This release fixes a major security flaw found in Moodle which also affects Totara version 2.4.0 and above. The bug can be exploited without a login and could result in the server being compromised. The issue will be publicly disclosed within a week, so we strongly recommend an immediate upgrade. More information can be found on the Moodle site:
https://moodle.org/news/#p1200747
For customers who are unable to schedule a full upgrade within that timescale the attached patch files for each of the affected versions can be applied as a standalone patch to fix this issue.
Thanks to Russell England for contributing to T-13006 (Fixed users in limbo due to facetoface session signup capacity collisions).
Here are the changelogs:
Release 2.6.16.1 (2nd February 2015):
==================================================

Security issues:

T-13866 Ensured require_login is called before course visibility checks

Improvements:

T-13873 Added notification that course completion criteria changes will be applied on next cron

Bug Fixes:

T-13755 Fixed link for changing messages preferences in emails sent by the system
T-13871 Fixed display of tabs in course grades Course Outcomes page
T-12741 Converted the SQL params within badges_get_user_badges to named params.

    Only affects badges - the badges_get_user_badges function is using
    concatenation to form an SQL statement, an action which could potentially
    be exploited if this function is called incorrectly. The fix is to use
    named params and is entirely constrained within the function itself. It
    should have no impact on functionality or customised uses of this function.

T-13899 Fixed weekly scheduling of Reportbuilder reports when using non-English language

    If scheduled reports have been sending on every cron run on your site
    then, once this patch is installed, they will send one more time on the
    next cron run before being correctly rescheduled.

T-13868 Changed display of times to 24-hour format in non-English languages

    The %p date format modifier to display AM/PM with time data in the
    12-hour clock format is unreliable across platforms and locales, so we
    have switched to 24-hour time display for most non-English languages.
    You can change this back by making a local language customisation to the
    nice_time_in_timezone_format and timedisplay24 strings in
    totara_reportbuilder, and the sessiondatetimeformat string in
    mod_facetoface, using the formats described here:
    http://php.net/manual/en/function.strftime.php

T-13006 Fixed users in limbo due to facetoface session signup capacity collisions

    It is possible, although highly unlikely, that two users tried to sign up
    to the last place in a session at the same time, and one of the users
    became stuck in limbo, neither properly assigned nor able to sign up to
    another session. This patch fixes existing records and prevents the error
    from occurring.
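The T-12741 entry above describes the general pattern rather than showing it. The following is an added example (not Totara's or Moodle's own code) contrasting a query built by string concatenation with the same query passed through Moodle's DML layer using named parameters; the table and column names are assumptions modelled on the Moodle badge tables, and the function names are hypothetical.

```php
<?php
// Added example, not Totara's or Moodle's code: the difference between
// building SQL text by concatenation and binding values as named params
// through the Moodle DML layer ($DB). Table/column names are assumptions.

defined('MOODLE_INTERNAL') || die();

/**
 * Fragile pattern: the caller-supplied value is spliced into the SQL text.
 * This is only safe while every caller passes a well-typed integer; a value
 * such as "1 OR 1=1" would change the meaning of the statement, which is the
 * "could be exploited if called incorrectly" situation the changelog names.
 */
function example_badges_concatenated($userid, $onlyvisible = true) {
    global $DB;
    $sql = "SELECT bi.id, bi.badgeid, bi.dateissued
              FROM {badge_issued} bi
             WHERE bi.userid = " . $userid;   // raw interpolation, no binding
    if ($onlyvisible) {
        $sql .= " AND bi.visible = 1";
    }
    return $DB->get_records_sql($sql);
}

/**
 * Hardened pattern: the SQL text is constant and every value travels as a
 * named parameter (:name), so the driver binds it as data and it can never
 * be parsed as SQL, whatever the caller passes in.
 */
function example_badges_named_params($userid, $onlyvisible = true) {
    global $DB;
    $params = array('userid' => (int)$userid);
    $sql = "SELECT bi.id, bi.badgeid, bi.dateissued
              FROM {badge_issued} bi
             WHERE bi.userid = :userid";
    if ($onlyvisible) {
        $sql .= " AND bi.visible = :visible";
        $params['visible'] = 1;
    }
    // Moodle raises a dml_exception if the placeholders and $params disagree,
    // which catches a mismatched edit at development time rather than silently.
    return $DB->get_records_sql($sql, $params);
}
```

The hardened form keeps the change inside the function, as the changelog notes: callers see the same signature and the same records, only the way the values reach the database changes.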
Release 2.5.23.1 (2nd February 2015):
==================================================

Security issues:

MDL-48980 Always clean the result from min_get_slash_argument
T-13866 Ensured require_login is called before course visibility checks

Improvements:

T-13873 Added notification that course completion criteria changes will be applied on next cron

    This patch reverts the changes made in patch T-13138. Performing instant
    course completion recalculation when changing course completion criteria
    could cause performance issues, and be inconsistent with other features,
    such as certification completion recalculation.

Bug Fixes:

T-13868 Changed display of times to 24-hour format in non-English languages

    The %p date format modifier to display AM/PM with time data in the
    12-hour clock format is unreliable across platforms and locales, so we
    have switched to 24-hour time display for most non-English languages.
    You can change this back by making a local language customisation to the
    nice_time_in_timezone_format and timedisplay24 strings in
    totara_reportbuilder, and the sessiondatetimeformat string in
    mod_facetoface, using the formats described here:
    http://php.net/manual/en/function.strftime.php

T-13006 Fixed users in limbo due to facetoface session signup capacity collisions

    It is possible, although highly unlikely, that two users tried to sign up
    to the last place in a session at the same time, and one of the users
    became stuck in limbo, neither properly assigned nor able to sign up to
    another session. This patch fixes existing records and prevents the error
    from occurring.
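The T-13006 entry (listed for both 2.6.16.1 and 2.5.23.1 above) describes a capacity collision: two signups read "one place left" at the same time. The following is an added example, not Totara's patch, showing the check-then-act race and one generic way to serialise it with a row lock inside a Moodle DML transaction; the table and column names (facetoface_sessions.capacity, facetoface_signups.sessionid/userid) and the function names are assumptions for illustration.

```php
<?php
// Added example, not Totara's patch: a session signup written two ways.
// Table and column names are assumptions; $DB is the Moodle DML global.

defined('MOODLE_INTERNAL') || die();

/**
 * Racy version. Two requests can both count "capacity - 1" places taken,
 * both pass the check, and both insert, so the session ends up over capacity
 * and whatever reconciles it afterwards has to pick a user to push out, which
 * is how a user can end up neither assigned nor free to sign up elsewhere.
 */
function example_signup_racy($sessionid, $userid) {
    global $DB;
    $session = $DB->get_record('facetoface_sessions', array('id' => $sessionid), '*', MUST_EXIST);
    $taken = $DB->count_records('facetoface_signups', array('sessionid' => $sessionid));
    if ($taken >= $session->capacity) {
        return false;
    }
    // Window: another request can insert between the count above and this insert.
    $DB->insert_record('facetoface_signups', (object)array(
        'sessionid' => $sessionid, 'userid' => $userid, 'timecreated' => time()));
    return true;
}

/**
 * Serialised version. The parent session row is locked for the duration of
 * the transaction (SELECT ... FOR UPDATE), so a second signup to the same
 * session waits until the first commits and then sees the updated count.
 */
function example_signup_locked($sessionid, $userid) {
    global $DB;
    $transaction = $DB->start_delegated_transaction();
    // Lock the session row; concurrent transactions on the same row block here.
    $session = $DB->get_record_sql(
        "SELECT * FROM {facetoface_sessions} WHERE id = :id FOR UPDATE",
        array('id' => $sessionid), MUST_EXIST);
    // Count is taken after the lock, so it reflects any signup that just committed.
    $taken = $DB->count_records('facetoface_signups', array('sessionid' => $sessionid));
    if ($taken >= $session->capacity) {
        $transaction->allow_commit();   // nothing written; commit just releases the lock
        return false;
    }
    $DB->insert_record('facetoface_signups', (object)array(
        'sessionid' => $sessionid, 'userid' => $userid, 'timecreated' => time()));
    $transaction->allow_commit();
    return true;
}
```

The FOR UPDATE clause is the PostgreSQL/MySQL spelling of a row lock; other database drivers Moodle supports need their own locking hint, and a unique index on (sessionid, userid) is still worth having so a retried request cannot insert the same user twice.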
Release 2.4.26.1 (2nd February 2015):
==================================================

Security issues:

MDL-48980 Always clean the result from min_get_slash_argument