| Topic: | Unneeded MD5 hashes removed from user table |
| Severity/Risk: | Major |
| Versions affected: | <1.8.11 and <1.9.7 |
| Reported by: | internal code review |
| Issue no.: | MDL-20934 |
| Solution: | upgrade to 1.8.11 or 1.9.7 |
| Workaround: | none |
Description:
All authentication plugins except LDAP were storing md5 hashes of passwords in the user table, but these "cached" hashes were only actually used in some authentication plugins. We have now replaced md5 hashes with 'not cached' flag in all external authentication types. Please note this change may break backwards compatibility and some 3rd party modifications. If you have any custom code using this field in the table it will need to be rewritten.