Totara Release Notes

Security releases for Totara 1.1.29, 2.2.34, 2.4.26, 2.5.23 and 2.6.16 Released 22nd January 2015

 
??
Security releases for Totara 1.1.29, 2.2.34, 2.4.26, 2.5.23 and 2.6.16 Released 22nd January 2015
?? 发表于 2015年01月21日 Wednesday 12:54
 
Totara 1.1.29, Totara 2.2.34, Totara 2.4.26, Totara 2.5.23 and Totara 2.6.16 are all "security” releases because they include security fixes from Moodle. We recommend upgrading to these versions. These versions also contain bug fixes and improvements.
 
Thanks to the team at Kineo UK for contributing to T-13477 Improved scalability for the program cron and reports
 
Here are the changelogs:
 
Release 2.6.16 (21st January 2015):
==================================================

Security issues:
    MoodleHQ       Security fixes from MoodleHQ http://docs.moodle.org/dev/Moodle_2.6.7_release_notes

Improvements:
    T-12100        Added the ability to assign a certification to an audience under enrolled learning
    T-13477        Improved scalability for the program cron and reports

                   Thanks to Kineo UK for providing the core of this patch

    T-11141        Added the ability to use spaces in field names in a CSV file for Totara Sync
    T-13653        Improved behaviour of Facetoface session duration in relation to session date/time

                   The session duration field is now disabled when session date/time is known,
                   and is automatically recalculated (as before) when the session is saved

API Changes:
    T-13636        Fixed "from" address in Face-to-face waitlist emails when a user cancels their booking

                   The optional param $fromuser has been added to several
                   facetoface_user_signup and several Face-to-face notification functions.

Bug Fixes:
    T-13647        Fixed Overall Total columns in Appraisal Detail report source
    T-13552        Fixed duplicate records in Program Completion reports

                   This patch removes duplicate records from tables prog_completion and
                   prog_user_assignment. Deleted program completion records are archived in
                   prog_completion_history. Indexes are added to these tables to prevent
                   future duplication of records and discrepancies in the record of learning
                   and required learning reports.

    T-13880        Fixed missing language string in Facetoface notifications
    T-12679        Fixed completion date on a course with multiple Facetoface sessions

                   If a course contained a Facetoface session with multiple sessions where a
                   user could complete the activity multiple times (for example a course used
                   as part of a recurring certification) the course completion date would
                   always use the date of the earliest session the user completed, not their
                   most recent completion

    T-13422        Fixed archiving of completion on certifications containing a Facetoface

                   In some circumstances if a certification path contained a course with a
                   Facetoface activity, course and activity completions would not be reset
                   properly when the recertification window opened, making it impossible to
                   recertify.

    T-13819        Changed course completion criteria unlocking - no records are changed until save changes is clicked

                   Existing course completion records were being removed immediately upon
                   clicking the "Unlock criteria and delete existing completion data" button.
                   This change causes the deletion of data to be delayed until the Save
                   changes button is clicked. If the users changes their mind, they can click
                   Cancel to abort the data reset.

    T-13835        Fixed SCORM retriggering course completion during certification archive

                   In some circumstances if a certification contained a course with a SCORM
                   activity, when the certification window opened course completion would not
                   be archived and reset properly.

    T-13725        Fixed incorrect check when unassigning users from a program/certification

                   When removing users from certifications that were uploaded via the upload
                   completion tool, the role_assignments table was being checked, when the
                   correct check should be on prog_user_assignment.

    T-13794        Fixed Face-to-face session dialog search for pre-defined rooms
    T-13612        Made program position completion criteria consistent with audience rules

                   The existing Position Start Date program completion criteria was being
                   calculated using the time that the position was saved to the database, not
                   the Start Date field. Existing Position Start Date completion criteria have
                   been renamed to Position Assigned Date to reflect the actual behaviour. New
                   Position Start Date completion criteria will be calculated from the Start
                   Date field (which must be set, otherwise a "Completion time unknown"
                   exception will occur).

    T-11643        Fixed display of error message if a program extension request fails
    T-13822        Fixed additional name fields error on Learning Plan tab of Audiences
    T-13756        Fixed email filters on User report source

                   Added a filter "User's Email (Ignoring user display setting)" and fixed
                   filtering on email addresses where the search term contained the @ symbol

    T-13877        Fixed highlighting of signed-up sessions in Facetoface
    T-13748        Fixed alert block visibility if configured to display when no alerts exist
    T-13723        Fixed deletion of program categories

                   When managing the program catalog, trying to delete a program category
                   would not actually delete the category, and would also not give any error
                   message.
 
Release 2.5.23 (21st January 2015):
==================================================

Security issues:
    MDL-47920      mod/lti/ajax.php security problems
    MDL-48368      XSS in course request pending approval page
    MDL-48329      Messages external functions doesn't check if messaging is enabled
    MDL-48106      Multiple CSRF in mod glossary
    MDL-48017      calendar/externallib.php lacks self::validate_context($context);
    MDL-47964      Forced logout via auth/shibboleth/logout.php
    MDL-48546      ReDOS in the multimedia filter
    MDL-48748      Import fixed English strings (en_fix) into the main English pack

Improvements:
    T-12100        Added the ability to assign a certification to an audience under enrolled learning
    T-13477        Improved scalability for the program cron and reports

                   Thanks to Kineo UK for providing the core of this patch

    T-11141        Added the ability to use spaces in field names in a CSV file for Totara Sync
    T-13653        Improved behaviour of Facetoface session duration in relation to session date/time

                   The session duration field is now disabled when session date/time is known,
                   and is automatically recalculated (as before) when the session is saved

API Changes:
    T-13636        Fixed "from" address in Face-to-face waitlist emails when a user cancels their booking

                   The optional param $fromuser has been added to several
                   facetoface_user_signup and several Face-to-face notification functions.

Bug Fixes:
    T-13647        Fixed Overall Total columns in Appraisal Detail report source
    T-13552        Fixed duplicate records in Program Completion reports

                   This patch removes duplicate records from tables prog_completion and
                   prog_user_assignment. Deleted program completion records are archived in
                   prog_completion_history. Indexes are added to these tables to prevent
                   future duplication of records and discrepancies in the record of learning
                   and required learning reports.

    T-13880        Fixed missing language string in Facetoface notifications
    T-12679        Fixed completion date on a course with multiple Facetoface sessions

                   If a course contained a Facetoface session with multiple sessions where a
                   user could complete the activity multiple times (for example a course used
                   as part of a recurring certification) the course completion date would
                   always use the date of the earliest session the user completed, not their
                   most recent completion

    T-13422        Fixed archiving of completion on certifications containing a Facetoface

                   In some circumstances if a certification path contained a course with a
                   Facetoface activity, course and activity completions would not be reset
                   properly when the recertification window opened, making it impossible to
                   recertify.

    T-13819        Changed course completion criteria unlocking - no records are changed until save changes is clicked

                   Existing course completion records were being removed immediately upon
                   clicking the "Unlock criteria and delete existing completion data" button.
                   This change causes the deletion of data to be delayed until the Save
                   changes button is clicked. If the users changes their mind, they can click
                   Cancel to abort the data reset.

    T-13835        Fixed SCORM retriggering course completion during certification archive

                   In some circumstances if a certification contained a course with a SCORM
                   activity, when the certification window opened course completion would not
                   be archived and reset properly.

    T-13725        Fixed incorrect check when unassigning users from a program/certification

                   When removing users from certifications that were uploaded via the upload
                   completion tool, the role_assignments table was being checked, when the
                   correct check should be on prog_user_assignment.

    T-11643        Fixed display of error message if a program extension request fails
    T-13756        Fixed email filters on User report source

                   Added a filter "User's Email (Ignoring user display setting)" and fixed
                   filtering on email addresses where the search term contained the @ symbol
 
Release 2.4.26 (21st January 2015):
==================================================

Security issues:

    MDL-47920      mod/lti/ajax.php security problems
    MDL-48106      Multiple CSRF in mod glossary
    MDL-47964      Forced logout via auth/shibboleth/logout.php
    MDL-48748      Import fixed English strings (en_fix) into the main English pack
    MDL-48546      ReDOS in the multimedia filter
    MDL-48368      XSS in course request pending approval page

API Changes:
    T-13636        Fixed "from" address in Face-to-face waitlist emails when a user cancels their booking

                   The optional param $fromuser has been added to several
                   facetoface_user_signup and several Face-to-face notification functions.

Bug Fixes:
    T-13552        Fixed duplicate records in Program Completion reports

                   This patch removes duplicate records from tables prog_completion and
                   prog_user_assignment. Deleted program completion records are archived in
                   prog_completion_history. Indexes are added to these tables to prevent
                   future duplication of records and discrepancies in the record of learning
                   and required learning reports.

    T-13880        Fixed missing language string in Facetoface notifications
    T-11643        Fixed display of error message if a program extension request fails
 
Release 2.2.34 (21st January 2015):
==================================================

Security Fixes:

    MDL-47920      mod/lti/ajax.php security problems
    MDL-48106      Multiple CSRF in mod glossary
    MDL-47964      Forced logout via auth/shibboleth/logout.php
    MDL-48748      Import fixed English strings (en_fix) into the main English pack
    MDL-48368      XSS in course request pending approval page

Bug Fixes:
    T-13552        Fixed duplicate records in Program Completion reports

                   This patch removes duplicate records from tables prog_completion and
                   prog_user_assignment. Deleted program completion records are archived in
                   prog_completion_history. Indexes are added to these tables to prevent
                   future duplication of records and discrepancies in the record of learning
                   and required learning reports.
 
Release 1.1.29 (21st January 2015):
==================================================

Security Fixes:

    MDL-48106      Multiple CSRF in mod glossary
    MDL-47964      Forced logout via auth/shibboleth/logout.php