Totara Release Notes

Security release for Totara Learn 11.9, 10.15, 9.26, 2.9.38, 2.7.46, 2.6.63, 2.5.69, 2.4.66, and 2.2.70

by Sam Hemelryk - Monday, 3 December 2018, 7:57 PM

Hello everyone,

The following versions of Totara Learn have now been released:

These versions do contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes bug fixes and improvements.

Kind regards
Sam Hemelryk

Release 11.9 (4th December 2018):

Security issues:
TL-19028 SCORM package download protection is now on by default

Previously this setting was off by default.
Turning it on ensures that sites are more secure by default.
TL-19365 CSRF protection was added to the login page, and HTML blocks on user pages now prevent self-XSS

Cross-site request forgery is now prevented on the login page. This means that alternate login pages can no longer be supported, and as such this feature has been deprecated. The change may also interfere with incorrectly designed custom authentication plugins.

Previously configured alternate login pages will not work after upgrade: a user attempting to log in on the alternate page is redirected to the regular login page and shown an error message asking them to retry logging in, which then succeeds. To keep using vulnerable alternate login pages, the administrator would need to disable CSRF protection on the login page in config.php.
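The behaviour described for TL-19365 (the same entry is repeated under each release in these notes) follows from a per-session login token. The following is an added illustration, not Totara's code: a minimal login handler that mints a one-time token when the regular login form is rendered, stores it in the pre-login session, and rejects any POST that does not carry it, redirecting the user to the regular page to retry. The names (Session, LoginResult, TOKEN_FIELD, the two paths) and the sample credentials are assumptions of this example; the config.php setting that disables the check is not named on this page and is not modelled.

```python
# Added illustration for TL-19365 (not Totara code): a login handler that binds a
# one-time CSRF token to the pre-login session and rejects any POST without it.
# All names here (Session, LoginResult, TOKEN_FIELD, the paths) are assumptions.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

TOKEN_FIELD = "logintoken"          # hypothetical hidden-field / session key
LOGIN_PAGE = "/login/index.php"     # assumed path of the regular login page
HOME_PAGE = "/my/"                  # assumed post-login landing page


@dataclass
class Session:
    """Stand-in for the server-side session of a not-yet-authenticated browser."""
    data: Dict[str, str] = field(default_factory=dict)


@dataclass
class LoginResult:
    ok: bool
    redirect_to: str
    error: Optional[str]


def render_login_form(session: Session) -> str:
    """Regular login page: mint a token, store it in the session, embed it in the form.

    Returns the token value the page places in a hidden input. An alternate login
    page written before this change never calls this, so its POST carries no token.
    """
    token = secrets.token_hex(16)
    session.data[TOKEN_FIELD] = token
    return token


def handle_login_post(session: Session, form: Dict[str, str],
                      authenticate: Callable[[str, str], bool]) -> LoginResult:
    """Login endpoint: the token check runs before credentials are even looked at."""
    expected = session.data.pop(TOKEN_FIELD, None)   # single use: consumed on every attempt
    supplied = form.get(TOKEN_FIELD, "")
    if expected is None or not hmac.compare_digest(expected, supplied):
        # No valid token for this session: send the user to the regular login
        # page, which mints a fresh token, and ask them to retry.
        return LoginResult(False, LOGIN_PAGE, "Invalid login token, please try again.")
    if authenticate(form.get("username", ""), form.get("password", "")):
        return LoginResult(True, HOME_PAGE, None)
    return LoginResult(False, LOGIN_PAGE, "Invalid login, please try again.")


def alternate_page_walkthrough(authenticate: Callable[[str, str], bool]) -> List[LoginResult]:
    """Reproduces the post-upgrade behaviour described above for an alternate login page.

    Step 1: the old alternate page posts credentials with no token -> rejected, redirected.
    Step 2: the user retries on the regular page, which issued a token -> succeeds.
    """
    session = Session()
    creds = {"username": "learner", "password": "correct horse"}   # constructed sample input
    first = handle_login_post(session, dict(creds), authenticate)
    token = render_login_form(session)
    second = handle_login_post(session, {**creds, TOKEN_FIELD: token}, authenticate)
    return [first, second]


if __name__ == "__main__":
    check = lambda u, p: (u, p) == ("learner", "correct horse")
    for step, result in enumerate(alternate_page_walkthrough(check), 1):
        print(step, result)
```

Two design points matter for the compatibility note above: the token is bound to the session rather than to the user, so it works before anyone is authenticated, and it is consumed on every attempt, so a stale form (or one served by another site) cannot be replayed. A custom authentication plugin that submits credentials to the login endpoint without first loading the regular form will fail the check in exactly the way the release note describes.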
TL-19669 Backported MDL-64222 security fix for badges

New features:
TL-18859 Add Totara content marketplace and GO1 marketplace

Totara content marketplace provides support for browsing and importing external content from content providers directly into your site.

Content providers can implement a new "marketplace" plugin type to integrate their content into Totara Learn. The release includes a marketplace plugin for GO1 (https://totara.go1.com/), which provides direct access to search and include GO1 aggregated content.

When first installed the content marketplace plugin will send an internal notification to site administrators and site managers on the next cron run, letting them know that content marketplaces are available. To prevent this notification and completely disable marketplaces add $CFG->enablecontentmarketplaces = false; in your site's config.php *before* you upgrade your site.
Improvements:
TL-18963 Improved the help text for the 'Enable messaging system' setting on the advanced settings page

TL-19145 Improved terminology for non-graded assignment strings

Bug fixes:
TL-16529 Fixed Global Search to accept a parameter of type either 'string' or 'array'

Prior to this patch, when a user tried to perform a global search the system would throw an error, because the query from the request was a string instead of an array and the global search handler expected only the array data type.

After this patch, the global search handler accepts either a 'string' or an 'array' parameter.
TL-16788 Fixed the audience visible learning report's JavaScript

Prior to this patch, in a report using the source 'Audience: visible learning', changing the visibility of an audience updated nothing. This happened because the JavaScript for the report was looking at the wrong elements and did not send any update to the server when the event fired.

With this patch, in the same scenario, the audience visibility of the course/program is updated.
TL-17804 Fixed certification expiry date not being updated when a user is granted an extension

Additional changes include:
* new baseline expiry field in the completion editor which is used to calculate subsequent expiry dates
* preventing users from requesting extension after the certification expiry
TL-18558 Fixed the display of activity restrictions for editing teachers

Editing teachers can see activity restrictions whether they match them or not.
TL-18806 Prevented prog_write_completion from being used with certification data

TL-18821 Fixed the rendering of a course's topic restriction when using the 'Restriction Set'

TL-18895 Added warning text to an audience's rules if any rule references a deleted item

Prior to the patch, when an item (for example a program, course or position) that was referenced in an audience rule was deleted, there was no obvious way to tell the user that the item had been deleted.

With this patch, a warning is shown when a user views a rule that still references a deleted item.
TL-18932 Added the ability to detect broken audience rules when the scheduled task that updates an audience's members starts running

Prior to this patch, when the scheduled task (\totara_cohort\task\update_cohort_task) was running there was no way for it to detect whether the rules still referenced invalid instance records (for example a course, program or user's position). Therefore, if a rule referenced an invalid instance record, the audience would not be able to update its members correctly.

With this patch, the task checks whether the referenced instance records are valid before updating members. If any instance records are invalid, the system sends an email to notify the site administrator.
TL-19000 Changed Seminar event approver notification type from alert to task so that a dashboard task block is created

TL-19122 Fixed an issue in recurring courses where, after the course restarts, the enrolment date remained the date from the original course

TL-19124 Internal implementation and performance of organisation and position based report restrictions

This is a backport of TL-19086, which was included in the October evergreen release.
TL-19149 Made sure the completion editor form is submitted correctly when the site is running in a non-English language

TL-19155 Fixed Google Maps OK button failure in Behat tests

TL-19158 Fixed 'Hide/Show' actions on the course/program custom fields page

TL-19160 Clarified date filter label that 'today' means 'start of today'

TL-19190 Fixed duplicate rows in the Program Completion report when the "Is user assigned?" column is included

TL-19196 Backported TL-15368 to fix user tours initialisation on the front page

TL-19215 Improved handling of text in autocomplete forms

Previously, when HTML tags were added to an autocomplete field they would be interpreted by the browser. This fix ensures that they are displayed as plain text, with the offending content removed when the form is reloaded.

This is not a security fix, as the only person who could be affected is the one entering the data, and only when first entering it (not on subsequent visits).
TL-19247 Fixed race condition when adding programs to the program completion block

TL-19248 Report builder filters now supply the report id when changed

Previously some filters did not supply the report id when the filter was changed. This fix ensures the access checks for the report are done correctly.
TL-19249 Fixed cancel button not working in the switch role form in a course

Previously the cancel button had the same functionality as the 'Save changes' button, changing the user's role.

With this patch, the cancel button now just redirects back to the course view page.
TL-19250 Fixed Totara forms file manager element with disabled subdirectories bug when uploading one file only

TL-19256 Ensured enrolment messages are sent correctly after user assignment exceptions have been resolved

TL-19297 Fixed errors when changing the course format to a different format on the course editing page

TL-19374 Removed a trailing space on the output of the certif_status Report Builder display

TL-19439 Fixed select all checkbox not working in the comments report in IE11/Edge

TL-19472 Fixed temporary manager expiry checkbox not being unchecked when the temporary manager is removed

TL-19495 Ensured the course shortname and category fields export correctly on the 'Program overview' Report Builder source

TL-19508 Removed duplicated options in the 'Show with backdrop' selector on the add new step form in user tours

Within a user tour, a Moodle form could get two "default" items selected. In Chrome this caused the last item ("No") to be selected, whereas the first option should be selected.

Replication steps (done on Chrome):
1. Ensure user tours are enabled
2. Set up a tour with "show backdrop" set to "Yes"
3. Go to the add step screen
4. Expand the "Options" step
5. Inspect element on the "Show with backdrop" select

Currently there are two options with the selected attribute set; there should only be one.
TL-19512 In-page confirmation boxes no longer display above menus

When deleting a block from a page, the confirmation box previously displayed on top of the menus. The menu now displays on top of the confirmation box.

This will require themes using LESS inheritance to recompile their CSS.
TL-19598 Fixed SQL error when updating a dynamic audience which includes the Job Assignments Manager rule

When a dynamic audience which included the job assignments Managers rule was updated an SQL error would be generated if any of the selected Managers had multiple job assignments. This would lead to the dynamic audience members not being updated when the scheduled task was run.
TL-19599 Fixed deletion of filters and columns in the "All User's Job Assignments" section

TL-19623 Fixed the layout of the Assignment grade page so that its elements no longer collapse into each other

Release 10.15 (4th December 2018):

Security issues:
TL-19028 SCORM package download protection is now on by default

Previously this setting was off by default.
Turning it on ensures that sites are more secure by default.
TL-19365 CSRF protection was added to the login page, and HTML blocks on user pages now prevent self-XSS

Cross-site request forgery is now prevented on the login page. This means that alternate login pages can no longer be supported, and as such this feature has been deprecated. The change may also interfere with incorrectly designed custom authentication plugins.

Previously configured alternate login pages will not work after upgrade: a user attempting to log in on the alternate page is redirected to the regular login page and shown an error message asking them to retry logging in, which then succeeds. To keep using vulnerable alternate login pages, the administrator would need to disable CSRF protection on the login page in config.php.
TL-19669 Backported MDL-64222 security fix for badges

New features:
TL-18859 Add Totara content marketplace and GO1 marketplace

Totara content marketplace provides support for browsing and importing external content from content providers directly into your site.

Content providers can implement a new "marketplace" plugin type to integrate their content into Totara Learn. The release includes a marketplace plugin for GO1 (https://totara.go1.com/), which provides direct access to search and include GO1 aggregated content.

When first installed the content marketplace plugin will send an internal notification to site administrators and site managers on the next cron run, letting them know that content marketplaces are available. To prevent this notification and completely disable marketplaces add $CFG->enablecontentmarketplaces = false; in your site's config.php *before* you upgrade your site.
Improvements:
TL-18963 Improved the help text for the 'Enable messaging system' setting on the advanced settings page

TL-19145 Improved terminology for non-graded assignment strings

Bug fixes:
TL-16529 Fixed Global Search to accept a parameter of type either 'string' or 'array'

Prior to this patch, when a user tried to perform a global search the system would throw an error, because the query from the request was a string instead of an array and the global search handler expected only the array data type.

After this patch, the global search handler accepts either a 'string' or an 'array' parameter.
TL-17804 Fixed certification expiry date not being updated when a user is granted an extension

Additional changes include:
* new baseline expiry field in the completion editor which is used to calculate subsequent expiry dates
* preventing users from requesting extension after the certification expiry
TL-18558 Fixed the display of activity restrictions for editing teachers

Editing teachers can see activity restrictions whether they match them or not.
TL-18806 Prevented prog_write_completion from being used with certification data

TL-18895 Added warning text to an audience's rules if any rule references a deleted item

Prior to the patch, when an item (for example a program, course or position) that was referenced in an audience rule was deleted, there was no obvious way to tell the user that the item had been deleted.

With this patch, a warning is shown when a user views a rule that still references a deleted item.
TL-18932 Added the ability to detect broken audience rules when the scheduled task that updates an audience's members starts running

Prior to this patch, when the scheduled task (\totara_cohort\task\update_cohort_task) was running there was no way for it to detect whether the rules still referenced invalid instance records (for example a course, program or user's position). Therefore, if a rule referenced an invalid instance record, the audience would not be able to update its members correctly.

With this patch, the task checks whether the referenced instance records are valid before updating members. If any instance records are invalid, the system sends an email to notify the site administrator.
TL-19000 Changed Seminar event approver notification type from alert to task so that a dashboard task block is created

TL-19122 Fixed an issue in recurring courses where, after the course restarts, the enrolment date remained the date from the original course

TL-19124 Internal implementation and performance of organisation and position based report restrictions

This is a backport of TL-19086, which was included in the October evergreen release.
TL-19149 Made sure the completion editor form is submitted correctly when the site is running in a non-English language

TL-19155 Fixed Google Maps OK button failure in Behat tests

TL-19160 Clarified date filter label that 'today' means 'start of today'

TL-19190 Fixed duplicate rows in the Program Completion report when the "Is user assigned?" column is included

TL-19215 Improved handling of text in autocomplete forms

Previously, when HTML tags were added to an autocomplete field they would be interpreted by the browser. This fix ensures that they are displayed as plain text, with the offending content removed when the form is reloaded.

This is not a security fix, as the only person who could be affected is the one entering the data, and only when first entering it (not on subsequent visits).
TL-19247 Fixed race condition when adding programs to the program completion block

TL-19248 Report builder filters now supply the report id when changed

Previously some filters did not supply the report id when the filter was changed. This fix ensures the access checks for the report are done correctly.
TL-19250 Fixed Totara forms file manager element with disabled subdirectories bug when uploading one file only

TL-19256 Ensured enrolment messages are sent correctly after user assignment exceptions have been resolved

TL-19312 Added the 'readonlyemptyfield' string that was missing from customfields

TL-19374 Removed a trailing space on the output of the certif_status Report Builder display

TL-19472 Fixed temporary manager expiry checkbox not being unchecked when the temporary manager is removed

TL-19495 Ensured the course shortname and category fields export correctly on the 'Program overview' Report Builder source

TL-19512 In-page confirmation boxes no longer display above menus

When deleting a block from a page, the confirmation box previously displayed on top of the menus. The menu now displays on top of the confirmation box.

This will require themes using LESS inheritance to recompile their CSS.
TL-19598 Fixed SQL error when updating a dynamic audience which includes the Job Assignments Manager rule

When a dynamic audience which included the job assignments Managers rule was updated an SQL error would be generated if any of the selected Managers had multiple job assignments. This would lead to the dynamic audience members not being updated when the scheduled task was run.

Release 9.26 (4th December 2018):

Security issues:
TL-19028 SCORM package download protection is now on by default

Previously this setting was off by default.
Turning it on ensures that sites are more secure by default.
TL-19365 CSRF protection was added to the login page, and HTML blocks on user pages now prevent self-XSS

Cross-site request forgery is now prevented on the login page. This means that alternate login pages can no longer be supported, and as such this feature has been deprecated. The change may also interfere with incorrectly designed custom authentication plugins.

Previously configured alternate login pages will not work after upgrade: a user attempting to log in on the alternate page is redirected to the regular login page and shown an error message asking them to retry logging in, which then succeeds. To keep using vulnerable alternate login pages, the administrator would need to disable CSRF protection on the login page in config.php.
TL-19669 Backported MDL-64222 security fix for badges

Improvements:
TL-18963 Improved the help text for the 'Enable messaging system' setting on the advanced settings page

Bug fixes:
TL-17804 Fixed certification expiry date not being updated when a user is granted an extension

Additional changes include:
* new baseline expiry field in the completion editor which is used to calculate subsequent expiry dates
* preventing users from requesting extension after the certification expiry
TL-18558 Fixed the display of activity restrictions for editing teachers

Editing teachers can see activity restrictions whether they match them or not.
TL-18806 Prevented prog_write_completion from being used with certification data

TL-18895 Added warning text to an audience's rules if any rule references a deleted item

Prior to the patch, when an item (for example a program, course or position) that was referenced in an audience rule was deleted, there was no obvious way to tell the user that the item had been deleted.

With this patch, a warning is shown when a user views a rule that still references a deleted item.
TL-18932 Added the ability to detect broken audience rules when the scheduled task that updates an audience's members starts running

Prior to this patch, when the scheduled task (\totara_cohort\task\update_cohort_task) was running there was no way for it to detect whether the rules still referenced invalid instance records (for example a course, program or user's position). Therefore, if a rule referenced an invalid instance record, the audience would not be able to update its members correctly.

With this patch, the task checks whether the referenced instance records are valid before updating members. If any instance records are invalid, the system sends an email to notify the site administrator.
TL-19000 Changed Seminar event approver notification type from alert to task so that a dashboard task block is created

TL-19122 Fixed an issue in recurring courses where, after the course restarts, the enrolment date remained the date from the original course

TL-19124 Internal implementation and performance of organisation and position based report restrictions

This is a backport of TL-19086, which was included in the October evergreen release.
TL-19155 Fixed Google Maps OK button failure in Behat tests

TL-19195 Fixed display issue when using the "Hide if there is nothing to display" setting in the report table block

If the setting "Hide if there is nothing to display" was set for the report table block then the block would hide even if there was data. The setting now works correctly and only hides the block if the report contains no data.
TL-19215 Improved handling of text in autocomplete forms

Previously, when HTML tags were added to an autocomplete field they would be interpreted by the browser. This fix ensures that they are displayed as plain text, with the offending content removed when the form is reloaded.

This is not a security fix, as the only person who could be affected is the one entering the data, and only when first entering it (not on subsequent visits).
TL-19248 Report builder filters now supply the report id when changed

Previously some filters did not supply the report id when the filter was changed. This fix ensures the access checks for the report are done correctly.
TL-19250 Fixed Totara forms file manager element with disabled subdirectories bug when uploading one file only

TL-19312 Added the 'readonlyemptyfield' string that was missing from customfields

Release 2.9.38 (4th December 2018):

Security issues:
TL-19365 CSRF protection was added to the login page, and HTML blocks on user pages now prevent self-XSS

Cross-site request forgery is now prevented on the login page. This means that alternate login pages can no longer be supported, and as such this feature has been deprecated. The change may also interfere with incorrectly designed custom authentication plugins.

Previously configured alternate login pages will not work after upgrade: a user attempting to log in on the alternate page is redirected to the regular login page and shown an error message asking them to retry logging in, which then succeeds. To keep using vulnerable alternate login pages, the administrator would need to disable CSRF protection on the login page in config.php.
TL-19669 Backported MDL-64222 security fix for badges

Bug fixes:
TL-17804 Fixed certification expiry date not being updated when a user is granted an extension

Additional changes include:
* new baseline expiry field in the completion editor which is used to calculate subsequent expiry dates
* preventing users from requesting extension after the certification expiry
TL-18806 Prevented prog_write_completion from being used with certification data

Release 2.7.46 (4th December 2018):

Security issues:
TL-19365 CSRF protection was added to the login page, and HTML blocks on user pages now prevent self-XSS

Cross-site request forgery is now prevented on the login page. This means that alternate login pages can no longer be supported, and as such this feature has been deprecated. The change may also interfere with incorrectly designed custom authentication plugins.

Previously configured alternate login pages will not work after upgrade: a user attempting to log in on the alternate page is redirected to the regular login page and shown an error message asking them to retry logging in, which then succeeds. To keep using vulnerable alternate login pages, the administrator would need to disable CSRF protection on the login page in config.php.
TL-19669 Backported MDL-64222 security fix for badges

Bug fixes:
TL-17804 Fixed certification expiry date not being updated when a user is granted an extension

Additional changes include:
* new baseline expiry field in the completion editor which is used to calculate subsequent expiry dates
* preventing users from requesting extension after the certification expiry
TL-18806 Prevented prog_write_completion from being used with certification data

Release 2.6.63 (4th December 2018):

Security issues:
TL-19365 CSRF protection was added to the login page, and HTML blocks on user pages now prevent self-XSS

Cross-site request forgery is now prevented on the login page. This means that alternate login pages can no longer be supported, and as such this feature has been deprecated. The change may also interfere with incorrectly designed custom authentication plugins.

Previously configured alternate login pages will not work after upgrade: a user attempting to log in on the alternate page is redirected to the regular login page and shown an error message asking them to retry logging in, which then succeeds. To keep using vulnerable alternate login pages, the administrator would need to disable CSRF protection on the login page in config.php.
TL-19669 Backported MDL-64222 security fix for badges

Release 2.5.69 (4th December 2018):

Security issues:
TL-19365 CSRF protection was added to the login page, and HTML blocks on user pages now prevent self-XSS

Cross-site request forgery is now prevented on the login page. This means that alternate login pages can no longer be supported, and as such this feature has been deprecated. The change may also interfere with incorrectly designed custom authentication plugins.

Previously configured alternate login pages will not work after upgrade: a user attempting to log in on the alternate page is redirected to the regular login page and shown an error message asking them to retry logging in, which then succeeds. To keep using vulnerable alternate login pages, the administrator would need to disable CSRF protection on the login page in config.php.
TL-19669 Backported MDL-64222 security fix for badges

Release 2.4.66 (4th December 2018):

Security issues:
TL-19365 CSRF protection was added to the login page, and HTML blocks on user pages now prevent self-XSS

Cross-site request forgery is now prevented on the login page. This means that alternate login pages can no longer be supported, and as such this feature has been deprecated. The change may also interfere with incorrectly designed custom authentication plugins.

Previously configured alternate login pages will not work after upgrade: a user attempting to log in on the alternate page is redirected to the regular login page and shown an error message asking them to retry logging in, which then succeeds. To keep using vulnerable alternate login pages, the administrator would need to disable CSRF protection on the login page in config.php.

Release 2.2.70 (4th December 2018):

Security issues:
TL-19365 CSRF protection was added to the login page, and HTML blocks on user pages now prevent self-XSS

Cross-site request forgery is now prevented on the login page. This means that alternate login pages can no longer be supported, and as such this feature has been deprecated. The change may also interfere with incorrectly designed custom authentication plugins.

Previously configured alternate login pages will not work after upgrade: a user attempting to log in on the alternate page is redirected to the regular login page and shown an error message asking them to retry logging in, which then succeeds. To keep using vulnerable alternate login pages, the administrator would need to disable CSRF protection on the login page in config.php.