
Moodle 1.8.11 release notes

From MoodleDocs
{{Template:Migrated|newDocId=/general/releases/1.8/1.8.11}}
Release date: 25th November 2009

'''Important''': Upgrading is very highly recommended!

This release contains a number of security and privacy fixes for the handling of user data and passwords in Moodle backups (MDL-20851). Note that MDL-20851 and the related security issues have a security level set in the tracker which restricts access to them.
Here is [http://tracker.moodle.org/browse/MDL/fixforversion/10383 the full list of fixed issues in 1.8.11].

===Functional changes===
* After upgrading, admins will be asked to change their passwords the next time they log in (manual or email-based self-registration accounts only) (MDL-20853).
* To reduce the risk of password theft, a [[:en:Password salting|password salt]] is set in ''config.php'' in new installs; for upgrades, admins are sent an email recommending that they set one, and the [[:en:Security overview|security overview report]] warns if no password salt has been set (MDL-18807).
* Teachers lose permission to include ANY user data in a course backup, or to restore a course including user data, due to the new capabilities [[:en:Capabilities/moodle/backup:userinfo|moodle/backup:userinfo]] and [[:en:Capabilities/moodle/restore:userinfo|moodle/restore:userinfo]], which are not set for the default teacher role (see MDL-20834). Sites with custom roles should check permissions carefully; the security overview report warns of roles with moodle/backup:userinfo allowed.
* Hashed user passwords are no longer saved in backup files containing user data (MDL-20838). If a backup is restored to a new site, users will be asked to go through the "forgot my password" routine the first time they log in.
* In Moodle 1.8.11+ weekly builds from 23/12/09 onwards, Moodle will no longer serve any uploaded Flash files to browsers with old Flash plugins. Admins can set the minimum required Flash player version in ''Site Administration > Security > HTTP Security''.
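The two password-related changes above, the salt in ''config.php'' and the removal of password hashes from backups, are illustrated by the following Python script. It is an added example and not Moodle code. It assumes the hashing scheme described in the Password salting documentation for this Moodle generation: the stored hash is md5 of the password concatenated with <code>$CFG->passwordsaltmain</code>, plain md5 of the password when no salt is set, and retired salts are kept as <code>$CFG->passwordsaltalt1</code>, <code>$CFG->passwordsaltalt2</code> and so on so that old hashes still validate once. The function names, the sample password and the wordlist are the example's own.

```python
# Added example, not Moodle's own code: how the password salt recommended in
# these notes changes stored hashes, why a leaked pre-1.8.11 backup (which
# still carried hashes) was dangerous, and how a login check keeps accepting
# legacy hashes while upgrading them to the current salt.
# Assumed scheme (from Moodle's Password salting docs for 1.8/1.9):
#   stored = md5(password + $CFG->passwordsaltmain), plain md5 if no salt,
#   retired salts kept as $CFG->passwordsaltalt1 .. N.
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple


def hash_password(password: str, salt: Optional[str] = None) -> str:
    """Moodle-style hash: md5(password . salt); plain md5 when no salt is set."""
    return hashlib.md5((password + (salt or "")).encode("utf-8")).hexdigest()


def new_salt(length: int = 40) -> str:
    """A long random string suitable for $CFG->passwordsaltmain."""
    return secrets.token_urlsafe(length)[:length]


def config_php_lines(main_salt: str, old_salts: List[str]) -> List[str]:
    """config.php lines: the current salt as passwordsaltmain, retired salts as
    passwordsaltalt1..N so hashes made with them keep validating until rehashed."""
    lines = ["$CFG->passwordsaltmain = '%s';" % main_salt]
    for i, old in enumerate(old_salts, start=1):
        lines.append("$CFG->passwordsaltalt%d = '%s';" % (i, old))
    return lines


def verify_password(password: str, stored: str, main_salt: Optional[str],
                    alt_salts: List[str]) -> Tuple[bool, Optional[str]]:
    """Validate a login. Returns (ok, rehash): rehash is the hash to write back
    when the stored value used a legacy scheme (unsalted, or a retired salt)."""
    current = hash_password(password, main_salt)
    if hmac.compare_digest(current, stored):
        return True, None
    legacy = [hash_password(password, None)] + [hash_password(password, s) for s in alt_salts]
    for candidate in legacy:
        if hmac.compare_digest(candidate, stored):
            return True, current  # accept this once, then upgrade the stored hash
    return False, None


def dictionary_attack(stored: str, wordlist: List[str], salt: Optional[str] = None) -> Optional[str]:
    """What an attacker holding a leaked hash can do: with no salt a wordlist or
    rainbow table recovers the password directly; with a salt the attacker also
    needs the salt from config.php."""
    for word in wordlist:
        if hash_password(word, salt) == stored:
            return word
    return None


if __name__ == "__main__":
    salt = new_salt()
    # Constructed sample: a user whose hash predates the salt logs in again.
    stored_unsalted = hash_password("correct horse", None)
    ok, rehash = verify_password("correct horse", stored_unsalted, salt, [])
    print("login ok:", ok, "upgraded to salted hash:", rehash == hash_password("correct horse", salt))
    wordlist = ["password", "123456", "correct horse"]  # constructed wordlist
    print("unsalted hash cracked as:", dictionary_attack(stored_unsalted, wordlist))
    print("salted hash cracked as:", dictionary_attack(hash_password("correct horse", salt), wordlist))
    print("\n".join(config_php_lines(salt, [])))
```

Rotating a salt later means moving the old value to the next free <code>passwordsaltaltN</code> line and putting the new one in <code>passwordsaltmain</code>; the verify step above then rehashes each user at their next login, which is the same reason the notes have users restored without hashes go through the "forgot my password" routine.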


===Security issues===
* [http://moodle.org/mod/forum/discuss.php?d=139100 MSA-09-0022] - Multiple CSRF problems fixed
* [http://moodle.org/mod/forum/discuss.php?d=139102 MSA-09-0023] - Fixed user account disclosure in [[:en:LAMS module|LAMS module]]
* [http://moodle.org/mod/forum/discuss.php?d=139103 MSA-09-0024] - Fixed insufficient access control in [[:en:Glossary module|Glossary module]]
* [http://moodle.org/mod/forum/discuss.php?d=139105 MSA-09-0025] - Unneeded MD5 hashes removed from user table
* [http://moodle.org/mod/forum/discuss.php?d=139106 MSA-09-0026] - Fixed invalid application access control in MNET interface
* [http://moodle.org/mod/forum/discuss.php?d=139107 MSA-09-0027] - Ensured login information is always sent secured when using SSL for logins
* [http://moodle.org/mod/forum/discuss.php?d=139110 MSA-09-0028] - Passwords and secrets are no longer ever saved in backups; new capabilities [[:en:Capabilities/moodle/backup:userinfo|moodle/backup:userinfo]] and [[:en:Capabilities/moodle/restore:userinfo|moodle/restore:userinfo]] control who can back up and restore user data
* [http://moodle.org/mod/forum/discuss.php?d=139111 MSA-09-0029] - Enabling a [[:en:Password salting|password salt]] in ''config.php'' is encouraged, and admins are forced to change their password after the upgrade
* [http://moodle.org/mod/forum/discuss.php?d=139120 MSA-09-0031] - Fixed SQL injection in [[:en:SCORM module|SCORM module]]
* In Moodle 1.8.11+ weekly from 23/12/09 onwards: [http://moodle.org/mod/forum/discuss.php?d=139119 MSA-09-0030] - New detection of insecure Flash player plugins, Moodle won't serve Flash to insecure plugins
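MSA-09-0028 above and the functional change about teachers losing the user-data capabilities both come down to one question for a site with custom roles: which roles currently have moodle/backup:userinfo or moodle/restore:userinfo allowed, whether in the role definition or as an override in some course? The following Python script is an added example, not Moodle's own code or a Moodle tool. It assumes the default <code>mdl_</code> table prefix, the role tables of this Moodle generation (<code>mdl_role</code>, <code>mdl_role_capabilities</code>, <code>mdl_context</code>), permission value 1 for CAP_ALLOW and context level 10 for the system context; it runs here against an in-memory SQLite copy of those tables filled with constructed rows.

```python
# Added example, not part of Moodle or of these notes: an audit of which roles
# can back up or restore user data after the upgrade to 1.8.11.
# Assumptions: default "mdl_" table prefix; 1.8/1.9 role tables mdl_role,
# mdl_role_capabilities and mdl_context; permission 1 == CAP_ALLOW;
# contextlevel 10 == system context (where role definitions live), 50 == course.
# The sample rows below are constructed, not taken from any real site.
import sqlite3
from typing import List, Tuple

CAP_ALLOW = 1
CAP_PREVENT = -1
CONTEXT_SYSTEM = 10
CONTEXT_COURSE = 50
USERINFO_CAPS = ("moodle/backup:userinfo", "moodle/restore:userinfo")

# One query serves both the role definitions (system context) and overrides
# lower down; contextlevel tells you which kind of grant you are looking at.
AUDIT_SQL = """
SELECT r.shortname, rc.capability, c.contextlevel, rc.contextid
FROM mdl_role_capabilities rc
JOIN mdl_role r    ON r.id = rc.roleid
JOIN mdl_context c ON c.id = rc.contextid
WHERE rc.capability IN (?, ?) AND rc.permission = ?
ORDER BY r.shortname, rc.capability, c.contextlevel
"""


def roles_allowing_userinfo(conn: sqlite3.Connection) -> List[Tuple[str, str, int, int]]:
    """Every (role shortname, capability, contextlevel, contextid) where one of the
    two user-data capabilities is allowed."""
    return conn.execute(AUDIT_SQL, (*USERINFO_CAPS, CAP_ALLOW)).fetchall()


def unexpected_grants(conn: sqlite3.Connection,
                      trusted_roles: Tuple[str, ...] = ("admin",)) -> List[Tuple[str, str, int, int]]:
    """Grants to any role other than the trusted ones: the rows a site with
    custom roles should review after upgrading."""
    return [row for row in roles_allowing_userinfo(conn) if row[0] not in trusted_roles]


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the three Moodle tables, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE mdl_role (id INTEGER PRIMARY KEY, name TEXT, shortname TEXT);
        CREATE TABLE mdl_context (id INTEGER PRIMARY KEY, contextlevel INTEGER, instanceid INTEGER);
        CREATE TABLE mdl_role_capabilities (id INTEGER PRIMARY KEY, contextid INTEGER,
            roleid INTEGER, capability TEXT, permission INTEGER);
    """)
    conn.executemany("INSERT INTO mdl_role VALUES (?,?,?)", [
        (1, "Administrator", "admin"),
        (3, "Teacher", "editingteacher"),
        (9, "Backup teacher", "backupteacher"),          # a custom role
    ])
    conn.executemany("INSERT INTO mdl_context VALUES (?,?,?)", [
        (1, CONTEXT_SYSTEM, 0),
        (42, CONTEXT_COURSE, 7),                          # one course's context
    ])
    conn.executemany("INSERT INTO mdl_role_capabilities VALUES (?,?,?,?,?)", [
        (1, 1, 1, "moodle/backup:userinfo", CAP_ALLOW),    # admin: expected
        (2, 1, 1, "moodle/restore:userinfo", CAP_ALLOW),   # admin: expected
        (3, 1, 9, "moodle/backup:userinfo", CAP_ALLOW),    # custom role, site-wide
        (4, 42, 3, "moodle/restore:userinfo", CAP_ALLOW),  # override in one course
        (5, 1, 3, "moodle/backup:userinfo", CAP_PREVENT),  # prevented: not reported
    ])
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for shortname, cap, level, ctx in unexpected_grants(db):
        where = "role definition" if level == CONTEXT_SYSTEM else "override in context %d" % ctx
        print("review: %s allows %s (%s)" % (shortname, cap, where))
```

Against a real site, run the same AUDIT_SQL against the Moodle database (substituting the site's own table prefix if it is not <code>mdl_</code>). The security overview report does the equivalent check from within Moodle for moodle/backup:userinfo; the query also catches course-level overrides of moodle/restore:userinfo, which are easy to miss when reviewing role definitions alone.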
<noinclude>
[[fr:Notes de mise à jour de Moodle 1.8.11]]
[[es:Notas de Moodle 1.8.11]]
[[de:Moodle 1.8.11 Versionsinformationen]]
</noinclude>
Latest revision as of 09:06, 25 May 2022