Description:
Older Flash versions that do not respect the download http header may be used to gain unauthorised access. Moodle is now able to detect obsolete and vulnerable Flash plugin versions. Moodle will actually refuse to send uploaded files to older Flash plugins and will instead send an alternative Flash file that asks users to upgrade. All administrators and teachers should upgrade their computers as soon as possible.

Description:
All authentication plugins except LDAP were storing md5 hashes of passwords in the user table, but these "cached" hashes were only actually used in some authentication plugins. We have now replaced md5 hashes with 'not cached' flag in all external authentication types. Please note this change may break backwards compatibility and some 3rd party modifications. If you have any custom code using this field in the table it will need to be rewritten.

Description:
Andrea Tuccia discovered escaping issue when processing AICC CRS file (Course_Title). The problem is marked as minor because only trusted users are allow to upload SCORM packages.

Description:
Administrators are now forced to change their password after upgrading. The installer now puts a random password salt into config.php, existing sites notify administrators to configure the salt via security overview reports. Strong password policy is now enabled by default. Only internal authentication plugins now store password hashes in user table, cached hashes are removed for all external plugins (though the LDAP plugin already had the option to prevent passwords in user table). Bulk user actions now contain an option to force password change.

Description:
User password hashes and secrets are now never included in backup files. There are also new capabilities that control backup/restore of all user information (separately from the course data), and these are off by default. The admin has much better control over who has these capabilities, and the security overview report now gives a comprehensive picture of dangerous roles, overrides, users etc. Even if this capability is enabled, only enrolled users can be included in backup files.

Description:
Mike Churchward described a potential problem and proposed a solution that prevents sending of password via unsecured connection when SSL required only for logins.

Description:
Adrian Schlegel reported a serious problem in the MNET implementation allowing execution of any MNET function from all registered remote servers. The server is vulnerable only when MNET services are enabled on the server.

Description:
We have discovered that insufficient access control may allow unauthorised users to view glossary entries.

Description:
LAMS module code discloses username, firstname and lastname database fields from user table. This information could be used in other types of attacks.

Description:
We have discovered and fixed multiple cross site request forgery (CSRF) problems during internal code review.