Totara Release Notes

Security Releases for Totara 2.2.39, 2.4.32, 2.5.29, 2.6.22 and 2.7.5 released 21st July 2015

 
Sam Hemelryk
Security Releases for Totara 2.2.39, 2.4.32, 2.5.29, 2.6.22 and 2.7.5 released 21st July 2015
על ידי Sam Hemelryk בתאריך 21/07/2015, 01:07
קבוצה Totara

Hello everyone,

The following versions of Totara have now been released:

  • 2.7.5
  • 2.6.22
  • 2.5.29
  • 2.4.32
  • 2.2.39

These versions do contain security fixes and for this reason we strongly recommend upgrading.
Each release also includes bug fixes and improvements.

Thanks to Sergey Vidusov at Androgogic and Russell England at Vision By Deloitte for their contributions this release.

Changelogs are as follows: 

Release 2.7.5 (21st July 2015):

Security issues:

    TL-5289   Missing database record errors no longer contain the database table name
    TL-6469   Fixed missing session key error when setting up scheduled reports

                   This occurred if a user search resulted in more than one page of results
                   and one of the page links was clicked. Session key checking was also added
                   to the audience dialog on this page.

    TL-6823   Improved access control handling in Appraisal and Feedback360 assignments

                   Two scripts in Appraisal and two scripts in Feedback360 were identified as
                   having insufficient access control checks.
                   This has now being remedied and all required access control checks are now
                   being made in the four identified scripts.

    TL-6927   Fixed incorrect synchronisation of suspended users in course meta enrolments
    TL-6930   Fixed incorrect protocol handling in the curl library

                   Prior to this patch use of CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS
                   were limited by the existence of the CURLOPT_PROTOCOLS define.
                   This restriction has been removed as it was no longer necessary.

    TL-7032   Improved the generation of random strings within core

                   It was brought to our attention that in some situations the random string
                   generation used during processes such as resetting of user passwords could
                   be predicted and possible exploits crafted.
                   Prior to this patch random string generation used the PHP built in mt_rand
                   function.
                   After this change we use a variety of methods and fall back to our own
                   unpredictable generation.

Bug fixes:

    TL-5562   Fixed a potential problem when inserting multiple records in a batch

                   This fixes a potential problem when importing a broken CSV file into course
                   completion and a potential minor problem when upgrading multiple custom
                   menu fields in Facetoface module.

    TL-6338   Fixed behaviour of "send all to waitlist" Facetoface setting when manager approval is required

                   Previously when manger approval was required and the send all to waitlist
                   setting was enabled, when a user request was approved they were then
                   booked. This fixes the behaviour so the user is correctly put onto the
                   waitlist when their request is approved.

    TL-6347   Fixed "Dropdown menu" profile custom fields always saving the first option
    TL-6378   Fixed report builder display of columns showing 0, 0% or No when the data is empty

                   If a database column contains no value and a Reportbuilder report is using
                   a number, time, grade, percentage or yes/no display function then the cell
                   in the report will now show "-" or will be empty, rather than showing 0, 0%
                   or No. If a custom report expected to display 0, 0% or No, then it should
                   be changed to return a value of 0 when the data contains null or an empty
                   string, e.g. "CASE WHEN val IS NULL OR val = '' THEN 0 ELSE val END AS
                   val".

    TL-6513   Fixed issue causing Certification expiry periods to double

                   If the Certification Completion Upload tool was used uploading completion
                   records for users who were already assigned to the Certification, an issue
                   could arise where the life of the certification would be incorrectly
                   doubled.

    TL-6527   Fixed events not being called when audiences were unenrolled from courses

                   Some problems relating to Facetoface events were also fixed,
                   including users not being removed from future sessions when they were
                   removed in bulk from courses, and ensuring that users are only removed once
                   their last enrolment was removed.

                   This patch also includes changes to unenrol_user_bulk to prevent sql errors
                   caused by unassigning huge numbers of users at once, and adds tests to ensure
                   that individual and bulk unassigning is working correctly.

    TL-6709   Fixed wrapping of long question titles in Appraisal PDF exports
    TL-6745   Fixed an access control bug preventing a manager's manager from reviewing a learner's goals in appraisals

                   The permissions checks to determine who can view goals didn't allow a
                   manager's manager to view a learner's goals and incorrectly displayed a
                   permissions error when they tried to do so.

    TL-6774   Fixed the display of buttons on the manage courses and category page

                   If a user didn't have the correct capabilities there would be 3 buttons
                   displayed with the text "Add new category" that didn't function correctly
                   due to a permissions issue. These buttons now only show when a user has the
                   correct permissions and function as expected.

    TL-6776   Fixed fatal error when viewing competency records within a learning plan
    TL-6784   Fixed the display of unassigned programs on the record of learning: programs report

                   The record of learning was not displaying programs assigned via learning
                   plans, or completed programs that the user was unassigned from.

    TL-6786   Fixed empty usernames bug in reports for users uploaded with empty name fields
    TL-6797   Fixed the access denied error message for appraisals
    TL-6799   Fixed course creator role capabilities for managing audiences
    TL-6802   Fixed a fatal error with learning plan enrolments when a course is included in multiple plans
    TL-6808   Fixed missing calendar icon when adding a set completion date to an audiences enrolled learning
    TL-6816   Fixed fatal error on cron task when calling function dp_plan_item_updated
    TL-6818   Fixed handling of Facetoface completion records when changing attendance for a user
    TL-6819   Changes in memcached connection settings are now applied immediately

                   Prior to this patch changes to memcached cache store settings were not
                   applied immediately.
                   These settings are now applied immediately after changing memcached cache
                   store settings.
                   Please note you still need to restart memcached server manually if the data
                   storage format changes.

    TL-6833   Fixed a regression where the definition of user profile fields could not be edited

                   Code changes associated with TL-6600 resulted in a regression being
                   introduced that prevented site administrators from being able to edit the
                   definition of a custom user profile field.

    TL-6940   Fixed permission handling when using multiple hierarchy dialog

                   The multi hierarchy dialog extends the standard hierarchy dialog but fails
                   to pass through the fourth parameter. This causes the permissions to be
                   incorrectly checked resulting in a false permissions error.

    TL-6960   Fixed alignment of row headings in course completion report
    TL-6976   Fixed issue where trainers were unable to annotate PDF's submited as part of an assignment
    TL-6979   Fixed Facetoface archive when certification window period equals active period

                   If a facetoface belonged to course which belonged to a certification, and
                   the certification window open period was the same as the active period,
                   then when the course was reset to allow recertification, the facetoface
                   activity was automatically re-triggering completion and recertification.

    TL-6997   Fix prog_get_all_programs incorrectly applying visibility

                   On sites which had switched from normal visibility settings to using
                   audience-based visibility, if a program had previously been set to
                   "hidden", progress was not being updated when users completed courses.

    TL-7028   Fixed handling of incorrectly defined embedded reports

                   This patch fixed a fatal error that would be experienced on the
                   Reportbuilder manage reports screen if the site contained an incorrectly
                   defined embedded report.
                   This is a regression from performance improvements made in the last minor
                   release.

Improvements:

    TL-5736   Course and certification completion import reports can now filter errors

                   A new 'errors' filter has been added to course and certification completion
                   import reports

    TL-6333   Improved robustness of completion and conditional activities in the SCORM module

                   Under cases of heavy learner load, or a misconfigured server, causing
                   errors and communication timeouts the SCORM instant completion could be
                   fragile, which could cause knock-on problems with the opening of any
                   subsequent conditional activities . These changes minimise the consequences
                   of any communication errors within the SCORM process.

    TL-6573   Improved support for RTL languages in reportbuilder graphs
    TL-6820   Improve performance when approving audience ruleset changes
    TL-6829   Added an option to the SCORM activity to ignore mastery score when saving state

                   Prior to this patch when a SCORM package provided a mastery score, and
                   LMSFinish was called, and if a raw score had been determined then the
                   status was being recalculated using the raw score and the mastery score.
                   Any status provided by the SCORM (including "incomplete") was being
                   overridden.
                   Turning this option off (it is on by default, to maintain previous
                   behaviour) will prevent this override.
                   This is only applicable to SCORM 1.2 packages.

    TL-6932   Added a link to the manage extension page in the program extension request emails
    TL-6933   Fixed a regression that prevented managers from approving Facetoface requests without enrolling into the course

Contributions:
* Sergey Vidusov of Androgogic - TL-6820 * Russell England at Vision By Deloitte - TL-6932

Release 2.6.22 (21st July 2015): Bug fixes: TL-4479 Fixed bug with poorly wrapped forum subjects when sent as an email TL-5552 Fixed manager approval being skipped when changing the date/time of a session TL-5562 Fixed a potential problem when inserting multiple records in a batch This fixes a potential problem when importing a broken CSV file into course completion and a potential minor problem when upgrading multiple custom menu fields in Facetoface module. TL-6513 Fixed issue causing Certification expiry periods to double If the Certification Completion Upload tool was used uploading completion records for users who were already assigned to the Certification, an issue could arise where the life of the certification would be incorrectly doubled. TL-6527 Fixed events not being called when audiences were unenrolled from courses Some problems relating to Facetoface events were also fixed, including users not being removed from future sessions when they were removed in bulk from courses, and ensuring that users are only removed once their last enrolment was removed. This patch also include changes to unenrol_user_bulk to prevent sql errors caused by unassigning huge numbers of users at once, and adds tests to ensure that individual and bulk unassigning is working correctly. TL-6709 Fixed wrapping of long question titles in Appraisal PDF exports TL-6745 Fixed an access control bug preventing a manager's manager from reviewing a learner's goals in appraisals The permissions checks to determine who can view goals didn't allow a manager's manager to view a learner's goals and incorrectly displayed a permissions error when they tried to do so. TL-6774 Fixed the display of buttons on the manage courses and category page If a user didn't have the correct capabilities there would be 3 buttons displayed with the text "Add new category" that didn't function correctly due to a permissions issue. These buttons now only show when a user has the correct permissions and function as expected. TL-6776 Fixed fatal error when viewing competency records within a learning plan TL-6784 Fixed the display of unassigned programs on the record of learning: programs report The record of learning was not displaying programs assigned via learning plans, or completed programs that the user was unassigned from. TL-6799 Fixed course creator role capabilities for managing audiences TL-6802 Fixed a fatal error with learning plan enrolments when a course is included in multiple plans TL-6818 Fixed handling of Facetoface completion records when changing attendance for a user TL-6819 Changes in memcached connection settings are now applied immediately Prior to this patch changes to memcached cache store settings were not applied immediately. These settings are now applied immediately after changing memcached cache store settings. Please note you still need to restart memcached server manually if the data storage format changes. TL-6832 Fixed course breadcrumbs not showing with audience visibility enabled If a course's Visibility was set to Hidden and then Audience Based Visibility was enabled, the breadcrumbs were not showing when a learner viewed the course. TL-6979 Fixed Facetoface archive when certification window period equals active period If a facetoface belonged to course which belonged to a certification, and the certification window open period was the same as the active period, then when the course was reset to allow recertification, the facetoface activity was automatically re-triggering completion and recertification. TL-6997 Fix prog_get_all_programs incorrectly applying visibility On sites which had switched from normal visibility settings to using audience-based visibility, if a program had previously been set to "hidden", progress was not being updated when users completed courses. TL-7028 Fixed handling of incorrectly defined embedded reports This patch fixed a fatal error that would be experienced on the Reportbuilder manage reports screen if the site contained an incorrectly defined embedded report. This is a regression from performance improvements made in the last minor release. Security issues: TL-5289 Missing database record errors no longer contain the database table name TL-6823 Improved access control handling in Appraisal and Feedback360 assignments Two scripts in Appraisal and two scripts in Feedback360 were identified as having insufficient access control checks. This has now being remedied and all required access control checks are now being made in the four identified scripts. TL-6927 Fixed incorrect synchronisation of suspended users in course meta enrolments TL-6930 Fixed incorrect protocol handling in the curl library Prior to this patch use of CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS were limited by the existence of the CURLOPT_PROTOCOLS define. This restriction has been removed as it was no longer necessary. TL-7032 Improved the generation of random strings within core It was brought to our attention that in some situations the random string generation used during processes such as resetting of user passwords could be predicted and possible exploits crafted. Prior to this patch random string generation used the PHP built in mt_rand function. After this change we use a variety of methods and fall back to our own unpredictable generation. Improvements: TL-5736 Course and certification completion import reports can now filter errors A new 'errors' filter has been added to course and certification completion import reports TL-6333 Improved robustness of completion and conditional activities in the SCORM module Under cases of heavy learner load, or a misconfigured server, causing errors and communication timeouts the SCORM instant completion could be fragile, which could cause knock-on problems with the opening of any subsequent conditional activities . These changes minimise the consequences of any communication errors within the SCORM process. TL-6829 Added an option to the SCORM activity to ignore mastery score when saving state Prior to this patch when a SCORM package provided a mastery score, and LMSFinish was called, and if a raw score had been determined then the status was being recalculated using the raw score and the mastery score. Any status provided by the SCORM (including "incomplete") was being overridden. Turning this option off (it is on by default, to maintain previous behaviour) will prevent this override. This is only applicable to SCORM 1.2 packages. TL-6932 Added a link to the manage extension page in the program extension request emails TL-6933 Fixed a regression that prevented managers from approving Facetoface requests without enrolling into the course TL-7040 Improved default capabilities for totara sync Contributions: * Russell England at Vision By Deloitte - TL-6932
Release 2.5.29 (21st July 2015): Bug fixes: TL-4479 Fixed bug with poorly wrapped forum subjects when sent as an email TL-5552 Fixed manager approval being skipped when changing the date/time of a session TL-5562 Fixed a potential problem when inserting multiple records in a batch This fixes a potential problem when importing a broken CSV file into course completion and a potential minor problem when upgrading multiple custom menu fields in Facetoface module. TL-6513 Fixed issue causing Certification expiry periods to double If the Certification Completion Upload tool was used uploading completion records for users who were already assigned to the Certification, an issue could arise where the life of the certification would be incorrectly doubled. TL-6527 Fixed events not being called when audiences were unenrolled from courses Some problems relating to Facetoface events were also fixed, including users not being removed from future sessions when they were removed in bulk from courses, and ensuring that users are only removed once their last enrolment was removed. TL-6653 Fixed email duplication from program enrolment messaging TL-6709 Fixed wrapping of long question titles in Appraisal PDF exports TL-6784 Fixed the display of unassigned programs on the record of learning: programs report The record of learning was not displaying programs assigned via learning plans, or completed programs that the user was unassigned from. TL-6799 Fixed course creator role capabilities for managing audiences TL-6802 Fixed a fatal error with learning plan enrolments when a course is included in multiple plans TL-6979 Fixed Facetoface archive when certification window period equals active period If a facetoface belonged to course which belonged to a certification, and the certification window open period was the same as the active period, then when the course was reset to allow recertification, the facetoface activity was automatically re-triggering completion and recertification. TL-6997 Fix prog_get_all_programs incorrectly applying visibility On sites which had switched from normal visibility settings to using audience-based visibility, if a program had previously been set to "hidden", progress was not being updated when users completed courses. Security issues: TL-5289 Missing database record errors no longer contain the database table name TL-6823 Improved access control handling in Appraisal and Feedback360 assignments Two scripts in Appraisal and two scripts in Feedback360 were identified as having insufficient access control checks. This has now being remedied and all required access control checks are now being made in the four identified scripts. TL-6927 Fixed incorrect synchronisation of suspended users in course meta enrolments TL-6930 Fixed incorrect protocol handling in the curl library Prior to this patch use of CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS were limited by the existence of the CURLOPT_PROTOCOLS define. This restriction has been removed as it was no longer necessary. TL-7032 Improved the generation of random strings within core It was brought to our attention that in some situations the random string generation used during processes such as resetting of user passwords could be predicted and possible exploits crafted. Prior to this patch random string generation used the PHP built in mt_rand function. After this change we use a variety of methods and fall back to our own unpredictable generation. Improvements: TL-6932 Added a link to the manage extension page in the program extension request emails TL-7040 Improved default capabilities for totara sync Contributions: * Russell England at Vision By Deloitte - TL-6932 Release 2.4.32 (21st July 2015): Security issues: TL-5289 Missing database record errors no longer contain the database table name TL-6927 Fixed incorrect synchronisation of suspended users in course meta enrolments TL-6930 Fixed incorrect protocol handling in the curl library Prior to this patch use of CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS were limited by the existence of the CURLOPT_PROTOCOLS define. This restriction has been removed as it was no longer necessary. TL-7032 Improved the generation of random strings within core It was brought to our attention that in some situations the random string generation used during processes such as resetting of user passwords could be predicted and possible exploits crafted. Prior to this patch random string generation used the PHP built in mt_rand function. After this change we use a variety of methods and fall back to our own unpredictable generation. Bug fixes: TL-6527 Fixed events not being called when audiences were unenrolled from courses Some problems relating to Facetoface events were also fixed, including users not being removed from future sessions when they were removed in bulk from courses, and ensuring that users are only removed once their last enrolment was removed. Release 2.2.39 (21st July 2015):
Security issues: TL-5289 Missing database record errors no longer contain the database table name TL-6927 Fixed incorrect synchronisation of suspended users in course meta enrolments TL-6930 Fixed incorrect protocol handling in the curl library Prior to this patch use of CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS were limited by the existence of the CURLOPT_PROTOCOLS define. This restriction has been removed as it was no longer necessary. TL-7032 Improved the generation of random strings within core It was brought to our attention that in some situations the random string generation used during processes such as resetting of user passwords could be predicted and possible exploits crafted. Prior to this patch random string generation used the PHP built in mt_rand function. After this change we use a variety of methods and fall back to our own unpredictable generation.