - Fixed user account disclosure in LAMS module
- MSA-09-0024 - Fixed insufficient access control in Glossary module
- MSA-09-0025 - Unneeded MD5 hashes removed from user table
- MSA-09-0026 - Fixed invalid application access control in MNET interface
- MSA-09-0027 - Ensured login information is always sent secured when using SSL for logins
- MSA-09-0028 - Passwords and secrets are no longer ever saved in backups, new backup capabilities moodle/backup:userinfo and moodle/restore:userinfo for controlling who can backup/restore user data, new checks in the security overview report help admins identify dangerous backup permissions
- MSA-09-0029 - A strong password policy is now enabled by default, enabling password salt in encouraged in config.php, admins are forced to change password after the upgrade and admins can force password change on other users via Bulk user actions
- MSA-09-0030 - New detection of insecure Flash player plugins, Moodle won't serve Flash to insecure plugins
- MSA-09-0031 - Fixed SQL injection in SCORM module
New language pack
- Dhivehi - Ahmed Shareef, Moosa Ali, Amir Hussein
(See Translation credits for additional details.)
