Totara Release Notes

Security releases for Totara 2.9.10, 2.7.18, 2.6.35, 2.5.42, 2.4.44, and 2.2.50 released 23rd August 2016

 
Sam Hemelryk
Security releases for Totara 2.9.10, 2.7.18, 2.6.35, 2.5.42, 2.4.44, and 2.2.50 released 23rd August 2016
de Sam Hemelryk - Monday, 22 de August de 2016, 16:12
Grupo Totara

Hello everyone,

The following versions of Totara have now been released:

  • 2.9.10
  • 2.7.18
  • 2.6.35
  • 2.5.42
  • 2.4.44
  • 2.2.50

These versions do contain security fixes and for this reason we strongly recommend upgrading.
Each release also includes bug fixes and improvements.

Thanks to the following people for their contributions to this release:

  • Eugene Venter at Catalyst NZ - TL-9777

Kind regards
Sam Hemelryk

Package information:
SHA1 checksumPackage nameSize
18315454dcf1089ba31537765127bd77e75631dftotaralms-2.2.50.tar.gz26M
dfe5d1b5122c7aa2a1a2eb7bd4aa7a966e91f485totaralms-2.4.44.tar.gz32M
e4451697e766c7693023d4aabcd84a6fe8cac12btotaralms-2.5.42.tar.gz44M
92ad387004717eb12068b48241dbeaf39747dacetotaralms-2.6.35.tar.gz50M
1f3783e7e9b43cfce3c8956e521479e2fb614181totaralms-2.7.18.tar.gz56M
6ab688463e73158b35125092e5b2e4a1e503fb3atotaralms-2.9.10.tar.gz47M
Release 2.9.10 (23rd August 2016):

Security issues:

    TL-9448        Search terms when searching user messaging are now strictly escaped

                   Previously it was possible to use the wildcard "%" character when searching
                   for users on the Messages page, and doing so would return a list of all
                   users.
                   While the result is correct, allowing the use of the wildcard character
                   here means large result sets can be easily returned.
                   While not strictly a security issue such functionality could be targeted by
                   the likes of DOS attacks as an effective page on which to generate
                   arbitrary load.
                   The search term is now strictly escaped, and "%" is now searched for as a
                   literal.


Bug fixes:

    TL-7902        Attempting to assign a manager that would lead to a circular dependency now results in a validation error

                   Previously it was possible to create a circular reporting path which could
                   lead to unexpected behaviour and possible errors.
                   A validation error is now displayed when attempting to set a users manager
                   if it would result in a circular reporting path.

    TL-9196        Course set completion state is now reset when editing Certification completion records

                   When a certification completion record is changed from "Certified, before
                   window opens" to any other state using the certification completion editor,
                   the corresponding course set completion records will be reset.
                   This prevents users being re-marked certified due to these records when
                   cron runs.
                   Please note that changes in the certification completion editor do not
                   affect course completion. And as a consequence, if the courses contained in
                   the course sets are still marked complete then this may lead to the course
                   sets being marked complete again. This may lead to re-certification.

    TL-9222        The Program and Certification completion editor now shows how a user is assigned
    TL-9262        Fixed a bug with Face-to-face iCal attachments for sessions with multiple dates

                   Previously when loading an iCal attachment from a Face-to-face seminar with
                   multiple dates into your chosen calendar application only a single date
                   (the first date) may have been imported.
                   Now the iCal attachment contains all of the correct information to allow
                   the calendar application to import the event on multiple dates.

    TL-9343        Horizontal scrolling in the grader report keeps users name visible
    TL-9394        Fixed inconsistent timezone handling in Face-to-face notifications when "User timezone" was selected
    TL-9395        Fixed inconsistent timezone handling on the "My Bookings" page in Face-to-face
    TL-9449        Improved the performance of the Course and Certification completion import report sources
    TL-9777        Fixed Face-to-face unit tests to use site specific module ids for testing
    TL-9820        Improved the reliability of behat testing when executing multiple scenarios

Contributions:

    * Eugene Venter at Catalyst NZ - TL-9777

Release 2.7.18 (23rd August 2016):

Security issues:

    TL-9448        Search terms when searching user messaging are now strictly escaped

                   Previously it was possible to use the wildcard "%" character when searching
                   for users on the Messages page, and doing so would return a list of all
                   users.
                   While the result is correct, allowing the use of the wildcard character
                   here means large result sets can be easily returned.
                   While not strictly a security issue such functionality could be targeted by
                   the likes of DOS attacks as an effective page on which to generate
                   arbitrary load.
                   The search term is now strictly escaped, and "%" is now searched for as a
                   literal.


Bug fixes:

    TL-7902        Attempting to assign a manager that would lead to a circular dependency now results in a validation error

                   Previously it was possible to create a circular reporting path which could
                   lead to unexpected behaviour and possible errors.
                   A validation error is now displayed when attempting to set a users manager
                   if it would result in a circular reporting path.

    TL-9196        Course set completion state is now reset when editing Certification completion records

                   When a certification completion record is changed from "Certified, before
                   window opens" to any other state using the certification completion editor,
                   the corresponding course set completion records will be reset.
                   This prevents users being re-marked certified due to these records when
                   cron runs.
                   Please note that changes in the certification completion editor do not
                   affect course completion. And as a consequence, if the courses contained in
                   the course sets are still marked complete then this may lead to the course
                   sets being marked complete again. This may lead to re-certification.

    TL-9222        The Program and Certification completion editor now shows how a user is assigned
    TL-9262        Fixed a bug with Face-to-face iCal attachments for sessions with multiple dates

                   Previously when loading an iCal attachment from a Face-to-face seminar with
                   multiple dates into your chosen calendar application only a single date
                   (the first date) may have been imported.
                   Now the iCal attachment contains all of the correct information to allow
                   the calendar application to import the event on multiple dates.

    TL-9394        Fixed inconsistent timezone handling in Face-to-face notifications when "User timezone" was selected
    TL-9395        Fixed inconsistent timezone handling on the "My Bookings" page in Face-to-face
    TL-9449        Improved the performance of the Course and Certification completion import report sources
    TL-9777        Fixed Face-to-face unit tests to use site specific module ids for testing
    TL-9820        Improved the reliability of behat testing when executing multiple scenarios

Contributions:

    * Eugene Venter at Catalyst NZ - TL-9777

Release 2.6.35 (23rd August 2016):

Security issues:

    TL-9448        Search terms when searching user messaging are now strictly escaped

                   Previously it was possible to use the wildcard "%" character when searching
                   for users on the Messages page, and doing so would return a list of all
                   users.
                   While the result is correct, allowing the use of the wildcard character
                   here means large result sets can be easily returned.
                   While not strictly a security issue such functionality could be targeted by
                   the likes of DOS attacks as an effective page on which to generate
                   arbitrary load.
                   The search term is now strictly escaped, and "%" is now searched for as a
                   literal.


Bug fixes:

    TL-7902        Attempting to assign a manager that would lead to a circular dependency now results in a validation error

                   Previously it was possible to create a circular reporting path which could
                   lead to unexpected behaviour and possible errors.
                   A validation error is now displayed when attempting to set a users manager
                   if it would result in a circular reporting path.

    TL-9196        Course set completion state is now reset when editing Certification completion records

                   When a certification completion record is changed from "Certified, before
                   window opens" to any other state using the certification completion editor,
                   the corresponding course set completion records will be reset.
                   This prevents users being re-marked certified due to these records when
                   cron runs.
                   Please note that changes in the certification completion editor do not
                   affect course completion. And as a consequence, if the courses contained in
                   the course sets are still marked complete then this may lead to the course
                   sets being marked complete again. This may lead to re-certification.

    TL-9222        The Program and Certification completion editor now shows how a user is assigned
    TL-9449        Improved the performance of the Course and Certification completion import report sources
    TL-9777        Fixed Face-to-face unit tests to use site specific module ids for testing
    TL-9820        Improved the reliability of behat testing when executing multiple scenarios

Contributions:

    * Eugene Venter at Catalyst NZ - TL-9777

Release 2.5.42 (23rd August 2016):

Security issues:

    TL-9448        Search terms when searching user messaging are now strictly escaped

                   Previously it was possible to use the wildcard "%" character when searching
                   for users on the Messages page, and doing so would return a list of all
                   users.
                   While the result is correct, allowing the use of the wildcard character
                   here means large result sets can be easily returned.
                   While not strictly a security issue such functionality could be targeted by
                   the likes of DOS attacks as an effective page on which to generate
                   arbitrary load.
                   The search term is now strictly escaped, and "%" is now searched for as a
                   literal.


Bug fixes:

    TL-9196        Course set completion state is now reset when editing Certification completion records

                   When a certification completion record is changed from "Certified, before
                   window opens" to any other state using the certification completion editor,
                   the corresponding course set completion records will be reset.
                   This prevents users being re-marked certified due to these records when
                   cron runs.
                   Please note that changes in the certification completion editor do not
                   affect course completion. And as a consequence, if the courses contained in
                   the course sets are still marked complete then this may lead to the course
                   sets being marked complete again. This may lead to re-certification.

    TL-9222        The Program and Certification completion editor now shows how a user is assigned
    TL-9449        Improved the performance of the Course and Certification completion import report sources

Release 2.4.44 (23rd August 2016):

Security issues:

    TL-9448        Search terms when searching user messaging are now strictly escaped

                   Previously it was possible to use the wildcard "%" character when searching
                   for users on the Messages page, and doing so would return a list of all
                   users.
                   While the result is correct, allowing the use of the wildcard character
                   here means large result sets can be easily returned.
                   While not strictly a security issue such functionality could be targeted by
                   the likes of DOS attacks as an effective page on which to generate
                   arbitrary load.
                   The search term is now strictly escaped, and "%" is now searched for as a
                   literal.


Release 2.2.50 (23rd August 2016):

Security issues:

    TL-9448        Search terms when searching user messaging are now strictly escaped

                   Previously it was possible to use the wildcard "%" character when searching
                   for users on the Messages page, and doing so would return a list of all
                   users.
                   While the result is correct, allowing the use of the wildcard character
                   here means large result sets can be easily returned.
                   While not strictly a security issue such functionality could be targeted by
                   the likes of DOS attacks as an effective page on which to generate
                   arbitrary load.
                   The search term is now strictly escaped, and "%" is now searched for as a
                   literal.