Totara Release Notes

Security releases for Totara 2.9.9, 2.7.17, 2.6.34, 2.5.41, 2.4.43, and 2.2.49 released 26th July 2016

by Sam Hemelryk, Monday 25 July 2016, 21:48
Totara Group

Hello everyone,

The following versions of Totara have now been released:

  • 2.9.9
  • 2.7.17
  • 2.6.34
  • 2.5.41
  • 2.4.43
  • 2.2.49

These versions do contain security fixes and for this reason we strongly recommend upgrading.
Each release also includes bug fixes and improvements, including from the latest Moodle releases.

Thanks to the following people for their contributions to this release:

  • Davo Smith at Synergy Learning - TL-9485
  • Francis Devine at Catalyst NZ - TL-9086
  • Nigel Cunningham at Catalyst AU - TL-8601, TL-9261

Kind regards
Sam Hemelryk


Release 2.9.9 (26th July 2016):

Important:

    TL-9703        This release contains fixes made in Moodle 2.9.9

                   Moodle 2.9.9 received two fixes as noted below:
                   
                   1. MDL-53431 tool_monitor: Access control for tool monitor subscriptions
                      Imported as TL-9551
                   2. MDL-55069 core: escape special characters in email headers
                      Imported as TL-9515
                   3. MDL-53019 environment: 3.2 requirements added
                      Imported as TL-9556
                   4. MDL-54564 behat: Wait after hover, to ensure page is ready
                      Imported as TL-9631
                   5. MDL-54620 ratings: display '0' when aggregate = 0
                      Imported as TL-9633


Security issues:

    TL-9340        Fixed access control when deleting calendar subscriptions

                   Users can only delete their own calendar subscriptions.
                   Previously it was possible to craft a special request that would allow you
                   to delete a calendar subscription regardless of whether you were the owner
                   or not.
                   The moodle/calendar:manageownentries capability is now consistently
                   checked.

    TL-9400        Fixed access control when deleting personal goals

                   A user's personal goals can only be deleted if one of the following
                   conditions is true for the current user:
                   
                   1. They have the totara/hierarchy:managegoalassignments capability in the
                   system context.
                   2. They are a manager of the goal's owner and they have the
                   totara/hierarchy:managestaffpersonalgoal capability in the user's context.
                   3. It is one of their own personal goals and they have the
                   totara/hierarchy:manageownpersonalgoal capability in the system context.
                   
                   Previously it was possible to craft a special request that would allow you
                   to delete any personal goal, regardless of whether it was one of your
                   personal goals or not.
                   The relevant capability checks are now consistently applied.

    TL-9515        Fixed sanitisation of user's firstname and lastname when sending emails

                   Totara was not previously sanitising the user's firstname and lastname
                   correctly when compiling emails to the user.
                   An authenticated user could therefore alter their firstname or lastname in
                   Totara to contain invalid content, including additional email addresses.
                   As their firstname and lastname were not being correctly sanitised, this
                   could be abused to send spam to others.
                   The user's firstname and lastname are now properly sanitised.
                   
                   References MDL-55069

    TL-9668        Improved the security of all repository plugins

                   Previously it may have been possible to perform SSRF attacks on a server
                   through the repository API, which did not work with the installed
                   repository plugins to sanitise downloaded content.
                   This update changes the repository API so that it works with the
                   repository plugins to ensure that content requested for download is
                   expected and valid.
                   By default any plugin which attempts to use the repository API to download
                   content without implementing the now required get_file() method will stop
                   working, as this is deemed a security risk.
                   We are aware that some subscribers do use third party repository plugins,
                   and that this change may stop those plugins from working.
                   Our recommendation is for those sites to get the affected third party
                   repositories updated to support the new API and file downloading.
                   However, in 2.9 we have also added a special setting to bypass the
                   missing support and allow the plugins to function as they once did.
                   This setting is present in 2.9 only and will not be available in 9.0.
                   To enable this setting add the following to your config.php:
                   {code}
                   $CFG->repositoryignoresecurityproblems = 1;
                   {code}
                   Please be aware that adding this setting may open a security hole on your
                   site.
                   We do not recommend adding it.


Improvements:

    TL-8996        Added support for syncing a user's image during SSO login
    TL-9221        Added the ability to resolve dismissed program exceptions to the completion editor

                   The Program and Certification completion editors now display information
                   about dismissed program exceptions when viewing a user's completion data,
                   and allow dismissed exceptions to be overridden.

    TL-9265        Added a new filter for Audience Visibility to Course reports

                   Previously a Visibility filter could be added to Course reports, however
                   there was no corresponding Audience Visibility filter for those sites that
                   had Audience Visibility turned on.
                   A new Audience Visibility filter has been added to all Course reports so
                   that those sites that have Audience Visibility turned on can filter by the
                   relevant visibility options.

    TL-9276        Improved the description of Global Report Restrictions when only one restriction exists

                   If there is only one Global Report Restriction for a user it is
                   automatically applied for that user.
                   This was previously undocumented.
                   The description within the Global Report Restriction user interface has
                   been improved to allude to this behaviour.

    TL-9314        Improved the information shown when viewing a Certification

                   When a user views one of their certifications, they will see a more verbose
                   description of the status.
                   It is now clear when a user is not required to work on a certification.
                   When working on a specific certification path, only courses in that path
                   are shown (as before), otherwise both paths are shown, rather than trying
                   to show the last path completed (which cannot be calculated under several
                   circumstances).
                   
                   Additionally, a warning has been added, and is shown when the user is due
                   to recertify but the window opening process has not yet occurred.

    TL-9344        Improved the time allowance strings used for Programs to ease translation
    TL-9378        Ensured that goal management capabilities are consistently applied

                   Personal goals created by either a site administrator or a user's manager
                   cannot be edited or deleted by the user.
                   Additionally, the action icons for actions you can't perform are now greyed
                   out.

    TL-9383        Improved the performance of sidebar searches within Report Builder

                   For reports which had multi-check filters enabled in the sidebar, such as
                   in the course catalog, item counts shown in the filter were sometimes being
                   queried twice unnecessarily.
                   In cases where there were thousands of items, this had a noticeable effect
                   on performance.
                   These item counts are now only queried once, and only if needed.

    TL-9433        Developers may now disable editor autosave in forms where it is not desirable

                   Previously it was not possible for the developer to disable autosaving
                   within an editor when defining a form.
                   A small improvement has been made to allow the developer to pass
                   ['autosave' => false] as an editor option; this gets passed through to the
                   editor initialisation and allows the developer to disable autosaving when
                   defining the form.

    TL-9456        Plugins can now define Report Builder filters within the plugin space

                   It is now possible for plugins to define their own Report Builder filters
                   for use within their own Report Sources.
                   In order to do this the plugin defines a class called
                   `rb_filter_"filtertype"` in a location it chooses, and then requires the
                   file containing the class within the Report Builder sources that will use
                   it.

    TL-9483        Fixed Behat file uploads to work in all browsers and in remote selenium instances
    TL-9484        Added a workaround for missing alert confirmation support in PhantomJS
    TL-9502        The Course and Activity completion reports now use the standard paging control

                   The Course completion and Activity completion reports now use the standard
                   paging control bar.
                   This helps bring the look and feel of these reports (which are not Report
                   Builder reports) in line with the other reports available in the system.

    TL-9556        Environment definition updated to reflect Moodle 3.2 requirements
    TL-9670        Course visibility filters show as not applicable depending on the sites audience visibility setting

Bug fixes:

    TL-7907        Fixed manager approval for Face-to-face direct enrolment when automatic signup is enabled

                   Previously if you had a Face-to-face activity that was configured to
                   require manager approval, within a course with a Face-to-face direct
                   enrolment instance added and configured to automatically sign new users up
                   to all available sessions, then when a new user signed up they would be
                   automatically booked to the session requiring manager approval, bypassing
                   the approval stage.
                   Now the Face-to-face direct enrolment plugin, with automatic signup
                   enabled, correctly respects the manager approval requirements for available
                   sessions.

    TL-8179        Program and Certification reports now order courseset data correctly

                   The Program and Certification overview reports now ensure that columns
                   displaying courseset information order the content in the same manner that
                   is applied when viewing the Program or Certification content.

    TL-8555        Recurring courses now respect the tempdir setting

                   When recurring courses were copied during cron, it was assumed that the
                   temp folder was set to its default rather than what was in the 'tempdir'
                   config setting. The temporary backup folder is now created in the location
                   specified by the 'tempdir' setting.
                   
                   This fix also ensures that the copy recurring courses cron task will run
                   when certifications are disabled, but programs are enabled, as recurring
                   courses can only be used within programs.

    TL-8601        Fixed backup and restore of multi-select and file type Course custom fields
    TL-8985        Suspending a user no longer cancels past Face-to-face signups

                   Previously if you suspended a user any Face-to-face signups they had made
                   would be cancelled, even when the Face-to-face session had already been
                   run.
                   Now when a user is suspended only Face-to-face signups for future sessions
                   are cancelled.

    TL-9056        Fixed program enrolment messages not being sent

                   It was possible that some program and certification enrolment messages were
                   not being sent. This would only occur in the unlikely event that the
                   program messaging scheduled task took some time to run, and that program
                   assignments changed during that time (either by a manual change made in the
                   Assignments interface when there were less than 200 users involved in the
                   program, or due to one of the two user assignment scheduled tasks running
                   at the same time). This has now been fixed. This patch does not
                   retroactively send program/certification enrolment messages that were
                   missed.

    TL-9086        HR Import now validates incoming user custom field values consistently

                   Previously HR Import was validating incoming user custom field data without
                   first passing it through the user custom fields API.
                   This could lead to invalid data passing validation as it had not been
                   appropriately translated.
                   HR Import now correctly passes incoming data through the user custom fields
                   API prior to validation to ensure any invalid data is detected and not
                   imported.

    TL-9115        Improved the display of averaged columns in Report Builder

                   When averaging a field the number of decimal places shown was the default
                   returned by the database.
                   The display has been improved to only show 2 decimal places.

    TL-9118        HR Import now converts mixed case usernames to lower case

                   This fixes a backwards compatibility issue introduced by TL-8502.
                   TL-8502 improved validation of usernames being imported through HR Import.
                   Unfortunately a previously added hack was present which was converting
                   mixed case usernames to lower case.
                   TL-8502 reverted this hack, ensuring only completely valid usernames could
                   be imported, and any invalid usernames would be skipped with an error.
                   After the release of 2.9.7 we received several reports of people relying on
                   this conversion to import their data.
                   After much discussion we decided to treat this as a backwards compatibility
                   issue and fix it as a bug in 2.7 and 2.9.
                   Now when you import a username with mixed case you will receive a warning,
                   the username will be converted to lower case and the user will be
                   imported.
                   Please note that in Totara 9.0 you will receive an error and the user will
                   not be imported.
                   We advise those who are getting these warnings to fix the data they are
                   importing so as to make it accurate.

    TL-9135        Fixed the use of files within textarea type custom fields
    TL-9159        Multi-select custom field data params are now correctly deleted when the field is deleted

                   Previously data params for multi-select custom field values were not being
                   deleted when the multi-select custom field was deleted.
                   This resulted in orphaned data param records being left in the database.
                   Now when a multi-select custom field is deleted the data params for it are
                   also deleted.
                   Additionally an upgrade step will clean up any orphaned multi-select data
                   params that may be lurking in your database.

    TL-9162        Removing a user from an allocated Face-to-face session now returns capacity

                   Previously when a user was removed from an allocated spot in a Face-to-face
                   session by their manager the space they were occupying was not returned to
                   the available capacity of the session, nor were they being informed that
                   their allocation had been cancelled.
                   Now when a user is removed from an allocated spot the capacity is returned
                   and the user is notified.

    TL-9187        Fixed searching of the Program exceptions list by firstname and lastname
    TL-9210        Fixed a missing iCal attachment in the Face-to-face session allocation notification email
    TL-9235        Fixed the display of aggregated yes_or_no Report Builder columns

                   "Yes" is counted as 1, "No" is counted as 0. Aggregate functions use these
                   values for the calculations.

    TL-9241        Ensured the ability to choose an appraiser is not available when appraisals have been disabled
    TL-9261        Fixed the "Re-sort" button within the Certification management UI
    TL-9341        Fixed the User's Position Framework ID filter within the User report source
    TL-9362        Fixed the status display for certification in progress within the Record of Learning
    TL-9387        Fixed the display of Face-to-face sessions in the Face-to-face block
    TL-9388        Fixed the expansion of the Site Administration menu in IE8
    TL-9392        Available courses on the front page are no longer duplicated when the user is not enrolled in any courses

                   If the front page had been configured to display a list of Enrolled Courses
                   and the user was not enrolled on any courses then a list of available
                   courses would be displayed instead.
                   Previously if you had also configured the front page to contain a list of
                   available courses this would then lead to the list of available courses
                   being displayed twice.
                   Now when the front page has been configured to display a list of available
                   courses and enrolled courses, when the user is not enrolled on courses then
                   nothing is printed.
                   This stops the list of available courses from being printed twice.

    TL-9397        Fixed an error encountered while exporting a Face-to-face cancellation report

                   This fixes a regression introduced by TL-6962, released in Totara 2.7.14,
                   2.9.6.

    TL-9434        Fixed a bug preventing roles from being assigned via audiences at the category level
    TL-9438        Fixed average aggregation within Report Builder when using MSSQL

                   MSSQL now ensures that it is using decimals when fetching average
                   aggregations.

    TL-9453        Prevented the adding of a Program to a Learning Plan from resetting Program status

                   When a program was already assigned to a user, if the same program was then
                   added to the user's learning plan, the status of the program was reset. The
                   program would likely be re-marked completed by cron, but only if the course
                   requirements were unchanged and the courses involved were still marked
                   complete.
                   Additionally, dates related to the program may have changed.
                   This fix prevents changes when adding a program to a learning plan if the
                   user is already assigned to the program.

    TL-9473        Fixed the "Download all" button within the file manager in IE and Safari
    TL-9485        Fixed data param handling in the core data object class
    TL-9669        Fixed the possibility of a "maximum SQL input variables" bug within the Face-to-face upgrade

Contributions:

    * Davo Smith at Synergy Learning - TL-9485
    * Francis Devine at Catalyst NZ - TL-9086
    * Nigel Cunningham at Catalyst AU - TL-8601, TL-9261

Release 2.7.17 (26th July 2016):

Important:

    TL-9702        This release contains fixes made in Moodle 2.7.15

                   Moodle 2.7.15 received two fixes as noted below:
                   
                   1. MDL-55069 core: escape special characters in email headers
                      Imported as TL-9515
                   2. MDL-53019 environment: 3.2 requirements added
                      Imported as TL-9556


Security issues:

    TL-9340        Fixed access control when deleting calendar subscriptions

                   Users can only delete their own calendar subscriptions.
                   Previously it was possible to craft a special request that would allow you
                   to delete a calendar subscription regardless of whether you were the owner
                   or not.
                   The moodle/calendar:manageownentries capability is now consistently
                   checked.

    TL-9400        Fixed access control when deleting personal goals

                   A user's personal goals can only be deleted if one of the following
                   conditions is true for the current user:
                   
                   1. They have the totara/hierarchy:managegoalassignments capability in the
                   system context.
                   2. They are a manager of the goal's owner and they have the
                   totara/hierarchy:managestaffpersonalgoal capability in the user's context.
                   3. It is one of their own personal goals and they have the
                   totara/hierarchy:manageownpersonalgoal capability in the system context.
                   
                   Previously it was possible to craft a special request that would allow you
                   to delete any personal goal, regardless of whether it was one of your
                   personal goals or not.
                   The relevant capability checks are now consistently applied.
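The three conditions listed under TL-9400 (in both the 2.9.9 and 2.7.17 notes above), written as a single server-side check that every deletion path calls. This is an added example, not Totara's own code; it assumes Moodle's has_capability(), context_system, context_user, require_sesskey() and $DB, a table named goal_personal (assumed), and a hypothetical totara_is_manager($staffid, $managerid) helper.

```php
<?php
// Added example (not Totara's code): the three TL-9400 conditions gathered into
// one function so that every path that deletes a personal goal runs the same
// check. Assumes Moodle's has_capability(), context_system, context_user,
// require_sesskey() and $DB, the table name 'goal_personal' (assumed) and a
// hypothetical totara_is_manager($staffid, $managerid) helper.

/**
 * May $actorid delete a personal goal owned by $ownerid?
 *
 * @param int $ownerid user id of the goal owner, taken from the stored goal record
 * @param int $actorid user id of the user attempting the deletion
 * @return bool
 */
function example_can_delete_personal_goal($ownerid, $actorid) {
    $systemcontext = context_system::instance();

    // 1. Site-wide goal assignment management, checked in the system context.
    if (has_capability('totara/hierarchy:managegoalassignments', $systemcontext, $actorid)) {
        return true;
    }

    // 2. Manager of the owner AND the staff capability in the owner's user context.
    $usercontext = context_user::instance($ownerid);
    if (totara_is_manager($ownerid, $actorid)
            && has_capability('totara/hierarchy:managestaffpersonalgoal', $usercontext, $actorid)) {
        return true;
    }

    // 3. The actor's own goal AND the own-goal capability in the system context.
    if ((int)$ownerid === (int)$actorid
            && has_capability('totara/hierarchy:manageownpersonalgoal', $systemcontext, $actorid)) {
        return true;
    }

    return false;
}

/**
 * Delete handler. The owner is read from the stored record, never from the
 * request, so a crafted request naming another user's goal id still has to
 * pass the check above for that goal's real owner.
 */
function example_delete_personal_goal($goalid) {
    global $DB, $USER;

    require_sesskey();
    $goal = $DB->get_record('goal_personal', ['id' => $goalid], '*', MUST_EXIST);

    if (!example_can_delete_personal_goal($goal->userid, $USER->id)) {
        throw new required_capability_exception(context_system::instance(),
            'totara/hierarchy:manageownpersonalgoal', 'nopermissions', '');
    }

    $DB->delete_records('goal_personal', ['id' => $goal->id]);
}
```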

    TL-9515        Fixed sanitisation of user's firstname and lastname when sending emails

                   Totara was not previously sanitising the user's firstname and lastname
                   correctly when compiling emails to the user.
                   An authenticated user could therefore alter their firstname or lastname in
                   Totara to contain invalid content, including additional email addresses.
                   As their firstname and lastname were not being correctly sanitised, this
                   could be abused to send spam to others.
                   The user's firstname and lastname are now properly sanitised.
                   
                   References MDL-55069
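The class of problem behind TL-9515 / MDL-55069 (in both the 2.9.9 and 2.7.17 notes above) is header injection: email header fields are separated by CRLF, so a user-editable name containing a line break can append extra headers or recipients. The following is an added example, not Totara's or Moodle's own fix; it shows one way to build a display name safely, with the function name and the sample input being constructed for illustration.

```php
<?php
// Added example (not Totara's or Moodle's code): sanitising a user-supplied
// display name before it is placed in an email header, as the TL-9515 notes
// describe. Strips control characters and quotes the name as an RFC 5322
// quoted-string so nothing in it can be read as a second address or header.

/**
 * Build a safe "Name <address>" mailbox for To:/From:/Reply-To: headers.
 *
 * @param string $firstname user-editable, untrusted
 * @param string $lastname  user-editable, untrusted
 * @param string $email     recipient address
 * @return string
 */
function example_safe_mailbox($firstname, $lastname, $email) {
    $name = trim($firstname . ' ' . $lastname);

    // 1. Remove CR, LF and every other control character: a line break ends
    //    the current header and starts a new one, which is the injection primitive.
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name);

    // 2. Refuse an address that is malformed or carries a line break itself.
    if (!filter_var($email, FILTER_VALIDATE_EMAIL) || preg_match('/[\r\n]/', $email)) {
        throw new InvalidArgumentException('Invalid recipient address');
    }

    // 3. If the name contains anything outside RFC 5322 "atext" (e.g. < > , ; : " @),
    //    wrap it in a quoted-string with " and \ escaped so it stays a display name.
    if (preg_match('/[^A-Za-z0-9 !#$%&\'*+\/=?^_`{|}~-]/', $name)) {
        $name = '"' . addcslashes($name, '"\\') . '"';
    }

    return $name === '' ? "<$email>" : "$name <$email>";
}

// Constructed sample: a user who set their firstname to smuggle in a Bcc header.
$mailbox = example_safe_mailbox("Alice\r\nBcc: victim@example.net", 'Smith', 'alice@example.org');
// $mailbox is now: "AliceBcc: victim@example.net Smith" <alice@example.org>
// The line break is gone and the would-be header is inert text inside the quotes.
```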


Improvements:

    TL-9221        Added the ability to resolve dismissed program exceptions to the completion editor

                   The Program and Certification completion editors now display information
                   about dismissed program exceptions when viewing a user's completion data,
                   and allow dismissed exceptions to be overridden.

    TL-9314        Improved the information shown when viewing a Certification

                   When a user views one of their certifications, they will see a more verbose
                   description of the status.
                   It is now clear when a user is not required to work on a certification.
                   When working on a specific certification path, only courses in that path
                   are shown (as before), otherwise both paths are shown, rather than trying
                   to show the last path completed (which cannot be calculated under several
                   circumstances).
                   
                   Additionally, a warning has been added, and is shown when the user is due
                   to recertify but the window opening process has not yet occurred.

    TL-9383        Improved the performance of sidebar searches within Report Builder

                   For reports which had multi-check filters enabled in the sidebar, such as
                   in the course catalog, item counts shown in the filter were sometimes being
                   queried twice unnecessarily.
                   In cases where there were thousands of items, this had a noticeable effect
                   on performance.
                   These items counts are now only queried once, and only if needed.

    TL-9483        Fixed Behat file uploads to work in all browsers and in remote selenium instances
    TL-9484        Added a workaround for missing alert confirmation support in PhantomJS
    TL-9556        Environment definition updated to reflect Moodle 3.2 requirements

Bug fixes:

    TL-7907        Fixed manager approval for Face-to-face direct enrolment when automatic signup is enabled

                   Previously if you had a Face-to-face activity that was configured to
                   require manager approval, within a course with a Face-to-face direct
                   enrolment instance added and configured to automatically sign new users up
                   to all available sessions, then when a new user signed up they would be
                   automatically booked to the session requiring manager approval, bypassing
                   the approval stage.
                   Now the Face-to-face direct enrolment plugin, with automatic signup
                   enabled, correctly respects the manager approval requirements for available
                   sessions.

    TL-8601        Fixed backup and restore of multi-select and file type Course custom fields
    TL-8985        Suspending a user no longer cancels past Face-to-face signups

                   Previously if you suspended a user any Face-to-face signups they had made
                   would be cancelled, even when the Face-to-face session had already been
                   run.
                   Now when a user is suspended only Face-to-face signups for future sessions
                   are cancelled.

    TL-9056        Fixed program enrolment messages not being sent

                   It was possible that some program and certification enrolment messages were
                   not being sent. This would only occur in the unlikely event that the
                   program messaging scheduled task took some time to run, and that program
                   assignments changed during that time (either by a manual change made in the
                   Assignments interface when there were less than 200 users involved in the
                   program, or due to one of the two user assignment scheduled tasks running
                   at the same time). This has now been fixed. This patch does not
                   retroactively send program/certification enrolment messages that were
                   missed.

    TL-9086        HR Import now validates incoming user custom field values consistently

                   Previously HR Import was validating incoming user custom field data without
                   first passing it through the user custom fields API.
                   This could lead to invalid data passing validation as it had not been
                   appropriately translated.
                   HR Import now correctly passes incoming data through the user custom fields
                   API prior to validation to ensure any invalid data is detected and not
                   imported.

    TL-9116        Fixed broken images when viewing the description for a live Appraisal
    TL-9118        HR Import now converts mixed case usernames to lower case

                   This fixes a backwards compatibility issue introduced by TL-8502.
                   TL-8502 improved validation of usernames being imported through HR Import.
                   Unfortunately a previously added hack was present which was converting
                   mixed case usernames to lower case.
                   TL-8502 reverted this hack, ensuring only completely valid usernames could
                   be imported, and any invalid usernames would be skipped with an error.
                   After the release of 2.9.7 we received several reports of people relying on
                   this conversion to import their data.
                   After much discussion we decided to treat this as a backwards compatibility
                   issue and fix it as a bug in 2.7 and 2.9.
                   Now when you import a username with mixed case you will receive a warning,
                   the username will be converted to lower case and the user will be
                   imported.
                   Please note that in Totara 9.0 you will receive an error and the user will
                   not be imported.
                   We advise those who are getting these warnings to fix the data they are
                   importing so as to make it accurate.

    TL-9135        Fixed the use of files within textarea type custom fields
    TL-9159        Multi-select custom field data params are now correctly deleted when the field is deleted

                   Previously data params for multi-select custom field values were not being
                   deleted when the multi-select custom field was deleted.
                   This resulted in orphaned data param records being left in the database.
                   Now when a multi-select custom field is deleted the data params for it are
                   also deleted.
                   Additionally an upgrade step will clean up any orphaned multi-select data
                   params that may be lurking in your database.

    TL-9187        Fixed searching of the Program exceptions list by firstname and lastname
    TL-9210        Fixed a missing iCal attachment in the Face-to-face session allocation notification email
    TL-9235        Fixed the display of aggregated yes_or_no Report Builder columns

                   "Yes" is counted as 1, "No" is counted as 0. Aggregate functions use these
                   values for the calculations.

    TL-9387        Fixed the display of Face-to-face sessions in the Face-to-face block
    TL-9392        Available courses on the front page are no longer duplicated when the user is not enrolled in any courses

                   If the front page had been configured to display a list of Enrolled Courses
                   and the user was not enrolled on any courses then a list of available
                   courses would be displayed instead.
                   Previously if you had also configured the front page to contain a list of
                   available courses this would then lead to the list of available courses
                   being displayed twice.
                   Now when the front page has been configured to display a list of available
                   courses and enrolled courses, when the user is not enrolled on courses then
                   nothing is printed.
                   This stops the list of available courses from being printed twice.

    TL-9397        Fixed an error encountered while exporting a Face-to-face cancellation report

                   This fixes a regression introduced by TL-6962, which was released in
                   Totara 2.7.14 and 2.9.6.

    TL-9438        Fixed average aggregation within Report Builder when using MSSQL

                   MSSQL now ensures that it is using decimals when fetching average
                   aggregations.

    TL-9453        Prevented the adding of a Program to a Learning Plan from resetting Program status

                   When a program was already assigned to a user, if the same program was then
                   added to the user's learning plan, the status of the program was reset. The
                   program would likely be re-marked completed by cron, but only if the course
                   requirements were unchanged and the courses involved were still marked
                   complete.
                   Additionally, dates related to the program may have changed.
                   This fix prevents changes when adding a program to a learning plan if the
                   user is already assigned to the program.

    TL-9485        Fixed data param handling in the core data object class
    TL-9669        Fixed the possibility of a "maximum SQL input variables" bug within the Face-to-face upgrade

Contributions:

    * Davo Smith at Synergy Learning - TL-9485
    * Francis Devine at Catalyst NZ - TL-9086
    * Nigel Cunningham at Catalyst AU - TL-8601

Release 2.6.34 (26th July 2016):

Security issues:

    TL-9340        Fixed access control when deleting calendar subscriptions

                   Users can only delete their own calendar subscriptions.
                   Previously it was possible to craft a special request that would allow you
                   to delete a calendar subscription regardless of whether you were the owner
                   or not.
                   The moodle/calendar:manageownentries capability is now consistently
                   checked.

    TL-9400        Fixed access control when deleting personal goals

                   A user's personal goals can only be deleted if one of the following
                   conditions is true for the current user:
                   
                   1. They have the totara/hierarchy:managegoalassignments capability in the
                   system context.
                   2. They are a manager of the goal's owner and they have the
                   totara/hierarchy:managestaffpersonalgoal capability in the user's context.
                   3. It is one of their own personal goals and they have the
                   totara/hierarchy:manageownpersonalgoal capability in the system context.
                   
                   Previously it was possible to craft a special request that would allow you
                   to delete any personal goal, regardless of whether it was one of your
                   personal goals or not.
                   The relevant capability checks are now consistently applied.
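Both TL-9340 and TL-9400 are the same class of bug: a deletion endpoint trusted the identifiers in the request instead of re-deriving ownership from the stored record and checking the capability on every request. The following is an added example (not Totara code): a small Python model of the three rules listed under TL-9400 and the owner-plus-capability rule under TL-9340. The capability store, the manager relation, the `AccessModel` class, the context in which `moodle/calendar:manageownentries` is checked, and the user names in `demo()` are all constructed stand-ins for Totara's real context and capability system.

```python
"""Server-side authorisation for deleting calendar subscriptions and personal
goals, modelled on the rules stated in TL-9340 and TL-9400.
Added example: this is not Totara code. The capability/manager model below is a
constructed stand-in for Totara's context and capability system."""

from dataclasses import dataclass

# Context identifiers: the system context, and one user context per user.
SYSTEM_CONTEXT = ("system", 0)


def user_context(userid: int) -> tuple:
    return ("user", userid)


@dataclass(frozen=True)
class CalendarSubscription:
    id: int
    userid: int  # owner, taken from the stored record, never from the request


@dataclass(frozen=True)
class PersonalGoal:
    id: int
    userid: int  # owner, taken from the stored record, never from the request


class AccessModel:
    """Constructed capability store: who holds which capability in which
    context, and who manages whom (an assumption, not Totara's API)."""

    def __init__(self):
        self._grants = {}    # (userid, context) -> set of capability names
        self._managers = {}  # staff userid -> set of manager userids

    def grant(self, userid, context, capability):
        self._grants.setdefault((userid, context), set()).add(capability)

    def set_manager(self, staffid, managerid):
        self._managers.setdefault(staffid, set()).add(managerid)

    def has_capability(self, capability, context, userid):
        return capability in self._grants.get((userid, context), set())

    def is_manager_of(self, managerid, staffid):
        return managerid in self._managers.get(staffid, set())


def can_delete_calendar_subscription(model, current_userid, sub):
    # TL-9340: must be the owner AND hold the capability. Checking the
    # capability in the system context is an assumption of this model.
    return sub.userid == current_userid and model.has_capability(
        "moodle/calendar:manageownentries", SYSTEM_CONTEXT, current_userid)


def can_delete_personal_goal(model, current_userid, goal):
    # TL-9400: any one of the three conditions is sufficient.
    if model.has_capability("totara/hierarchy:managegoalassignments",
                            SYSTEM_CONTEXT, current_userid):
        return True
    if model.is_manager_of(current_userid, goal.userid) and model.has_capability(
            "totara/hierarchy:managestaffpersonalgoal",
            user_context(goal.userid), current_userid):
        return True
    if goal.userid == current_userid and model.has_capability(
            "totara/hierarchy:manageownpersonalgoal", SYSTEM_CONTEXT, current_userid):
        return True
    return False


def delete_personal_goal(model, goals, current_userid, goalid):
    """Request handler: the only request-controlled value is the goal id.
    Ownership is read from the stored goal, so a crafted request cannot
    select someone else's goal and claim it as its own."""
    goal = goals.get(goalid)
    if goal is None:
        return "not found"
    if not can_delete_personal_goal(model, current_userid, goal):
        return "denied"
    del goals[goalid]
    return "deleted"


def demo():
    """Constructed scenario: which of four users may delete Bob's goal."""
    model = AccessModel()
    alice, bob, carol, dave = 1, 2, 3, 4
    model.grant(alice, SYSTEM_CONTEXT, "totara/hierarchy:managegoalassignments")
    model.grant(bob, SYSTEM_CONTEXT, "totara/hierarchy:manageownpersonalgoal")
    model.set_manager(bob, carol)
    model.grant(carol, user_context(bob), "totara/hierarchy:managestaffpersonalgoal")
    # Dave manages nobody and holds no capability: the crafted-request case.
    goal = PersonalGoal(id=10, userid=bob)
    return {u: can_delete_personal_goal(model, u, goal)
            for u in (alice, bob, carol, dave)}
```

The point to carry over to real code is in `delete_personal_goal`: the owner is looked up from the record identified by the request, and the capability check runs on that record unconditionally, on every code path that deletes.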

    TL-9515        Fixed sanitisation of user's firstname and lastname when sending emails

                   Totara was not previously sanitising the user's firstname and lastname
                   correctly when compiling emails to the user.
                   An authenticated user could therefore alter their firstname or lastname in
                   Totara to contain invalid content, including additional email addresses.
                   As their firstname and lastname were not being correctly sanitised, this
                   could be abused to send spam to others.
                   The user's firstname and lastname are now properly sanitised.
                   
                   References MDL-55069
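The defect behind TL-9515 is a user-controlled display name reaching an email header verbatim: a comma or angle bracket in the name becomes address syntax, and a CR/LF pair starts a new header line. The following is an added example in Python, not Totara or Moodle code, showing the "before" shape next to a hardened version that strips control characters and lets the standard library quote the display name. The function names and the constructed sample name in `demo()` are assumptions made for this illustration.

```python
"""Sanitising a user-controlled display name before it is placed in an email
header, illustrating the class of bug fixed in TL-9515 / MDL-55069.
Added example, not Totara or Moodle code; function names and the constructed
sample values are assumptions."""

import re
from email.utils import formataddr, getaddresses

# Control characters (CR, LF, NUL, ...) can end the current header line and
# start a new one; they never belong in a display name.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def sanitise_display_name(name: str) -> str:
    """Replace control characters with spaces and collapse whitespace."""
    cleaned = _CONTROL_CHARS.sub(" ", name)
    return " ".join(cleaned.split())


def recipient_header_unsafe(firstname: str, lastname: str, email: str) -> str:
    """The 'before' shape: names concatenated straight into the header value,
    so commas, angle brackets and CR/LF in the name are interpreted as syntax."""
    return f"{firstname} {lastname} <{email}>"


def recipient_header(firstname: str, lastname: str, email: str) -> str:
    """Hardened form: control characters are removed, then formataddr wraps
    the display name in a quoted-string when it contains specials, so commas,
    angle brackets and '@' inside it are plain text, not address syntax."""
    display = sanitise_display_name(f"{firstname} {lastname}")
    return formataddr((display, email))


def recipients(header: str) -> list:
    """Parse a header value back into (display name, address) pairs, which is
    what a mail transfer agent would act on."""
    return getaddresses([header])


def demo() -> list:
    """Constructed sample: a user who put an extra address and a folded
    header line into their surname. Returns the recipients an MTA would see
    after the hardened header is built."""
    first = "Eve"
    last = "Smith, victim@example.com\r\nBcc: other@example.com"
    email = "eve@example.com"
    return recipients(recipient_header(first, last, email))
```

Running `demo()` yields a single recipient, `eve@example.com`, with the whole crafted surname kept inside the quoted display name. Building the same input with `recipient_header_unsafe` instead leaves the comma and the CR/LF in the raw header value, which is exactly the condition the fix removes. Note that the sanitiser deliberately does not try to reject "suspicious" names; it only removes characters that have structural meaning in a header and relies on correct quoting for the rest.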


Improvements:

    TL-9221        Added the ability to resolve dismissed program exceptions to the completion editor

                   The Program and Certification completion editors now display information
                   about dismissed program exceptions when viewing a user's completion data,
                   and allow dismissed exceptions to be overridden.

    TL-9483        Fixed Behat file uploads to work in all browsers and in remote selenium instances
    TL-9484        Added a workaround for missing alert confirmation support in PhantomJS

Bug fixes:

    TL-5108        Stopped timezones being displayed within Face-to-face reports when they are disabled in the plugin settings
    TL-5654        Added missing notification templates to Face-to-face settings
    TL-9135        Fixed the use of files within textarea type custom fields
    TL-9210        Fixed a missing iCal attachment in the Face-to-face session allocation notification email
    TL-9392        Available courses on the front page are no longer duplicated when the user is not enrolled in any courses

                   If the front page had been configured to display a list of Enrolled Courses
                   and the user was not enrolled on any courses, a list of available courses
                   was displayed instead.
                   Previously, if you had also configured the front page to contain a list of
                   available courses, this led to the list of available courses being
                   displayed twice.
                   Now, when the front page has been configured to display both a list of
                   available courses and a list of enrolled courses, and the user is not
                   enrolled on any courses, nothing is printed in place of the enrolled
                   courses list.
                   This stops the list of available courses from being printed twice.

    TL-9453        Prevented the adding of a Program to a Learning Plan from resetting Program status

                   When a program was already assigned to a user, if the same program was then
                   added to the user's learning plan, the status of the program was reset. The
                   program would likely be re-marked completed by cron, but only if the course
                   requirements were unchanged and the courses involved were still marked
                   complete.
                   Additionally, dates related to the program may have changed.
                   This fix prevents changes when adding a program to a learning plan if the
                   user is already assigned to the program.

    TL-9466        Fixed notice when sending registration information via cron when executed from the command line

Release 2.5.41 (26th July 2016):

Security issues:

    TL-9340        Fixed access control when deleting calendar subscriptions

                   Users can only delete their own calendar subscriptions.
                   Previously it was possible to craft a special request that would allow you
                   to delete a calendar subscription regardless of whether you were the owner
                   or not.
                   The moodle/calendar:manageownentries capability is now consistently
                   checked.

    TL-9400        Fixed access control when deleting personal goals

                   A user's personal goals can only be deleted if one of the following
                   conditions is true for the current user:
                   
                   1. They have the totara/hierarchy:managegoalassignments capability in the
                   system context.
                   2. They are a manager of the goal's owner and they have the
                   totara/hierarchy:managestaffpersonalgoal capability in the user's context.
                   3. It is one of their own personal goals and they have the
                   totara/hierarchy:manageownpersonalgoal capability in the system context.
                   
                   Previously it was possible to craft a special request that would allow you
                   to delete any personal goal, regardless of whether it was one of your
                   personal goals or not.
                   The relevant capability checks are now consistently applied.

    TL-9515        Fixed sanitisation of user's firstname and lastname when sending emails

                   Totara was not previously sanitising the user's firstname and lastname
                   correctly when compiling emails to the user.
                   An authenticated user could therefore alter their firstname or lastname in
                   Totara to contain invalid content, including additional email addresses.
                   As their firstname and lastname were not being correctly sanitised, this
                   could be abused to send spam to others.
                   The user's firstname and lastname are now properly sanitised.
                   
                   References MDL-55069


Improvements:

    TL-9221        Added the ability to resolve dismissed program exceptions to the completion editor

                   The Program and Certification completion editors now display information
                   about dismissed program exceptions when viewing a user's completion data,
                   and allow dismissed exceptions to be overridden.


Bug fixes:

    TL-9392        Available courses on the front page are no longer duplicated when the user is not enrolled in any courses

                   If the front page had been configured to display a list of Enrolled Courses
                   and the user was not enrolled on any courses, a list of available courses
                   was displayed instead.
                   Previously, if you had also configured the front page to contain a list of
                   available courses, this led to the list of available courses being
                   displayed twice.
                   Now, when the front page has been configured to display both a list of
                   available courses and a list of enrolled courses, and the user is not
                   enrolled on any courses, nothing is printed in place of the enrolled
                   courses list.
                   This stops the list of available courses from being printed twice.

    TL-9453        Prevented the adding of a Program to a Learning Plan from resetting Program status

                   When a program was already assigned to a user, if the same program was then
                   added to the user's learning plan, the status of the program was reset. The
                   program would likely be re-marked completed by cron, but only if the course
                   requirements were unchanged and the courses involved were still marked
                   complete.
                   Additionally, dates related to the program may have changed.
                   This fix prevents changes when adding a program to a learning plan if the
                   user is already assigned to the program.

    TL-9466        Fixed notice when sending registration information via cron when executed from the command line

Release 2.4.43 (26th July 2016):

Security issues:

    TL-9340        Fixed access control when deleting calendar subscriptions

                   Users can only delete their own calendar subscriptions.
                   Previously it was possible to craft a special request that would allow you
                   to delete a calendar subscription regardless of whether you were the owner
                   or not.
                   The moodle/calendar:manageownentries capability is now consistently
                   checked.

    TL-9515        Fixed sanitisation of user's firstname and lastname when sending emails

                   Totara was not previously sanitising the user's firstname and lastname
                   correctly when compiling emails to the user.
                   An authenticated user could therefore alter their firstname or lastname in
                   Totara to contain invalid content, including additional email addresses.
                   As their firstname and lastname were not being correctly sanitised, this
                   could be abused to send spam to others.
                   The user's firstname and lastname are now properly sanitised.
                   
                   References MDL-55069


Bug fixes:

    TL-9466        Fixed notice when sending registration information via cron when executed from the command line

Release 2.2.49 (26th July 2016):

Security issues:

    TL-9515        Fixed sanitisation of user's firstname and lastname when sending emails

                   Totara was not previously sanitising the user's firstname and lastname
                   correctly when compiling emails to the user.
                   An authenticated user could therefore alter their firstname or lastname in
                   Totara to contain invalid content, including additional email addresses.
                   As their firstname and lastname were not being correctly sanitised, this
                   could be abused to send spam to others.
                   The user's firstname and lastname are now properly sanitised.
                   
                   References MDL-55069


Bug fixes:

    TL-9298        Fixed PHP warnings on the My Learning page when there are no tasks or alerts