Totara Release Notes

Security releases for Totara 2.9.5, 2.7.13, 2.6.30, 2.5.37, 2.4.40, and 2.2.46 released 23rd March 2016

 
by Sam Hemelryk - Tuesday, 22 March 2016, 8:22 PM
Hello everyone,

The following versions of Totara have now been released:
  • 2.9.5
  • 2.7.13
  • 2.6.30
  • 2.5.37
  • 2.4.40
  • 2.2.46
These versions do contain security fixes and for this reason we strongly recommend upgrading.
Each release also includes bug fixes and improvements.

Kind regards
Sam Hemelryk


Release 2.9.5 (23rd March 2016):

Important:

    TL-6790        Changed the default behaviour of certification reassignment

                   Previously a user who was unassigned and reassigned to a certification
                   would be placed back into their initial certification path. Depending on
                   their current course completions, their status may have been reaggregated
                   on the next cron run. Now the system will look for the latest unassigned
                   certification completion history record and the user will be restored to
                   their previous status instead. Any events that need to occur (such as
                   window opening) will take place when the relevant scheduled task runs (e.g.
                   update_certification_task).


Security issues:

    TL-8641        The following security fixes were included with the merge of Moodle 2.9.5

                   * MDL-51167 Hidden courses are shown to students in Event Monitor
                   * MDL-52378 Non-Editing Instructor role can edit exclude checkbox in Single View
                   * MDL-52651 Add no referrer to links with _blank target attribute
                   * MDL-52727 Reflected XSS in mod_data advanced search
                   * MDL-52774 Enumeration of category details possible without authentication
                   * MDL-52808 External function get_calendar_events return events that pertains to hidden activities
                   * MDL-52901 External function mod_assign_save_submission does not check due dates
                   * MDL-53031 CSRF in Assignment plugin management page


Improvements:

    TL-6296        Added an aria-label to select user checkbox when viewing course participants
    TL-6723        Added automatic test coverage of the security overview report
    TL-7864        Added haschildren class to top level totara menu items when applicable
    TL-8295        Improved performance when getting items assigned to plans

                   The get_assigned_items function by default returned the counts of any
                   linked items. This led to performance issues when the counts were
                   not required. The function now returns this information only when required.

    TL-8422        Improved output of the standard logstore cleanup task
    TL-8478        Added pagination to the Global Report Restriction administration page
    TL-8484        Linked Report Builder Financial year setting labels to their inputs
    TL-8532        Added an accessible label when adding a comment to a learning plan

Bug fixes:

    TL-8205        Removed unassigned users that incorrectly show up in certification completion reports

                   Reports that used the 'Certification Completion' report source would
                   contain users that had been unassigned from a certification. This was
                   only the case if the user was unassigned before their recertification
                   window opened, and the data for these users would be incorrect for some
                   columns. Unassigned users will no longer show up in certification
                   completion reports, which is in line with the documentation for this
                   report source.

                   Note that if you require a report that includes data for unassigned users,
                   you may like to create a report that uses the Record of Learning:
                   Certification report source.

    TL-8274        Fixed calendar navigation on non-default home page
    TL-8277        Fixed incorrect highlighting of menu items

                   When the enhanced catalog was off, viewing the pages specific to the enhanced
                   catalog caused the Find Learning menu items to be highlighted.
                   This has been corrected.

    TL-8280        Fixed manual changes to course completion competency proficiency being overridden

                   Before the patch, if a manager set a course completion competency to
                   proficient, it was being overridden by a cron task. Now, the change the
                   manager made will be kept.

    TL-8339        Fixed saving of due dates when creating and editing objectives in learning plans
    TL-8345        Ensured sum aggregation uses display function if available
    TL-8363        Ensured courses assigned to plans are removed when a course is deleted
    TL-8364        Removed extra line breaks in Face-to-face messages
    TL-8381        Ensured Hierarchy custom field data is deleted when a Hierarchy item is deleted
    TL-8407        Improved layout of the graph tooltip in Internet Explorer when using an RTL language
    TL-8409        Prevented saving scheduled reports without a recipient
    TL-8412        Fixed 'menuofchoice' custom field for sidebar filter in report builder
    TL-8419        Fixed issue that prevented blocks from being edited with Totara Dashboard enabled as default home
    TL-8427        Fixed position selecting which was incorrectly disabled when disabling position hierarchies
    TL-8441        Increased maxlength of objective scales value name to 255 characters
    TL-8444        Fixed Program and Certification Membership reports for MSSQL
    TL-8457        Fixed a spelling mistake in the program extension request error message
    TL-8477        Fixed Date (No timezone) user profile field in Report Builder
    TL-8479        Fixed the MSSQL NVARCHAR migration upgrade step
    TL-8482        Removed empty labels when adding/editing External tools
    TL-8496        Fixed count of overdue users on Appraisals report page
    TL-8506        Fixed AJAX deletion of an assigned audience when creating a dashboard
    TL-8508        Fixed untranslatable string "Face-to-face name" in Face-to-face sessions report source
    TL-8521        Improved course participants template for template library
    TL-8538        Fixed dates in ODS exports to use current user timezone to match all other export options
    TL-8583        Session end time is now adjusted in IE11 when start time is adjusted

Release 2.7.13 (23rd March 2016):

Important:

    TL-6790        Changed the default behaviour of certification reassignment

                   Previously a user who was unassigned and reassigned to a certification
                   would be placed back into their initial certification path. Depending on
                   their current course completions, their status may have been reaggregated
                   on the next cron run. Now the system will look for the latest unassigned
                   certification completion history record and the user will be restored to
                   their previous status instead. Any events that need to occur (such as
                   window opening) will take place when the relevant scheduled task runs (e.g.
                   update_certification_task).


Security issues:

    TL-8642        The following security fixes were included with the merge of Moodle 2.7.13

                   * MDL-52378 Non-Editing Instructor role can edit exclude checkbox in Single View
                   * MDL-52651 Add no referrer to links with _blank target attribute
                   * MDL-52727 Reflected XSS in mod_data advanced search
                   * MDL-52774 Enumeration of category details possible without authentication
                   * MDL-52808 External function get_calendar_events return events that pertains to hidden activities
                   * MDL-52901 External function mod_assign_save_submission does not check due dates
                   * MDL-53031 CSRF in Assignment plugin management page


Improvements:

    TL-6723        Added automatic test coverage of the security overview report
    TL-8295        Improved performance when getting items assigned to plans

                   The get_assigned_items function by default returned the counts of any
                   linked items. This led to performance issues when the counts were
                   not required. The function now returns this information only when required.

    TL-8422        Improved output of the standard logstore cleanup task
    TL-8484        Linked Report Builder Financial year setting labels to their inputs

Bug fixes:

    TL-8205        Removed unassigned users that incorrectly show up in certification completion reports

                   Reports that used the 'Certification Completion' report source would
                   contain users that had been unassigned from a certification. This was
                   only the case if the user was unassigned before their recertification
                   window opened, and the data for these users would be incorrect for some
                   columns. Unassigned users will no longer show up in certification
                   completion reports, which is in line with the documentation for this
                   report source.

                   Note that if you require a report that includes data for unassigned users,
                   you may like to create a report that uses the Record of Learning:
                   Certification report source.

    TL-8274        Fixed calendar navigation on non-default home page
    TL-8277        Fixed incorrect highlighting of menu items

                   When the enhanced catalog was off, viewing the pages specific to the enhanced
                   catalog caused the Find Learning menu items to be highlighted.
                   This has been corrected.

    TL-8280        Fixed manual changes to course completion competency proficiency being overridden

                   Before the patch, if a manager set a course completion competency to
                   proficient, it was being overridden by a cron task. Now, the change the
                   manager made will be kept.

    TL-8339        Fixed saving of due dates when creating and editing objectives in learning plans
    TL-8345        Ensured sum aggregation uses display function if available
    TL-8363        Ensured courses assigned to plans are removed when a course is deleted
    TL-8364        Removed extra line breaks in Face-to-face messages
    TL-8396        Fixed default sort order for graphical report block
    TL-8407        Improved layout of the graph tooltip in Internet Explorer when using an RTL language
    TL-8409        Prevented saving scheduled reports without a recipient
    TL-8412        Fixed 'menuofchoice' custom field for sidebar filter in report builder
    TL-8419        Fixed issue that prevented blocks from being edited with Totara Dashboard enabled as default home
    TL-8440        Fixed report sort column for scheduled reports
    TL-8441        Increased maxlength of objective scales value name to 255 characters
    TL-8444        Fixed Program and Certification Membership reports for MSSQL
    TL-8479        Fixed the MSSQL NVARCHAR migration upgrade step
    TL-8508        Fixed untranslatable string "Face-to-face name" in Face-to-face sessions report source
    TL-8538        Fixed dates in ODS exports to use current user timezone to match all other export options

Release 2.6.30 (23rd March 2016):

Important:

    TL-6790        Changed the default behaviour of certification reassignment

                   Previously a user who was unassigned and reassigned to a certification
                   would be placed back into their initial certification path. Depending on
                   their current course completions, their status may have been reaggregated
                   on the next cron run. Now the system will look for the latest unassigned
                   certification completion history record and the user will be restored to
                   their previous status instead. Any events that need to occur (such as
                   window opening) will take place when the relevant scheduled task runs (e.g.
                   update_certification_task).


Security issues:

    TL-8614        Prevented reflected XSS vulnerability in mod_data advanced search
    TL-8616        Fixed access control in ajax script returning navigation branches
    TL-8617        Fixed external function get_calendar_events to not return events for hidden activities
    TL-8618        Added due dates check to external assignment save submission
    TL-8619        Added session check to assignment plugins management

Bug fixes:

    TL-8367        Fixed visibility of hidden courses on the My Bookings page
    TL-8444        Fixed Program and Certification Membership reports for MSSQL
    TL-8479        Fixed the MSSQL NVARCHAR migration upgrade step
    TL-8600        Fixed error when saving Certification tab when editing or creating a Certification

Release 2.5.37 (23rd March 2016):

Important:

    TL-6790        Changed the default behaviour of certification reassignment

                   Previously a user who was unassigned and reassigned to a certification
                   would be placed back into their initial certification path. Depending on
                   their current course completions, their status may have been reaggregated
                   on the next cron run. Now the system will look for the latest unassigned
                   certification completion history record and the user will be restored to
                   their previous status instead. Any events that need to occur (such as
                   window opening) will take place when the relevant scheduled task runs (e.g.
                   update_certification_task).


Security issues:

    TL-8614        Prevented reflected XSS vulnerability in mod_data advanced search
    TL-8616        Fixed access control in ajax script returning navigation branches
    TL-8617        Fixed external function get_calendar_events to not return events for hidden activities
    TL-8619        Added session check to assignment plugins management

Bug fixes:

    TL-8367        Fixed visibility of hidden courses on the My Bookings page
    TL-8444        Fixed Program and Certification Membership reports for MSSQL

Release 2.4.40 (23rd March 2016):

Security issues:

    TL-8614        Prevented reflected XSS vulnerability in mod_data advanced search
    TL-8616        Fixed access control in ajax script returning navigation branches
    TL-8619        Added session check to assignment plugins management

Release 2.2.46 (23rd March 2016):

Security issues:

    TL-8614        Prevented reflected XSS vulnerability in mod_data advanced search
    TL-8616        Fixed access control in ajax script returning navigation branches