Moodle 1.9.7 release notes: Difference between revisions
From MoodleDocs
Helen Foster (talk | contribs) (→Security issues: MDL-20853 rewording) |
Helen Foster (talk | contribs) (MDL-20834 rewording) |
||
| Line 4: | Line 4: | ||
* MDL-20591 - [[IMS Common Cartridge import]] (requires enabling in ''Site Administration > Miscellaneous > [[Experimental]]'') | * MDL-20591 - [[IMS Common Cartridge import]] (requires enabling in ''Site Administration > Miscellaneous > [[Experimental]]'') | ||
* MDL-13049 [[Workshop module]] finally pushes grades into Gradebook during [[grade/edit/simple_tree/index#Synchronize_legacy_grades|Synchronize legacy grades]] procedure | * MDL-13049 - [[Workshop module]] finally pushes grades into Gradebook during [[grade/edit/simple_tree/index#Synchronize_legacy_grades|Synchronize legacy grades]] procedure | ||
* Miscellaneous Workshop module fixes (MDL-20668, MDL-7218, MDL-20827) | * Miscellaneous Workshop module fixes (MDL-20668, MDL-7218, MDL-20827) | ||
| Line 11: | Line 11: | ||
This release contains a lot of security and privacy fixes related to the handling of user data and passwords in Moodle backups, MDL-20851. (Note that MDL-20851 and all the following security issues currently have a security level setting which restricts access). | This release contains a lot of security and privacy fixes related to the handling of user data and passwords in Moodle backups, MDL-20851. (Note that MDL-20851 and all the following security issues currently have a security level setting which restricts access). | ||
* MDL-20838 Hashed user passwords are no longer saved in backup files containing user data. | * MDL-20838 - Hashed user passwords are no longer saved in backup files containing user data. | ||
:If anyone really needs passwords to be saved (in rare case of restoring a backup with user data to a different site) <code>$CFG->includeuserpasswordsinbackups</code> may be added to ''config.php''. | :If anyone really needs passwords to be saved (in rare case of restoring a backup with user data to a different site) <code>$CFG->includeuserpasswordsinbackups</code> may be added to ''config.php''. | ||
* MDL-20846 Restore has been fixed to cope with missing user password hashes in backups containing new user data. It will set the password to a special value that prevents login. The next time that user tries to log in with their username on this new site they get an explanation and are led through the standard password recovery process. | * MDL-20846 - Restore has been fixed to cope with missing user password hashes in backups containing new user data. It will set the password to a special value that prevents login. The next time that user tries to log in with their username on this new site they get an explanation and are led through the standard password recovery process. | ||
* MDL-20844 We no longer include course+group enrolment keys in backups, unless 'includecoursepasswordsinbackup' is set. Instead, put in a marker to show that there was a key at some point. | * MDL-20844 - We no longer include course+group enrolment keys in backups, unless 'includecoursepasswordsinbackup' is set. Instead, put in a marker to show that there was a key at some point. | ||
* MDL-20866 Restore is fixed to cope with missing course+group enrolment keys. The restore routine will now inform the user about it and ask them to type in new keys. | * MDL-20866 - Restore is fixed to cope with missing course+group enrolment keys. The restore routine will now inform the user about it and ask them to type in new keys. | ||
* MDL-18807 To greatly reduce the risk of password theft, a [[Password salting|password salt]] is set in ''config.php'' when installing 1.9.7 and for upgrades, a notification message strongly recommends admins to set a password salt. In addition, the [[Security overview|security overview report]] gives a warning if no password salt has been set. | * MDL-18807 - To greatly reduce the risk of password theft, a [[Password salting|password salt]] is set in ''config.php'' when installing 1.9.7 and for upgrades, a notification message strongly recommends admins to set a password salt. In addition, the [[Security overview|security overview report]] gives a warning if no password salt has been set. | ||
* MDL-20834 | * MDL-20834 - A new capability [[Capabilities/moodle/backup:userinfo|moodle/backup:userinfo]] allows admins to choose whether teachers can include user data in a course backup. The capability is allowed for the default admin role only. The [[Security overview|security overview report]] warns of roles with the capability allowed. | ||
* MDL-20849 We have implemented a new capability to allow teachers to restore user data (including creation of new users if required), called moodle/restore:userinfo. Not allowed by default, as above. | * MDL-20849 - We have implemented a new capability to allow teachers to restore user data (including creation of new users if required), called moodle/restore:userinfo. Not allowed by default, as above. | ||
* MDL-20854 To remove possible passwords hidden in existing backups, we have implemented a cleanup script to process existing backup files in moodledata and delete all password hashes from them. | * MDL-20854 - To remove possible passwords hidden in existing backups, we have implemented a cleanup script to process existing backup files in moodledata and delete all password hashes from them. | ||
* MDL-18006 To improve password quality and reduce the chance of md5 lookup attack, the [[Password policy|password policy]] is enabled by default in new installs, and switched on during upgrade to 1.9.7. | * MDL-18006 - To improve password quality and reduce the chance of md5 lookup attack, the [[Password policy|password policy]] is enabled by default in new installs, and switched on during upgrade to 1.9.7. | ||
* MDL-20853 To protect sites from old backups that are not accessible to Moodle, after upgrading to 1.9.7, admins are prompted to change their password on next login. | * MDL-20853 - To protect sites from old backups that are not accessible to Moodle, after upgrading to 1.9.7, admins are prompted to change their password on next login. | ||
* MDL-19608 To assist admins who might want to force their users to reset their passwords, a force password change option is available in [[Bulk user actions]] | * MDL-19608 - To assist admins who might want to force their users to reset their passwords, a force password change option is available in [[Bulk user actions]] | ||
===New language pack=== | ===New language pack=== | ||
Revision as of 15:35, 19 November 2009
Release date: Not yet released
Highlights
- MDL-20591 - IMS Common Cartridge import (requires enabling in Site Administration > Miscellaneous > Experimental)
- MDL-13049 - Workshop module finally pushes grades into Gradebook during Synchronize legacy grades procedure
- Miscellaneous Workshop module fixes (MDL-20668, MDL-7218, MDL-20827)
Security issues
This release contains a lot of security and privacy fixes related to the handling of user data and passwords in Moodle backups, MDL-20851. (Note that MDL-20851 and all the following security issues currently have a security level setting which restricts access).
- MDL-20838 - Hashed user passwords are no longer saved in backup files containing user data.
- If anyone really needs passwords to be saved (in rare case of restoring a backup with user data to a different site)
$CFG->includeuserpasswordsinbackupsmay be added to config.php.
- MDL-20846 - Restore has been fixed to cope with missing user password hashes in backups containing new user data. It will set the password to a special value that prevents login. The next time that user tries to log in with their username on this new site they get an explanation and are led through the standard password recovery process.
- MDL-20844 - We no longer include course+group enrolment keys in backups, unless 'includecoursepasswordsinbackup' is set. Instead, put in a marker to show that there was a key at some point.
- MDL-20866 - Restore is fixed to cope with missing course+group enrolment keys. The restore routine will now inform the user about it and ask them to type in new keys.
- MDL-18807 - To greatly reduce the risk of password theft, a password salt is set in config.php when installing 1.9.7 and for upgrades, a notification message strongly recommends admins to set a password salt. In addition, the security overview report gives a warning if no password salt has been set.
- MDL-20834 - A new capability moodle/backup:userinfo allows admins to choose whether teachers can include user data in a course backup. The capability is allowed for the default admin role only. The security overview report warns of roles with the capability allowed.
- MDL-20849 - We have implemented a new capability to allow teachers to restore user data (including creation of new users if required), called moodle/restore:userinfo. Not allowed by default, as above.
- MDL-20854 - To remove possible passwords hidden in existing backups, we have implemented a cleanup script to process existing backup files in moodledata and delete all password hashes from them.
- MDL-18006 - To improve password quality and reduce the chance of md5 lookup attack, the password policy is enabled by default in new installs, and switched on during upgrade to 1.9.7.
- MDL-20853 - To protect sites from old backups that are not accessible to Moodle, after upgrading to 1.9.7, admins are prompted to change their password on next login.
- MDL-19608 - To assist admins who might want to force their users to reset their passwords, a force password change option is available in Bulk user actions
New language pack
- Dhivehi - Ahmed Shareef, Moosa Ali, Amir Hussein
(See Translation credits for additional details.)
