Note:

If you want to create a new page for developers, you should create it on the Moodle Developer Resource site.

Moodle 1.8.11 release notes

From MoodleDocs
Revision as of 14:42, 23 November 2009 by Helen Foster (talk | contribs) (→‎Security issues: MDL-9251)

Release date: Not yet released

Security issues

This release contains a lot of security and privacy fixes related to the handling of user data and passwords in Moodle backups, MDL-20851. (Note that MDL-20851 and all the following security issues currently have a security level setting which restricts access).

  • MDL-20838 Hashed user passwords are no longer saved in backup files containing user data.
If anyone really needs passwords to be saved (in rare case of restoring a backup with user data to a different site) $CFG->includeuserpasswordsinbackups may be added to config.php.
  • MDL-20846 - Restore has been fixed to cope with missing user password hashes in backups containing new user data. It will set the password to a special value that prevents login. The next time that user tries to log in with their username on this new site they get an explanation and are led through the standard password recovery process.
  • MDL-18807 To greatly reduce the risk of password theft, a password salt is set in config.php when installing 1.8.11 and for upgrades, a notification message strongly recommends admins to set a password salt. In addition, the security overview report gives a warning if no password salt has been set.
  • MDL-20834 - A new capability moodle/backup:userinfo allows admins to choose whether teachers can include user data in a course backup. The capability is allowed for the default admin role only. The security overview report warns of roles with the capability allowed.
  • MDL-20849 - A new capability moodle/restore:userinfo allows admins to choose whether teachers can restore user data from a course backup (including the possible creation of new users). The capability is allowed for the default admin role only.
  • MDL-20853 To protect sites from old backups that are not accessible to Moodle, after upgrading to 1.8.11, admins are prompted to change their password on next login.
  • MDL-9251 - The option to backup a course with all users on the site is only available to users with the capability moodle/site:backup in the system context. Similarly, the option to restore a course with all users on the site is only available to users with the capability moodle/site:restore in the system context.

More issues to be listed soon...

Retrieved from "https://docs.moodle.org/dev/index.php?title=Moodle_1.8.11_release_notes&oldid=25474"
Powered by MediaWiki