Totara Release Notes

Security releases for Totara 9.0rc1, 2.9.11, 2.7.19, 2.6.36, 2.5.43, 2.4.45, and 2.2.51 released 22nd September 2016

 
Sam Hemelryk
Security releases for Totara 9.0rc1, 2.9.11, 2.7.19, 2.6.36, 2.5.43, 2.4.45, and 2.2.51 released 22nd September 2016
על ידי Sam Hemelryk בתאריך 21/09/2016, 21:58
קבוצה Totara

Hello everyone,

The following versions of Totara have now been released:

  • 9.0 rc1
  • 2.9.11
  • 2.7.19
  • 2.6.36
  • 2.5.43
  • 2.4.45
  • 2.2.51

The stable releases do contain security fixes and for this reason we strongly recommend upgrading. Each release also includes bug fixes and improvements.

Thanks to the following people for their contributions to this release:

  • Andre Yamin at Kineo NZ - TL-9491
  • Russell England at Kineo USA - TL-10235

Kind regards
Sam Hemelryk


Package information:
SHA1 checksumPackage nameSize
0a2e0bef9c250f0af58a7254f48470704a1de56ctotaralms-9.0-rc1.tar.gz51M
c1e1f173923e736cd77ec51c828fb2356b60fe23totaralms-2.9.11.tar.gz47M
c6f3c9f4f8d2dabf32be1dd1234145f74868b728totaralms-2.7.19.tar.gz56M
384e093522884100abb9624fdc4c5e0cd99fb37ctotaralms-2.6.36.tar.gz50M
6c4840352e4504ac43abe1951591d8b7934cfe6ftotaralms-2.5.43.tar.gz44M
156c4beca89e63b902e021541771daf52348c93btotaralms-2.4.45.tar.gz32M
63f0c85d7c861c6a5a7db6529cde239f4d278257totaralms-2.2.51.tar.gz26M
Release 9.0 release candidate 1 (22nd September 2016):
Changelogs for the 9.0 release will be provided with the final, production ready release, due out early October.
Please see the release announcement for this release for more information.
Release 2.9.11 (22nd September 2016):

Important:

    TL-8675        Improvements to certification completion import

                   There were several bugs and unexpected behaviours in the import
                   certification completion module. This was often compounded by the confusion
                   about how the "Override" option was supposed to work.

                   To solve these problems, major changes were required. The internal
                   processes have been completely rewritten, allowing the result of importing
                   records to be clearly defined. Detailed logs are recorded in the
                   certification completion transaction logs.

                   To facilitate this, the "Override" option has been removed. To reduce
                   confusion and allow flexibility, it was replaced with a new setting called
                   "Import action" which has three possible settings; "Save to history",
                   "Certify uncertified users" and "Certify if newer". The old "Override off"
                   maps most closely to "Save to history", while "Override on" maps most
                   closely to "Certify if newer". Detailed help has been included for these
                   options in a popup, clearly explaining what will happen given any
                   combination of input record and existing data.

                   While "bulk" database transactions were maintained and improved, it is
                   possible that this change could lead to an increase in import processing
                   times. Most notably, user assignments are now being properly processed
                   during import, which could increase running time when importing a large
                   number of records for users who are not already assigned. This can be
                   avoided by assigning the users to the certification first, making sure to
                   wait for "deferred" user assignments to finish being processed by the
                   scheduled task, before importing the completion records.

                   Course completion import was not affected by this change.

    TL-9717        Prevent circular management structures being created using HR Import

                   TL-7902 prevented circular management structures being created using the
                   position assignments form. This patch enforces the same rules for data
                   imported using HR import.

                   If you attempt to import users with management structures that would lead
                   to circular references, all users forming the circular reference will fail
                   to import with a notice explaining why.

    TL-10487        Inclusion of Moodle 2.9.8

                   Please note not all changes included in Moodle 2.9.8 were included in this
                   release.
                   Specifically MDL-49026 was not included as we feel a more complete solution
                   can be found, TL-10488 will be used to find that complete solution.


Security issues:

    TL-10044        Removed unnecessary sesskey param when managing hierarchies

                   The sesskey param was previously passed on hierarchy management actions,
                   including those that had confirmation steps.
                   The sesskey is now only added when actually performing the action, and all
                   actions have been confirmed to redirect.
                   This ensures that the sesskey is never exposed unnecessarily when managing
                   hierarchies.

    TL-10355        Fixed information disclosure within Feedback 360 responses

                   Previously one of the Feedback 360 AJAX scripts could be used to test which
                   users had responded to a Feedback activity due to insufficient capability
                   checks.
                   Capability checks are now applied correctly and the output of the script
                   has been normalised so that it can no longer be used to test if a user has
                   responded.

    TL-10435        Capability checks when changing hierarchy item types are now explicit

                   Prior to this update access control when changing a hierarchy item type was
                   carried out by the admin setting page capabilities. This allowed a user
                   with only the capability to manage frameworks to change item types.
                   The totara/hierarchy:update capability is now explicitly checked when
                   changing the type of a hierarchy item.

    TL-10463        Applied stricter type validation when managing custom fields

                   Previously when creating, or editing custom fields it was possible to
                   manipulate the form markup and exploit the loose validation to execute
                   exploits.
                   All custom field input types have been reviewed and much stricter type
                   validation is now in place to ensure that incoming data is stringently
                   cleaned.

    TL-10489        Forgotten password workflow no longer exposes the token via headers

                   Previously if the theme introduced any external links on all pages, then
                   during the forgotten password process if the user followed these links the
                   token used to reset their password would be present in the referrer
                   information sent to the external page.
                   The token is no longer masked through a redirect on the initial request,
                   and is no longer exposed via referrer information.


Improvements:

    TL-9426        Program assignments with due date based on first login will be assigned immediately

                   Previously, if you assigned users to a program or certification and set
                   their due date to "within N days of first login" then the user assignment
                   and program and certification completion records were not being created
                   until the user first logged in. Now, these records are created immediately,
                   and will be updated with a due date when the user first logs in. This is
                   consistent with adding a user with no due date criteria and later adding
                   the "first login" criteria. Note that users who previously had been
                   assigned and were immediately given the "first login" criteria were not
                   showing in completion reports until they first logged in - now they will be
                   included in reports immediately. Previous report behaviour can be achieved
                   by using the "User First Access" report filter.

    TL-9491        Enhanced SCORM report source to use additional tracking fields
    TL-10161        Added accessibility text to action menus
    TL-10358        Deleted unused test course backup file
    TL-10469        Stopped duplicate log entries being created when creating an objective within a plan

Bug fixes:

    TL-8803        Fixed rules for first/last log in dates in dynamic audiences

                   This fixes an issue where users who have never logged in are incorrectly
                   included in dynamic audiences with a single rule, of the type first log in,
                   or last log in.
                   Users who have never logged in are now correctly excluded.

                   Please note this may lead to audience membership changes if you have any
                   dynamic audiences with a single rule, of the type first log in, or last log
                   in.

    TL-9275        Fixed the variable translations for course reminder templates
    TL-9405        Fixed the visibility of user profile custom fields in user reports
    TL-9431        Fixed the formatting of Report Builder titles when exporting to Excel
    TL-9480        Always reset activity grades when course completion is archived

                   Previously, when course completion was archived (due to certification
                   window opening, or by using the "Completions archive" link), it was
                   possible that under some specific circumstances activity grades were not
                   being reset, possibly leading to unwanted re-completion of the activity,
                   course and/or certification. Now, activity grades will always be reset, in
                   all activities, including custom activities. Activities which implement the
                   "_archive_completion" function are no longer required to
                   reset grades themselves, although they may continue to reset grades if they
                   do so already.

    TL-9490        Fixed the pagination of content when viewing a category
    TL-9512        Fixed incorrect uniqueness checks on empty user custom profile fields
    TL-9701        Report builder graph legend now sizes dynamically to better accommodate its content
    TL-9734        Corrected the "is equal to" proficiency filter in Competency Status report
    TL-9776        Corrected the string used by the "status" filter in Program Membership reports
    TL-9793        Fixed dimming of course names in course overview block when audience visibility is on
    TL-9801        Fixed incorrect API call when upgrading dashboards
    TL-9806        Fixed undefined event property when assigning goals to a hierarchy item
    TL-9889        Fixed undefined property allowduplicatedemails warning on HR import user CSV page
    TL-10033        Fixed program course sets set to "Some courses" and "0"
    TL-10088        Fixed pagination within the Totara Report block
    TL-10116        Fixed Face-to-face notification templates when manager copy prefix was missing
    TL-10181        Site managers within category context can now see users emails in program assignment dialogs
    TL-10229        Fixed upgrade of assignment submissions which had been graded twice
    TL-10235        Face-to-face events are now correctly shown on the site calendar when configured to do so
    TL-10251        Fixed HTML validation when viewing a single badge
    TL-10275        Removed empty link from Record of Learning previous course completion column
    TL-10313        Fixed Report builder graph placement issues in PDF exports
    TL-10341        Removed program status column for non-assigned users

                   The status column was recently inadvertently added when non-assigned users
                   were viewing a program or certification.

    TL-10400        Audience start and end dates are now shown correctly on the overview tab
    TL-10425        Searching without providing a term no longer leads to an error in Report Builder
    TL-10446        Removed invalid future 3.2 version from server environment tests

Contributions:

    * Andre Yamin at Kineo NZ - TL-9491
    * Russell England at Kineo USA - TL-10235

Release 2.7.19 (22nd September 2016):

Important:

    TL-8675        Improvements to certification completion import

                   There were several bugs and unexpected behaviours in the import
                   certification completion module. This was often compounded by the confusion
                   about how the "Override" option was supposed to work.

                   To solve these problems, major changes were required. The internal
                   processes have been completely rewritten, allowing the result of importing
                   records to be clearly defined. Detailed logs are recorded in the
                   certification completion transaction logs.

                   To facilitate this, the "Override" option has been removed. To reduce
                   confusion and allow flexibility, it was replaced with a new setting called
                   "Import action" which has three possible settings; "Save to history",
                   "Certify uncertified users" and "Certify if newer". The old "Override off"
                   maps most closely to "Save to history", while "Override on" maps most
                   closely to "Certify if newer". Detailed help has been included for these
                   options in a popup, clearly explaining what will happen given any
                   combination of input record and existing data.

                   While "bulk" database transactions were maintained and improved, it is
                   possible that this change could lead to an increase in import processing
                   times. Most notably, user assignments are now being properly processed
                   during import, which could increase running time when importing a large
                   number of records for users who are not already assigned. This can be
                   avoided by assigning the users to the certification first, making sure to
                   wait for "deferred" user assignments to finish being processed by the
                   scheduled task, before importing the completion records.

                   Course completion import was not affected by this change.

    TL-9717        Prevent circular management structures being created using HR Import

                   TL-7902 prevented circular management structures being created using the
                   position assignments form. This patch enforces the same rules for data
                   imported using HR import.

                   If you attempt to import users with management structures that would lead
                   to circular references, all users forming the circular reference will fail
                   to import with a notice explaining why.

    TL-10486        Inclusion of Moodle 2.7.16

                   Please note not all changes included in Moodle 2.7.16 were included in this
                   release.
                   Specifically MDL-49026 was not included as we feel a more complete solution
                   can be found.


Security issues:

    TL-10044        Removed unnecessary sesskey param when managing hierarchies

                   The sesskey param was previously passed on hierarchy management actions,
                   including those that had confirmation steps.
                   The sesskey is now only added when actually performing the action, and all
                   actions have been confirmed to redirect.
                   This ensures that the sesskey is never exposed unnecessarily when managing
                   hierarchies.

    TL-10355        Fixed information disclosure within Feedback 360 responses

                   Previously one of the Feedback 360 AJAX scripts could be used to test which
                   users had responded to a Feedback activity due to insufficient capability
                   checks.
                   Capability checks are now applied correctly and the output of the script
                   has been normalised so that it can no longer be used to test if a user has
                   responded.

    TL-10435        Capability checks when changing hierarchy item types are now explicit

                   Prior to this update access control when changing a hierarchy item type was
                   carried out by the admin setting page capabilities. This allowed a user
                   with only the capability to manage frameworks to change item types.
                   The totara/hierarchy:update capability is now explicitly checked when
                   changing the type of a hierarchy item.

    TL-10463        Applied stricter type validation when managing custom fields

                   Previously when creating, or editing custom fields it was possible to
                   manipulate the form markup and exploit the loose validation to execute
                   exploits.
                   All custom field input types have been reviewed and much stricter type
                   validation is now in place to ensure that incoming data is stringently
                   cleaned.

    TL-10489        Forgotten password workflow no longer exposes the token via headers

                   Previously if the theme introduced any external links on all pages, then
                   during the forgotten password process if the user followed these links the
                   token used to reset their password would be present in the referrer
                   information sent to the external page.
                   The token is no longer masked through a redirect on the initial request,
                   and is no longer exposed via referrer information.


Improvements:

    TL-9426        Program assignments with due date based on first login will be assigned immediately

                   Previously, if you assigned users to a program or certification and set
                   their due date to "within N days of first login" then the user assignment
                   and program and certification completion records were not being created
                   until the user first logged in. Now, these records are created immediately,
                   and will be updated with a due date when the user first logs in. This is
                   consistent with adding a user with no due date criteria and later adding
                   the "first login" criteria. Note that users who previously had been
                   assigned and were immediately given the "first login" criteria were not
                   showing in completion reports until they first logged in - now they will be
                   included in reports immediately. Previous report behaviour can be achieved
                   by using the "User First Access" report filter.

    TL-9491        Enhanced SCORM report source to use additional tracking fields
    TL-10358        Deleted unused test course backup file
    TL-10469        Stopped duplicate log entries being created when creating an objective within a plan

Bug fixes:

    TL-8803        Fixed rules for first/last log in dates in dynamic audiences

                   This fixes an issue where users who have never logged in are incorrectly
                   included in dynamic audiences with a single rule, of the type first log in,
                   or last log in.
                   Users who have never logged in are now correctly excluded.

                   Please note this may lead to audience membership changes if you have any
                   dynamic audiences with a single rule, of the type first log in, or last log
                   in.

    TL-9480        Always reset activity grades when course completion is archived

                   Previously, when course completion was archived (due to certification
                   window opening, or by using the "Completions archive" link), it was
                   possible that under some specific circumstances activity grades were not
                   being reset, possibly leading to unwanted re-completion of the activity,
                   course and/or certification. Now, activity grades will always be reset, in
                   all activities, including custom activities. Activities which implement the
                   "_archive_completion" function are no longer required to
                   reset grades themselves, although they may continue to reset grades if they
                   do so already.

    TL-9490        Fixed the pagination of content when viewing a category
    TL-9512        Fixed incorrect uniqueness checks on empty user custom profile fields
    TL-9701        Report builder graph legend now sizes dynamically to better accommodate its content
    TL-9793        Fixed dimming of course names in course overview block when audience visibility is on
    TL-9801        Fixed incorrect API call when upgrading dashboards
    TL-10116        Fixed Face-to-face notification templates when manager copy prefix was missing
    TL-10181        Site managers within category context can now see users emails in program assignment dialogs
    TL-10235        Face-to-face events are now correctly shown on the site calendar when configured to do so
    TL-10313        Fixed Report builder graph placement issues in PDF exports
    TL-10341        Removed program status column for non-assigned users

                   The status column was recently inadvertently added when non-assigned users
                   were viewing a program or certification.

    TL-10400        Audience start and end dates are now shown correctly on the overview tab
    TL-10422        Fixed a JavaScript error occurring when playing some SCORM packages
    TL-10425        Searching without providing a term no longer leads to an error in Report Builder
    TL-10446        Removed invalid future 3.2 version from server environment tests

Contributions:

    * Andre Yamin at Kineo NZ - TL-9491
    * Russell England at Kineo USA - TL-10235

Release 2.6.36 (22nd September 2016):

Important:

    TL-8675        Improvements to certification completion import

                   There were several bugs and unexpected behaviours in the import
                   certification completion module. This was often compounded by the confusion
                   about how the "Override" option was supposed to work.

                   To solve these problems, major changes were required. The internal
                   processes have been completely rewritten, allowing the result of importing
                   records to be clearly defined. Detailed logs are recorded in the
                   certification completion transaction logs.

                   To facilitate this, the "Override" option has been removed. To reduce
                   confusion and allow flexibility, it was replaced with a new setting called
                   "Import action" which has three possible settings; "Save to history",
                   "Certify uncertified users" and "Certify if newer". The old "Override off"
                   maps most closely to "Save to history", while "Override on" maps most
                   closely to "Certify if newer". Detailed help has been included for these
                   options in a popup, clearly explaining what will happen given any
                   combination of input record and existing data.

                   While "bulk" database transactions were maintained and improved, it is
                   possible that this change could lead to an increase in import processing
                   times. Most notably, user assignments are now being properly processed
                   during import, which could increase running time when importing a large
                   number of records for users who are not already assigned. This can be
                   avoided by assigning the users to the certification first, making sure to
                   wait for "deferred" user assignments to finish being processed by the
                   scheduled task, before importing the completion records.

                   Course completion import was not affected by this change.

    TL-9717        Prevent circular management structures being created using HR Import

                   TL-7902 prevented circular management structures being created using the
                   position assignments form. This patch enforces the same rules for data
                   imported using HR import.

                   If you attempt to import users with management structures that would lead
                   to circular references, all users forming the circular reference will fail
                   to import with a notice explaining why.


Security issues:

    TL-10044        Removed unnecessary sesskey param when managing hierarchies

                   The sesskey param was previously passed on hierarchy management actions,
                   including those that had confirmation steps.
                   The sesskey is now only added when actually performing the action, and all
                   actions have been confirmed to redirect.
                   This ensures that the sesskey is never exposed unnecessarily when managing
                   hierarchies.

    TL-10355        Fixed information disclosure within Feedback 360 responses

                   Previously one of the Feedback 360 AJAX scripts could be used to test which
                   users had responded to a Feedback activity due to insufficient capability
                   checks.
                   Capability checks are now applied correctly and the output of the script
                   has been normalised so that it can no longer be used to test if a user has
                   responded.

    TL-10435        Capability checks when changing hierarchy item types are now explicit

                   Prior to this update access control when changing a hierarchy item type was
                   carried out by the admin setting page capabilities. This allowed a user
                   with only the capability to manage frameworks to change item types.
                   The totara/hierarchy:update capability is now explicitly checked when
                   changing the type of a hierarchy item.

    TL-10463        Applied stricter type validation when managing custom fields

                   Previously when creating, or editing custom fields it was possible to
                   manipulate the form markup and exploit the loose validation to execute
                   exploits.
                   All custom field input types have been reviewed and much stricter type
                   validation is now in place to ensure that incoming data is stringently
                   cleaned.

    TL-10489        Forgotten password workflow no longer exposes the token via headers

                   Previously if the theme introduced any external links on all pages, then
                   during the forgotten password process if the user followed these links the
                   token used to reset their password would be present in the referrer
                   information sent to the external page.
                   The token is no longer masked through a redirect on the initial request,
                   and is no longer exposed via referrer information.


Improvements:

    TL-9426        Program assignments with due date based on first login will be assigned immediately

                   Previously, if you assigned users to a program or certification and set
                   their due date to "within N days of first login" then the user assignment
                   and program and certification completion records were not being created
                   until the user first logged in. Now, these records are created immediately,
                   and will be updated with a due date when the user first logs in. This is
                   consistent with adding a user with no due date criteria and later adding
                   the "first login" criteria. Note that users who previously had been
                   assigned and were immediately given the "first login" criteria were not
                   showing in completion reports until they first logged in - now they will be
                   included in reports immediately. Previous report behaviour can be achieved
                   by using the "User First Access" report filter.

    TL-10358        Deleted unused test course backup file

Bug fixes:

    TL-8803        Fixed rules for first/last log in dates in dynamic audiences

                   This fixes an issue where users who have never logged in are incorrectly
                   included in dynamic audiences with a single rule, of the type first log in,
                   or last log in.
                   Users who have never logged in are now correctly excluded.

                   Please note this may lead to audience membership changes if you have any
                   dynamic audiences with a single rule, of the type first log in, or last log
                   in.

    TL-10422        Fixed a JavaScript error occurring when playing some SCORM packages

Release 2.5.43 (22nd September 2016):

Security issues:

    TL-10044        Removed unnecessary sesskey param when managing hierarchies

                   The sesskey param was previously passed on hierarchy management actions,
                   including those that had confirmation steps.
                   The sesskey is now only added when actually performing the action, and all
                   actions have been confirmed to redirect.
                   This ensures that the sesskey is never exposed unnecessarily when managing
                   hierarchies.

    TL-10355        Fixed information disclosure within Feedback 360 responses

                   Previously one of the Feedback 360 AJAX scripts could be used to test which
                   users had responded to a Feedback activity due to insufficient capability
                   checks.
                   Capability checks are now applied correctly and the output of the script
                   has been normalised so that it can no longer be used to test if a user has
                   responded.

    TL-10435        Capability checks when changing hierarchy item types are now explicit

                   Prior to this update access control when changing a hierarchy item type was
                   carried out by the admin setting page capabilities. This allowed a user
                   with only the capability to manage frameworks to change item types.
                   The totara/hierarchy:update capability is now explicitly checked when
                   changing the type of a hierarchy item.

    TL-10463        Applied stricter type validation when managing custom fields

                   Previously when creating, or editing custom fields it was possible to
                   manipulate the form markup and exploit the loose validation to execute
                   exploits.
                   All custom field input types have been reviewed and much stricter type
                   validation is now in place to ensure that incoming data is stringently
                   cleaned.


Improvements:

    TL-10358        Deleted unused test course backup file

Release 2.4.45 (22nd September 2016):

Security issues:

    TL-10435        Capability checks when changing hierarchy item types are now explicit

                   Prior to this update access control when changing a hierarchy item type was
                   carried out by the admin setting page capabilities. This allowed a user
                   with only the capability to manage frameworks to change item types.
                   The totara/hierarchy:update capability is now explicitly checked when
                   changing the type of a hierarchy item.

    TL-10463        Applied stricter type validation when managing custom fields

                   Previously when creating, or editing custom fields it was possible to
                   manipulate the form markup and exploit the loose validation to execute
                   exploits.
                   All custom field input types have been reviewed and much stricter type
                   validation is now in place to ensure that incoming data is stringently
                   cleaned.


Release 2.2.51 (22nd September 2016):

Security issues:

    TL-10435        Capability checks when changing hierarchy item types are now explicit

                   Prior to this update access control when changing a hierarchy item type was
                   carried out by the admin setting page capabilities. This allowed a user
                   with only the capability to manage frameworks to change item types.
                   The totara/hierarchy:update capability is now explicitly checked when
                   changing the type of a hierarchy item.

    TL-10463        Applied stricter type validation when managing custom fields

                   Previously when creating, or editing custom fields it was possible to
                   manipulate the form markup and exploit the loose validation to execute
                   exploits.
                   All custom field input types have been reviewed and much stricter type
                   validation is now in place to ensure that incoming data is stringently
                   cleaned.