3.1.4 - new security Announcement: MDL-57597 and MDL-57596 competency

by Monica Franz -
Number of replies: 7

Hi,

As we upgraded to 3.1.4 from 2.7 last week, I would like to know if we can just deactivate the competency feature in our Moodle site, to avoid the security problems mentioned in the security announcement:

MSA-17-0009: XSS in attachments to evidence of prior learning

MSA-17-0008: XSS in evidence of prior learning

Global search and web services are deactivated for the other problems mentioned in the announcements.

Thanks for answering in advance.

Cheers,

Monica

In reply to Monica Franz

Re: 3.1.4 - new security Announcement: MDL-57597 and MDL-57596 competency

by Ken Task -

While I can't really (officially) respond to the question, I thought maybe there would be a way to get the fixes you need without much fuss/muss, but it depends upon the response to the next question:

Was the upgrade of your site performed by using Git?

If so, it's trivial to get the latest/secure code at any time and as soon as the fixes are provided.

XSS-type issues are particularly nasty in that they can be initiated remotely by anyone with intent and from their own workstation if that's what they choose. This is to say, even in server logs, it might look like any student or a Google/Bing/other search engine directed 'visitor'.

'spirit of sharing', Ken


In reply to Ken Task

Re: 3.1.4 - new security Announcement: MDL-57597 and MDL-57596 competency

by Monica Franz -

Hi Ken,

unfortunately we aren't using Git!

That's why I thought that the easiest way is to deactivate competency as it is a new feature for us and I don't think a lot of courses have this in use yet.

Cheers,

Monica

In reply to Monica Franz

Re: 3.1.4 - new security Announcement: MDL-57597 and MDL-57596 competency

by Mike Churchward -

Your safest path would be to upgrade once more, to 3.1.5. It only contains fixes and minor improvements - http://docs.moodle.org/dev/Moodle_3.1.5_release_notes

It won't take long to upgrade at all.

mike

In reply to Mike Churchward

Re: 3.1.4 - new security Announcement: MDL-57597 and MDL-57596 competency

by Monica Franz -

Hi Mike,

As we only have fixed dates for shutting down Moodle for updates, this isn't an option at the moment.

That's why I thought I could deactivate competency for the meantime.


Cheers,

Monica

In reply to Monica Franz

Re: 3.1.4 - new security Announcement: MDL-57597 and MDL-57596 competency

by Mike Churchward -

It's reasonable to have fixed dates for updates. But it also makes sense to allow a policy for emergency situations. I think security issues would classify as that. You may want to push your organization to allow for such situations.

I'm not sure if deactivating competencies is enough or not. It seems like it should be.

mike

In reply to Mike Churchward

Re: 3.1.4 - new security Announcement: MDL-57597 and MDL-57596 competency

by Marina Glancy -

This was not an emergency release, this was a planned bi-monthly minor release of Moodle that contains security fixes. I can recommend you to have your fixed dates for upgrades to match Moodle minor releases. Our schedule is very simple - second Monday of odd months - January, March, May, July, September and November.

If you do not use competencies in your institution, by all means disable them in Site administration > Competencies > Competencies settings. You don't want to confuse students/teachers with options in the menu that do not match your policies.

If you do use competencies, you can disable only "Evidence of prior learning" as a temporary workaround. You can do it by removing the capability moodle/competency:userevidencemanageown from the authenticated user role.
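A way for an administrator to verify that the workaround above is actually in effect, written as an added example for this thread rather than code from the forum posters or from Moodle core: a small Moodle CLI script that reports whether competencies are enabled at all and which roles with the "authenticated user" archetype still grant moodle/competency:userevidencemanageown at the system context, and that removes the grant only when run with --fix. The file location (admin/cli/check_userevidence.php under the Moodle root, so that config.php is two directories up) is an assumption; the calls it makes (cli_get_params, cli_writeln, core_competency\api::is_enabled, get_archetype_roles, unassign_capability, the role and role_capabilities tables) are standard Moodle 3.1-era APIs.

```php
<?php
// Added example (not from the thread or from Moodle core): check, and optionally
// apply, the "remove moodle/competency:userevidencemanageown from the
// authenticated user role" workaround for MSA-17-0008 / MSA-17-0009.
//
// Assumed location: <moodleroot>/admin/cli/check_userevidence.php
// Usage:  php admin/cli/check_userevidence.php          (report only, exit 1 if exposed)
//         php admin/cli/check_userevidence.php --fix    (also remove the grant)

define('CLI_SCRIPT', true);
require(__DIR__ . '/../../config.php');          // assumed path to config.php
require_once($CFG->libdir . '/clilib.php');

list($options, $unrecognized) = cli_get_params(
    ['fix' => false, 'help' => false],
    ['h' => 'help']
);
if ($options['help']) {
    cli_writeln("Report roles that grant evidence-of-prior-learning management. Use --fix to remove the grant.");
    exit(0);
}

$capability = 'moodle/competency:userevidencemanageown';

// 1. If the competency subsystem is disabled site-wide (Site administration >
//    Competencies > Competencies settings), evidence of prior learning is
//    unreachable and there is nothing more to check.
if (!\core_competency\api::is_enabled()) {
    cli_writeln("Competencies are disabled site-wide; evidence of prior learning is not reachable.");
    exit(0);
}
cli_writeln("Competencies are enabled; checking who may manage their own evidence of prior learning.");

// 2. Collect every role that ALLOWS the capability at the system context.
//    role_capabilities rows: roleid, contextid, capability, permission.
$syscontext = context_system::instance();
$roles = $DB->get_records('role');                 // keyed by role id
$grants = $DB->get_records('role_capabilities',
    ['capability' => $capability, 'contextid' => $syscontext->id]);

$allowing = [];
foreach ($grants as $grant) {
    if ((int)$grant->permission === CAP_ALLOW) {
        $name = isset($roles[$grant->roleid]) ? $roles[$grant->roleid]->shortname : "role id {$grant->roleid}";
        $allowing[$grant->roleid] = $name;
    }
}

// 3. Only roles with the 'user' archetype (the "Authenticated user" role on a
//    default site) are the concern here: every logged-in account holds them.
$authroles = get_archetype_roles('user');          // keyed by role id
$exposed = array_intersect_key($allowing, $authroles);

if (empty($exposed)) {
    cli_writeln("OK: no authenticated-user role grants {$capability} at the system context.");
    exit(0);
}

foreach ($exposed as $roleid => $shortname) {
    cli_writeln("WARNING: role '{$shortname}' (id {$roleid}) still allows {$capability}.");
}

if (!$options['fix']) {
    cli_writeln("Re-run with --fix to remove the capability from these roles.");
    exit(1);
}

// 4. Remove the role's definition of the capability. With no context argument,
//    unassign_capability() drops the role's entries for this capability in all
//    contexts and clears the access caches.
foreach ($exposed as $roleid => $shortname) {
    unassign_capability($capability, $roleid);
    cli_writeln("Removed {$capability} from role '{$shortname}' (id {$roleid}).");
}
exit(0);
```

The script is deliberately read-only unless --fix is passed, so it can be run from a monitoring job after the temporary workaround is applied (and again after the later upgrade to a fixed release) to confirm the grant has not been reintroduced, for example by a role reset to its archetype defaults. It checks the system context only, which is where the default role definitions live; a course-level override that re-allows the capability would need a separate query against role_capabilities for that context.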

In reply to Marina Glancy

Re: 3.1.4 - new security Announcement: MDL-57597 and MDL-57596 competency

by Monica Franz -

Hi Marina,

thank you very much for the explanations (minor release schedule and capability, etc.)

Cheers,

Monica