Totara Release Notes

Totara TXP 14.3, 13.11; Totara Learn 12.34, 11.43, 10.47, 9.56, 2.9.57, 2.7.63, 2.6.80, 2.5.84, 2.4.79 and 2.2.80 are now available

 
Sam Hemelryk
Totara TXP 14.3, 13.11; Totara Learn 12.34, 11.43, 10.47, 9.56, 2.9.57, 2.7.63, 2.6.80, 2.5.84, 2.4.79 and 2.2.80 are now available
par Sam Hemelryk, Friday 6 August 2021, 03:15
Groupe Totara

Hello everyone,

The following versions of Totara Learn have now been released:

These versions do contain security fixes, and for this reason we strongly recommend upgrade.
Each release also includes bug fixes and improvements.

Kind regards
Sam Hemelryk

Release 14.3 (6th August 2021):

Security issues:

    TL-31873       Improved the security of the shibboleth logout functionality
    TL-31886       Fixed an uncontrolled recursion vulnerability in URL downloader plugin

                   An uncontrolled recursion weakness was fixed in the 'URL downloader'
                   plugin. This posed a risk of recursion denial of service.

    TL-31893       Bulk user download now correctly sanitises data when exporting to the HTML format
    TL-31894       Removed firstname argument from emailconfirmation string to prevent a self-registration phishing risk
    TL-31895       Improved the sanitisation of emails triggered for user to user messages

Improvements:

    TL-31763       The information shown when viewing a goal now includes the type

Bug fixes:

    TL-30988       The @mention selector now disappears completely when there are no results
    TL-31369       Temporary managers are now correctly notified when a user signs up to a seminar event

                   Prior to this patch, when a user signed up to a seminar event requiring
                   both the selection of a job assignment, and manager approval and selected a
                   job assignment referencing an active temporary manager, that temporary
                   manager would not be correctly notified of the signup.
                   
                   This has been fixed, and the temporary manager will now be correctly
                   notified at the time of signup.

    TL-31427       Fixed capability check for selecting audience restrictions when editing settings of an existing course activity
    TL-31467       Seminar messages created using Weka editor are now correctly formatted when being sent
    TL-31469       Fixed HR import field mapping when the original field name also exists in import CSV
    TL-31475       Guest users no longer experience an exception when viewing the comments tab for resources

                   This patch refactors capability checks for all Engage interactions
                   (comments, bookmark, like, share) for resources and playlists to ensure
                   consistent read-only behaviour for guests.

    TL-31591       Fixed the handling of special characters used within the custom css theme setting

                   Prior to fix any special characters appearing within the custom CSS theme
                   setting would be incorrectly HTML encoded when being injected into the CSS
                   for the site, leading to invalid CSS.
                   
                   This would affect are any non alpha numeric characters, such as those used
                   in CSS3 selectors, for example the child combinator (>).

    TL-31610       Pressing escape to close a dropdown no longer closes the containing modal
    TL-31654       Seminar cancellation notifications now correctly inform if a manager was also notified
    TL-31728       Fixed the 'Recently viewed' block to use a courses custom image when one has been set
    TL-31757       Ensured user name report builder display classes process html entities correctly for export
    TL-31855       Fixed wrong relationship being preselected as Selection participant in certain circumstances

                   When relationships listed as "Selection participants" in a Linked review
                   question had ids higher than 10 than it resulted in the wrong participant
                   being preselected when editing the question. This has been fixed.

    TL-31901       Ensured progress is displayed for programs and certification in the 'Recently viewed' block
    TL-31902       Fixed error when editing user course completion for course containing URL resource

                   Note this only affects courses that are restored from an older version of
                   Totara into version 13 or above.


API changes:

    TL-31067       Changed the architecture of the mobile plugin to allow subplugins

                   This will allow for greater extensibility of the back-end of the mobile
                   app, along with increased ease of customisation for clients interested in
                   doing so.  The current learning queries have been moved to the first
                   sub-plugin, class stubs have been left in place in case any thing has been
                   extended and persisted queries remain the same place pointing to the moved
                   revolvers to avoid any conflicts with existing customisations.
                   
                   The totara_mobile_me query has also been updated to return version
                   information on any enabled mobile sub-plugins, for now this is limited to
                   the current learning plugin but it allows further flexibility going
                   forwards.


Tui front end framework:

    TL-31560       Improved handling for invalid date formats within the Tui date selector component
    TL-31789       Added closeOnClick prop to TagList component

Release 13.11 (6th August 2021):

Security issues:

    TL-31873       Improved the security of the shibboleth logout functionality
    TL-31886       Fixed an uncontrolled recursion vulnerability in URL downloader plugin

                   An uncontrolled recursion weakness was fixed in the 'URL downloader'
                   plugin. This posed a risk of recursion denial of service.

    TL-31893       Bulk user download now correctly sanitises data when exporting to the HTML format
    TL-31894       Removed firstname argument from emailconfirmation string to prevent a self-registration phishing risk
    TL-31895       Improved the sanitisation of emails triggered for user to user messages

Bug fixes:

    TL-30988       The @mention selector now disappears completely when there are no results
    TL-31369       Temporary managers are now correctly notified when a user signs up to a seminar event

                   Prior to this patch, when a user signed up to a seminar event requiring
                   both the selection of a job assignment, and manager approval and selected a
                   job assignment referencing an active temporary manager, that temporary
                   manager would not be correctly notified of the signup.
                   
                   This has been fixed, and the temporary manager will now be correctly
                   notified at the time of signup.

    TL-31427       Fixed capability check for selecting audience restrictions when editing settings of an existing course activity
    TL-31467       Seminar messages created using Weka editor are now correctly formatted when being sent
    TL-31469       Fixed HR import field mapping when the original field name also exists in import CSV
    TL-31475       Guest users no longer experience an exception when viewing the comments tab for resources

                   This patch refactors capability checks for all Engage interactions
                   (comments, bookmark, like, share) for resources and playlists to ensure
                   consistent read-only behaviour for guests.

    TL-31654       Seminar cancellation notifications now correctly inform if a manager was also notified
    TL-31728       Fixed the 'Recently viewed' block to use a courses custom image when one has been set
    TL-31757       Ensured user name report builder display classes process html entities correctly for export
    TL-31902       Fixed error when editing user course completion for course containing URL resource

                   Note this only affects courses that are restored from an older version of
                   Totara into version 13 or above.


API changes:

    TL-31067       Changed the architecture of the mobile plugin to allow subplugins

                   This will allow for greater extensibility of the back-end of the mobile
                   app, along with increased ease of customisation for clients interested in
                   doing so.  The current learning queries have been moved to the first
                   sub-plugin, class stubs have been left in place in case any thing has been
                   extended and persisted queries remain the same place pointing to the moved
                   revolvers to avoid any conflicts with existing customisations.
                   
                   The totara_mobile_me query has also been updated to return version
                   information on any enabled mobile sub-plugins, for now this is limited to
                   the current learning plugin but it allows further flexibility going
                   forwards.


Tui front end framework:

    TL-31560       Improved handling for invalid date formats within the Tui date selector component

Release 12.34 (6th August 2021):

Security issues:

    TL-31873       Improved the security of the shibboleth logout functionality
    TL-31886       Fixed an uncontrolled recursion vulnerability in URL downloader plugin

                   An uncontrolled recursion weakness was fixed in the 'URL downloader'
                   plugin. This posed a risk of recursion denial of service.

    TL-31893       Bulk user download now correctly sanitises data when exporting to the HTML format
    TL-31894       Removed firstname argument from emailconfirmation string to prevent a self-registration phishing risk
    TL-31895       Improved the sanitisation of emails triggered for user to user messages

Bug fixes:

    TL-31369       Temporary managers are now correctly notified when a user signs up to a seminar event

                   Prior to this patch, when a user signed up to a seminar event requiring
                   both the selection of a job assignment, and manager approval and selected a
                   job assignment referencing an active temporary manager, that temporary
                   manager would not be correctly notified of the signup.
                   
                   This has been fixed, and the temporary manager will now be correctly
                   notified at the time of signup.

    TL-31801       Fixed issue in deprecated trait in report builder causing fatal error

                   If one of the deprecated functions was used a report source a fatal error
                   would occur instead of the expected deprecated message. This only effect
                   sites that have extra report sources that use functions that are deprecated
                   and would make report builder impossible to use.


Release 11.43 (6th August 2021):

Security issues:

    TL-31873       Improved the security of the shibboleth logout functionality
    TL-31886       Fixed an uncontrolled recursion vulnerability in URL downloader plugin

                   An uncontrolled recursion weakness was fixed in the 'URL downloader'
                   plugin. This posed a risk of recursion denial of service.

    TL-31893       Bulk user download now correctly sanitises data when exporting to the HTML format
    TL-31894       Removed firstname argument from emailconfirmation string to prevent a self-registration phishing risk
    TL-31895       Improved the sanitisation of emails triggered for user to user messages

Release 10.47 (6th August 2021):

Security issues:

    TL-31873       Improved the security of the shibboleth logout functionality
    TL-31886       Fixed an uncontrolled recursion vulnerability in URL downloader plugin

                   An uncontrolled recursion weakness was fixed in the 'URL downloader'
                   plugin. This posed a risk of recursion denial of service.

    TL-31893       Bulk user download now correctly sanitises data when exporting to the HTML format
    TL-31894       Removed firstname argument from emailconfirmation string to prevent a self-registration phishing risk
    TL-31895       Improved the sanitisation of emails triggered for user to user messages

Release 9.56 (6th August 2021):

Security issues:

    TL-31873       Improved the security of the shibboleth logout functionality
    TL-31886       Fixed an uncontrolled recursion vulnerability in URL downloader plugin

                   An uncontrolled recursion weakness was fixed in the 'URL downloader'
                   plugin. This posed a risk of recursion denial of service.

    TL-31894       Removed firstname argument from emailconfirmation string to prevent a self-registration phishing risk
    TL-31895       Improved the sanitisation of emails triggered for user to user messages

Release 2.9.57 (6th August 2021):

Security issues:

    TL-31873       Improved the security of the shibboleth logout functionality
    TL-31886       Fixed an uncontrolled recursion vulnerability in URL downloader plugin

                   An uncontrolled recursion weakness was fixed in the 'URL downloader'
                   plugin. This posed a risk of recursion denial of service.

    TL-31894       Removed firstname argument from emailconfirmation string to prevent a self-registration phishing risk
    TL-31895       Improved the sanitisation of emails triggered for user to user messages

Release 2.7.63 (6th August 2021):

Security issues:

    TL-31873       Improved the security of the shibboleth logout functionality
    TL-31886       Fixed an uncontrolled recursion vulnerability in URL downloader plugin

                   An uncontrolled recursion weakness was fixed in the 'URL downloader'
                   plugin. This posed a risk of recursion denial of service.

    TL-31894       Removed firstname argument from emailconfirmation string to prevent a self-registration phishing risk
    TL-31895       Improved the sanitisation of emails triggered for user to user messages

Release 2.6.80 (6th August 2021):

Security issues:

    TL-31873       Improved the security of the shibboleth logout functionality
    TL-31886       Fixed an uncontrolled recursion vulnerability in URL downloader plugin

                   An uncontrolled recursion weakness was fixed in the 'URL downloader'
                   plugin. This posed a risk of recursion denial of service.

    TL-31894       Removed firstname argument from emailconfirmation string to prevent a self-registration phishing risk
    TL-31895       Improved the sanitisation of emails triggered for user to user messages

Release 2.5.84 (6th August 2021):

Security issues:

    TL-31873       Improved the security of the shibboleth logout functionality
    TL-31886       Fixed an uncontrolled recursion vulnerability in URL downloader plugin

                   An uncontrolled recursion weakness was fixed in the 'URL downloader'
                   plugin. This posed a risk of recursion denial of service.

    TL-31894       Removed firstname argument from emailconfirmation string to prevent a self-registration phishing risk
    TL-31895       Improved the sanitisation of emails triggered for user to user messages

Release 2.4.79 (6th August 2021):

Security issues:

    TL-31873       Improved the security of the shibboleth logout functionality
    TL-31886       Fixed an uncontrolled recursion vulnerability in URL downloader plugin

                   An uncontrolled recursion weakness was fixed in the 'URL downloader'
                   plugin. This posed a risk of recursion denial of service.

    TL-31894       Removed firstname argument from emailconfirmation string to prevent a self-registration phishing risk
    TL-31895       Improved the sanitisation of emails triggered for user to user messages

Release 2.2.80 (6th August 2021):

Security issues:

    TL-31873       Improved the security of the shibboleth logout functionality
    TL-31894       Removed firstname argument from emailconfirmation string to prevent a self-registration phishing risk
    TL-31895       Improved the sanitisation of emails triggered for user to user messages