Totara Release Notes

Security releases for Totara 2.7.8, 2.6.25, 2.5.32, 2.4.35, and 2.2.42 released 20 October 2015

 
HemelrykSam
Security releases for Totara 2.7.8, 2.6.25, 2.5.32, 2.4.35, and 2.2.42 released 20 October 2015
HemelrykSam 发表于 2015年10月20日 Tuesday 08:44
小组 Totara

Hello everyone,

The following versions of Totara have now been released:

  • 2.7.8
  • 2.6.25
  • 2.5.32
  • 2.4.35
  • 2.2.42

These versions do contain security fixes and for this reason we strongly recommend upgrading.
Each release also includes bug fixes and improvements.

Thanks to the following people for there contributions: Amir Elion at Kineo Israel, Joby Harding from Mindclick and Eugene Venter from Catalyst NZ

 

Release 2.7.8 (20th October 2015):

Security issues:

    TL-7112        Added options to secure how referrer information is sent to external sites
    TL-7138        Improved the cleaning of dynamically generated module names

                   Calling "required_param('module', PARAM_COMPONENT)" actually restricts the
                   allowable characters in a module name and the function returns an empty
                   string upon detecting an invalid module name. In the past, there was no
                   check if an empty string was indeed returned. Now, the code throws an
                   "invalid_parameter_exception" if the required_param() call returns an empty
                   string.

    TL-7152        Added workaround for known security issues with Flowplayer
    TL-7377        Fixed the capability moodle/cohort:view allowing a user to edit global audience settings

Improvements:

    TL-6570        Added events to the Totara Alerts and Tasks APIs
    TL-6821        Added full textual representation for the 'month of year' and for the 'weekday' within report builder reports
    TL-7089        Added support for external Oracle databases in HR Import
    TL-7298        Implemented access to courses with "enrolled only" visibility via visible programs

                   Previously, if users were assigned to a program containing courses with
                   visibility settings of "enrolled users only" or "enrolled users and members
                   of selected audiences" where they weren't a member of the selected
                   audience(s) and weren't already assigned to the courses, the users couldn't
                   launch the courses because they were hidden. Launching the course from the
                   record of learning and required learning pages now process enrolments
                   before checking visibility, allowing users access to the course.

    TL-7316        Added 'Percentage Completed via RPL' column to 'Course completion by RPL' report source
    TL-7397        Reduced the memory usage of program assignment completion date calculations

                   These functions were loading huge amounts of data in an attempt to improve
                   speed, much of which was never going to be used, and resulted in memory
                   overflows in some large sites. They now load smaller chunks of data which
                   are more likely to be used, this should result in a better balance between
                   speed and memory use.

    TL-7402        Improved the fixed expiry minimum calculation to be relative to completion date

                   Previously, the "Minimum active period" was being calculated relative to
                   the current date. This worked fine for users completing their
                   certifications within Totara, but completion uploads resulted in unexpected
                   results. Now, the calculation will ensure that the new expiry date is at
                   least "Minimum active period" away from the completion date. If the
                   completion date was far in the past, the calculated expiry date may also be
                   in the past. This change will have little effect on users completing their
                   certifications within Totara (the exception being where an activity reports
                   completion to have occurred some time in the past, such as Face to face).

    TL-7413        Improved the completion upload instructions for the certifications "duedate" column
    TL-7419        Improved scheduled tasks error logging
    TL-7511        Improved the layout of the dock when using the Kiwifruit responsive theme
    TL-7512        Increased the size of icons within the enhanced catalogue when using the Kiwifruit responsive theme
    TL-7528        Removed the gap between toolbars and editor content in the Kiwifruit responsive theme
    TL-7576        Improved the performance of the prog_get_all_programs function

                   This change should improve the performance of the Record of Learning
                   Programs & Certifications tabs, along with the required learning page. This
                   will be most noticeable for larger mysql sites.

    TL-7613        Improved right-to-left language support within the my team report
    TL-7656        Added docs explaining that db row locking is not reliable

                   Documentation on lock factories has been expanded to explain that database
                   locking is not reliable and should only be used as a last option.
                   The main reason for this is that the cleanup of locks may be delayed until
                   shutdown, this can lead to locks not being released in the following
                   situations:
                   * If PHP segfaults, as in this situation shutdown handlers are not
                   executed.
                   * The database connection is dropped or closed prior to the shutdown
                   handlers finishing their execution.
                   * Incorrect configuration of FastCGI (especially on IIS) can lead to cron
                   scripts terminating prematurely after a relatively short period of time.
                   * If PHP runs out of memory during its operation.


Bug fixes:

    TL-4379        Fixed the behaviour of Face-to-face notification templates

                   Face-to-face notifications are now linked to Face-to-face templates. This
                   allows updates to templates to also update linked notifications. This also
                   means when creating a new  Face-to-face activity the there will be
                   notifications for all templates. 

    TL-5226        Fixed incorrect email footer when a Feedback360 request is sent to external users
    TL-5261        Made the course upload tool respect the defaults for course completion settings
    TL-5730        Scheduled Face-to-face notifications are now only sent to users who were eligible at the time

                   Previously, if a notification was scheduled to be sent out a certain amount
                   of time prior to the start of the Face-to-face session, this notification
                   would also be sent to any new users who signed up after the scheduled time.
                   
                   
                   Now, even if cron is run much later, these notifications will only go to
                   users who were eligible to receive the notification at the time it was due
                   to be sent.
                   
                   The condition still exists that they must currently be eligible. For
                   example, if a notification is to be sent to booked users only, and a booked
                   user cancels before the notification is sent out, that user will not
                   receive the notification.

    TL-6877        Allow a user to enter a Face-to-face signup note when using the direct enrolment plugin
    TL-6909        Fixed dynamic audience rules based upon checkbox organisation custom fields
    TL-7134        Fixed the 'Force password change' flag which was being incorectly set for single sign on authentication types
    TL-7181        Fixed and restored recipients default values for Face-to-face automatic notifications if they were updated
    TL-7286        Fixed HR Import to properly handle csv files with UTF BOM encoding
    TL-7306        Fixed Face-to-face notifications showing a timezone of 99 when set to display in the user's timezone.

                   Previously, Face-to-face notifications that used the [alldates] placeholder
                   would show '99' in place of the timezone when a session was set to display
                   in the user's timezone. This has been fixed so that they properly show the
                   user's timezone. 

    TL-7308        Fixed possible timeouts when activating appraisals and creating appraisal snapshots
    TL-7317        Prevented a scenario in the question bank where it was possible to make a question category one of its own children

                   It was possible for a question category to be a parent of its own child if
                   two people had the edit page open at the same time. This can no longer
                   happen and an appropriate error message will be displayed instead. 

    TL-7334        Fixed the user selector to respect the user identity settings
    TL-7338        Removed blank lines from error cells when exporting completion upload reports
    TL-7365        Fixed the display of the task block when empty yet configured to show
    TL-7391        Fixed current session pagination to hide/show reportbuilder columns
    TL-7414        Fixed view hidden learning capabilities when managing learning

                   The capabilities 'moodle/course:viewhiddencourses',
                   'totara/program:viewhiddenprograms' and
                   'totara/certification:viewhiddencertifications' were not being checked
                   correctly when viewing the old course, program or certification catalogs or
                   managing courses, programs or certifications. This prevented users who had
                   been granted one of these capabilities at a category level from viewing the
                   corresponding content at that level or below.
                   Note: This still will not work for the enhanced catalog, due to
                   restrictions with capability checks in report builder sources. 

    TL-7431        Fixed the vaildation of position start and end date when importing users via HR Import
    TL-7435        Fixed the misalignment of table cells on the Face-to-face attendance page
    TL-7436        Fixed the editing of a user's position so that the description field is now saved the first time it is edited
    TL-7442        Audience management tabs now correctly check moodle/cohort:view

                   The cabability 'moodle/cohort:view' now allows a user to view, but not
                   edit, the tabs for enrolled learning, visible learning and goals. This
                   works in both system and category contexts. 

    TL-7447        Added help icons to Totara Connect client edit form
    TL-7448        Prevented historical Face-to-face session completions from overriding more recent ones

                   There were a couple of problems with Face-to-face session completions. If
                   you marked attendance for a user in a recent session, then later marked
                   their attendance in an older session, then the older session date was being
                   used when calculating completion. This caused a problem when the course had
                   been reset as part of a certification, or when activity completion criteria
                   were unlocked and deleted.

    TL-7450        Prevent incorrect notifications from being sent to users when acting upon a Face-to-face booking request task

                   When a booking request is approved or declined via the tasks block in My
                   Learning, but the request had already been actioned directly via the
                   Approval required tab in the Face-to-face activity an incorrect
                   notification would be sent to the learner.

    TL-7484        Fixed regression in phpunit tests with incorrect file location
    TL-7499        Fixed which users get shown in the recipients fields when manually awarding a badge
    TL-7500        Fixed program availability with available from date only
    TL-7517        Fixed the sync password setting for Totara Connect server
    TL-7522        Fixed the export of user reports where the User ID was being exported instead of the user's fullname
    TL-7534        Fixed the HR Import of custom user date fields when some values are missing from the CSV file
    TL-7554        Fixed the use of a PHP short tag when adding a menu of choices custom field filter in report builder
    TL-7563        Enabled dock in older versions of internet explorer (IE8 & IE9)
    TL-7570        Fixed the display of Positions and Organisations within the administration block

                   Previously users with permission to view positions and organisations were
                   not always shown these items within the administration settings block.
                   These pages are now correctly shown to users who have permission to view
                   them.

    TL-7573        Improved right-to-left language support within multi-select dialogs
    TL-7592        Fixed room checks to prevent the double booking of rooms
    TL-7650        Increased the length of some database fields in appraisals

                   Short field lengths for scale values and sorting could lead to database
                   errors if adding more than 99 questions to a single page in an appraisal,
                   or more than 99 values to a single scale.
                   This has been fixed by increasing the size of the sortorder and scaletype
                   fields within appraisals.


API changes:

    TL-7502        Embedding of Youtube content now uses the current Google API

                   This is a backport of MDL-50176. Google has switched off support for the
                   API Totara was previously using for Youtube.
                   The current API is now in place and being used for all embedded Youtube
                   content.


Contributions:

    * Amir Elion at Kineo Israel - TL-7613
    * Joby Harding from Mindclick - TL-6570

Release 2.6.25 (20th October 2015):

Security issues:

    TL-7138        Improved the cleaning of dynamically generated module names

                   Calling "required_param('module', PARAM_COMPONENT)" actually restricts the
                   allowable characters in a module name and the function returns an empty
                   string upon detecting an invalid module name. In the past, there was no
                   check if an empty string was indeed returned. Now, the code throws an
                   "invalid_parameter_exception" if the required_param() call returns an empty
                   string.

    TL-7152        Added workaround for known security issues with Flowplayer
    TL-7377        Fixed the capability moodle/cohort:view allowing a user to edit global audience settings

Bug fixes:

    TL-5226        Fixed incorrect email footer when a Feedback360 request is sent to external users
    TL-5261        Made the course upload tool respect the defaults for course completion settings
    TL-5730        Scheduled Face-to-face notifications are now only sent to users who were eligible at the time

                   Previously, if a notification was scheduled to be sent out a certain amount
                   of time prior to the start of the Face-to-face session, this notification
                   would also be sent to any new users who signed up after the scheduled time.
                   
                   
                   Now, even if cron is run much later, these notifications will only go to
                   users who were eligible to receive the notification at the time it was due
                   to be sent.
                   
                   The condition still exists that they must currently be eligible. For
                   example, if a notification is to be sent to booked users only, and a booked
                   user cancels before the notification is sent out, that user will not
                   receive the notification.

    TL-6909        Fixed dynamic audience rules based upon checkbox organisation custom fields
    TL-7171        Fixed calls to send email when the user does not have an email address

                   Totara Sync allows users to be created without an email address.
                   This was leading to issues when processing certification messages if the
                   user had not logged in and set an email address.
                   In this case a notification was added for them by each cron run, every 15
                   minutes.
                   If they then logged in they would be presented with repeated
                   notifications.
                   The root of this issue was the email processor expecting a valid email
                   address.

    TL-7181        Fixed and restored recipients default values for Face-to-face automatic notifications if they were updated
    TL-7286        Fixed HR Import to properly handle csv files with UTF BOM encoding
    TL-7299        Fixed display of newline characters in reportbuilder pdf (landscape) exports
    TL-7308        Fixed possible timeouts when activating appraisals and creating appraisal snapshots
    TL-7365        Fixed the display of the task block when empty yet configured to show
    TL-7436        Fixed the editing of a user's position so that the description field is now saved the first time it is edited
    TL-7448        Prevented historical Face-to-face session completions from overriding more recent ones

                   There were a couple of problems with Face-to-face session completions. If
                   you marked attendance for a user in a recent session, then later marked
                   their attendance in an older session, then the older session date was being
                   used when calculating completion. This caused a problem when the course had
                   been reset as part of a certification, or when activity completion criteria
                   were unlocked and deleted.

    TL-7500        Fixed program availability with available from date only
    TL-7522        Fixed the export of user reports where the User ID was being exported instead of the user's fullname
    TL-7570        Fixed the display of Positions and Organisations within the administration block

                   Previously users with permission to view positions and organisations were
                   not always shown these items within the administration settings block.
                   These pages are now correctly shown to users who have permission to view
                   them.


API changes:

    TL-7502        Embedding of Youtube content now uses the current Google API

                   This is a backport of MDL-50176. Google has switched off support for the
                   API Totara was previously using for Youtube.
                   The current API is now in place and being used for all embedded Youtube
                   content.


Contributions:

    * Eugene Venter from Catalyst NZ - TL-7299

Release 2.5.32 (20th October 2015):

Security issues:

    TL-7138        Improved the cleaning of dynamically generated module names

                   Calling "required_param('module', PARAM_COMPONENT)" actually restricts the
                   allowable characters in a module name and the function returns an empty
                   string upon detecting an invalid module name. In the past, there was no
                   check if an empty string was indeed returned. Now, the code throws an
                   "invalid_parameter_exception" if the required_param() call returns an empty
                   string.

    TL-7152        Added workaround for known security issues with Flowplayer
    TL-7377        Fixed the capability moodle/cohort:view allowing a user to edit global audience settings

Bug fixes:

    TL-5730        Scheduled Face-to-face notifications are now only sent to users who were eligible at the time

                   Previously, if a notification was scheduled to be sent out a certain amount
                   of time prior to the start of the Face-to-face session, this notification
                   would also be sent to any new users who signed up after the scheduled time.
                   
                   
                   Now, even if cron is run much later, these notifications will only go to
                   users who were eligible to receive the notification at the time it was due
                   to be sent.
                   
                   The condition still exists that they must currently be eligible. For
                   example, if a notification is to be sent to booked users only, and a booked
                   user cancels before the notification is sent out, that user will not
                   receive the notification.

    TL-6909        Fixed dynamic audience rules based upon checkbox organisation custom fields
    TL-7181        Fixed and restored recipients default values for Face-to-face automatic notifications if they were updated
    TL-7308        Fixed possible timeouts when activating appraisals and creating appraisal snapshots
    TL-7436        Fixed the editing of a user's position so that the description field is now saved the first time it is edited
    TL-7448        Prevented historical Face-to-face session completions from overriding more recent ones

                   There were a couple of problems with Face-to-face session completions. If
                   you marked attendance for a user in a recent session, then later marked
                   their attendance in an older session, then the older session date was being
                   used when calculating completion. This caused a problem when the course had
                   been reset as part of a certification, or when activity completion criteria
                   were unlocked and deleted.

    TL-7570        Fixed the display of Positions and Organisations within the administration block

                   Previously users with permission to view positions and organisations were
                   not always shown these items within the administration settings block.
                   These pages are now correctly shown to users who have permission to view
                   them.


API changes:

    TL-7502        Embedding of Youtube content now uses the current Google API

                   This is a backport of MDL-50176. Google has switched off support for the
                   API Totara was previously using for Youtube.
                   The current API is now in place and being used for all embedded Youtube
                   content.


Release 2.4.35 (20th October 2015):

Security issues:

    TL-7152        Added workaround for known security issues with Flowplayer
    TL-7377        Fixed the capability moodle/cohort:view allowing a user to edit global audience settings

Release 2.2.42 (20th October 2015):

Security issues:

    TL-7152        Added workaround for known security issues with Flowplayer
    TL-7377        Fixed the capability moodle/cohort:view allowing a user to edit global audience settings