Security Announcements

 
 
Picture of Helen Foster
MSA-09-0028: Multiple backup/restore related issues
 
Topic: Multiple backup/restore related issues
Severity/Risk: Critical
Versions affected: <1.8.11 and <1.9.7
Reported by: multiple reports
Issue no.: MDL-20838, MDL-20849, MDL-20939, MDL-20932
Solution: upgrade to 1.8.11 or 1.9.7
Workaround: remove backup capability from all users


Description:
User password hashes and secrets are now never included in backup files. There are also new capabilities that control backup/restore of all user information (separately from the course data), and these are off by default. The admin has much better control over who has these capabilities, and the security overview report now gives a comprehensive picture of dangerous roles, overrides, users etc. Even if this capability is enabled, only enrolled users can be included in backup files.