Moodle 3.9.8 release notes: Difference between revisions
m (→Security fixes) |
|||
Line 1: | Line 1: | ||
<p class="note">'''This version of Moodle is no longer supported for general bug fixes.''' You are encouraged to [[:en:Upgrading|upgrade]] to a supported version of Moodle.</p> | <p class="note">'''This version of Moodle is no longer supported for general bug fixes.''' You are encouraged to [[:en:Upgrading|upgrade]] to a supported version of Moodle.</p> | ||
[[Releases]] > {{FULLPAGENAME}} | |||
Release date: 12 July 2021 | Release date: 12 July 2021 | ||
Here is [https://tracker.moodle.org/secure/IssueNavigator!executeAdvanced.jspa?jqlQuery=project+%3D+mdl+AND+resolution+%3D+fixed+AND+fixVersion+in+%28%223.9.8%22%29+ORDER+BY+priority+DESC&runQuery=true&clear=true the full list of fixed issues in 3.9.8]. | Here is [https://tracker.moodle.org/secure/IssueNavigator!executeAdvanced.jspa?jqlQuery=project+%3D+mdl+AND+resolution+%3D+fixed+AND+fixVersion+in+%28%223.9.8%22%29+ORDER+BY+priority+DESC&runQuery=true&clear=true the full list of fixed issues in 3.9.8]. | ||
==Backported bug fixes== | ==Backported bug fixes== | ||
* MDL-68747 - ChartJS quiz overview report should display numerical ranges LTR also for RTL languages | * MDL-68747 - ChartJS quiz overview report should display numerical ranges LTR also for RTL languages | ||
* MDL-71060 - Duplicates 'Current category' text in edit question form | * MDL-71060 - Duplicates 'Current category' text in edit question form | ||
==Security fixes== | ==Security fixes== | ||
* [https://moodle.org/mod/forum/discuss.php?d=424797 MSA-21-0020] SQL injection risk in code fetching enrolled courses | * [https://moodle.org/mod/forum/discuss.php?d=424797 MSA-21-0020] SQL injection risk in code fetching enrolled courses | ||
* [https://moodle.org/mod/forum/discuss.php?d=424798 MSA-21-0021] SQL injection risk in code fetching recent courses | * [https://moodle.org/mod/forum/discuss.php?d=424798 MSA-21-0021] SQL injection risk in code fetching recent courses | ||
Line 22: | Line 19: | ||
* [https://moodle.org/mod/forum/discuss.php?d=424806 MSA-21-0028] IDOR allows removal of other users' calendar URL subscriptions | * [https://moodle.org/mod/forum/discuss.php?d=424806 MSA-21-0028] IDOR allows removal of other users' calendar URL subscriptions | ||
* [https://moodle.org/mod/forum/discuss.php?d=424807 MSA-21-0029] Stored XSS when exporting to data formats supporting HTML via user ID number | * [https://moodle.org/mod/forum/discuss.php?d=424807 MSA-21-0029] Stored XSS when exporting to data formats supporting HTML via user ID number | ||
* [https://moodle.org/mod/forum/discuss.php?d=424808 MSA-21-0030] Insufficient escaping of users' names in account confirmation email | * [https://moodle.org/mod/forum/discuss.php?d=424808 MSA-21-0030] Insufficient escaping of users' names in account confirmation email - Note: If you have customised the language string ''emailconfirmation'', you will need to edit the customisation and remove the placeholder <code>{$a->firstname}</code>. | ||
* [https://moodle.org/mod/forum/discuss.php?d=424809 MSA-21-0031] Messaging email notifications containing HTML may hide the final line of the email | * [https://moodle.org/mod/forum/discuss.php?d=424809 MSA-21-0031] Messaging email notifications containing HTML may hide the final line of the email | ||
==See also== | ==See also== | ||
*[[Moodle 3.9.7 release notes]] | *[[Moodle 3.9.7 release notes]] | ||
[[Category:Release notes]] | [[Category:Release notes]] | ||
[[Category:Moodle 3.9]] | [[Category:Moodle 3.9]] | ||
[[fr:Notes de mise à jour de Moodle 3.9.8]] | [[fr:Notes de mise à jour de Moodle 3.9.8]] | ||
[[es:Notas de Moodle 3.9.8]] | [[es:Notas de Moodle 3.9.8]] |
Revision as of 03:45, 14 September 2021
This version of Moodle is no longer supported for general bug fixes. You are encouraged to upgrade to a supported version of Moodle.
Release date: 12 July 2021
Here is the full list of fixed issues in 3.9.8.
Backported bug fixes
- MDL-68747 - ChartJS quiz overview report should display numerical ranges LTR also for RTL languages
- MDL-71060 - Duplicates 'Current category' text in edit question form
Security fixes
- MSA-21-0020 SQL injection risk in code fetching enrolled courses
- MSA-21-0021 SQL injection risk in code fetching recent courses
- MSA-21-0022 Remote code execution risk when Shibboleth authentication is enabled
- MSA-21-0023 Recursion denial of service possible due to recursive cURL in file repository
- MSA-21-0024 Blind SSRF possible against cURL blocked hosts via redirect
- MSA-21-0025 Messaging web service allows deletion of other users' messages
- MSA-21-0028 IDOR allows removal of other users' calendar URL subscriptions
- MSA-21-0029 Stored XSS when exporting to data formats supporting HTML via user ID number
- MSA-21-0030 Insufficient escaping of users' names in account confirmation email - Note: If you have customised the language string emailconfirmation, you will need to edit the customisation and remove the placeholder {$a->firstname}.
- MSA-21-0031 Messaging email notifications containing HTML may hide the final line of the email