Totara Release Notes

Security releases for Totara Evergreen-20170522, 9.7, 2.9.19, 2.7.27, 2.6.44, 2.5.51, 2.4.51 and 2.2.57 released 22nd May 2017

 
David Curry (Core Developer)
Security releases for Totara Evergreen-20170522, 9.7, 2.9.19, 2.7.27, 2.6.44, 2.5.51, 2.4.51 and 2.2.57 released 22nd May 2017
על ידי David Curry (Core Developer) בתאריך 21/05/2017, 19:35
קבוצה Totara
Hello everyone,


The following versions of Totara have now been released:

  • Evergreen-20170522
  • 9.7
  • 2.9.19
  • 2.7.27
  • 2.6.44
  • 2.5.51
  • 2.4.51
  • 2.2.57

These versions do contain security fixes and for this reason we strongly recommend upgrading. Each release also includes bug fixes and improvements. Thanks to the following people for their contributions to this release:

  • Kineo UK - TL-13931, TL-14241
Cheers, David

Package Information
SHA1 Checksum
Package
c91d169b5a9ab15cab1a6584dbd494bf7a55fd9f evergreen-20170522.tar.gz
6e625fa143d42e8d1c51616492cebf2da589a3b4 totaralms-9.7.tar.gz
0a5e2bb1fa55b7c7382e4c46603791d574527659 totaralms-2.9.19.tar.gz
4becd3464912b2e91e294dd9b2c9a3ca61080fc9 totaralms-2.7.27.tar.gz
b7fe358aeeced24740d61eac9441f82496c49478 totaralms-2.6.44.tar.gz
8841f1d50f1ed648194a8def17945985e2464a0f totaralms-2.5.51.tar.gz
afac88fe37c19c3dff1fba039efcc6d734aa1ec1 totaralms-2.4.51.tar.gz
e8154daad17b0be691d64e7f70693e0d173132ae totaralms-2.2.57.tar.gz

Evergreen 20170522 (22nd May 2017):

Important:

    TL-12803       Ensured the default run times for scheduled tasks are set correctly

                   The default run times for several scheduled tasks were incorrectly configured
                   to run every minute during the specified hour, rather than just once per day.
                   To schedule a task to run once per day at a specific time, both the hour and
                   minute must be specified. The defaults have now been fixed by changing the
                   'minutes' from '*' to '0'. Any scheduled tasks that were using the default
                   schedule have been updated to use the new default. If any of your scheduled
                   tasks intentionally needed to use the old default schedule, or are not using
                   the default schedule, you should manually check that they are configured correctly
                   after running the upgrade.

    TL-14327       "Fileinfo" php extension is now required

                   This was previously required but not enforced by environment checks

    TL-14278       Changed mathjax content delivery network (CDN) from cdn.mathjax.org to cdnjs.cloudflare.com

                   cdn.mathjax.org is being shut down

Security issues:

    TL-14332       Capability moodle/blog:search is checked when blog search is applied in browser url request
    TL-14331       Users are prevented from editing external blog links.
    TL-14333       Added sesskey checks to the course overview block
    TL-14273       Fixed array key and object property name cleaning in fix_utf8() function
    TL-14258       Improved access control of files used in custom fields

                   Previously inconsistent checks were made when accessing files used in custom fields.
                   A brand new segment of API has been added to allow each area to accurately validate
                   access to files used within it, and all custom field areas have been updated to use the new API.

New features:

    TL-13154       New Modal library added
    TL-13417       User tours can now be created within Totara.

                   These tours are experienced by users upon meeting certain criteria such as
                   logging in or holding a certain role, and when browsing specific areas of
                   the site. When encountered they feed the user with information and direct
                   them through elements on the site, or basic navigation.

Improvements:

    TL-12347       Added a Red-amber-green status column and filter to the certifications report sources
    TL-12732       Added accessible text to Seminar Room and Asset availability filter types
    TL-9217        Updated Completion Import tool to use core csv_import_reader class
    TL-6766        Added a new column to the Appraisal status report source to show roles that haven't completed the current active stage
    TL-14277       totara_core\jsend now automatically removes invalid utf-8 characters and null bytes from received data
    TL-14260       Behat no longer gives false failures when text appears in a hidden element and its visible parent element
    TL-14169       Improved display when installing Totara through the web interface
    TL-14112       Forced themes in categories will now apply to programs and certifications
    TL-8318        Added an Enrolment Types column and filter to the Course Completion report source
    TL-12964       Updated the standard course catalog search to allow single character searches

Bug fixes:

    TL-12786       Fixed error when selecting objectives to review in an appraisal

                   When selecting Objectives to review in an appraisal, there is no longer an
                   error when there are only objectives from completed Learning Plans. Objectives
                   from both complete and incomplete Learning Plans are now shown, providing
                   the objectives are assigned to the learner and approved.

    TL-12609       Refactoring and fixing of custom user profile fields and filters in Reportbuilder
    TL-12467       Fixed validation when viewing a course as a guest with self enrolment enabled and
    TL-12415       Fixed the iCalendar cancellation email settings message for Seminars
    TL-9279        Fixed the display of images in Seminar Room and Asset textarea customfields
    TL-14342       Ensured Atto drag & drop content images are responsive by default
    TL-14305       Fixed saving user reports after filtering by position
    TL-14329       Fixed debugging warning when editing forum post
    TL-14284       Fixed missing set_url calls within Appraisal review question AJAX scripts
    TL-14290       Fixed invalid Program due dates in Learning Plans

                   The due date would sometimes show "01/01/1970" rather than being empty. The cause,
                   and existing data, have been fixed.

    TL-14292       Fixed typo in certificate module
    TL-14257       Fix report with graph when Enable report builder graphs is disabled
    TL-14261       Fixed program completion editor not working in some circumstances
    TL-14264       Fixed RTL CSS inheritance in non-less themes

                   Prior to TL-13909, RTL wasn't being inherited correctly in themes that used LESS
                   to compile CSS (such as Roots and Basis). TL-13909 introduced a regression where
                   RTL CSS was not being inherited correctly (as used in Standard Totara Responsive).
                   The theme stack now checks for a stylesheet with a suffix -rtl.css, and if it exists,
                   includes it, otherwise includes the standard stylesheet.
                   (which can use the .dir-rtl body class to specify any RTL specific css)

    TL-14167       Featured Links Block: Fixed spelling of Colour
    TL-14177       Adding an activity to a course uses font icons
    TL-14101       Fixed Report builder saved searches for job assignment filters

                   Previously on upgrade to T9 or higher, saved searches using old position assignment
                   filters were not upgraded, they are now mapped to the corresponding job assignment
                   filter. There was also an issue creating new saved searches based on some job
                   assignment fields which has been fixed as part of this patch.

    TL-14046       Made the course list in user profiles take audience visibility into account
    TL-13931       Fixed JavaScript issue where activity self completion may not work
    TL-14029       Fixed issues with caching requests using the same CURL connection
    TL-14241       Fixed the inline help for course and audience options on the Totara Connect add client form
    TL-13968       Ensured that userids are unique when getting enrolled users

                   This was causing a debugging error when checking permissions of users with multiple roles

    TL-14240       Fixed search tab in appraiser/manager dialog boxes for job assignments report builder filters

Contributions:

    * Kineo UK - TL-14241

Release 9.7 (22nd May 2017):

Important:

    TL-12803        Ensured the default run times for scheduled tasks are set correctly

                   The default run times for several scheduled tasks were incorrectly
                   configured to run every minute during the specified hour, rather than just
                   once per day. To schedule a task to run once per day at a specific time,
                   both the hour and minute must be specified. The defaults have now been
                   fixed by changing the 'minutes' from '*' to '0'. Any scheduled tasks that
                   were using the default schedule have been updated to use the new default.
                   If any of your scheduled tasks intentionally needed to use the old default
                   schedule, or are not using the default schedule, you should manually check
                   that they are configured correctly after running the upgrade.

    TL-14278        Changed mathjax content delivery network (CDN) from cdn.mathjax.org to cdnjs.cloudflare.com

                   cdn.mathjax.org is being shut down

    TL-14327        "Fileinfo" php extension is now required

                   This was previously required but not enforced by environment checks

    TL-14353        Merged Moodle 3.0.10

Security issues:

    TL-14258        Improved access control of files used in custom fields

                   Previously inconsistent checks were made when accessing files used in
                   custom fields. A brand new segment of API has been added to allow each area
                   to accurately validate access to files used within it, and all custom field
                   areas have been updated to use the new API.

    TL-14273        Fixed array key and object property name cleaning in fix_utf8() function
    TL-14331        Users are prevented from editing external blog links.
    TL-14332        Capability moodle/blog:search is checked when blog search is applied in browser url request
    TL-14333        Added sesskey checks to the course overview block

Improvements:

    TL-12732        Added accessible text to Seminar Room and Asset availability filter types
    TL-12964        Updated the standard course catalog search to allow single character searches
    TL-14242        Backported TL-12276 making learning enrolment/assignment instant for self-registered users

                   Self registered users are now added to audiences, courses, programs, and
                   certifications on confirmation.

    TL-14277        totara_core\jsend now automatically removes invalid utf-8 characters and null bytes from received data

Bug fixes:

    TL-9279        Fixed the display of images in Seminar Room and Asset textarea customfields
    TL-12415        Fixed the iCalendar cancellation email settings message for Seminars
    TL-12786        Fixed error when selecting objectives to review in an appraisal

                   When selecting Objectives to review in an appraisal, there is no longer an
                   error when there are only objectives from completed Learning Plans.
                   Objectives from both complete and incomplete Learning Plans are now shown,
                   providing the objectives are assigned to the learner and approved.

    TL-13931        Fixed JavaScript issue where activity self completion may not work
    TL-13968        Ensured that userids are unique when getting enrolled users

                   This was causing a debugging error when checking permissions of users with
                   multiple roles

    TL-14029        Fixed issues with caching requests using the same CURL connection
    TL-14046        Made the course list in user profiles take audience visibility into account
    TL-14101        Fixed Report builder saved searches for job assignment filters

                   Previously on upgrade to T9 or higher, saved searches using old position
                   assignment filters were not upgraded, they are now mapped to the
                   corresponding job assignment filter. There was also an issue creating new
                   saved searches based on some job assignment fields which has been fixed as
                   part of this patch.

    TL-14240        Fixed search tab in appraiser/manager dialog boxes for job assignments report builder filters
    TL-14241        Fixed the inline help for course and audience options on the Totara Connect add client form
    TL-14261        Fixed program completion editor not working in some circumstances
    TL-14264        Fixed RTL CSS inheritance in non-less themes

                   Prior to TL-13909, RTL wasn't being inherited correctly in themes that used
                   LESS to compile CSS (such as Roots and Basis). TL-13909 introduced a
                   regression where RTL CSS was not being inherited correctly (as used in
                   Standard Totara Responsive).
                   
                   The theme stack now checks for a stylesheet with a suffix -rtl.css, and if
                   it exists, includes it, otherwise includes the standard stylesheet (which
                   can use the .dir-rtl body class to specify any RTL specific css)

    TL-14284        Fixed missing set_url calls within Appraisal review question AJAX scripts
    TL-14290        Fixed invalid Program due dates in Learning Plans

                   The due date would sometimes show "01/01/1970" rather than being empty. The
                   cause, and existing data, have been fixed.

    TL-14292        Fixed typo in certificate module
    TL-14305        Fixed saving user reports after filtering by position
    TL-14329        Fixed debugging warning when editing forum post
    TL-14342        Ensured Atto drag & drop content images are responsive by default

Contributions:

    * Kineo UK - TL-13931, TL-14241


Release 2.9.19 (22nd May 2017):

Important:

    TL-14278        Changed mathjax content delivery network (CDN) from cdn.mathjax.org to cdnjs.cloudflare.com

                   cdn.mathjax.org is being shut down

    TL-14327        "Fileinfo" php extension is now required

                   This was previously required but not enforced by environment checks


Security issues:

    TL-14273        Fixed array key and object property name cleaning in fix_utf8() function
    TL-14331        Users are prevented from editing external blog links.
    TL-14332        Capability moodle/blog:search is checked when blog search is applied in browser url request
    TL-14333        Added sesskey checks to the course overview block

Bug fixes:

    TL-12785        Contrained the width of images in Appraisal snapshot print dialogs
    TL-12786        Fixed error when selecting objectives to review in an appraisal

                   When selecting Objectives to review in an appraisal, there is no longer an
                   error when there are only objectives from completed Learning Plans.
                   Objectives from both complete and incomplete Learning Plans are now shown,
                   providing the objectives are assigned to the learner and approved.

    TL-12950        Corrected content for plan status column and filter.
    TL-13968        Ensured that userids are unique when getting enrolled users

                   This was causing a debugging error when checking permissions of users with
                   multiple roles

    TL-14029        Fixed issues with caching requests using the same CURL connection
    TL-14046        Made the course list in user profiles take audience visibility into account
    TL-14128        Fixed duplicate values in location session custom field
    TL-14241        Fixed the inline help for course and audience options on the Totara Connect add client form
    TL-14284        Fixed missing set_url calls within Appraisal review question AJAX scripts
    TL-14292        Fixed typo in certificate module
    TL-14342        Ensured Atto drag & drop content images are responsive by default

Contributions:

    * Kineo UK - TL-14241



Release 2.7.27 (22nd May 2017):

Important:

    TL-14278        Changed mathjax content delivery network (CDN) from cdn.mathjax.org to cdnjs.cloudflare.com

                   cdn.mathjax.org is being shut down

    TL-14327        "Fileinfo" php extension is now required

                   This was previously required but not enforced by environment checks

    TL-14352        Merged Moodle 2.7.20

Security issues:

    TL-14273        Fixed array key and object property name cleaning in fix_utf8() function
    TL-14331        Users are prevented from editing external blog links.
    TL-14332        Capability moodle/blog:search is checked when blog search is applied in browser url request
    TL-14333        Added sesskey checks to the course overview block

Bug fixes:

    TL-12950        Corrected content for plan status column and filter.
    TL-14128        Fixed duplicate values in location session custom field
    TL-14241        Fixed the inline help for course and audience options on the Totara Connect add client form
    TL-14284        Fixed missing set_url calls within Appraisal review question AJAX scripts
    TL-14292        Fixed typo in certificate module

Contributions:

    * Kineo UK - TL-14241


Release 2.6.44 (22nd May 2017):

Security issues:

    TL-14273        Fixed array key and object property name cleaning in fix_utf8() function
    TL-14331        Users are prevented from editing external blog links.
    TL-14332        Capability moodle/blog:search is checked when blog search is applied in browser url request
    TL-14333        Added sesskey checks to the course overview block

Bug fixes:

    TL-14284        Fixed missing set_url calls within Appraisal review question AJAX scripts


Release 2.5.51 (22nd May 2017):

Security issues:

    TL-14273        Fixed array key and object property name cleaning in fix_utf8() function
    TL-14331        Users are prevented from editing external blog links.
    TL-14332        Capability moodle/blog:search is checked when blog search is applied in browser url request
    TL-14333        Added sesskey checks to the course overview block

Bug fixes:

    TL-14284        Fixed missing set_url calls within Appraisal review question AJAX scripts


Release 2.4.51 (22nd May 2017):

Security issues:

    TL-14273        Fixed array key and object property name cleaning in fix_utf8() function
    TL-14331        Users are prevented from editing external blog links.
    TL-14332        Capability moodle/blog:search is checked when blog search is applied in browser url request
    TL-14333        Added sesskey checks to the course overview block


Release 2.2.57 (22nd May 2017):

Security issues:

    TL-14273        Fixed array key and object property name cleaning in fix_utf8() function
    TL-14331        Users are prevented from editing external blog links.
    TL-14332        Capability moodle/blog:search is checked when blog search is applied in browser url request