Hi everyone!
We have just published security releases: Totara Social 2.18 and 1.0.20! The security issue is a backported fix from the Mahara project related to the way event logs are stored in the database. In some cases (like new user creation or password reset), user passwords were stored in the database as part of the event log data. The fix makes sure password data will not be stored in the future, updates existing event logs to remove sensitive data, and forces a password reset for every affected user.
Here are the changelogs for today's Totara Social releases:
Release 2.18 (9th June 2017)
==================================================

Backported security fix from Mahara:
    Stop event log having plain text passwords (Bug #1692749)

Bug fixes:
    TS-1335 Fixed "Comments" block not working when the page has tags
    TS-1330 Added validation for maximum supported version of PHP
    TS-1330 Fixed MySQL 5.7 backwards compatibility issue

Release 1.0.20 (9th June 2017)
==================================================

Backported security fix from Mahara:
    Stop event log having plain text passwords (Bug #1692749)