Hello everyone,
The following versions of Totara Learn have now been released:
- Release Evergreen
- Release 12.17
- Release 11.26
- Release 10.32
- Release 9.43
- Release 2.9.51
- Release 2.7.58
- Release 2.6.75
- Release 2.5.80
- Release 2.4.75
- Release 2.2.76
These versions do contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes bug fixes and improvements.
A big thanks to the following people for their contributions to this release:
- Mark Ward at Learning Pool - TL-5081
- Sergey Vidusov at Androgogic - TL-24779
Kind regards
Sam Hemelryk
Release Evergreen (29th April 2020):
Key: + Evergreen only
Security issues:
TL-23040 Added a check to the security overview report for poorly configured OAuth 2 issuers
A new check has been added to the security overview report that warns the
user if there are OAuth 2 issuers configured not to verify users' email
addresses. An address that an issuer asserts but has never verified should
not be relied on to match the login to an existing account.
The warning is displayed as critical if, in addition to this, the site has
been configured to permit users to share email addresses.
TL-24490 Shibboleth attributes are now validated against a blacklist of common $_SERVER variables
Prior to this change, Shibboleth attribute mapping could access any
variable stored in $_SERVER, including entries populated by the web server
or by the client's own request rather than by the Shibboleth SP, allowing
malicious configurations to be created.
All user attributes are now validated to ensure that they are not in a list
of commonly available $_SERVER variables that do not belong to Shibboleth.
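The check above, modelled as an added Python example. This is not Totara's code: $_SERVER is represented as a dict, the keys in the denylist are a constructed sample rather than the project's actual list, and the sample request is constructed for illustration.

```python
# Added example, not Totara's code: a Python model of the TL-24490 check.
# $_SERVER is represented as a dict. Besides the attributes the Shibboleth
# SP exports, it carries entries set by the web server (REMOTE_ADDR,
# SCRIPT_FILENAME, ...) and by the client's request (QUERY_STRING and every
# request header as HTTP_*). An attribute mapping that points at one of
# those lets the client, not the IdP, decide who the user is.

# Constructed sample denylist. The release notes do not list the keys
# Totara blocks, so this set is illustrative only.
DENIED_SERVER_KEYS = {
    'REMOTE_ADDR', 'REMOTE_PORT', 'REMOTE_USER', 'REQUEST_URI', 'REQUEST_METHOD',
    'QUERY_STRING', 'SCRIPT_NAME', 'SCRIPT_FILENAME', 'PATH_INFO', 'DOCUMENT_ROOT',
    'SERVER_NAME', 'SERVER_ADDR', 'SERVER_PORT', 'SERVER_SOFTWARE', 'SERVER_PROTOCOL',
    'HTTP_HOST', 'HTTP_COOKIE', 'HTTP_REFERER', 'HTTP_USER_AGENT', 'HTTP_ACCEPT',
    'HTTP_X_FORWARDED_FOR', 'PHP_SELF', 'PHP_AUTH_USER', 'PHP_AUTH_PW', 'HTTPS',
}


class BadAttributeMapping(ValueError):
    """Raised when a mapping names a $_SERVER entry Shibboleth does not own."""


def validate_mapping(mapping):
    """mapping: {totara_field: server_key}. Returns it unchanged if every
    key is acceptable, otherwise raises BadAttributeMapping."""
    for field, server_key in mapping.items():
        key = (server_key or '').strip()
        if not key:
            raise BadAttributeMapping('empty $_SERVER key for field %r' % field)
        # Case-insensitive: PHP keys are upper case, admins type anything.
        if key.upper() in DENIED_SERVER_KEYS:
            raise BadAttributeMapping(
                'field %r is mapped to %s, which is not a Shibboleth attribute'
                % (field, key))
    return mapping


def extract_attributes(server, mapping):
    """Read the mapped attributes out of a $_SERVER-like dict, validating
    the mapping first so a bad configuration fails closed."""
    validate_mapping(mapping)
    return {field: server.get(key) for field, key in mapping.items()}


# Constructed $_SERVER as the SP would hand it to PHP with environment
# export: eppn/mail come from the IdP, the rest from the request itself.
SAMPLE_SERVER = {
    'eppn': 'alice@example.edu',
    'mail': 'alice@example.edu',
    'REMOTE_ADDR': '203.0.113.5',
    'QUERY_STRING': 'username=admin',
    'HTTP_X_EPPN': 'admin@example.edu',  # header sent by the client, not the SP
}

if __name__ == '__main__':
    print(extract_attributes(SAMPLE_SERVER, {'username': 'eppn', 'email': 'mail'}))
    for bad in ({'username': 'QUERY_STRING'}, {'username': 'remote_addr'}):
        try:
            validate_mapping(bad)
        except BadAttributeMapping as e:
            print('rejected:', e)
    # Not caught by a denylist of common names: the client set this header,
    # not the SP. A denylist stops obvious mistakes; only the SP's own
    # header spoof protection (or environment export) closes this path.
    print(extract_attributes(SAMPLE_SERVER, {'username': 'HTTP_X_EPPN'}))
```

A denylist of well-known names stops an administrator from mapping an identity attribute to QUERY_STRING or REMOTE_ADDR, but it cannot tell an SP-exported header from one the client sent, as the last call shows. Keep the Shibboleth SP's header spoof protection enabled and, where the web server permits it, export attributes as environment variables rather than headers.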
TL-24587 HTML block no longer allows self-XSS
Prior to this change, users could perform XSS attacks on themselves by
adding an HTML block when customising their dashboard, giving it malicious
content, saving it, and then editing it again.
When customised, a dashboard is only visible to the owning user. However,
an administrator viewing that user's dashboard through the 'Log in as'
functionality would also execute the malicious block, so the impact was
not confined to the user's own session.
This has now been fixed: when editing an HTML block on user pages, the
content is cleaned before it is loaded into the editor.
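An allowlist cleaner of the kind the fix describes, as an added Python example. This is not Totara's cleaner: the tag and attribute lists are illustrative, and the inputs in the demonstration are constructed.

```python
import html
from html.parser import HTMLParser

# Added example, not Totara's code: an allowlist HTML cleaner run over block
# content before it goes back into the editor. Everything not explicitly
# allowed is dropped: unknown tags, attributes not listed for their tag
# (which removes every on* handler), and javascript: URLs. Text content is
# re-escaped on output. The lists below are illustrative only.

ALLOWED_TAGS = {'p', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li', 'br', 'h2', 'h3'}
ALLOWED_ATTRS = {'a': {'href', 'title'}}
VOID_TAGS = {'br'}
DROP_WITH_CONTENT = {'script', 'style'}   # the tag and everything inside it go
SAFE_SCHEMES = {'http', 'https', 'mailto'}


def safe_url(value):
    """True for relative URLs and http/https/mailto; False otherwise."""
    # Browsers ignore whitespace and control characters inside the scheme,
    # so "java\tscript:" has to be normalised before the check.
    v = ''.join(ch for ch in (value or '') if ch.isprintable() and not ch.isspace())
    if ':' not in v:
        return True   # relative URL
    return v.split(':', 1)[0].lower() in SAFE_SCHEMES


class HtmlCleaner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags currently open, for balancing
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return   # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue   # covers onclick, onerror, style, ...
            if name == 'href' and not safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value or '', quote=True)))
        self.out.append('<%s%s>' % (tag, ''.join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close anything opened after `tag` too, so mis-nested input cannot
        # leave an element open past where the author closed it.
        while True:
            open_tag = self.open_tags.pop()
            self.out.append('</%s>' % open_tag)
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            # Re-escape: entities the author typed come back out as text.
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        while self.open_tags:   # close whatever the input left open
            self.out.append('</%s>' % self.open_tags.pop())
        return ''.join(self.out)


def clean_html(fragment):
    cleaner = HtmlCleaner()
    cleaner.feed(fragment)
    return cleaner.result()


if __name__ == '__main__':
    # Constructed block content of the kind the fix is about.
    print(clean_html('<p onclick="x()">Hi <script>alert(1)</script><b>there</b></p>'))
    print(clean_html('<a href="java\tscript:alert(1)">x</a><img src=x onerror=alert(1)>'))
```

Run it over the stored content before it is handed to the editor, as the fix does; the same function at render time is the backstop if any other write path reaches the block's content.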
TL-24618 Backported MDL-67861: IP addresses can be spoofed using X-Forwarded-For
If your server is behind multiple reverse proxies that append to
the X-Forwarded-For header, you will need to specify a comma-separated
list of IP addresses or subnets of the reverse proxies to be ignored in
order to find the user's correct IP address. The header is supplied by the
client, so any entry that was not appended by one of your own proxies
cannot be trusted.
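How the client address should be derived once that list is configured, as an added Python example. This is neither Totara's nor Moodle's code; the page does not name the setting (in Moodle's fix for MDL-67861 it is $CFG->reverseproxyignore in config.php; confirm the name in your release's config-dist.php), and the addresses used are constructed.

```python
import ipaddress

# Added example, not Totara's or Moodle's code. The X-Forwarded-For header is
# read from the right, i.e. from the hop nearest to us: entries that belong
# to our own proxies (the configured ignore list) are skipped and the first
# remaining entry is the client. Entries further left were written by parties
# we do not control and can say anything. The same fix covers all releases
# listing TL-24618 on this page.


def parse_ignore_list(value):
    """'10.0.0.1, 10.0.1.0/24' -> [ip_network, ...]; a bare address is /32 or /128."""
    nets = []
    for item in (value or '').split(','):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_trusted_proxy(addr, nets):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def client_ip_naive(remote_addr, xff):
    """The spoofable behaviour: trust the left-most entry unconditionally."""
    if xff:
        return xff.split(',')[0].strip()
    return remote_addr


def client_ip(remote_addr, xff, ignore_list):
    """remote_addr: TCP peer seen by the web server.
    xff: raw X-Forwarded-For value, or None.
    ignore_list: comma-separated proxy IPs/subnets (the setting's value)."""
    nets = parse_ignore_list(ignore_list)
    # The header only means anything if the direct peer is one of our proxies
    # (stricter than simply skipping listed entries, and deliberately so).
    if not nets or not is_trusted_proxy(remote_addr, nets) or not xff:
        return remote_addr
    hops = [h.strip() for h in xff.split(',') if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop, nets):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return remote_addr   # malformed entry: fall back to the peer
    return remote_addr   # every entry was one of our proxies


if __name__ == '__main__':
    # Constructed request: the attacker prepended 1.2.3.4, the real client is
    # 203.0.113.7, and 10.0.1.5 / 10.0.0.1 are our two proxies.
    ignore = '10.0.0.1, 10.0.1.0/24'
    xff = '1.2.3.4, 203.0.113.7, 10.0.1.5'
    print('naive:', client_ip_naive('10.0.0.1', xff))
    print('fixed:', client_ip('10.0.0.1', xff, ignore))
```

Any address-based control (login lockout, IP-restricted admin pages, logging used in an investigation) inherits the trust problem the naive version shows, so configure the list for every proxy tier, not just the outermost one.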
New features:
TL-5081 + Added a new 'Program Exceptions' report source
TL-24660 + Added a new 'Certification Exceptions' report source
Performance improvements:
TL-24573 Improved performance of lesson status filter in SCORM reports
TL-24574 Changed type of SCORM attempts filter to a number filter to improve performance by avoiding extra database calls
Improvements:
TL-5629 + Added temporary manager and expiry date to HR Import Job Assignment element
As part of this the pre-existing Job Assignment import field
'managerjobassignmentidnumber' has been renamed to 'managerjaidnumber'.
NOTE: CSV or Database sources that do not have field mappings will require
the source field name to be updated.
TL-22533 Improved the accessibility of PDF exports generated by report builder
The improvements made include ensuring the table uses correct markup,
contains a caption, row and column headers, and improving the use of
heading tags.
TL-23015 Improved accessibility of the full report link in the 'Report graph' block
TL-23991 Improved the use of wai-aria roles within the primary navigation template
TL-24173 Updated aria roles of notifications to more accurately reflect their importance
TL-24433 Improved confirmation dialog information when cloning audiences
TL-24555 The Redis cache store now warns against changing the serializer setting when in use
Added a new warning to the Redis cache store configuration to warn
administrators that the serializer setting must not be changed if there is
any data in the cache already.
TL-24643 Improved the calculation of months when displaying relative date information
Previously, to calculate relative date in months (e.g. "A month ago", "4
months ago", etc.) an average number of days per month – 30.5 days –
was used in the calculations. As a result, shorter months like February did
not always produce the correct outcome. This has now been changed to use
date difference which returns more accurate results.
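The two ways of counting months that this change contrasts, as an added Python example (not Totara's code; the dates are constructed to show the February case):

```python
from datetime import date

# Added example, not Totara's code: the old average-month-length count next
# to the calendar-difference count that replaced it. The calendar version
# only counts a month once the same day-of-month has been reached again.


def months_ago_average(earlier, later, avg_days=30.5):
    """Old behaviour: elapsed days divided by 30.5, truncated."""
    return int((later - earlier).days / avg_days)


def months_ago_calendar(earlier, later):
    """New behaviour: whole calendar months from `earlier` to `later`."""
    if later < earlier:
        raise ValueError('later must not precede earlier')
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:
        months -= 1   # the most recent month is not complete yet
    return months


if __name__ == '__main__':
    # Constructed: a full February reads as "0 months" with the old method.
    print(months_ago_average(date(2020, 2, 1), date(2020, 3, 1)),
          months_ago_calendar(date(2020, 2, 1), date(2020, 3, 1)))
```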
TL-24676 Added support for hiding of Totara forms elements based on 'value in array' and 'value not in array' conditions
TL-24825 CLI script admin/cli/cfg.php now logs all changes so that incorrect changes can be identified later
Bug fixes:
TL-17294 Fixed a reference to the wrong language string within the "Alerts" block
TL-18762 Learning plan comments now correctly respect the site wide setting to disable comments
TL-23157 + Fixed inconsistent sorting of enrolment methods on the course enrolment page
TL-23459 Made sure Quiz activity takes passing grade requirement into account when restoring from course backups made with Totara 2.7 or earlier
TL-24450 Prevented markup from showing in the course activity grouping toggle's alt text
When the grouping was toggled the name of the activity contained a span
tag. This is now correctly stripped out.
TL-24546 Improved the JavaScript validation for required user profile checkbox fields
TL-24558 Clarified seminar 'Add via list of IDs' error message
When one or more user IDs in a list of potential seminar attendees cannot
be found, none of the attendees are signed up to the seminar. The error
message displayed when this happens has been updated to make that clear.
TL-24624 Ensured that attendees created via seminar direct enrolment are always enrolled
Previously, when attendees enrolled themselves on a course by signing up to
a seminar that required 'Manager and Administrative' approval, and the
seminar was already at capacity, the attendees would be added to the
waitlist on approval, but not enrolled on the course.
This patch makes sure that they are enrolled when their attendance is
approved, even if they are added to a waitlist.
TL-24640 Clarified 'Send later' options for seminar notifications
Previously, the options for sending a seminar notification later were
'before start of session', 'after end of event', and 'before registration
closes'. The 'before start of session' string was accidentally left
unchanged when sessions became seminar events in Totara 9.
The option labels have been updated to make it clear when notifications
will be sent. The new options are:
* before event (opening session start time)
* after event (closing session end time)
* before end of Sign-up period (cut-off point)
The logic driving the notifications has not changed, only the strings for
the labels.
TL-24659 Added redirect to fix seminar manager approval links which were using the old endpoint
The mod/facetoface/attendees.php endpoint used by managers to approve or
deny seminar attendance was moved to mod/facetoface/attendees/approval.php
in Totara 12 without a redirect. This caused links in any notifications
generated before upgrade to lead to a page that no longer exists.
A redirect has been added to ensure that actions in old seminar
notifications continue to work.
TL-24687 Fixed completion date content filter not showing for course completion history report
TL-24779 Ensured "inlist" type audience rule SQL parameters use unique names
This occurred when multiple inlist rules were added to an audience and were
using the IS EMPTY operator.
When encountered, this produced a fatal error.
The inlist rule has now been updated to ensure it uses unique parameter
names.
TL-24781 Fixed missing language string in course upload sanity check error
API changes:
TL-22910 Send filename* instead of filename in the Content-Disposition response header
This patch resolves, in particular, the file name corruption (mojibake)
seen when downloading a file whose name contains non-ASCII characters on
Microsoft Edge 18 or older, by sending the filename* parameter defined in
RFC 6266.
The plain filename parameter (without the asterisk) is no longer sent, to
work around a browser bug in Apple Safari.
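Building and decoding that header, as an added Python example. This is not Totara's code; the file names are constructed, and the decoder is included to show what a client does with the value.

```python
import re
from urllib.parse import quote, unquote

# Added example, not Totara's code: a Content-Disposition value carrying only
# the RFC 6266 filename* parameter (ext-value syntax from RFC 5987, now
# RFC 8187), and the matching decode a client performs. CR, LF and NUL are
# removed first so a file name can never terminate the header or inject
# another one.


def content_disposition(filename, disposition='attachment'):
    """Return the header value for `filename` (any Unicode string)."""
    cleaned = re.sub(r'[\r\n\x00]', '', filename)
    # quote(..., safe='') percent-encodes everything outside the RFC 3986
    # unreserved set, which also covers ';', '"', '/' and spaces, so the
    # parameter needs no quoting and cannot be split.
    encoded = quote(cleaned, safe='', encoding='utf-8')
    return "%s; filename*=UTF-8''%s" % (disposition, encoded)


_EXT_VALUE = re.compile(r"filename\*\s*=\s*([\w-]+)'([^']*)'([^;\s]*)", re.I)


def parse_filename_star(header_value):
    """Decode filename* from a Content-Disposition value; None if absent or invalid."""
    m = _EXT_VALUE.search(header_value)
    if not m:
        return None
    charset, _lang, value = m.groups()
    charset = charset.lower()
    if charset not in ('utf-8', 'iso-8859-1'):
        return None   # RFC 8187 requires UTF-8; ISO-8859-1 is RFC 5987 legacy
    try:
        return unquote(value, encoding=charset, errors='strict')
    except UnicodeDecodeError:
        return None


if __name__ == '__main__':
    # Constructed names: non-ASCII, header-special characters, and a CR/LF
    # injection attempt.
    for name in ('報告書.pdf', 'a b;c"d.txt', 'x\r\nX-Injected: 1.txt'):
        hv = content_disposition(name)
        print(hv, '->', parse_filename_star(hv))
```

Sending only filename* means a client that does not understand RFC 6266 gets no name from the header and falls back to the URL; that is the trade the Safari workaround makes.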
TL-24579 No longer warn via debugging if the selected theme is not available during installation and upgrade
Contributions:
* Mark Ward at Learning Pool - TL-5081
* Sergey Vidusov at Androgogic - TL-24779
Release 12.17 (29th April 2020):
Security issues:
TL-23040 Added a check to the security overview report for poorly configured OAuth 2 issuers
A new check has been added to the security overview report that warns the
user if there are OAuth 2 issuers configured not to verify users' email
addresses. An address that an issuer asserts but has never verified should
not be relied on to match the login to an existing account.
The warning is displayed as critical if, in addition to this, the site has
been configured to permit users to share email addresses.
TL-24490 Shibboleth attributes are now validated against a blacklist of common $_SERVER variables
Prior to this change, Shibboleth attribute mapping could access any
variable stored in $_SERVER, including entries populated by the web server
or by the client's own request rather than by the Shibboleth SP, allowing
malicious configurations to be created.
All user attributes are now validated to ensure that they are not in a list
of commonly available $_SERVER variables that do not belong to Shibboleth.
TL-24587 HTML block no longer allows self-XSS
Prior to this change, users could perform XSS attacks on themselves by
adding an HTML block when customising their dashboard, giving it malicious
content, saving it, and then editing it again.
When customised, a dashboard is only visible to the owning user. However,
an administrator viewing that user's dashboard through the 'Log in as'
functionality would also execute the malicious block, so the impact was
not confined to the user's own session.
This has now been fixed: when editing an HTML block on user pages, the
content is cleaned before it is loaded into the editor.
TL-24618 Backported MDL-67861: IP addresses can be spoofed using X-Forwarded-For
If your server is behind multiple reverse proxies that append to
the X-Forwarded-For header, you will need to specify a comma-separated
list of IP addresses or subnets of the reverse proxies to be ignored in
order to find the user's correct IP address. The header is supplied by the
client, so any entry that was not appended by one of your own proxies
cannot be trusted.
Performance improvements:
TL-24573 Improved performance of lesson status filter in SCORM reports
TL-24574 Changed type of SCORM attempts filter to a number filter to improve performance by avoiding extra database calls
Improvements:
TL-22533 Improved the accessibility of PDF exports generated by report builder
The improvements made include ensuring the table uses correct markup,
contains a caption, row and column headers, and improving the use of
heading tags.
TL-23015 Improved accessibility of the full report link in the 'Report graph' block
TL-23991 Improved the use of wai-aria roles within the primary navigation template
TL-24173 Updated aria roles of notifications to more accurately reflect their importance
TL-24433 Improved confirmation dialog information when cloning audiences
TL-24555 The Redis cache store now warns against changing the serializer setting when in use
Added a new warning to the Redis cache store configuration to warn
administrators that the serializer setting must not be changed if there is
any data in the cache already.
TL-24643 Improved the calculation of months when displaying relative date information
Previously, to calculate relative date in months (e.g. "A month ago", "4
months ago", etc.) an average number of days per month – 30.5 days –
was used in the calculations. As a result, shorter months like February did
not always produce the correct outcome. This has now been changed to use
date difference which returns more accurate results.
TL-24676 Added support for hiding of Totara forms elements based on 'value in array' and 'value not in array' conditions
TL-24825 CLI script admin/cli/cfg.php now logs all changes so that incorrect changes can be identified later
Bug fixes:
TL-17294 Fixed a reference to the wrong language string within the "Alerts" block
TL-18762 Learning plan comments now correctly respect the site wide setting to disable comments
TL-23459 Made sure Quiz activity takes passing grade requirement into account when restoring from course backups made with Totara 2.7 or earlier
TL-24450 Prevented markup from showing in the course activity grouping toggle's alt text
When the grouping was toggled the name of the activity contained a span
tag. This is now correctly stripped out.
TL-24546 Improved the JavaScript validation for required user profile checkbox fields
TL-24558 Clarified seminar 'Add via list of IDs' error message
When one or more user IDs in a list of potential seminar attendees cannot
be found, none of the attendees are signed up to the seminar. The error
message displayed when this happens has been updated to make that clear.
TL-24624 Ensured that attendees created via seminar direct enrolment are always enrolled
Previously, when attendees enrolled themselves on a course by signing up to
a seminar that required 'Manager and Administrative' approval, and the
seminar was already at capacity, the attendees would be added to the
waitlist on approval, but not enrolled on the course.
This patch makes sure that they are enrolled when their attendance is
approved, even if they are added to a waitlist.
TL-24640 Clarified 'Send later' options for seminar notifications
Previously, the options for sending a seminar notification later were
'before start of session', 'after end of event', and 'before registration
closes'. The 'before start of session' string was accidentally left
unchanged when sessions became seminar events in Totara 9.
The option labels have been updated to make it clear when notifications
will be sent. The new options are:
* before event (opening session start time)
* after event (closing session end time)
* before end of Sign-up period (cut-off point)
The logic driving the notifications has not changed, only the strings for
the labels.
TL-24659 Added redirect to fix seminar manager approval links which were using the old endpoint
The mod/facetoface/attendees.php endpoint used by managers to approve or
deny seminar attendance was moved to mod/facetoface/attendees/approval.php
in Totara 12 without a redirect. This caused links in any notifications
generated before upgrade to lead to a page that no longer exists.
A redirect has been added to ensure that actions in old seminar
notifications continue to work.
TL-24687 Fixed completion date content filter not showing for course completion history report
TL-24779 Ensured "inlist" type audience rule SQL parameters use unique names
This occurred when multiple inlist rules were added to an audience and were
using the IS EMPTY operator.
When encountered, this produced a fatal error.
The inlist rule has now been updated to ensure it uses unique parameter
names.
TL-24781 Fixed missing language string in course upload sanity check error
API changes:
TL-22910 Send filename* instead of filename in the Content-Disposition response header
This patch resolves, in particular, the file name corruption (mojibake)
seen when downloading a file whose name contains non-ASCII characters on
Microsoft Edge 18 or older, by sending the filename* parameter defined in
RFC 6266.
The plain filename parameter (without the asterisk) is no longer sent, to
work around a browser bug in Apple Safari.
TL-24579 No longer warn via debugging if the selected theme is not available during installation and upgrade
Contributions:
* Sergey Vidusov at Androgogic - TL-24779
Release 11.26 (29th April 2020):
Security issues:
TL-23040 Added a check to the security overview report for poorly configured OAuth 2 issuers
A new check has been added to the security overview report that warns the
user if there are OAuth 2 issuers configured not to verify users' email
addresses. An address that an issuer asserts but has never verified should
not be relied on to match the login to an existing account.
The warning is displayed as critical if, in addition to this, the site has
been configured to permit users to share email addresses.
TL-24490 Shibboleth attributes are now validated against a blacklist of common $_SERVER variables
Prior to this change, Shibboleth attribute mapping could access any
variable stored in $_SERVER, including entries populated by the web server
or by the client's own request rather than by the Shibboleth SP, allowing
malicious configurations to be created.
All user attributes are now validated to ensure that they are not in a list
of commonly available $_SERVER variables that do not belong to Shibboleth.
TL-24587 HTML block no longer allows self-XSS
Prior to this change, users could perform XSS attacks on themselves by
adding an HTML block when customising their dashboard, giving it malicious
content, saving it, and then editing it again.
When customised, a dashboard is only visible to the owning user. However,
an administrator viewing that user's dashboard through the 'Log in as'
functionality would also execute the malicious block, so the impact was
not confined to the user's own session.
This has now been fixed: when editing an HTML block on user pages, the
content is cleaned before it is loaded into the editor.
TL-24618 Backported MDL-67861: IP addresses can be spoofed using X-Forwarded-For
If your server is behind multiple reverse proxies that append to
the X-Forwarded-For header, you will need to specify a comma-separated
list of IP addresses or subnets of the reverse proxies to be ignored in
order to find the user's correct IP address. The header is supplied by the
client, so any entry that was not appended by one of your own proxies
cannot be trusted.
Improvements:
TL-24433 Improved confirmation dialog information when cloning audiences
TL-24643 Improved the calculation of months when displaying relative date information
Previously, to calculate relative date in months (e.g. "A month ago", "4
months ago", etc.) an average number of days per month – 30.5 days –
was used in the calculations. As a result, shorter months like February did
not always produce the correct outcome. This has now been changed to use
date difference which returns more accurate results.
Bug fixes:
TL-17294 Fixed a reference to the wrong language string within the "Alerts" block
TL-18762 Learning plan comments now correctly respect the site wide setting to disable comments
TL-23459 Made sure Quiz activity takes passing grade requirement into account when restoring from course backups made with Totara 2.7 or earlier
TL-24779 Ensured "inlist" type audience rule SQL parameters use unique names
This occurred when multiple inlist rules were added to an audience and were
using the IS EMPTY operator.
When encountered, this produced a fatal error.
The inlist rule has now been updated to ensure it uses unique parameter
names.
API changes:
TL-22910 Send filename* instead of filename in the Content-Disposition response header
This patch resolves, in particular, the file name corruption (mojibake)
seen when downloading a file whose name contains non-ASCII characters on
Microsoft Edge 18 or older, by sending the filename* parameter defined in
RFC 6266.
The plain filename parameter (without the asterisk) is no longer sent, to
work around a browser bug in Apple Safari.
TL-24579 No longer warn via debugging if the selected theme is not available during installation and upgrade
Contributions:
* Sergey Vidusov at Androgogic - TL-24779
Release 10.32 (29th April 2020):
Security issues:
TL-24490 Shibboleth attributes are now validated against a blacklist of common $_SERVER variables
Prior to this change, Shibboleth attribute mapping could access any
variable stored in $_SERVER, including entries populated by the web server
or by the client's own request rather than by the Shibboleth SP, allowing
malicious configurations to be created.
All user attributes are now validated to ensure that they are not in a list
of commonly available $_SERVER variables that do not belong to Shibboleth.
TL-24587 HTML block no longer allows self-XSS
Prior to this change, users could perform XSS attacks on themselves by
adding an HTML block when customising their dashboard, giving it malicious
content, saving it, and then editing it again.
When customised, a dashboard is only visible to the owning user. However,
an administrator viewing that user's dashboard through the 'Log in as'
functionality would also execute the malicious block, so the impact was
not confined to the user's own session.
This has now been fixed: when editing an HTML block on user pages, the
content is cleaned before it is loaded into the editor.
TL-24618 Backported MDL-67861: IP addresses can be spoofed using X-Forwarded-For
If your server is behind multiple reverse proxies that append to
the X-Forwarded-For header, you will need to specify a comma-separated
list of IP addresses or subnets of the reverse proxies to be ignored in
order to find the user's correct IP address. The header is supplied by the
client, so any entry that was not appended by one of your own proxies
cannot be trusted.
Improvements:
TL-24518 Removed redundant parameter from the full text search support lang string
Bug fixes:
TL-23459 Made sure Quiz activity takes passing grade requirement into account when restoring from course backups made with Totara 2.7 or earlier
TL-24779 Ensured "inlist" type audience rule SQL parameters use unique names
This occurred when multiple inlist rules were added to an audience and were
using the IS EMPTY operator.
When encountered, this produced a fatal error.
The inlist rule has now been updated to ensure it uses unique parameter
names.
API changes:
TL-22910 Send filename* instead of filename in the Content-Disposition response header
This patch resolves, in particular, the file name corruption (mojibake)
seen when downloading a file whose name contains non-ASCII characters on
Microsoft Edge 18 or older, by sending the filename* parameter defined in
RFC 6266.
The plain filename parameter (without the asterisk) is no longer sent, to
work around a browser bug in Apple Safari.
TL-24579 No longer warn via debugging if the selected theme is not available during installation and upgrade
Contributions:
* Sergey Vidusov at Androgogic - TL-24779
Release 9.43 (29th April 2020):
Security issues:
TL-24490 Shibboleth attributes are now validated against a blacklist of common $_SERVER variables
Prior to this change, Shibboleth attribute mapping could access any
variable stored in $_SERVER, including entries populated by the web server
or by the client's own request rather than by the Shibboleth SP, allowing
malicious configurations to be created.
All user attributes are now validated to ensure that they are not in a list
of commonly available $_SERVER variables that do not belong to Shibboleth.
TL-24587 HTML block no longer allows self-XSS
Prior to this change, users could perform XSS attacks on themselves by
adding an HTML block when customising their dashboard, giving it malicious
content, saving it, and then editing it again.
When customised, a dashboard is only visible to the owning user. However,
an administrator viewing that user's dashboard through the 'Log in as'
functionality would also execute the malicious block, so the impact was
not confined to the user's own session.
This has now been fixed: when editing an HTML block on user pages, the
content is cleaned before it is loaded into the editor.
TL-24618 Backported MDL-67861: IP addresses can be spoofed using X-Forwarded-For
If your server is behind multiple reverse proxies that append to
the X-Forwarded-For header, you will need to specify a comma-separated
list of IP addresses or subnets of the reverse proxies to be ignored in
order to find the user's correct IP address. The header is supplied by the
client, so any entry that was not appended by one of your own proxies
cannot be trusted.
Bug fixes:
TL-23459 Made sure Quiz activity takes passing grade requirement into account when restoring from course backups made with Totara 2.7 or earlier
TL-24779 Ensured "inlist" type audience rule SQL parameters use unique names
This occurred when multiple inlist rules were added to an audience and were
using the IS EMPTY operator.
When encountered, this produced a fatal error.
The inlist rule has now been updated to ensure it uses unique parameter
names.
API changes:
TL-22910 Send filename* instead of filename in the Content-Disposition response header
This patch resolves, in particular, the file name corruption (mojibake)
seen when downloading a file whose name contains non-ASCII characters on
Microsoft Edge 18 or older, by sending the filename* parameter defined in
RFC 6266.
The plain filename parameter (without the asterisk) is no longer sent, to
work around a browser bug in Apple Safari.
Contributions:
* Sergey Vidusov at Androgogic - TL-24779
Release 2.9.51 (29th April 2020):
Security issues:
TL-24587 HTML block no longer allows self-XSS
Prior to this change, users could perform XSS attacks on themselves by
adding an HTML block when customising their dashboard, giving it malicious
content, saving it, and then editing it again.
When customised, a dashboard is only visible to the owning user. However,
an administrator viewing that user's dashboard through the 'Log in as'
functionality would also execute the malicious block, so the impact was
not confined to the user's own session.
This has now been fixed: when editing an HTML block on user pages, the
content is cleaned before it is loaded into the editor.
Bug fixes:
TL-24779 Ensured "inlist" type audience rule SQL parameters use unique names
This occurred when multiple inlist rules were added to an audience and were
using the IS EMPTY operator.
When encountered, this produced a fatal error.
The inlist rule has now been updated to ensure it uses unique parameter
names.
Contributions:
* Sergey Vidusov at Androgogic - TL-24779
Release 2.7.58 (29th April 2020):
Security issues:
TL-24587 HTML block no longer allows self-XSS
Prior to this change, users could perform XSS attacks on themselves by
adding an HTML block when customising their dashboard, giving it malicious
content, saving it, and then editing it again.
When customised, a dashboard is only visible to the owning user. However,
an administrator viewing that user's dashboard through the 'Log in as'
functionality would also execute the malicious block, so the impact was
not confined to the user's own session.
This has now been fixed: when editing an HTML block on user pages, the
content is cleaned before it is loaded into the editor.
Release 2.6.75 (29th April 2020):
Security issues:
TL-24587 HTML block no longer allows self-XSS
Prior to this change, users could perform XSS attacks on themselves by
adding an HTML block when customising their dashboard, giving it malicious
content, saving it, and then editing it again.
When customised, a dashboard is only visible to the owning user. However,
an administrator viewing that user's dashboard through the 'Log in as'
functionality would also execute the malicious block, so the impact was
not confined to the user's own session.
This has now been fixed: when editing an HTML block on user pages, the
content is cleaned before it is loaded into the editor.
Release 2.5.80 (29th April 2020):
Security issues:
TL-24587 HTML block no longer allows self-XSS
Prior to this change, users could perform XSS attacks on themselves by
adding an HTML block when customising their dashboard, giving it malicious
content, saving it, and then editing it again.
When customised, a dashboard is only visible to the owning user. However,
an administrator viewing that user's dashboard through the 'Log in as'
functionality would also execute the malicious block, so the impact was
not confined to the user's own session.
This has now been fixed: when editing an HTML block on user pages, the
content is cleaned before it is loaded into the editor.
Release 2.4.75 (29th April 2020):
Security issues:
TL-24587 HTML block no longer allows self-XSS
Prior to this change, users could perform XSS attacks on themselves by
adding an HTML block when customising their dashboard, giving it malicious
content, saving it, and then editing it again.
When customised, a dashboard is only visible to the owning user. However,
an administrator viewing that user's dashboard through the 'Log in as'
functionality would also execute the malicious block, so the impact was
not confined to the user's own session.
This has now been fixed: when editing an HTML block on user pages, the
content is cleaned before it is loaded into the editor.
API changes:
TL-24579 No longer warn via debugging if the selected theme is not available during installation and upgrade
Release 2.2.76 (29th April 2020):
Security issues:
TL-24587 HTML block no longer allows self-XSS
Prior to this change, users could perform XSS attacks on themselves by
adding an HTML block when customising their dashboard, giving it malicious
content, saving it, and then editing it again.
When customised, a dashboard is only visible to the owning user. However,
an administrator viewing that user's dashboard through the 'Log in as'
functionality would also execute the malicious block, so the impact was
not confined to the user's own session.
This has now been fixed: when editing an HTML block on user pages, the
content is cleaned before it is loaded into the editor.
API changes:
TL-24579 No longer warn via debugging if the selected theme is not available during installation and upgrade
