Falling out of supported releases?

by Wen Hao Chuang -
Dear all, I haven't posted here on Moodle.org for a while now; how has everyone been?

So I have two quick questions.

1. Is there a way to find out how many mission-critical, enterprise-level Moodle instances (production) are falling out of the currently supported (including security-only-supported) releases? As of 2017/11/21, I believe that would be any version older than 3.1.9 or 3.2.6.

2. When it comes to "risk management," what are the risks of falling out of the currently supported version? Let's say that we are running a heavily customized Moodle 2.7.x instance: what would the risks be of having the instance hacked by hackers, and how would you manage such risks (if you cannot get your 2.7.x instance upgraded to 3.1.9 or above right away)?

Thanks!

In reply to Wen Hao Chuang

Re: Falling out of supported releases?

by Mathew Gancarz -
Not sure if these are fully correct answers, but my best guesses are below:

1) You could probably figure this out at least partially from https://moodle.net/stats/. Judging by the versions, it looks roughly like 1/3rd of sites are 3.0.x or later at the moment. How many of those are 'mission-critical, enterprise-level' is anyone's guess though, I think. I'm not sure how many admins of sites like that would even admit to being out of date, since that also makes you an obvious target.

2) Look at the security issues fixed in the versions that are missed and extrapolate. Are there serious remotely exploitable server-busting type vulnerabilities fixed, or is it something like a student being able to see other students' email addresses?

For managing risk, you probably won't be able to do much to get around security/privacy level bugs in Moodle, but you should at least harden your servers so that even if someone can run PHP code arbitrarily on your server, they can't get much other than Moodle data, which while still sensitive isn't as bad as getting remote admin on your servers and breaking into everything in your org.

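As an added example (not code from either poster or from the Moodle project), here is a small audit script an admin could run across a fleet: it reads each instance's `version.php`, extracts the `$release` string, and flags the instance against the security-support floors named in the question (3.1.9 and 3.2.6 as of 2017/11/21). The instance names, the `version.php` fragments and the `$version` numbers in the samples are constructed, and branches newer than 3.2 are simply reported as outside the reference data.

```python
"""Flag Moodle instances whose $release has fallen below the security-supported floor."""
import re

# Minimum releases still receiving security fixes on 2017-11-21, as stated in the thread.
# Any branch not listed here (2.7, 3.0, ...) is out of support entirely.
SECURITY_FLOOR = {
    (3, 1): (3, 1, 9),
    (3, 2): (3, 2, 6),
}
# Assumption: branches newer than this are not covered by the reference data above.
NEWEST_KNOWN_BRANCH = (3, 2)

# Moodle's version.php carries a line such as: $release  = '3.1.9+ (Build: 20171110)';
RELEASE_RE = re.compile(r"^\s*\$release\s*=\s*'([^']*)'", re.M)


def parse_release(version_php: str):
    """Return (major, minor, patch) from the $release assignment in version.php text."""
    m = RELEASE_RE.search(version_php)
    if not m:
        raise ValueError("no $release assignment found")
    nums = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", m.group(1))  # tolerates '3.1.9+' and '3.1 (Build...)'
    if not nums:
        raise ValueError(f"unparseable release string: {m.group(1)!r}")
    major, minor, patch = nums.groups()
    return int(major), int(minor), int(patch or 0)


def support_status(release):
    """Classify a (major, minor, patch) release against SECURITY_FLOOR."""
    branch = release[:2]
    if branch > NEWEST_KNOWN_BRANCH:
        return "newer than reference data; check moodle.org release notes"
    floor = SECURITY_FLOOR.get(branch)
    if floor is None:
        return "branch out of support (no security fixes)"
    if release < floor:
        return "security-supported branch but missing fixes; upgrade to " + ".".join(map(str, floor))
    return "security-supported"


def audit(instances):
    """instances: {name: version.php contents} -> {name: (release tuple, status string)}."""
    return {name: (parse_release(src), support_status(parse_release(src))) for name, src in instances.items()}


# Constructed sample version.php fragments for three hypothetical instances.
SAMPLES = {
    "lms-prod": "<?php\n$version  = 2014051205.00;\n$release  = '2.7.5 (Build: 20141110)';\n$branch   = '27';\n",
    "lms-staging": "<?php\n$version  = 2016052308.00;\n$release  = '3.1.8 (Build: 20171012)';\n$branch   = '31';\n",
    "lms-new": "<?php\n$version  = 2016120506.00;\n$release  = '3.2.6+ (Build: 20171110)';\n$branch   = '32';\n",
}

if __name__ == "__main__":
    for name, (rel, status) in audit(SAMPLES).items():
        print(f"{name}: {'.'.join(map(str, rel))} -> {status}")
```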