Note:

If you want to create a new page for developers, you should create it on the Moodle Developer Resource site.

Moodle 1.8.11 release notes

From MoodleDocs
Revision as of 10:17, 1 December 2009 by Gisela Hillenbrand (talk | contribs)

Release date: 25th November 2009

Important: Upgrading is very highly recommended!

Here is the full list of fixed issues in 1.8.11.

Functional changes

  • After upgrading, admins will be asked to change their passwords next time they log in (manual or email based self-registration accounts only).
  • To reduce the risk of password theft, a password salt is set in config.php in new installs and for upgrades, admins are sent an email recommending that they do so.
  • Teachers lose permission to include ANY user data in a course backup or restore a course including user data due to new capabilities moodle/backup:userinfo and moodle/restore:userinfo which are not set for the default role of teacher. Sites with custom roles should check permissions carefully.
  • Hashed user passwords are no longer saved in backup files containing user data. If a backup is restored to a new site, users will be asked to go through the "forgot my password" routine the first time they log in.

Security issues

  • Passwords and secrets are no longer ever saved in backups
  • New backup capabilities moodle/backup:userinfo and moodle/restore:userinfo for controlling who can backup/restore user data
  • Enabling password salt in encouraged in config.php
  • Admins are forced to change password after the upgrade
  • Unneeded MD5 hashes removed from user table
  • Fixed invalid application access control in MNET interface
  • Multiple CSRF problems fixed
  • Fixed user account disclosure in LAMS module
  • Fixed insufficient access control in glossary
  • Ensured login information is always sent secured when using SSL for logins
  • Fixed SQL injection in SCORM module