Hello everyone,

The following versions of Totara TXP/Learn have now been released:

* Release 15.5
* Release 14.10
* Release 13.18
* Release 12.41
* Release 11.50
* Release 10.54
* Release 9.62
* Release 2.9.62
* Release 2.7.67
* Release 2.6.84
* Release 2.5.88
* Release 2.4.83

These releases do contain security fixes, and for this reason we strongly recommend upgrading. Each release also includes bug fixes and improvements.

Kind regards
Dave Curry
Release 15.5 (24th March 2022):

Security issues:

* TL-33486 Cherry-picked MDL-61114 to ensure that assignment overrides observe group membership in the assignment module
  Previously, teachers in an assignment group could modify group overrides for other groups in the same assignment. This has now been fixed.
* TL-33838 Fixed issue with grade report capability not being respected
  In some cases, a learner was still able to view grades even if the capability had been removed. This has been fixed so that the capability is always checked.

Improvements:

* TL-31790 Install/Upgrade environment check added for MariaDB versions 10.6 and later
  A new environment check for the MariaDB database configuration was added to the install and upgrade process.
* TL-33547 Improved layout of labels in legacy course activity adders
* TL-33550 Added support for completion archiving to lesson modules
  Previously the lesson module did not support completion archiving, which meant that if you used the "Reset completions" functionality under "Course administration", lesson data persisted. Support for this has been added: resetting completions for a course now also removes lesson timing data, lesson attempt data, and lesson overrides for completed users in the course.

Bug fixes:

* TL-33158 Fixed the handling of incorrect course enrolment timestamps when creating course completion records
  Previously, the course completion module set the enrolment date to the current time when there were no user enrolment records, so reports that used the completion data showed the wrong enrolment dates. Now the enrolment time is zero when the course completion record is created for unenrolled users; the timeenrolled value in the completion record is only updated when the user actually enrols in the course.
* TL-33173 Fixed database queries failing depending on the locale of the webserver
  Because float-to-string conversion in PHP is locale dependent, database queries could fail if the locale was set to one that uses a different decimal separator (for example German, which uses a comma instead of a dot): a float like 123.456 would be converted to 123,456. This patch converts floats to locale-independent strings before using them in database operations. This was an issue on MySQL and MSSQL.
* TL-33208 Prevented language strings from being HTML-escaped in the search results template
  Previously, the matchingfilename language string was being HTML-escaped in search results, causing raw HTML to display on the page. The included filename itself is already escaped before being inserted into the language string.
* TL-33403 Fixed a bug that was causing notifications to be sent for closed performance activities
* TL-33430 Fixed due date not immediately updating upon creation of completion records during assignment
* TL-33595 Fixed goals not working when multi-tenancy was enabled
  Previously, goals functionality was not fully working when multi-tenancy was enabled, especially if isolation mode was enabled. With this patch goals work within the restrictions of multi-tenancy: company goals can only be managed by system users with system permissions, while company goal assignment and personal goal management can be done by tenant users or their managers (depending on how the permissions are set up). If isolation is enabled, tenant users cannot view company goals or goal frameworks, and the links to these pages are not shown.
* TL-33621 Fixed error when showing menu item sortorder event in the logs
* TL-33635 Fixed a JavaScript error on the competencies tab for learning plans
  Previously, if a user could view but not edit competencies within a learning plan, there was a JavaScript error on the page.
* TL-33638 Fixed minor JavaScript issue when changing drop zones on a drag and drop question
* TL-33706 Fixed the room link placeholder for Seminar notifications
  Previously, if you added the [session:room:link] placeholder to a seminar notification, the link it displayed was incorrect for virtual rooms. This has been fixed to match the correct output used by the [session:rooms] placeholder.
* TL-33726 Fixed missing details in seminar session facilitator confirmation notification
  The details field is now initialised before any notification is sent.
* TL-33780 Fixed notifications not inheriting from immediate natural parent context
  A bug meant that notification preferences created in the immediate parent "natural" context of an "extended" context were not being considered when determining which notifications apply in the extended context. This bug did not affect any core Totara functionality, because the existing notifications were not configured in this way, but it may have affected third-party development.
* TL-33782 Fixed SCORM modules not being loaded in mobile browsers and in the mobile app

Tui front end framework:

* TL-31967 Fixed issue where collapsing the tables on the 'manually rate competencies' page would remove the table header
* TL-33497 Fixed error modal "copy all" in IE 11
* TL-33572 Fixed visual clipping on the ParticipantGeneralInformation TUI component

Recommendations engine:

* TL-33600 Fixed the headers of exported `item_data_x.csv` files for the recommendation engine
  The headers relating to course tags and engage topics were both being prefixed with the string 'topic_'. This caused incorrect computations in the recommendation engine when a tag and a label shared the same name. Tags and labels now get the distinct prefixes 'tag_' and 'topic_', respectively.
* TL-33681 Resolved a warning from the new APScheduler package
* TL-33682 Fixed the favicon issue after the Flask upgrade
* TL-33696 Updated the requirements file with specific library versions
  Prior to this change only directly added libraries were recorded in requirements.txt, so their dependencies resolved to the most recent version available, which could break the engine if a new version introduced a breaking change without signalling it correctly. All dependencies are now pinned to specific versions that have been tested to work with the recommendations engine.

Contributions:

* Brad Simpson at Kineo USA - TL-33547
Release 14.10 (24th March 2022):

Security issues:

* TL-33486 Cherry-picked MDL-61114 to ensure that assignment overrides observe group membership in the assignment module
  Previously, teachers in an assignment group could modify group overrides for other groups in the same assignment. This has now been fixed.
* TL-33838 Fixed issue with grade report capability not being respected
  In some cases, a learner was still able to view grades even if the capability had been removed. This has been fixed so that the capability is always checked.

Improvements:

* TL-31790 Install/Upgrade environment check added for MariaDB versions 10.6 and later
  A new environment check for the MariaDB database configuration was added to the install and upgrade process.
* TL-33547 Improved layout of labels in legacy course activity adders
* TL-33550 Added support for completion archiving to lesson modules
  Previously the lesson module did not support completion archiving, which meant that if you used the "Reset completions" functionality under "Course administration", lesson data persisted. Support for this has been added: resetting completions for a course now also removes lesson timing data, lesson attempt data, and lesson overrides for completed users in the course.

Bug fixes:

* TL-33158 Fixed the handling of incorrect course enrolment timestamps when creating course completion records
  Previously, the course completion module set the enrolment date to the current time when there were no user enrolment records, so reports that used the completion data showed the wrong enrolment dates. Now the enrolment time is zero when the course completion record is created for unenrolled users; the timeenrolled value in the completion record is only updated when the user actually enrols in the course.
* TL-33173 Fixed database queries failing depending on the locale of the webserver
  Because float-to-string conversion in PHP is locale dependent, database queries could fail if the locale was set to one that uses a different decimal separator (for example German, which uses a comma instead of a dot): a float like 123.456 would be converted to 123,456. This patch converts floats to locale-independent strings before using them in database operations. This was an issue on MySQL and MSSQL.
* TL-33208 Prevented language strings from being HTML-escaped in the search results template
  Previously, the matchingfilename language string was being HTML-escaped in search results, causing raw HTML to display on the page. The included filename itself is already escaped before being inserted into the language string.
* TL-33403 Fixed a bug that was causing notifications to be sent for closed performance activities
* TL-33430 Fixed due date not immediately updating upon creation of completion records during assignment
* TL-33595 Fixed goals not working when multi-tenancy was enabled
  Previously, goals functionality was not fully working when multi-tenancy was enabled, especially if isolation mode was enabled. With this patch goals work within the restrictions of multi-tenancy: company goals can only be managed by system users with system permissions, while company goal assignment and personal goal management can be done by tenant users or their managers (depending on how the permissions are set up). If isolation is enabled, tenant users cannot view company goals or goal frameworks, and the links to these pages are not shown.
* TL-33621 Fixed error when showing menu item sortorder event in the logs
* TL-33706 Fixed the room link placeholder for Seminar notifications
  Previously, if you added the [session:room:link] placeholder to a seminar notification, the link it displayed was incorrect for virtual rooms. This has been fixed to match the correct output used by the [session:rooms] placeholder.
* TL-33726 Fixed missing details in seminar session facilitator confirmation notification
  The details field is now initialised before any notification is sent.
* TL-33780 Fixed notifications not inheriting from immediate natural parent context
  A bug meant that notification preferences created in the immediate parent "natural" context of an "extended" context were not being considered when determining which notifications apply in the extended context. This bug did not affect any core Totara functionality, because the existing notifications were not configured in this way, but it may have affected third-party development.

Tui front end framework:

* TL-31967 Fixed issue where collapsing the tables on the 'manually rate competencies' page would remove the table header
* TL-33497 Fixed error modal "copy all" in IE 11
* TL-33572 Fixed visual clipping on the ParticipantGeneralInformation TUI component

Recommendations engine:

* TL-33600 Fixed the headers of exported `item_data_x.csv` files for the recommendation engine
  The headers relating to course tags and engage topics were both being prefixed with the string 'topic_'. This caused incorrect computations in the recommendation engine when a tag and a label shared the same name. Tags and labels now get the distinct prefixes 'tag_' and 'topic_', respectively.
* TL-33696 Updated the requirements file with specific library versions
  Prior to this change only directly added libraries were recorded in requirements.txt, so their dependencies resolved to the most recent version available, which could break the engine if a new version introduced a breaking change without signalling it correctly. All dependencies are now pinned to specific versions that have been tested to work with the recommendations engine.

Contributions:

* Brad Simpson at Kineo USA - TL-33547
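The following script is an added illustration of the TL-33173 locale problem described in the 15.5 and 14.10 notes above; it is not Totara's patch. It assumes a PHP CLI with a comma-decimal locale such as de_DE.UTF-8 installed (the script reports if it is not), and the helper name float_to_sql_string is made up for this example.

```php
<?php
// Added example, not Totara code: reproduces the TL-33173 failure mode and
// shows one locale-independent float-to-string conversion.
// Assumption: a comma-decimal locale (de_DE.UTF-8, de_DE or deu) is installed.

declare(strict_types=1);

/**
 * Convert a float to a string that always uses '.' as the decimal separator,
 * whatever LC_NUMERIC is set to.
 *
 * Before PHP 8.0 a plain (string) cast honours the locale, so under de_DE
 * 123.456 becomes "123,456". A comma inside a SQL numeric literal changes the
 * statement's meaning (or makes it a syntax error), which is how queries failed.
 * PHP 8.0 made the cast locale-independent, so this helper is a no-op there.
 */
function float_to_sql_string(float $value): string {
    $s = (string) $value;
    $dp = localeconv()['decimal_point'];   // e.g. "," under de_DE
    if ($dp !== '.') {
        $s = str_replace($dp, '.', $s);
    }
    return $s;
}

/** Pre-fix behaviour: the float is interpolated straight into the SQL text. */
function build_naive(float $threshold): string {
    return "SELECT id FROM grades WHERE finalgrade > " . $threshold;
}

/** Post-fix behaviour: the float is normalised before it touches the SQL text. */
function build_fixed(float $threshold): string {
    return "SELECT id FROM grades WHERE finalgrade > " . float_to_sql_string($threshold);
}

$previous = setlocale(LC_NUMERIC, '0');                        // remember current locale
$active = setlocale(LC_NUMERIC, 'de_DE.UTF-8', 'de_DE', 'deu'); // try a comma locale

$threshold = 123.456;
echo "locale: " . ($active === false ? "no comma locale installed, both lines will match" : $active) . PHP_EOL;
echo "naive: " . build_naive($threshold) . PHP_EOL; // PHP < 8.0 under de_DE: "... > 123,456"
echo "fixed: " . build_fixed($threshold) . PHP_EOL; // always "... > 123.456"

setlocale(LC_NUMERIC, $previous);
```

The same normalisation matters when a float is bound through placeholders, since any code path that renders the value to a string before it reaches the driver is affected in the same way.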
Release 13.18 (24th March 2022):

Security issues:

* TL-33486 Cherry-picked MDL-61114 to ensure that assignment overrides observe group membership in the assignment module
  Previously, teachers in an assignment group could modify group overrides for other groups in the same assignment. This has now been fixed.
* TL-33838 Fixed issue with grade report capability not being respected
  In some cases, a learner was still able to view grades even if the capability had been removed. This has been fixed so that the capability is always checked.

Improvements:

* TL-31790 Install/Upgrade environment check added for MariaDB versions 10.6 and later
  A new environment check for the MariaDB database configuration was added to the install and upgrade process.
* TL-33547 Improved layout of labels in legacy course activity adders

Bug fixes:

* TL-33158 Fixed the handling of incorrect course enrolment timestamps when creating course completion records
  Previously, the course completion module set the enrolment date to the current time when there were no user enrolment records, so reports that used the completion data showed the wrong enrolment dates. Now the enrolment time is zero when the course completion record is created for unenrolled users; the timeenrolled value in the completion record is only updated when the user actually enrols in the course.
* TL-33208 Prevented language strings from being HTML-escaped in the search results template
  Previously, the matchingfilename language string was being HTML-escaped in search results, causing raw HTML to display on the page. The included filename itself is already escaped before being inserted into the language string.
* TL-33595 Fixed goals not working when multi-tenancy was enabled
  Previously, goals functionality was not fully working when multi-tenancy was enabled, especially if isolation mode was enabled. With this patch goals work within the restrictions of multi-tenancy: company goals can only be managed by system users with system permissions, while company goal assignment and personal goal management can be done by tenant users or their managers (depending on how the permissions are set up). If isolation is enabled, tenant users cannot view company goals or goal frameworks, and the links to these pages are not shown.
* TL-33706 Fixed the room link placeholder for Seminar notifications
  Previously, if you added the [session:room:link] placeholder to a seminar notification, the link it displayed was incorrect for virtual rooms. This has been fixed to match the correct output used by the [session:rooms] placeholder.
* TL-33755 Fixed a bug that was causing overdue notifications to be sent for closed performance activities

Tui front end framework:

* TL-31967 Fixed issue where collapsing the tables on the 'manually rate competencies' page would remove the table header
* TL-33497 Fixed error modal "copy all" in IE 11
* TL-33572 Fixed visual clipping on the ParticipantGeneralInformation TUI component

Recommendations engine:

* TL-33696 Updated the requirements file with specific library versions
  Prior to this change only directly added libraries were recorded in requirements.txt, so their dependencies resolved to the most recent version available, which could break the engine if a new version introduced a breaking change without signalling it correctly. All dependencies are now pinned to specific versions that have been tested to work with the recommendations engine.

Contributions:

* Brad Simpson at Kineo USA - TL-33547
Release 12.41 (24th March 2022):

Security issues:

* TL-33486 Cherry-picked MDL-61114 to ensure that assignment overrides observe group membership in the assignment module
  Previously, teachers in an assignment group could modify group overrides for other groups in the same assignment. This has now been fixed.
* TL-33756 Improved validation of badge criteria to prevent SQL injection
  The profile completion criteria for course badges were vulnerable to SQL injection. The attacker was required to be logged in as a user with a role that has the `moodle/badges:configurecriteria` capability; the Editing Trainer role includes this capability. This vulnerability has been fixed. To check for indicators of compromise, search for "Badge criteria created" and "Badge criteria updated" events in Totara's site logs and then review the corresponding badges. If an exploit has been attempted, error messages about invalid strings will be shown on the Criteria tab for affected badges.
* TL-33838 Fixed issue with grade report capability not being respected
  In some cases, a learner was still able to view grades even if the capability had been removed. This has been fixed so that the capability is always checked.

Bug fixes:

* TL-28557 Backported TL-32970 to make sure no error message appears when expanding categories in the navigation block
* TL-33158 Fixed the handling of incorrect course enrolment timestamps when creating course completion records
  Previously, the course completion module set the enrolment date to the current time when there were no user enrolment records, so reports that used the completion data showed the wrong enrolment dates. Now the enrolment time is zero when the course completion record is created for unenrolled users; the timeenrolled value in the completion record is only updated when the user actually enrols in the course.
* TL-33208 Prevented language strings from being HTML-escaped in the search results template
  Previously, the matchingfilename language string was being HTML-escaped in search results, causing raw HTML to display on the page. The included filename itself is already escaped before being inserted into the language string.
Release 11.50 (24th March 2022):

Security issues:

* TL-33486 Cherry-picked MDL-61114 to ensure that assignment overrides observe group membership in the assignment module
  Previously, teachers in an assignment group could modify group overrides for other groups in the same assignment. This has now been fixed.
* TL-33756 Improved validation of badge criteria to prevent SQL injection
  The profile completion criteria for course badges were vulnerable to SQL injection. The attacker was required to be logged in as a user with a role that has the `moodle/badges:configurecriteria` capability; the Editing Trainer role includes this capability. This vulnerability has been fixed. To check for indicators of compromise, search for "Badge criteria created" and "Badge criteria updated" events in Totara's site logs and then review the corresponding badges. If an exploit has been attempted, error messages about invalid strings will be shown on the Criteria tab for affected badges.
Release 10.54 (24th March 2022):

Security issues:

* TL-33486 Cherry-picked MDL-61114 to ensure that assignment overrides observe group membership in the assignment module
  Previously, teachers in an assignment group could modify group overrides for other groups in the same assignment. This has now been fixed.
* TL-33756 Improved validation of badge criteria to prevent SQL injection
  The profile completion criteria for course badges were vulnerable to SQL injection. The attacker was required to be logged in as a user with a role that has the `moodle/badges:configurecriteria` capability; the Editing Trainer role includes this capability. This vulnerability has been fixed. To check for indicators of compromise, search for "Badge criteria created" and "Badge criteria updated" events in Totara's site logs and then review the corresponding badges. If an exploit has been attempted, error messages about invalid strings will be shown on the Criteria tab for affected badges.
Release 9.62 (24th March 2022):

Security issues:

* TL-33756 Improved validation of badge criteria to prevent SQL injection
  The profile completion criteria for course badges were vulnerable to SQL injection. The attacker was required to be logged in as a user with a role that has the `moodle/badges:configurecriteria` capability; the Editing Trainer role includes this capability. This vulnerability has been fixed. To check for indicators of compromise, search for "Badge criteria created" and "Badge criteria updated" events in Totara's site logs and then review the corresponding badges. If an exploit has been attempted, error messages about invalid strings will be shown on the Criteria tab for affected badges.

Release 2.9.62 (24th March 2022):

Security issues:

* TL-33756 Improved validation of badge criteria to prevent SQL injection
  The profile completion criteria for course badges were vulnerable to SQL injection. The attacker was required to be logged in as a user with a role that has the `moodle/badges:configurecriteria` capability; the Editing Trainer role includes this capability. This vulnerability has been fixed. To check for indicators of compromise, search for "Badge criteria created" and "Badge criteria updated" events in Totara's site logs and then review the corresponding badges. If an exploit has been attempted, error messages about invalid strings will be shown on the Criteria tab for affected badges.

Release 2.7.67 (24th March 2022):

Security issues:

* TL-33756 Improved validation of badge criteria to prevent SQL injection
  The profile completion criteria for course badges were vulnerable to SQL injection. The attacker was required to be logged in as a user with a role that has the `moodle/badges:configurecriteria` capability; the Editing Trainer role includes this capability. This vulnerability has been fixed. To check for indicators of compromise, search for "Badge criteria created" and "Badge criteria updated" events in Totara's site logs and then review the corresponding badges. If an exploit has been attempted, error messages about invalid strings will be shown on the Criteria tab for affected badges.

Release 2.6.84 (24th March 2022):

Security issues:

* TL-33756 Improved validation of badge criteria to prevent SQL injection
  The profile completion criteria for course badges were vulnerable to SQL injection. The attacker was required to be logged in as a user with a role that has the `moodle/badges:configurecriteria` capability; the Editing Trainer role includes this capability. This vulnerability has been fixed. To check for indicators of compromise, search for "Badge criteria created" and "Badge criteria updated" events in Totara's site logs and then review the corresponding badges. If an exploit has been attempted, error messages about invalid strings will be shown on the Criteria tab for affected badges.

Release 2.5.88 (24th March 2022):

Security issues:

* TL-33756 Improved validation of badge criteria to prevent SQL injection
  The profile completion criteria for course badges were vulnerable to SQL injection. The attacker was required to be logged in as a user with a role that has the `moodle/badges:configurecriteria` capability; the Editing Trainer role includes this capability. This vulnerability has been fixed. To check for indicators of compromise, search for "Badge criteria created" and "Badge criteria updated" events in Totara's site logs and then review the corresponding badges. If an exploit has been attempted, error messages about invalid strings will be shown on the Criteria tab for affected badges.

Release 2.4.83 (24th March 2022):

Security issues:

* TL-33756 Improved validation of badge criteria to prevent SQL injection
  The profile completion criteria for course badges were vulnerable to SQL injection. The attacker was required to be logged in as a user with a role that has the `moodle/badges:configurecriteria` capability; the Editing Trainer role includes this capability. This vulnerability has been fixed. To check for indicators of compromise, search for "Badge criteria created" and "Badge criteria updated" events in Totara's site logs and then review the corresponding badges. If an exploit has been attempted, error messages about invalid strings will be shown on the Criteria tab for affected badges.
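To support the indicator-of-compromise check for TL-33756 that the 12.41 through 2.4.83 notes above describe, here is an added CLI script (not Totara's own tooling) that pulls the relevant log events so each badge can be reviewed. It assumes the file sits in the Totara web root next to config.php, that the site writes to the standard log store table logstore_standard_log, and that the "Badge criteria created/updated" events are logged under the Moodle core class names \core\event\badge_criteria_created and \core\event\badge_criteria_updated; confirm those names against your version's log report before relying on the output.

```php
<?php
// Added example, not Totara code: list badge-criteria change events so the
// corresponding badges can be reviewed (TL-33756 indicator-of-compromise check).
// Assumptions: standard log store in use; event class names as in Moodle core.
// Run from the Totara web root: php tl33756_check.php [days]

define('CLI_SCRIPT', true);
require(__DIR__ . '/config.php');

/**
 * Return "Badge criteria created/updated" log events since $since (unix time),
 * newest first, as an array of stdClass records keyed by log id.
 */
function tl33756_criteria_events(int $since): array {
    global $DB;

    // Assumed event class names; the log store keeps the leading backslash.
    $eventnames = [
        '\\core\\event\\badge_criteria_created',   // shown as "Badge criteria created"
        '\\core\\event\\badge_criteria_updated',   // shown as "Badge criteria updated"
    ];
    list($insql, $params) = $DB->get_in_or_equal($eventnames, SQL_PARAMS_NAMED);
    $params['since'] = $since;

    // Placeholders throughout: this script must not introduce the very class
    // of bug it is checking for.
    $sql = "SELECT l.id, l.eventname, l.userid, l.objectid, l.contextinstanceid,
                   l.ip, l.timecreated
              FROM {logstore_standard_log} l
             WHERE l.eventname $insql
               AND l.timecreated >= :since
          ORDER BY l.timecreated DESC";

    return $DB->get_records_sql($sql, $params);
}

// Look back 90 days unless a number of days is given on the command line.
$days = isset($argv[1]) ? max(1, (int) $argv[1]) : 90;
$events = tl33756_criteria_events(time() - $days * DAYSECS);

foreach ($events as $event) {
    // objectid is the criteria record that was created or updated; userid is
    // the account that made the change. Review the badge itself in the UI.
    printf("%s  %-42s user=%-6d criteria=%-6d ip=%s\n",
        date('Y-m-d H:i', $event->timecreated),
        $event->eventname,
        $event->userid,
        $event->objectid,
        $event->ip);
}

printf("%d event(s) in the last %d day(s). Open each affected badge's Criteria tab "
     . "and look for invalid-string error messages.\n", count($events), $days);
```

Pair the output with a review of which accounts hold `moodle/badges:configurecriteria`, since the fix does not retroactively clean up criteria that were saved before the upgrade.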