Note:

If you want to create a new page for developers, you should create it on the Moodle Developer Resource site.

Moodle 1.8.11 release notes: Difference between revisions

From MoodleDocs
mNo edit summary
m (Protected "Moodle 1.8.11 release notes": Developer Docs Migration ([Edit=Allow only administrators] (indefinite)))
 
(9 intermediate revisions by 5 users not shown)
Line 1: Line 1:
{{Template:Migrated|newDocId=/general/releases/1.8/1.8.11}}
Release date: 25th November 2009
Release date: 25th November 2009
'''Important''':  Upgrading is very highly recommended!


Here is [http://tracker.moodle.org/browse/MDL/fixforversion/10383 the full list of fixed issues in 1.8.11].  
Here is [http://tracker.moodle.org/browse/MDL/fixforversion/10383 the full list of fixed issues in 1.8.11].  


===Functional changes===
===Functional changes===
* To force users to use stronger passwords that are less susceptible to being cracked the [[Password policy|password policy]] is enabled by default in new installs, and switched on when upgrading.
:Admins can review their password policy in ''Administration > Security > [[Site policies]]''. The default policy requires passwords of at least 8 characters long and containing at least 1 digit, 1 lower case letter, 1 upper case letter and 1 non-alphanumeric character.


* After upgrading, admins will be asked to change their passwords next time they log in (manual or email based self-registration accounts only).
* After upgrading, admins will be asked to change their passwords next time they log in (manual or email based self-registration accounts only).
 
* To reduce the risk of password theft, a [[:en:Password salting|password salt]] is set in ''config.php'' in new installs and for upgrades, admins are sent an email recommending that they do so.
* To reduce the risk of password theft, a [[Password salting|password salt]] is set in ''config.php'' in new installs and for upgrades, admins are sent an email recommending that they do so.
* Teachers lose permission to include ANY user data in a course backup or restore a course including user data due to new capabilities  [[:en:Capabilities/moodle/backup:userinfo|moodle/backup:userinfo]] and [[:en:Capabilities/moodle/restore:userinfo|moodle/restore:userinfo]] which are not set for the default role of teacher. Sites with custom roles should check permissions carefully.
 
* Teachers lose the ability to include user data in a course backup or restore a course including user data due to new capabilities  [[Capabilities/moodle/backup:userinfo|moodle/backup:userinfo]] and [[Capabilities/moodle/restore:userinfo|moodle/restore:userinfo]] which are not set for the default role of teacher. Sites with custom roles should check permissions carefully.
 
* Hashed user passwords are no longer saved in backup files containing user data. If a backup is restored to a new site, users will be asked to go through the "forgot my password" routine the first time they log in.
* Hashed user passwords are no longer saved in backup files containing user data. If a backup is restored to a new site, users will be asked to go through the "forgot my password" routine the first time they log in.
* In Moodle 1.8.11+ weekly from 23/12/09 onwards: Moodle will no longer serve any uploaded Flash files to browsers with old Flash plugins. Admins can set the minimum required Flash player version in ''Site Administration > Security > HTTP Security''.


===Security issues===
===Security issues===


* Multiple password related issues - [[Password policy|password policy]] enabled by default, [[Password salting|password salt]] in ''config.php'', forced admin password change, force password change option in [[Bulk user actions]]
* [http://moodle.org/mod/forum/discuss.php?d=139100 MSA-09-0022] - Multiple CSRF problems fixed
* Multiple backup/restore related issues - new capabilities [[Capabilities/moodle/backup:userinfo|moodle/backup:userinfo]] and [[Capabilities/moodle/restore:userinfo|moodle/restore:userinfo]] for controlling who can backup/restore user data, passwords no longer saved in backups
* [http://moodle.org/mod/forum/discuss.php?d=139102 MSA-09-0023] - Fixed user account disclosure in [[:en:LAMS module|LAMS module]]
 
* [http://moodle.org/mod/forum/discuss.php?d=139103 MSA-09-0024] - Fixed insufficient access control in [[:en:Glossary module|Glossary module]]
''Additional issues to follow.''
* [http://moodle.org/mod/forum/discuss.php?d=139105 MSA-09-0025] - Unneeded MD5 hashes removed from user table
 
* [http://moodle.org/mod/forum/discuss.php?d=139106 MSA-09-0026] - Fixed invalid application access control in MNET interface
* [http://moodle.org/mod/forum/discuss.php?d=139107 MSA-09-0027] - Ensured login information is always sent secured when using SSL for logins
* [http://moodle.org/mod/forum/discuss.php?d=139110 MSA-09-0028] - Passwords and secrets are no longer ever saved in backups, new backup capabilities [[:en:Capabilities/moodle/backup:userinfo|moodle/backup:userinfo]] and [[:en:Capabilities/moodle/restore:userinfo|moodle/restore:userinfo]] for controlling who can backup/restore user data
* [http://moodle.org/mod/forum/discuss.php?d=139111 MSA-09-0029] - Enabling a [[:en:Password salting|password salt]] in encouraged in ''config.php'' and admins are forced to change password after the upgrade
* [http://moodle.org/mod/forum/discuss.php?d=139120 MSA-09-0031] - Fixed SQL injection in [[:en:SCORM module|SCORM module]]
* In Moodle 1.8.11+ weekly from 23/12/09 onwards: [http://moodle.org/mod/forum/discuss.php?d=139119 MSA-09-0030] - New detection of insecure Flash player plugins, Moodle won't serve Flash to insecure plugins
<noinclude>
<noinclude>


Line 30: Line 33:
[[fr:Notes de mise à jour de Moodle 1.8.11]]
[[fr:Notes de mise à jour de Moodle 1.8.11]]
[[es:Notas de Moodle 1.8.11]]
[[es:Notas de Moodle 1.8.11]]
[[de:Moodle 1.8.11 Versionsinformationen]]
</noinclude>
</noinclude>

Latest revision as of 09:06, 25 May 2022

Important:

This content of this page has been updated and migrated to the new Moodle Developer Resources. The information contained on the page should no longer be seen up-to-date.

Why not view this page on the new site and help us to migrate more content to the new site!

Release date: 25th November 2009

Important: Upgrading is very highly recommended!

Here is the full list of fixed issues in 1.8.11.

Functional changes

  • After upgrading, admins will be asked to change their passwords next time they log in (manual or email based self-registration accounts only).
  • To reduce the risk of password theft, a password salt is set in config.php in new installs and for upgrades, admins are sent an email recommending that they do so.
  • Teachers lose permission to include ANY user data in a course backup or restore a course including user data due to new capabilities moodle/backup:userinfo and moodle/restore:userinfo which are not set for the default role of teacher. Sites with custom roles should check permissions carefully.
  • Hashed user passwords are no longer saved in backup files containing user data. If a backup is restored to a new site, users will be asked to go through the "forgot my password" routine the first time they log in.
  • In Moodle 1.8.11+ weekly from 23/12/09 onwards: Moodle will no longer serve any uploaded Flash files to browsers with old Flash plugins. Admins can set the minimum required Flash player version in Site Administration > Security > HTTP Security.

Security issues

Retrieved from "https://docs.moodle.org/dev/index.php?title=Moodle_1.8.11_release_notes&oldid=62795"
Powered by MediaWiki