Moodle 1.8.11 release notes: Difference between revisions
From MoodleDocs
Helen Foster (talk | contribs) (→Security issues: MDL-20853)
Helen Foster (talk | contribs) (MDL-20834)
Line 8: | Line 8: | ||
:If anyone really needs passwords to be saved (in rare case of restoring a backup with user data to a different site) <code>$CFG->includeuserpasswordsinbackups</code> may be added to ''config.php''. | :If anyone really needs passwords to be saved (in rare case of restoring a backup with user data to a different site) <code>$CFG->includeuserpasswordsinbackups</code> may be added to ''config.php''. | ||
* MDL-18807 To greatly reduce the risk of password theft, a [[Password salting|password salt]] is set in ''config.php'' when installing 1.8.11 and for upgrades, a notification message strongly recommends admins to set a password salt. In addition, the [[Security overview|security overview report]] gives a warning if no password salt has been set. | * MDL-18807 To greatly reduce the risk of password theft, a [[Password salting|password salt]] is set in ''config.php'' when installing 1.8.11 and for upgrades, a notification message strongly recommends admins to set a password salt. In addition, the [[Security overview|security overview report]] gives a warning if no password salt has been set. | ||
* MDL-20834 - A new capability [[Capabilities/moodle/backup:userinfo|moodle/backup:userinfo]] allows admins to choose whether teachers can include user data in a course backup. The capability is allowed for the default admin role only. The [[Security overview|security overview report]] warns of roles with the capability allowed. | |||
* MDL-20853 To protect sites from old backups that are not accessible to Moodle, after upgrading to 1.9.7, admins are prompted to change their password on next login. | * MDL-20853 To protect sites from old backups that are not accessible to Moodle, after upgrading to 1.9.7, admins are prompted to change their password on next login. | ||
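Review bot: the added MDL-20834 line puts a dash after the issue key ("MDL-20834 - A new capability"), while the surrounding items (MDL-18807, MDL-20853) run straight from the key into the sentence; drop the dash so the list reads consistently. The context line for MDL-20853 also says "after upgrading to 1.9.7" on a page of 1.8.11 release notes, which is worth confirming while this section is being edited.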
Revision as of 15:36, 19 November 2009
Release date: Not yet released
Security issues
This release contains a lot of security and privacy fixes related to the handling of user data and passwords in Moodle backups, MDL-20851. (Note that MDL-20851 and all the following security issues currently have a security level setting which restricts access).
- MDL-20838 Hashed user passwords are no longer saved in backup files containing user data.
  - If anyone really needs passwords to be saved (in the rare case of restoring a backup with user data to a different site), $CFG->includeuserpasswordsinbackups may be added to config.php.
- MDL-18807 To greatly reduce the risk of password theft, a password salt is set in config.php when installing 1.8.11; for upgrades, a notification message strongly recommends that admins set a password salt. In addition, the security overview report gives a warning if no password salt has been set.
- MDL-20834 A new capability moodle/backup:userinfo allows admins to choose whether teachers can include user data in a course backup. The capability is allowed for the default admin role only. The security overview report warns of roles with the capability allowed.
- MDL-20853 To protect sites from old backups that are not accessible to Moodle, after upgrading to 1.9.7, admins are prompted to change their password on next login.
More issues to be listed soon...