Hello everyone,
The following versions of Totara have now been released:
- 2.9.10
- 2.7.18
- 2.6.35
- 2.5.42
- 2.4.44
- 2.2.50
These versions do contain security fixes and for this reason we strongly recommend upgrading.
Each release also includes bug fixes and improvements.
Thanks to the following people for their contributions to this release:
- Eugene Venter at Catalyst NZ - TL-9777
Kind regards
Sam Hemelryk
Package information:
| SHA1 checksum | Package name | Size |
|---|---|---|
| 18315454dcf1089ba31537765127bd77e75631df | totaralms-2.2.50.tar.gz | 26M |
| dfe5d1b5122c7aa2a1a2eb7bd4aa7a966e91f485 | totaralms-2.4.44.tar.gz | 32M |
| e4451697e766c7693023d4aabcd84a6fe8cac12b | totaralms-2.5.42.tar.gz | 44M |
| 92ad387004717eb12068b48241dbeaf39747dace | totaralms-2.6.35.tar.gz | 50M |
| 1f3783e7e9b43cfce3c8956e521479e2fb614181 | totaralms-2.7.18.tar.gz | 56M |
| 6ab688463e73158b35125092e5b2e4a1e503fb3a | totaralms-2.9.10.tar.gz | 47M |
Release 2.9.10 (23rd August 2016):
Security issues:
TL-9448 Search terms when searching user messaging are now strictly escaped
Previously it was possible to use the wildcard "%" character when searching
for users on the Messages page, and doing so would return a list of all
users.
While the result is correct, allowing the use of the wildcard character
here means large result sets can be easily returned.
While not strictly a security issue, such functionality could be targeted by
the likes of DoS attacks as an effective page on which to generate
arbitrary load.
The search term is now strictly escaped, and "%" is now searched for as a
literal.
Bug fixes:
TL-7902 Attempting to assign a manager that would lead to a circular dependency now results in a validation error
Previously it was possible to create a circular reporting path which could
lead to unexpected behaviour and possible errors.
A validation error is now displayed when attempting to set a user's manager
if it would result in a circular reporting path.
TL-9196 Course set completion state is now reset when editing Certification completion records
When a certification completion record is changed from "Certified, before
window opens" to any other state using the certification completion editor,
the corresponding course set completion records will be reset.
This prevents users being re-marked certified due to these records when
cron runs.
Please note that changes in the certification completion editor do not
affect course completion. And as a consequence, if the courses contained in
the course sets are still marked complete then this may lead to the course
sets being marked complete again. This may lead to re-certification.
TL-9222 The Program and Certification completion editor now shows how a user is assigned
TL-9262 Fixed a bug with Face-to-face iCal attachments for sessions with multiple dates
Previously when loading an iCal attachment from a Face-to-face seminar with
multiple dates into your chosen calendar application only a single date
(the first date) may have been imported.
Now the iCal attachment contains all of the correct information to allow
the calendar application to import the event on multiple dates.
TL-9343 Horizontal scrolling in the grader report keeps the user's name visible
TL-9394 Fixed inconsistent timezone handling in Face-to-face notifications when "User timezone" was selected
TL-9395 Fixed inconsistent timezone handling on the "My Bookings" page in Face-to-face
TL-9449 Improved the performance of the Course and Certification completion import report sources
TL-9777 Fixed Face-to-face unit tests to use site specific module ids for testing
TL-9820 Improved the reliability of behat testing when executing multiple scenarios
Contributions:
* Eugene Venter at Catalyst NZ - TL-9777
Release 2.7.18 (23rd August 2016):
Security issues:
TL-9448 Search terms when searching user messaging are now strictly escaped
Previously it was possible to use the wildcard "%" character when searching
for users on the Messages page, and doing so would return a list of all
users.
While the result is correct, allowing the use of the wildcard character
here means large result sets can be easily returned.
While not strictly a security issue, such functionality could be targeted by
the likes of DoS attacks as an effective page on which to generate
arbitrary load.
The search term is now strictly escaped, and "%" is now searched for as a
literal.
Bug fixes:
TL-7902 Attempting to assign a manager that would lead to a circular dependency now results in a validation error
Previously it was possible to create a circular reporting path which could
lead to unexpected behaviour and possible errors.
A validation error is now displayed when attempting to set a user's manager
if it would result in a circular reporting path.
TL-9196 Course set completion state is now reset when editing Certification completion records
When a certification completion record is changed from "Certified, before
window opens" to any other state using the certification completion editor,
the corresponding course set completion records will be reset.
This prevents users being re-marked certified due to these records when
cron runs.
Please note that changes in the certification completion editor do not
affect course completion. And as a consequence, if the courses contained in
the course sets are still marked complete then this may lead to the course
sets being marked complete again. This may lead to re-certification.
TL-9222 The Program and Certification completion editor now shows how a user is assigned
TL-9262 Fixed a bug with Face-to-face iCal attachments for sessions with multiple dates
Previously when loading an iCal attachment from a Face-to-face seminar with
multiple dates into your chosen calendar application only a single date
(the first date) may have been imported.
Now the iCal attachment contains all of the correct information to allow
the calendar application to import the event on multiple dates.
TL-9394 Fixed inconsistent timezone handling in Face-to-face notifications when "User timezone" was selected
TL-9395 Fixed inconsistent timezone handling on the "My Bookings" page in Face-to-face
TL-9449 Improved the performance of the Course and Certification completion import report sources
TL-9777 Fixed Face-to-face unit tests to use site specific module ids for testing
TL-9820 Improved the reliability of behat testing when executing multiple scenarios
Contributions:
* Eugene Venter at Catalyst NZ - TL-9777
Release 2.6.35 (23rd August 2016):
Security issues:
TL-9448 Search terms when searching user messaging are now strictly escaped
Previously it was possible to use the wildcard "%" character when searching
for users on the Messages page, and doing so would return a list of all
users.
While the result is correct, allowing the use of the wildcard character
here means large result sets can be easily returned.
While not strictly a security issue, such functionality could be targeted by
the likes of DoS attacks as an effective page on which to generate
arbitrary load.
The search term is now strictly escaped, and "%" is now searched for as a
literal.
Bug fixes:
TL-7902 Attempting to assign a manager that would lead to a circular dependency now results in a validation error
Previously it was possible to create a circular reporting path which could
lead to unexpected behaviour and possible errors.
A validation error is now displayed when attempting to set a user's manager
if it would result in a circular reporting path.
TL-9196 Course set completion state is now reset when editing Certification completion records
When a certification completion record is changed from "Certified, before
window opens" to any other state using the certification completion editor,
the corresponding course set completion records will be reset.
This prevents users being re-marked certified due to these records when
cron runs.
Please note that changes in the certification completion editor do not
affect course completion. And as a consequence, if the courses contained in
the course sets are still marked complete then this may lead to the course
sets being marked complete again. This may lead to re-certification.
TL-9222 The Program and Certification completion editor now shows how a user is assigned
TL-9449 Improved the performance of the Course and Certification completion import report sources
TL-9777 Fixed Face-to-face unit tests to use site specific module ids for testing
TL-9820 Improved the reliability of behat testing when executing multiple scenarios
Contributions:
* Eugene Venter at Catalyst NZ - TL-9777
Release 2.5.42 (23rd August 2016):
Security issues:
TL-9448 Search terms when searching user messaging are now strictly escaped
Previously it was possible to use the wildcard "%" character when searching
for users on the Messages page, and doing so would return a list of all
users.
While the result is correct, allowing the use of the wildcard character
here means large result sets can be easily returned.
While not strictly a security issue, such functionality could be targeted by
the likes of DoS attacks as an effective page on which to generate
arbitrary load.
The search term is now strictly escaped, and "%" is now searched for as a
literal.
Bug fixes:
TL-9196 Course set completion state is now reset when editing Certification completion records
When a certification completion record is changed from "Certified, before
window opens" to any other state using the certification completion editor,
the corresponding course set completion records will be reset.
This prevents users being re-marked certified due to these records when
cron runs.
Please note that changes in the certification completion editor do not
affect course completion. And as a consequence, if the courses contained in
the course sets are still marked complete then this may lead to the course
sets being marked complete again. This may lead to re-certification.
TL-9222 The Program and Certification completion editor now shows how a user is assigned
TL-9449 Improved the performance of the Course and Certification completion import report sources
Release 2.4.44 (23rd August 2016):
Security issues:
TL-9448 Search terms when searching user messaging are now strictly escaped
Previously it was possible to use the wildcard "%" character when searching
for users on the Messages page, and doing so would return a list of all
users.
While the result is correct, allowing the use of the wildcard character
here means large result sets can be easily returned.
While not strictly a security issue, such functionality could be targeted by
the likes of DoS attacks as an effective page on which to generate
arbitrary load.
The search term is now strictly escaped, and "%" is now searched for as a
literal.
Release 2.2.50 (23rd August 2016):
Security issues:
TL-9448 Search terms when searching user messaging are now strictly escaped
Previously it was possible to use the wildcard "%" character when searching
for users on the Messages page, and doing so would return a list of all
users.
While the result is correct, allowing the use of the wildcard character
here means large result sets can be easily returned.
While not strictly a security issue, such functionality could be targeted by
the likes of DoS attacks as an effective page on which to generate
arbitrary load.
The search term is now strictly escaped, and "%" is now searched for as a
literal.
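
The wildcard behaviour described under TL-9448, shown as an added example that is not Totara's code or its actual fix: a bound LIKE parameter still treats "%" and "_" in the search term as wildcards unless they are escaped. The SQLite database, the `user` table, the sample names and the function names are all constructed for illustration, and it also covers the "_" single-character wildcard, which the notes above do not mention.

```python
import sqlite3

ESC = "\\"  # escape character passed to LIKE ... ESCAPE (assumed choice)

def escape_like(term, esc=ESC):
    """Escape LIKE metacharacters so the term is matched literally."""
    # The escape character itself is doubled first, then the wildcards.
    for ch in (esc, "%", "_"):
        term = term.replace(ch, esc + ch)
    return term

def build_db():
    """Constructed sample data; table and names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, fullname TEXT)")
    db.executemany("INSERT INTO user (fullname) VALUES (?)",
                   [("Alice Smith",), ("Bob Jones",), ("Carol 100% Real",),
                    ("Dan_Brown",), ("Dan Brown",)])
    return db

def search_unescaped(db, term):
    """Bound parameter (no SQL injection), but % and _ still act as wildcards."""
    sql = "SELECT fullname FROM user WHERE fullname LIKE ? ORDER BY id"
    return [r[0] for r in db.execute(sql, ("%" + term + "%",))]

def search_escaped(db, term):
    """Same query with the term escaped, so % and _ are searched as literals."""
    sql = "SELECT fullname FROM user WHERE fullname LIKE ? ESCAPE ? ORDER BY id"
    return [r[0] for r in db.execute(sql, ("%" + escape_like(term) + "%", ESC))]

if __name__ == "__main__":
    db = build_db()
    for term in ("%", "n_B"):
        print(repr(term), search_unescaped(db, term), search_escaped(db, term))
```
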
