
Moodle 1.8.11 release notes: Difference between revisions

From MoodleDocs
(list of fixed issues, content copied from Moodle 1.9.7 release notes)
Release date: Not yet released  


==Security issues==
Here is [http://tracker.moodle.org/browse/MDL/fixforversion/10383 the full list of fixed issues in 1.8.11].


This release contains a lot of security and privacy fixes related to the handling of user data and passwords in Moodle backups, MDL-20851. (Note that MDL-20851 and all the following security issues currently have a security level setting which restricts access).
===Functional changes===


* MDL-20838 Hashed user passwords are no longer saved in backup files containing user data.
* To force users to use stronger passwords that are less susceptible to being cracked the [[Password policy|password policy]] is enabled by default in new installs, and switched on when upgrading.
:If anyone really needs passwords to be saved (in the rare case of restoring a backup with user data to a different site), <code>$CFG->includeuserpasswordsinbackups</code> may be added to ''config.php''.
:Admins can review their password policy in ''Administration > Security > [[Site policies]]''. The default policy requires passwords of at least 8 characters long and containing at least 1 digit, 1 lower case letter, 1 upper case letter and 1 non-alphanumeric character.
* MDL-20846 - Restore has been fixed to cope with missing user password hashes in backups containing new user data. It will set the password to a special value that prevents login. The next time that user tries to log in with their username on this new site they get an explanation and are led through the standard password recovery process.
* MDL-18807 To greatly reduce the risk of password theft, a [[Password salting|password salt]] is set in ''config.php'' when installing 1.8.11; for upgrades, a notification message strongly recommends that admins set a password salt. In addition, the [[Security overview|security overview report]] gives a warning if no password salt has been set.
* MDL-20834 - A new capability [[Capabilities/moodle/backup:userinfo|moodle/backup:userinfo]] allows admins to choose whether teachers can include user data in a course backup. The capability is allowed for the default admin role only. The [[Security overview|security overview report]] warns of roles with the capability allowed.
* MDL-20849 - A new capability [[Capabilities/moodle/restore:userinfo|moodle/restore:userinfo]] allows admins to choose whether teachers can restore user data from a course backup (including the possible creation of new users). The capability is allowed for the default admin role only.
* MDL-20853 To protect sites from old backups that are not accessible to Moodle, after upgrading to 1.8.11, admins are prompted to change their password on next login.
* MDL-9251 - The option to [[Course backup|backup a course]] with all users on the site is only available to users with the capability moodle/site:backup in the system context. Similarly, the option to [[Course restore|restore a course]] with all users on the site is only available to users with the capability moodle/site:restore in the system context.
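An added example, not code from this page or from Moodle itself, showing a stand-alone check that mirrors the default policy described above (at least 8 characters, 1 digit, 1 lower case letter, 1 upper case letter and 1 non-alphanumeric character); the function name, its parameters and its return shape are assumptions made for illustration:

```php
<?php
// Added example (not Moodle's own code): a stand-alone check that mirrors the
// default password policy described in these release notes. The function name,
// argument names and return shape are assumptions for illustration.

/**
 * Return the policy rules that $password fails; an empty array means it passes.
 * Defaults are the 1.8.11 defaults: 8 characters, 1 digit, 1 lower case,
 * 1 upper case and 1 non-alphanumeric character.
 */
function password_policy_failures($password, $minlength = 8, $mindigits = 1,
                                  $minlower = 1, $minupper = 1, $minnonalnum = 1) {
    $failures = array();
    // Count every class separately so that all unmet rules are reported at once.
    $digits   = preg_match_all('/[0-9]/',        $password, $m);
    $lower    = preg_match_all('/[a-z]/',        $password, $m);
    $upper    = preg_match_all('/[A-Z]/',        $password, $m);
    $nonalnum = preg_match_all('/[^a-zA-Z0-9]/', $password, $m);

    // strlen() counts bytes; use mb_strlen() if multi-byte passwords must be
    // counted per character rather than per byte.
    if (strlen($password) < $minlength) {
        $failures[] = "at least $minlength characters";
    }
    if ($digits < $mindigits) {
        $failures[] = "at least $mindigits digit(s)";
    }
    if ($lower < $minlower) {
        $failures[] = "at least $minlower lower case letter(s)";
    }
    if ($upper < $minupper) {
        $failures[] = "at least $minupper upper case letter(s)";
    }
    if ($nonalnum < $minnonalnum) {
        $failures[] = "at least $minnonalnum non-alphanumeric character(s)";
    }
    return $failures;
}

// Constructed sample candidates (not real credentials), one per failure mode.
$samples = array('password', 'Password1', 'Sh0rt!', 'Passw0rd!');
foreach ($samples as $candidate) {
    $failures = password_policy_failures($candidate);
    echo str_pad($candidate, 12) . ($failures
        ? 'FAILS: ' . implode('; ', $failures)
        : 'meets the default policy') . "\n";
}
```

Sites that raise the defaults under ''Administration > Security > Site policies'' can pass the stricter minimums as arguments to see which existing passwords would no longer comply.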


''More issues to be listed soon...''
* After upgrading, admins will be asked to change their passwords next time they log in (manual or email based self-registration accounts only).
* To reduce the risk of password theft, a [[Password salting|password salt]] is set in ''config.php'' in new installs and, for upgrades, admins are sent an email recommending that they set one.
* Teachers lose the ability to include user data in a course backup or restore a course including user data due to new capabilities [[Capabilities/moodle/backup:userinfo|moodle/backup:userinfo]] and [[Capabilities/moodle/restore:userinfo|moodle/restore:userinfo]] which are not set for the default role of teacher. Sites with custom roles should check permissions carefully.
* Hashed user passwords are no longer saved in backup files containing user data. If a backup is restored to a new site, users will be asked to go through the "forgot my password" routine the first time they log in.

===Security issues===

* Multiple password related issues - [[Password policy|password policy]] enabled by default, [[Password salting|password salt]] in ''config.php'', forced admin password change, force password change option in [[Bulk user actions]]
* Multiple backup/restore related issues - new capabilities [[Capabilities/moodle/backup:userinfo|moodle/backup:userinfo]] and [[Capabilities/moodle/restore:userinfo|moodle/restore:userinfo]] for controlling who can backup/restore user data, passwords no longer saved in backups

''Additional issues to follow.''



Revision as of 19:53, 24 November 2009
