Hi
there is a list of security issues here:
https://moodle.org/mod/forum/view.php?id=7128
every secutiry issue is resolved by a path of code files.
I currently have moodle 2.7.0
will these pathes that fix these security issues be part of the next versions of moodle ? 2.8 etc ?
because I really don't want to make core changes that will be overwritten next time I upgrade my moodle.
If you click on any of those security issues, you'll see in which Moodle version they were fixed. Generally-speaking, if you are running a "supported" version of Moodle, You can patch the security issues by upgrading to the latest in that version. For example, you are running Moodle 2.7.0. The security issues will be fixed if you upgrade to Moodle 2.7.7+. Doing so should be a minor upgrade that shouldn't make any major changes to the way Moodle works.
And if you were to want to upgrade to 2.8, as long as you upgraded to 2.8.5+ and not 2.8.0 the security issues would be fixed in that version as well.
Best advice to keeping hackers out of Moodle: keep the environment patched, upgrade to a supported Moodle version, upgrade to the latest release in that version as soon as security issues are announced.
what's weird is that it doesn't imply that all next versions will be fixed.
this one for example:
https://moodle.org/mod/forum/discuss.php?d=307382
says:
"Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier unsupported versions"
"Versions fixed: 2.8.4, 2.7.6 and 2.6.9"
can I conclude that my version, 2.7.0 , includes this fix ?
can conclude that 2.8.0 includes this fix ?
seems not
No - 2.8.0 is not necessarily a 'next' version after 2.7.6 in those terms as it will have been created chronologically earlier.
You need to upgrade to the latest version of whatever branch you are using, so if you are on the 2.7.x branch, upgrade to the latest 2.7.x - currently I think thats 2.7.7+ which will have all those fixes in.
So if you are moving from 2.7.x (or 2.6.x) -> 2.8, you wouldn't choose to go to 2.8.0, you'd go directly to 2.8.5+ (currently), which would then contain those security fixes brought out by that point.
You need to consider 'next' versions in terms of the actual chronology of creating them and not as a linear sequence of numbers as the version branches will overlap (2.8.0 does not 'follow' 2.7.9, it was probably brought out about the same time as something like 2.7.2). https://docs.moodle.org/dev/Releases#General_release_calendar
so basically the best way to fix the security issues of 2.7.0 is to upgrade to 2.7.5+
did I get that right ?
bearing in mind that currently I cannot upgrade to 2.8.5+ or above (because a lot of code that was built in our department around 2.7... don't ask)
Yes - but I would suggest going to 2.7.8 as that's now the latest version of 2.7 and 2.7 is an LTS version so has extended support for security issues, so should be fine for a while. Just without the additional feature developments that have gone into 2.8/2.9.