Totara Release Notes

Security releases for Totara 9.3, 2.9.15, 2.7.23, 2.6.40, 2.5.47, 2.4.49, and 2.2.55 released 25th January 2017

 
Sam Hemelryk
Security releases for Totara 9.3, 2.9.15, 2.7.23, 2.6.40, 2.5.47, 2.4.49, and 2.2.55 released 25th January 2017
بواسطة Wednesday, 25 January 2017, 2:40 AM - Sam Hemelryk
مجموعة Totara

Hello everyone,

The following versions of Totara have now been released:
  • 9.3
  • 2.9.15
  • 2.7.23
  • 2.6.40
  • 2.5.47
  • 2.4.49
  • 2.2.55
These versions do contain security fixes and for this reason we strongly recommend upgrading. Each release also includes bug fixes and improvements. Thanks to the following people for their contributions to this release:
  • David Shaw at Kineo UK - TL-12243

Kind regards Sam Hemelryk



Package information
SHA1 checksumSizePackage
9fd9ecb3d6fa6670ef449766467da51d43d2971851Mtotaralms-9.3.tar.gz
d61b64b05343f9ae0ad0bad54da3d872f1d0221747Mtotaralms-2.9.15.tar.gz
363d533ecec1356f6ccba74574aea2f9829d192f56Mtotaralms-2.7.23.tar.gz
edfecf9835885e6751d4e2253ec63a0924872d3c50Mtotaralms-2.6.40.tar.gz
780d6cc5460ba4e3ebde35fdbe76a99bb05425ff44Mtotaralms-2.5.47.tar.gz
9179659a176f5daf31f4dba172e843a3af5089aa32Mtotaralms-2.4.49.tar.gz
5594189b5b827d0419be64768c9fd085f65f5d5e26Mtotaralms-2.2.55.tar.gz

Release 9.3 (25th January 2017):

Security issues:

    TL-10773        Added safeguards to protect user anonymity when providing feedback within 360 Feedback
    TL-12322        Improved validation within the 360° Feedback request confirmation form

                   Previously, if a user manipulated the HTML of the form for confirming
                   requests for feedback in 360° Feedback, they could change emails to an
                   invalid format or, in some cases, alter requests they should not have
                   access to. 
                   Additional validation following the submission of the confirmation form now
                   prevents this.

    TL-12327        Added a setting to prevent the malicious deletion of files via the Completion Import tool

                   When adding completion records for courses and certifications via CSV, a
                   pathname can be specified instead of uploading a file. After the upload
                   occurs, the target file is deleted. Users with the capability to upload
                   completion records may have been able to delete other files aside from
                   those related to completion import. In some cases they were also being
                   shown the first line of the file. By default, only site managers have the
                   capability to upload completion records.
                   Additionally in order to exploit this the web server would need to have
                   been configured to permit read/write access on the targeted files.
                   
                   There is now a new setting ($CFG->completionimportdir) for specifying how
                   the pathname must begin in order to add completion records with this
                   method. This setting can only be added via the config.php file. When a
                   directory is specified in this setting, files immediately within it, as
                   well as within its subdirectories, can be used for completion import.
                   
                   If the setting is not added, completion imports can no longer be performed
                   via this method. They can still be performed by uploading a file using the
                   file picker.

    TL-12411        MDL-56225: Removed unnecessary parameters when posting to a Forum

                   Previously it was possible to maliciously modify a forum post form
                   submission to fake the author of a forum post due to the presence of a
                   redundant input parameter and poor forum post submission handling. 
                   The unused parameter has been removed and the post submission handling
                   improved.

    TL-12412        MDL-57531: Improved email sender handling to prevent PHPMailer vulnerabilities from being exploited
    TL-12413        MDL-57580: Improved type handling within the Assignment module

                   Previously loose type handling when submitting to an assignment activity
                   could potentially be exploited to perform XSS attacks, stricter type
                   handling has been implemented in order to remove this attack vector.


Improvements:

    TL-9016        Added content restrictions to the Goal custom fields report source

                   Content restrictions for restricting records by management, organisation
                   and position have been added to the Goal custom fields report source.

    TL-9756        Removed an HTML table when viewing a Learning plan that has been changed after being approved
    TL-10849        Improved the language strings used to describe Program and Certification exception types and actions
    TL-11074        Added additional text to the manager and approver copies of original Seminar notifications
    TL-12261        Improved code exception validation in several unit tests

Bug fixes:

    TL-10416        Fixed an error when answering appraisal competency questions as the manager's manager or appraiser
    TL-10945        Prevented loops in management job assignments in HR Import

                   Previously, if a circular management assignment was imported, HR Import
                   would fail without sensible warning. Now, if a circular management is found
                   when importing a manager with HR Import, then one or more of the users
                   forming the circular reference will fail to have their manager assigned,
                   with a notice explaining why. When importing, as many manager assignments
                   as possible will be assigned.

    TL-11150        Fixed an undefined property error in HR Import on the CSV configuration page
    TL-11238        Fixed the Seminar name link column within the Seminar sessions report
    TL-11270        Fixed Course Completion status not being set to "Not yet started" when removing RPL completions

                   Previously, when you removed RPL completion using the Course administration
                   -> Reports -> Course completion report, it would set the record to "In
                   progress", regardless of whether or not the user had actually done anything
                   that warranted being marked as such. If the user had already met the
                   criteria for completion, the record would not be updated until the
                   completion cron task next ran.
                   
                   Now, the records will be set to "Not yet started". Reaggregation occurs
                   immediately, and may update the user to "In progress" or "Complete"
                   depending on their progress. Note that if a course is set to "Mark as In
                   Progress on first view" and the user had previously viewed the course but
                   made no other progress, then their status will still be "Not yet started"
                   after reaggregation.

    TL-11316        Fixed an error when cloning an Appraisal containing aggregated questions
    TL-12243        Fixed a Totara menu issue leading to incorrectly encoded ampersands
    TL-12256        Prevented an incorrect redirect occurring when dismissing a notification from within a modal dialog
    TL-12263        Fixed an issue with the display of assigned users within 360° Feedback

                   The assigned group information is no longer shown for 360° Feedback in the
                   Active or Closed state. In these states, the pages always reflect actual
                   assigned users.

    TL-12277        Corrected an issue where redirects with a message did not have a page URL set
    TL-12280        Fixed a bug preventing block weights being cloned when a dashboard is cloned
    TL-12283        Fixed several issues on the waitlist page when Seminar approval type is changed

                   The waitlist page showed the wrong approval date (1 Jan 1970) and debug
                   messages when a seminar changed its approval type from no approval required
                   to manager approved.

    TL-12284        Fixed an upgrade error due to an incorrectly unique index in the completion import tables on SQL Server

                   Previously, if a site running SQL Server had imported course or
                   certification completions, there could have been an error when trying to
                   upgrade to Totara 9. This has been fixed. Sites that had already
                   successfully upgraded will have the unique index replaced with a non-unique
                   equivalent.

    TL-12287        Ensured Hierarchy 'ID number' field type is set as string in Excel and ODS format exports to avoid incorrect automatic type detection
    TL-12297        Removed options from the Reportbuilder "message type" filter when the corresponding feature is disabled
    TL-12299        Fixed an error on the search page when setting Program assignment relative due dates
    TL-12301        Fixed the replacement of course links from placeholders in notifications when restoring a Seminar

                   Previously when a course URL was embedded in a seminar notification
                   template, it would be changed to a placeholder string when the seminar was
                   backed up. Restoring the seminar would not change the placeholder back to
                   the proper URL. This fix ensures it does.

    TL-12303        Fixed the HTML formatting of Seminar notification templates for third-party emails
    TL-12305        Fixed incorrect wording in Learning Plan help text
    TL-12311        Fixed the "is after" criteria in the "Start date" filter within the Course report source

                   The "is after" start date filter criteria now correctly searching for
                   courses starting immediately after midnight in the users timezone.

    TL-12315        Waitlist notifications are now sent when one message per date is enabled

                   If a Seminar event was created with no dates, people could still sign up
                   and be waitlisted. 
                   However, they would only receive a sign up email if the "one message per
                   date" option was off. 
                   Now, the system will send the notification regardless of this setting.

    TL-12323        Removed references to the SCORM course format from course format help string
    TL-12325        Fixed the Quick Links block to ensure it decodes URL entities correctly
    TL-12333        Made improvements to the handling of invalid job assignment dates
    TL-12337        Fixed the formatting of event details placeholder in Seminar notifications
    TL-12339        Reverted removal of style causing regression in IE

                   TL-11341 applied a patch for a display issue in Chrome 55. 
                   This caused a regression for users of Edge / IE browsers making it
                   difficult and in some cases impossible to click grouped form elements. 
                   The Chrome rendering bug has since been addressed.

    TL-12344        Fixed an error message when updating Competency scale values
    TL-12352        Fixed a bug in the cache API when fetching multiple keys having specified MUST_EXIST

                   Previously when fetching multiple entries from a cache, if you specified
                   that the data must exist, in some circumstances the expected exception was
                   not being thrown.
                   Now if MUST_EXIST is provide to cache::get_many() an exception will be
                   thrown if one or more of the requested keys cannot be found.

    TL-12369        Marked class totara_dialog_content_manager as deprecated

                   This class is no longer in use now that Totara has multiple job
                   assignments. Class totara_job_dialog_assign_manager should be used instead.


Miscellaneous Moodle fixes:

    TL-12406        MDL-57100: Prevented javascript exceptions from being displayed during an AJAX request
    TL-12407        MDL-56948: Fixed Assignment bug when viewing a submission with a grade type of "none"
    TL-12409        MDL-57170: Fixed fault in legacy Dropbox API usage
    TL-12410        MDL-57193: Fixed external database authentication where more than 10000 users are imported

Contributions:

    * David Shaw at Kineo UK - TL-12243

Release 2.9.15 (25th January 2017):

Security issues:

    TL-10773        Added safeguards to protect user anonymity when providing feedback within 360 Feedback
    TL-12322        Improved validation within the 360° Feedback request confirmation form

                   Previously, if a user manipulated the HTML of the form for confirming
                   requests for feedback in 360° Feedback, they could change emails to an
                   invalid format or, in some cases, alter requests they should not have
                   access to. 
                   Additional validation following the submission of the confirmation form now
                   prevents this.

    TL-12327        Added a setting to prevent the malicious deletion of files via the Completion Import tool

                   When adding completion records for courses and certifications via CSV, a
                   pathname can be specified instead of uploading a file. After the upload
                   occurs, the target file is deleted. Users with the capability to upload
                   completion records may have been able to delete other files aside from
                   those related to completion import. In some cases they were also being
                   shown the first line of the file. By default, only site managers have the
                   capability to upload completion records.
                   Additionally in order to exploit this the web server would need to have
                   been configured to permit read/write access on the targeted files.
                   
                   There is now a new setting ($CFG->completionimportdir) for specifying how
                   the pathname must begin in order to add completion records with this
                   method. This setting can only be added via the config.php file. When a
                   directory is specified in this setting, files immediately within it, as
                   well as within its subdirectories, can be used for completion import.
                   
                   If the setting is not added, completion imports can no longer be performed
                   via this method. They can still be performed by uploading a file using the
                   file picker.

    TL-12411        MDL-56225: Removed unnecessary parameters when posting to a Forum

                   Previously it was possible to maliciously modify a forum post form
                   submission to fake the author of a forum post due to the presence of a
                   redundant input parameter and poor forum post submission handling. 
                   The unused parameter has been removed and the post submission handling
                   improved.

    TL-12412        MDL-57531: Improved email sender handling to prevent PHPMailer vulnerabilities from being exploited
    TL-12413        MDL-57580: Improved type handling within the Assignment module

                   Previously loose type handling when submitting to an assignment activity
                   could potentially be exploited to perform XSS attacks, stricter type
                   handling has been implemented in order to remove this attack vector.


Improvements:

    TL-10849        Improved the language strings used to describe Program and Certification exception types and actions
    TL-12261        Improved code exception validation in several unit tests

Bug fixes:

    TL-10416        Fixed an error when answering appraisal competency questions as the manager's manager or appraiser
    TL-11150        Fixed an undefined property error in HR Import on the CSV configuration page
    TL-11270        Fixed Course Completion status not being set to "Not yet started" when removing RPL completions

                   Previously, when you removed RPL completion using the Course administration
                   -> Reports -> Course completion report, it would set the record to "In
                   progress", regardless of whether or not the user had actually done anything
                   that warranted being marked as such. If the user had already met the
                   criteria for completion, the record would not be updated until the
                   completion cron task next ran.
                   
                   Now, the records will be set to "Not yet started". Reaggregation occurs
                   immediately, and may update the user to "In progress" or "Complete"
                   depending on their progress. Note that if a course is set to "Mark as In
                   Progress on first view" and the user had previously viewed the course but
                   made no other progress, then their status will still be "Not yet started"
                   after reaggregation.

    TL-12256        Prevented an incorrect redirect occurring when dismissing a notification from within a modal dialog
    TL-12262        Fixed problem removing manager when only importing the manager column in HR Import

                   Previously, if the only position assignment column imported was for the
                   manager, and the value was an empty string, the value was ignored rather
                   than removing the manager. Now, as happens when your import includes other
                   position assignment columns, if the value is an empty string then it will
                   remove the manager from the user's primary position assignment.

    TL-12263        Fixed an issue with the display of assigned users within 360° Feedback

                   The assigned group information is no longer shown for 360° Feedback in the
                   Active or Closed state. In these states, the pages always reflect actual
                   assigned users.

    TL-12277        Corrected an issue where redirects with a message did not have a page URL set
    TL-12287        Ensured Hierarchy 'ID number' field type is set as string in Excel and ODS format exports to avoid incorrect automatic type detection
    TL-12297        Removed options from the Reportbuilder "message type" filter when the corresponding feature is disabled
    TL-12299        Fixed an error on the search page when setting Program assignment relative due dates
    TL-12301        Fixed the replacement of course links from placeholders in notifications when restoring a Seminar

                   Previously when a course URL was embedded in a seminar notification
                   template, it would be changed to a placeholder string when the seminar was
                   backed up. Restoring the seminar would not change the placeholder back to
                   the proper URL. This fix ensures it does.

    TL-12303        Fixed the HTML formatting of Seminar notification templates for third-party emails
    TL-12311        Fixed the "is after" criteria in the "Start date" filter within the Course report source

                   The "is after" start date filter criteria now correctly searching for
                   courses starting immediately after midnight in the users timezone.

    TL-12316        Added missing include in Hierarchy unit tests covering moving custom fields
    TL-12325        Fixed the Quick Links block to ensure it decodes URL entities correctly
    TL-12339        Reverted removal of style causing regression in IE

                   TL-11341 applied a patch for a display issue in Chrome 55. 
                   This caused a regression for users of Edge / IE browsers making it
                   difficult and in some cases impossible to click grouped form elements. 
                   The Chrome rendering bug has since been addressed.

    TL-12344        Fixed an error message when updating Competency scale values
    TL-12352        Fixed a bug in the cache API when fetching multiple keys having specified MUST_EXIST

                   Previously when fetching multiple entries from a cache, if you specified
                   that the data must exist, in some circumstances the expected exception was
                   not being thrown.
                   Now if MUST_EXIST is provide to cache::get_many() an exception will be
                   thrown if one or more of the requested keys cannot be found.


Release 2.7.23 (25th January 2017):

Security issues:

    TL-12322        Improved validation within the 360° Feedback request confirmation form

                   Previously, if a user manipulated the HTML of the form for confirming
                   requests for feedback in 360° Feedback, they could change emails to an
                   invalid format or, in some cases, alter requests they should not have
                   access to. 
                   Additional validation following the submission of the confirmation form now
                   prevents this.

    TL-12327        Added a setting to prevent the malicious deletion of files via the Completion Import tool

                   When adding completion records for courses and certifications via CSV, a
                   pathname can be specified instead of uploading a file. After the upload
                   occurs, the target file is deleted. Users with the capability to upload
                   completion records may have been able to delete other files aside from
                   those related to completion import. In some cases they were also being
                   shown the first line of the file. By default, only site managers have the
                   capability to upload completion records.
                   Additionally in order to exploit this the web server would need to have
                   been configured to permit read/write access on the targeted files.
                   
                   There is now a new setting ($CFG->completionimportdir) for specifying how
                   the pathname must begin in order to add completion records with this
                   method. This setting can only be added via the config.php file. When a
                   directory is specified in this setting, files immediately within it, as
                   well as within its subdirectories, can be used for completion import.
                   
                   If the setting is not added, completion imports can no longer be performed
                   via this method. They can still be performed by uploading a file using the
                   file picker.

    TL-12411        MDL-56225: Removed unnecessary parameters when posting to a Forum

                   Previously it was possible to maliciously modify a forum post form
                   submission to fake the author of a forum post due to the presence of a
                   redundant input parameter and poor forum post submission handling. 
                   The unused parameter has been removed and the post submission handling
                   improved.

    TL-12412        MDL-57531: Improved email sender handling to prevent PHPMailer vulnerabilities from being exploited
    TL-12413        MDL-57580: Improved type handling within the Assignment module

                   Previously loose type handling when submitting to an assignment activity
                   could potentially be exploited to perform XSS attacks, stricter type
                   handling has been implemented in order to remove this attack vector.


Improvements:

    TL-10849        Improved the language strings used to describe Program and Certification exception types and actions
    TL-12261        Improved code exception validation in several unit tests

Bug fixes:

    TL-10416        Fixed an error when answering appraisal competency questions as the manager's manager or appraiser
    TL-11150        Fixed an undefined property error in HR Import on the CSV configuration page
    TL-11270        Fixed Course Completion status not being set to "Not yet started" when removing RPL completions

                   Previously, when you removed RPL completion using the Course administration
                   -> Reports -> Course completion report, it would set the record to "In
                   progress", regardless of whether or not the user had actually done anything
                   that warranted being marked as such. If the user had already met the
                   criteria for completion, the record would not be updated until the
                   completion cron task next ran.
                   
                   Now, the records will be set to "Not yet started". Reaggregation occurs
                   immediately, and may update the user to "In progress" or "Complete"
                   depending on their progress. Note that if a course is set to "Mark as In
                   Progress on first view" and the user had previously viewed the course but
                   made no other progress, then their status will still be "Not yet started"
                   after reaggregation.

    TL-12262        Fixed problem removing manager when only importing the manager column in HR Import

                   Previously, if the only position assignment column imported was for the
                   manager, and the value was an empty string, the value was ignored rather
                   than removing the manager. Now, as happens when your import includes other
                   position assignment columns, if the value is an empty string then it will
                   remove the manager from the user's primary position assignment.

    TL-12263        Fixed an issue with the display of assigned users within 360° Feedback

                   The assigned group information is no longer shown for 360° Feedback in the
                   Active or Closed state. In these states, the pages always reflect actual
                   assigned users.

    TL-12287        Ensured Hierarchy 'ID number' field type is set as string in Excel and ODS format exports to avoid incorrect automatic type detection
    TL-12299        Fixed an error on the search page when setting Program assignment relative due dates
    TL-12301        Fixed the replacement of course links from placeholders in notifications when restoring a Seminar

                   Previously when a course URL was embedded in a seminar notification
                   template, it would be changed to a placeholder string when the seminar was
                   backed up. Restoring the seminar would not change the placeholder back to
                   the proper URL. This fix ensures it does.

    TL-12303        Fixed the HTML formatting of Seminar notification templates for third-party emails
    TL-12344        Fixed an error message when updating Competency scale values
    TL-12352        Fixed a bug in the cache API when fetching multiple keys having specified MUST_EXIST

                   Previously when fetching multiple entries from a cache, if you specified
                   that the data must exist, in some circumstances the expected exception was
                   not being thrown.
                   Now if MUST_EXIST is provide to cache::get_many() an exception will be
                   thrown if one or more of the requested keys cannot be found.

    TL-12440        Fixed grade completion Behat test problem.

Release 2.6.40 (25th January 2017):

Security issues: TL-12322 Improved validation within the 360° Feedback request confirmation form Previously, if a user manipulated the HTML of the form for confirming requests for feedback in 360° Feedback, they could change emails to an invalid format or, in some cases, alter requests they should not have access to. Additional validation following the submission of the confirmation form now prevents this. TL-12327 Added a setting to prevent the malicious deletion of files via the Completion Import tool When adding completion records for courses and certifications via CSV, a pathname can be specified instead of uploading a file. After the upload occurs, the target file is deleted. Users with the capability to upload completion records may have been able to delete other files aside from those related to completion import. In some cases they were also being shown the first line of the file. By default, only site managers have the capability to upload completion records. Additionally in order to exploit this the web server would need to have been configured to permit read/write access on the targeted files. There is now a new setting ($CFG->completionimportdir) for specifying how the pathname must begin in order to add completion records with this method. This setting can only be added via the config.php file. When a directory is specified in this setting, files immediately within it, as well as within its subdirectories, can be used for completion import. If the setting is not added, completion imports can no longer be performed via this method. They can still be performed by uploading a file using the file picker. TL-12411 MDL-56225: Removed unnecessary parameters when posting to a Forum Previously it was possible to maliciously modify a forum post form submission to fake the author of a forum post due to the presence of a redundant input parameter and poor forum post submission handling. The unused parameter has been removed and the post submission handling improved. TL-12412 MDL-57531: Improved email sender handling to prevent PHPMailer vulnerabilities from being exploited TL-12413 MDL-57580: Improved type handling within the Assignment module Previously loose type handling when submitting to an assignment activity could potentially be exploited to perform XSS attacks, stricter type handling has been implemented in order to remove this attack vector. Improvements: TL-10849 Improved the language strings used to describe Program and Certification exception types and actions TL-12261 Improved code exception validation in several unit tests Bug fixes: TL-10416 Fixed an error when answering appraisal competency questions as the manager's manager or appraiser TL-11150 Fixed an undefined property error in HR Import on the CSV configuration page TL-11270 Fixed Course Completion status not being set to "Not yet started" when removing RPL completions Previously, when you removed RPL completion using the Course administration -> Reports -> Course completion report, it would set the record to "In progress", regardless of whether or not the user had actually done anything that warranted being marked as such. If the user had already met the criteria for completion, the record would not be updated until the completion cron task next ran. Now, the records will be set to "Not yet started". Reaggregation occurs immediately, and may update the user to "In progress" or "Complete" depending on their progress. Note that if a course is set to "Mark as In Progress on first view" and the user had previously viewed the course but made no other progress, then their status will still be "Not yet started" after reaggregation. TL-12262 Fixed problem removing manager when only importing the manager column in HR Import Previously, if the only position assignment column imported was for the manager, and the value was an empty string, the value was ignored rather than removing the manager. Now, as happens when your import includes other position assignment columns, if the value is an empty string then it will remove the manager from the user's primary position assignment. TL-12299 Fixed an error on the search page when setting Program assignment relative due dates TL-12303 Fixed the HTML formatting of Seminar notification templates for third-party emails TL-12352 Fixed a bug in the cache API when fetching multiple keys having specified MUST_EXIST Previously when fetching multiple entries from a cache, if you specified that the data must exist, in some circumstances the expected exception was not being thrown. Now if MUST_EXIST is provide to cache::get_many() an exception will be thrown if one or more of the requested keys cannot be found.

Release 2.5.47 (25th January 2017):

Security issues:

    TL-12322        Improved validation within the 360° Feedback request confirmation form

                   Previously, if a user manipulated the HTML of the form for confirming
                   requests for feedback in 360° Feedback, they could change emails to an
                   invalid format or, in some cases, alter requests they should not have
                   access to. 
                   Additional validation following the submission of the confirmation form now
                   prevents this.

    TL-12327        Added a setting to prevent the malicious deletion of files via the Completion Import tool

                   When adding completion records for courses and certifications via CSV, a
                   pathname can be specified instead of uploading a file. After the upload
                   occurs, the target file is deleted. Users with the capability to upload
                   completion records may have been able to delete other files aside from
                   those related to completion import. In some cases they were also being
                   shown the first line of the file. By default, only site managers have the
                   capability to upload completion records.
                   Additionally in order to exploit this the web server would need to have
                   been configured to permit read/write access on the targeted files.
                   
                   There is now a new setting ($CFG->completionimportdir) for specifying how
                   the pathname must begin in order to add completion records with this
                   method. This setting can only be added via the config.php file. When a
                   directory is specified in this setting, files immediately within it, as
                   well as within its subdirectories, can be used for completion import.
                   
                   If the setting is not added, completion imports can no longer be performed
                   via this method. They can still be performed by uploading a file using the
                   file picker.

    TL-12411        MDL-56225: Removed unnecessary parameters when posting to a Forum

                   Previously it was possible to maliciously modify a forum post form
                   submission to fake the author of a forum post due to the presence of a
                   redundant input parameter and poor forum post submission handling. 
                   The unused parameter has been removed and the post submission handling
                   improved.

    TL-12412        MDL-57531: Improved email sender handling to prevent PHPMailer vulnerabilities from being exploited
    TL-12413        MDL-57580: Improved type handling within the Assignment module

                   Previously loose type handling when submitting to an assignment activity
                   could potentially be exploited to perform XSS attacks, stricter type
                   handling has been implemented in order to remove this attack vector.


Improvements:

    TL-10849        Improved the language strings used to describe Program and Certification exception types and actions

Bug fixes:

    TL-10416        Fixed an error when answering appraisal competency questions as the manager's manager or appraiser
    TL-12262        Fixed problem removing manager when only importing the manager column in HR Import

                   Previously, if the only position assignment column imported was for the
                   manager, and the value was an empty string, the value was ignored rather
                   than removing the manager. Now, as happens when your import includes other
                   position assignment columns, if the value is an empty string then it will
                   remove the manager from the user's primary position assignment.

    TL-12299        Fixed an error on the search page when setting Program assignment relative due dates
    TL-12352        Fixed a bug in the cache API when fetching multiple keys having specified MUST_EXIST

                   Previously when fetching multiple entries from a cache, if you specified
                   that the data must exist, in some circumstances the expected exception was
                   not being thrown.
                   Now if MUST_EXIST is provide to cache::get_many() an exception will be
                   thrown if one or more of the requested keys cannot be found.


Release 2.4.49 (25th January 2017):

Security issues:

    TL-12411        MDL-56225: Removed unnecessary parameters when posting to a Forum

                   Previously it was possible to maliciously modify a forum post form
                   submission to fake the author of a forum post due to the presence of a
                   redundant input parameter and poor forum post submission handling. 
                   The unused parameter has been removed and the post submission handling
                   improved.

    TL-12412        MDL-57531: Improved email sender handling to prevent PHPMailer vulnerabilities from being exploited
    TL-12413        MDL-57580: Improved type handling within the Assignment module

                   Previously loose type handling when submitting to an assignment activity
                   could potentially be exploited to perform XSS attacks, stricter type
                   handling has been implemented in order to remove this attack vector.


Bug fixes:

    TL-12299        Fixed an error on the search page when setting Program assignment relative due dates

Release 2.2.55 (25th January 2017):

Security issues:

    TL-12411        MDL-56225: Removed unnecessary parameters when posting to a Forum

                   Previously it was possible to maliciously modify a forum post form
                   submission to fake the author of a forum post due to the presence of a
                   redundant input parameter and poor forum post submission handling. 
                   The unused parameter has been removed and the post submission handling
                   improved.

    TL-12412        MDL-57531: Improved email sender handling to prevent PHPMailer vulnerabilities from being exploited

Bug fixes:

    TL-12299        Fixed an error on the search page when setting Program assignment relative due dates