Moodle 1.8.11 release notes: Difference between revisions
From MoodleDocs
Helen Foster (talk | contribs) (MDL-20838, MDL-18807) |
David Mudrak (talk | contribs) m (Reverted edits by Mudrd8mz (talk) to last revision by Michael de Raadt) Tag: Rollback |
||
| (16 intermediate revisions by 5 users not shown) | |||
| Line 1: | Line 1: | ||
Release date: | Release date: 25th November 2009 | ||
'''Important''': Upgrading is very highly recommended! | |||
Here is [http://tracker.moodle.org/browse/MDL/fixforversion/10383 the full list of fixed issues in 1.8.11]. | |||
===Functional changes=== | |||
'' | * After upgrading, admins will be asked to change their passwords next time they log in (manual or email based self-registration accounts only). | ||
* To reduce the risk of password theft, a [[:en:Password salting|password salt]] is set in ''config.php'' in new installs and for upgrades, admins are sent an email recommending that they do so. | |||
* Teachers lose permission to include ANY user data in a course backup or restore a course including user data due to new capabilities [[:en:Capabilities/moodle/backup:userinfo|moodle/backup:userinfo]] and [[:en:Capabilities/moodle/restore:userinfo|moodle/restore:userinfo]] which are not set for the default role of teacher. Sites with custom roles should check permissions carefully. | |||
* Hashed user passwords are no longer saved in backup files containing user data. If a backup is restored to a new site, users will be asked to go through the "forgot my password" routine the first time they log in. | |||
* In Moodle 1.8.11+ weekly from 23/12/09 onwards: Moodle will no longer serve any uploaded Flash files to browsers with old Flash plugins. Admins can set the minimum required Flash player version in ''Site Administration > Security > HTTP Security''. | |||
===Security issues=== | |||
* [http://moodle.org/mod/forum/discuss.php?d=139100 MSA-09-0022] - Multiple CSRF problems fixed | |||
* [http://moodle.org/mod/forum/discuss.php?d=139102 MSA-09-0023] - Fixed user account disclosure in [[:en:LAMS module|LAMS module]] | |||
* [http://moodle.org/mod/forum/discuss.php?d=139103 MSA-09-0024] - Fixed insufficient access control in [[:en:Glossary module|Glossary module]] | |||
* [http://moodle.org/mod/forum/discuss.php?d=139105 MSA-09-0025] - Unneeded MD5 hashes removed from user table | |||
* [http://moodle.org/mod/forum/discuss.php?d=139106 MSA-09-0026] - Fixed invalid application access control in MNET interface | |||
* [http://moodle.org/mod/forum/discuss.php?d=139107 MSA-09-0027] - Ensured login information is always sent secured when using SSL for logins | |||
* [http://moodle.org/mod/forum/discuss.php?d=139110 MSA-09-0028] - Passwords and secrets are no longer ever saved in backups, new backup capabilities [[:en:Capabilities/moodle/backup:userinfo|moodle/backup:userinfo]] and [[:en:Capabilities/moodle/restore:userinfo|moodle/restore:userinfo]] for controlling who can backup/restore user data | |||
* [http://moodle.org/mod/forum/discuss.php?d=139111 MSA-09-0029] - Enabling a [[:en:Password salting|password salt]] in encouraged in ''config.php'' and admins are forced to change password after the upgrade | |||
* [http://moodle.org/mod/forum/discuss.php?d=139120 MSA-09-0031] - Fixed SQL injection in [[:en:SCORM module|SCORM module]] | |||
* In Moodle 1.8.11+ weekly from 23/12/09 onwards: [http://moodle.org/mod/forum/discuss.php?d=139119 MSA-09-0030] - New detection of insecure Flash player plugins, Moodle won't serve Flash to insecure plugins | |||
<noinclude> | <noinclude> | ||
| Line 17: | Line 31: | ||
[[fr:Notes de mise à jour de Moodle 1.8.11]] | [[fr:Notes de mise à jour de Moodle 1.8.11]] | ||
[[es:Notas de Moodle 1.8.11]] | |||
[[de:Moodle 1.8.11 Versionsinformationen]] | |||
</noinclude> | </noinclude> | ||
Revision as of 13:11, 9 August 2021
Release date: 25th November 2009
Important: Upgrading is very highly recommended!
Here is the full list of fixed issues in 1.8.11.
Functional changes
- After upgrading, admins will be asked to change their passwords next time they log in (manual or email based self-registration accounts only).
- To reduce the risk of password theft, a password salt is set in config.php in new installs and for upgrades, admins are sent an email recommending that they do so.
- Teachers lose permission to include ANY user data in a course backup or restore a course including user data due to new capabilities moodle/backup:userinfo and moodle/restore:userinfo which are not set for the default role of teacher. Sites with custom roles should check permissions carefully.
- Hashed user passwords are no longer saved in backup files containing user data. If a backup is restored to a new site, users will be asked to go through the "forgot my password" routine the first time they log in.
- In Moodle 1.8.11+ weekly from 23/12/09 onwards: Moodle will no longer serve any uploaded Flash files to browsers with old Flash plugins. Admins can set the minimum required Flash player version in Site Administration > Security > HTTP Security.
Security issues
- MSA-09-0022 - Multiple CSRF problems fixed
- MSA-09-0023 - Fixed user account disclosure in LAMS module
- MSA-09-0024 - Fixed insufficient access control in Glossary module
- MSA-09-0025 - Unneeded MD5 hashes removed from user table
- MSA-09-0026 - Fixed invalid application access control in MNET interface
- MSA-09-0027 - Ensured login information is always sent secured when using SSL for logins
- MSA-09-0028 - Passwords and secrets are no longer ever saved in backups, new backup capabilities moodle/backup:userinfo and moodle/restore:userinfo for controlling who can backup/restore user data
- MSA-09-0029 - Enabling a password salt in encouraged in config.php and admins are forced to change password after the upgrade
- MSA-09-0031 - Fixed SQL injection in SCORM module
- In Moodle 1.8.11+ weekly from 23/12/09 onwards: MSA-09-0030 - New detection of insecure Flash player plugins, Moodle won't serve Flash to insecure plugins
