Release date: Not yet released

Highlights

• MDL-20591 - IMS Common Cartridge import (requires enabling in Site Administration > Miscellaneous > Experimental)
• MDL-13049 Workshop module finally pushes grades into Gradebook during Synchronize legacy grades procedure
• Miscellaneous Workshop module fixes (MDL-20668, MDL-7218, MDL-20827)

Security issues

This release contains a lot of security and privacy fixes related to the handling of user data and passwords in Moodle backups, MDL-20851 (currently with security level setting which restricts access).

• MDL-20838 Hashed user passwords are no longer saved in backup files containing user data

If anyone really needs passwords to be saved (in rare case of restoring a backup with user data to a different site) $CFG->includeuserpasswordsinbackups may be added to config.php.

• MDL-20846 Restore has been fixed to cope with missing user password hashes in backups containing new user data. It will set the password to a special value that prevents login. The next time that user tries to log in with their username on this new site they get an explanation and are led through the standard password recovery process.
• MDL-20844 We no longer include course+group enrolment keys in backups, unless 'includecoursepasswordsinbackup' is set. Instead, put in a marker to show that there was a key at some point.
• MDL-20866 Restore is fixed to cope with missing course+group enrolment keys. The restore routine will now inform the user about it and ask them to type in new keys.
• MDL-18807 We try to ensure that $CFG->passwordsaltmain is set in config.php, so that passwords are stored more securely in the database. (We can't save the salt itself in the database, in case it got hacked and changed, so we need the admin to add it manually). We do this during install in the automatic config.php, and also by annoying the admin to add it to config.php, via messaging, security report, upgrade notice etc. I'd stop short of making the site dead until it's added, though it's an option.
• MDL-20834 For privacy, we now allow admins to choose whether teachers can export user data. We implemented a new capability to allow teachers to include any user data in backups at all, called moodle/backup:userinfo. This is not allowed by default, so that admin needs to turn it on explicitly. It should be labelled with risks, and the security report should also warn about roles that have it.
• MDL-20849 We have implemented a new capability to allow teachers to restore user data (including creation of new users if required), called moodle/restore:userinfo. Not allowed by default, as above.
• MDL-20854 To remove possible passwords hidden in existing backups, we have implemented a cleanup script to process existing backup files in moodledata and delete all password hashes from them.
• MDL-18006 To improve password quality and reduce the chance of md5 lookup attack, the password policy is enabled by default in new installs, and switched on during upgrade to 1.9.7.
• MDL-20853 To protect sites from old backups that are not accessible to Moodle, all admins are forced to recreate their passwords after upgrade to 1.9.7 or later. This is done by setting auth_forcepasswordchange of those users, so that they are prompted to change their passwords on the next login (with the new password policy and hopefully salt).
• MDL-19608 To assist admins who might want to force their users to reset their passwords, a force password change option is available in Bulk user actions

New language pack

• Dhivehi - Ahmed Shareef, Moosa Ali, Amir Hussein

(See Translation credits for additional details.)

See also

• Moodle 1.9.6 release notes