This release fixes a major security flaw found in Moodle, which also affects Totara versions 2.4.0 and above. The bug can be exploited without a login and could result in the server being compromised. The issue will be publicly disclosed within a week, so we strongly recommend an immediate upgrade. More information can be found on the Moodle site:
https://moodle.org/news/#p1200747
For customers who are unable to schedule a full upgrade within that timescale, the attached patch files for each of the affected versions can be applied as standalone patches to fix this issue.
Thanks to Russell England for contributing to T-13006 Fixed users in limbo due to facetoface session signup capacity collisions
Here are the changelogs:
Release 2.6.16.1 (2nd February 2015):
==================================================
Security issues:
MDL-48980 Always clean the result from min_get_slash_argument
T-13866 Ensured require_login is called before course visibility checks
Improvements:
T-13873 Added notification that course completion criteria changes will be applied on next cron
Bug Fixes:
T-13755 Fixed link for changing messages preferences in emails sent by the system
T-13871 Fixed display of tabs in course grades Course Outcomes page
T-12741 Converted the SQL params within badges_get_user_badges to named params.
This only affects badges: the badges_get_user_badges function was building
an SQL statement by string concatenation, which could potentially be
exploited if the function were called with unsanitised input. The fix is to
pass the values as named params, and it is entirely constrained within the
function itself, so it should have no impact on functionality or on
customised uses of this function.
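The following is an added illustration of the two query styles described above, written against the Moodle/Totara DML API ($DB->get_records_sql, $DB->sql_like, $DB->sql_like_escape). It is not the project's own badges_get_user_badges code: the function names, the {badge} table layout and the columns used are hypothetical, chosen only to show why concatenation is dangerous and how named params remove the problem.

```php
<?php
// Added example, not Totara/Moodle code. Assumes the Moodle DML API is
// loaded (global $DB) and a hypothetical {badge} table with columns
// id, name and userid. Function names are hypothetical too.

// Vulnerable pattern: caller-supplied values are spliced into the SQL
// text, so the database parses them as part of the statement.
function example_badges_by_concat($userid, $search) {
    global $DB;
    $sql = "SELECT b.id, b.name
              FROM {badge} b
             WHERE b.userid = " . $userid . "
               AND b.name LIKE '%" . $search . "%'";
    // A $search value such as   x%' OR '1'='1   closes the quoted
    // literal and turns the WHERE clause into one that is always true,
    // returning every badge regardless of $userid.
    return $DB->get_records_sql($sql);
}

// Hardened pattern: the SQL text is fixed and only contains named
// placeholders; the values travel separately in $params and are bound
// by the driver, never interpreted as SQL.
function example_badges_by_named_params($userid, $search) {
    global $DB;
    $params = array(
        'userid' => (int) $userid,
        // sql_like_escape() neutralises % and _ so a user cannot widen
        // the LIKE pattern either; the surrounding wildcards are ours.
        'search' => '%' . $DB->sql_like_escape($search) . '%',
    );
    $sql = "SELECT b.id, b.name
              FROM {badge} b
             WHERE b.userid = :userid
               AND " . $DB->sql_like('b.name', ':search', false);
    return $DB->get_records_sql($sql, $params);
}

// Usage: with the hostile $search above, the first function leaks every
// badge, the second returns only rows whose name literally contains the
// string "x%' OR '1'='1" for that user (normally none).
$hostile = "x%' OR '1'='1";
$leaked  = example_badges_by_concat(2, $hostile);
$safe    = example_badges_by_named_params(2, $hostile);
```

The named-params version also keeps the patch self-contained, as the changelog entry says: callers still pass the same arguments, only the internals of the function change, so custom code that already calls it is unaffected.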
T-13899 Fixed weekly scheduling of Reportbuilder reports when using non-English language
If scheduled reports have been sending on every cron run on your site then,
once this patch is installed, they will send one more time on the next cron
run before being correctly rescheduled.
T-13868 Changed display of times to 24-hour format in non-English languages
The %p date format modifier to display AM/PM with time data in the 12-hour
clock format is unreliable across platforms and locales so we have switched
to 24-hour time display for most non-English languages. You can change this
back by making a local language customisation to the
nice_time_in_timezone_format and timedisplay24 strings in
totara_reportbuilder, and the sessiondatetimeformat string in
mod_facetoface, using the formats described here
http://php.net/manual/en/function.strftime.php
T-13006 Fixed users in limbo due to facetoface session signup capacity collisions
It is possible, although highly unlikely, that two users tried to sign up
to the last place in a session at the same time, and one of the users
became stuck in limbo, neither properly assigned nor able to sign up to
another session. This patch fixes existing records and prevents the error
from occurring.
Release 2.5.23.1 (2nd February 2015):
==================================================
Security issues:
MDL-48980 Always clean the result from min_get_slash_argument
T-13866 Ensured require_login is called before course visibility checks
Improvements:
T-13873 Added notification that course completion criteria changes will be applied on next cron
This patch reverts the changes made in patch T-13138. Performing instant
course completion recalculation when changing course completion criteria
could cause performance issues, and be inconsistent with other features,
such as certification completion recalculation.
Bug Fixes:
T-13868 Changed display of times to 24-hour format in non-English languages
The %p date format modifier to display AM/PM with time data in the 12-hour
clock format is unreliable across platforms and locales so we have switched
to 24-hour time display for most non-English languages. You can change this
back by making a local language customisation to the
nice_time_in_timezone_format and timedisplay24 strings in
totara_reportbuilder, and the sessiondatetimeformat string in
mod_facetoface, using the formats described here
http://php.net/manual/en/function.strftime.php
T-13006 Fixed users in limbo due to facetoface session signup capacity collisions
It is possible, although highly unlikely, that two users tried to sign up
to the last place in a session at the same time, and one of the users
became stuck in limbo, neither properly assigned nor able to sign up to
another session. This patch fixes existing records and prevents the error
from occurring.
Release 2.4.26.1 (2nd February 2015):
==================================================
Security issues:
MDL-48980 Always clean the result from min_get_slash_argument
