Hello everyone,
The following versions of Totara Learn have now been released:
These versions contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes bug fixes and improvements.
Kind regards,
Dave Curry
Release 16.3 (28th July 2022):
Security issues:
- TL-34908 Increased sanitisation for question upload in the lesson module
  Previously, users with the necessary capability to upload questions for the lesson module (teachers, managers and admins by default) could upload a malformed package, resulting in an arbitrary file read risk.
- TL-34909 Fixed XSS and blind SSRF vulnerabilities in SCORM activities
  Insufficient sanitising of SCORM track details caused XSS and SSRF risks. This has now been fixed.

Improvements:
- TL-34296 Added client-side "alphanumeric" validation and help text for custom field short names to improve user experience
- TL-34570 Added Totara 17 to the Environment Checks page
  Added the new server requirements for Totara 17 to the Admin -> Server -> Environment Checks page. Totara 17 requires a minimum PHP version of 7.4.3.
- TL-34767 Files larger than 5 GB can now be uploaded when using cloud file storage with AWS S3
- TL-34844 Cherry-picked MDL-46542 to allow restricting the duration units menu to a subset of the available units

Bug fixes:
- TL-16199 Added a new capability to allow staff members to change a personal goal that was assigned by their manager
  This new capability, 'managemanagerassignedgoal', is intended to be used in the user context. It is recommended to apply this capability to the Authenticated user role if you want to allow staff members to change personal goals that were assigned by their manager.
- TL-33319 Fixed restoring a course backup on another installation with a different system context id
- TL-34268 Deprecated the workaround_max_input_vars() function
  Because PHP 8.0 defaults to warning when max_input_vars is exceeded, we have deprecated the function used to rebuild input vars from stdin when they exceed the PHP limit. System administrators are recommended to set max_input_vars greater than 5000 in php.ini.
- TL-34367 Prevented iCal attachments being sent in seminar notifications for requests that have not been approved
- TL-34391 Added validation for the MySQL database name during installations without a config.php file
- TL-34461 Fixed the button alignment in the image modal of the Atto editor
- TL-34478 Fixed the current_coursets field in the mobile GraphQL program resolver
  Previously, when the current courseset for a program fetched via the mobile GraphQL calls contained two sets joined by an "and" condition, and the second set was completed before the first set, subsequent fetches would return the current courseset as empty. Subsequent queries will now return the first set, allowing further progress in the program.
- TL-34538 Ensured Program and Certification notification placeholders display correctly when editing a notification after upgrade from T13
- TL-34546 Fixed the incorrect notification type being displayed
  In the system context, notifications will now display as Factory (a built-in notification provided by Totara), Amended (some property has been overridden from the default) or Custom (manually created in this context). In other contexts they display as Inherited, Amended or Custom.
- TL-34548 Fixed hiding draft responses for the 'hide incomplete responses' setting
- TL-34676 Fixed overridden titles in user profile blocks not being visible
- TL-34689 Fixed seminar sessions placeholder replacement when the opening tag is at the start of the message
- TL-34692 Fixed the use of an undefined subject_instance table alias
- TL-34740 Ensured the notification upgrade script from TL-34108 works properly for MySQL/MariaDB
- TL-34741 Fixed backup_nested_element for notifications (mod_facetoface)
- TL-34795 Increased the column length for course section titles to better support the multiple language filter
- TL-34806 Fixed custom field multi checkboxes alignment
- TL-34815 Fixed string to float conversion in the quiz module
- TL-34822 Removed container_perform and container_workspace from course backup searches
- TL-34837 Fixed an error when adding a date filter with the 'between dates' option disabled to a report
- TL-34869 Fixed the "member added" string in workspace notifications

Tui front end framework:
- TL-34086 Updated webpack and other packages to support Node 18
  If you have previously customised webpack builds using the hooks in build.config.js or by modifying the core webpack configuration, you may have to update these to be compatible with webpack 5. If you have not made any customisations to the webpack builds, you shouldn't need to take any action here.

Library updates:
- TL-34375 Updated the SVGGraph library to improve support for PHP 8.1
- TL-34383 Updated the scssphp library to improve support for PHP 8.1
Release 15.9 (28th July 2022):
Security issues:
- TL-34908 Increased sanitisation for question upload in the lesson module
  Previously, users with the necessary capability to upload questions for the lesson module (teachers, managers and admins by default) could upload a malformed package, resulting in an arbitrary file read risk.
- TL-34909 Fixed XSS and blind SSRF vulnerabilities in SCORM activities
  Insufficient sanitising of SCORM track details caused XSS and SSRF risks. This has now been fixed.

Improvements:
- TL-34296 Added client-side "alphanumeric" validation and help text for custom field short names to improve user experience
- TL-34570 Added Totara 17 to the Environment Checks page
  Added the new server requirements for Totara 17 to the Admin -> Server -> Environment Checks page. Totara 17 requires a minimum PHP version of 7.4.3.
- TL-34767 Files larger than 5 GB can now be uploaded when using cloud file storage with AWS S3
- TL-34844 Cherry-picked MDL-46542 to allow restricting the duration units menu to a subset of the available units

Bug fixes:
- TL-16199 Added a new capability to allow staff members to change a personal goal that was assigned by their manager
  This new capability, 'managemanagerassignedgoal', is intended to be used in the user context. It is recommended to apply this capability to the Authenticated user role if you want to allow staff members to change personal goals that were assigned by their manager.
- TL-33319 Fixed restoring a course backup on another installation with a different system context id
- TL-34268 Deprecated the workaround_max_input_vars() function
  Because PHP 8.0 defaults to warning when max_input_vars is exceeded, we have deprecated the function used to rebuild input vars from stdin when they exceed the PHP limit. System administrators are recommended to set max_input_vars greater than 5000 in php.ini.
- TL-34367 Prevented iCal attachments being sent in seminar notifications for requests that have not been approved
- TL-34391 Added validation for the MySQL database name during installations without a config.php file
- TL-34538 Ensured Program and Certification notification placeholders display correctly when editing a notification after upgrade from T13
- TL-34546 Fixed the incorrect notification type being displayed
  In the system context, notifications will now display as Factory (a built-in notification provided by Totara), Amended (some property has been overridden from the default) or Custom (manually created in this context). In other contexts they display as Inherited, Amended or Custom.
- TL-34692 Fixed the use of an undefined subject_instance table alias
- TL-34740 Ensured the notification upgrade script from TL-34108 works properly for MySQL/MariaDB
- TL-34741 Fixed backup_nested_element for notifications (mod_facetoface)
- TL-34795 Increased the column length for course section titles to better support the multiple language filter
- TL-34806 Fixed custom field multi checkboxes alignment
- TL-34815 Fixed string to float conversion in the quiz module
- TL-34822 Removed container_perform and container_workspace from course backup searches
- TL-34837 Fixed an error when adding a date filter with the 'between dates' option disabled to a report
- TL-34869 Fixed the "member added" string in workspace notifications

Tui front end framework:
- TL-34086 Updated webpack and other packages to support Node 18
  If you have previously customised webpack builds using the hooks in build.config.js or by modifying the core webpack configuration, you may have to update these to be compatible with webpack 5. If you have not made any customisations to the webpack builds, you shouldn't need to take any action here.
Release 14.14 (28th July 2022):
Security issues:
- TL-34908 Increased sanitisation for question upload in the lesson module
  Previously, users with the necessary capability to upload questions for the lesson module (teachers, managers and admins by default) could upload a malformed package, resulting in an arbitrary file read risk.
- TL-34909 Fixed XSS and blind SSRF vulnerabilities in SCORM activities
  Insufficient sanitising of SCORM track details caused XSS and SSRF risks. This has now been fixed.

Improvements:
- TL-34296 Added client-side "alphanumeric" validation and help text for custom field short names to improve user experience
- TL-34570 Added Totara 17 to the Environment Checks page
  Added the new server requirements for Totara 17 to the Admin -> Server -> Environment Checks page. Totara 17 requires a minimum PHP version of 7.4.3.
- TL-34767 Files larger than 5 GB can now be uploaded when using cloud file storage with AWS S3
- TL-34844 Cherry-picked MDL-46542 to allow restricting the duration units menu to a subset of the available units

Bug fixes:
- TL-16199 Added a new capability to allow staff members to change a personal goal that was assigned by their manager
  This new capability, 'managemanagerassignedgoal', is intended to be used in the user context. It is recommended to apply this capability to the Authenticated user role if you want to allow staff members to change personal goals that were assigned by their manager.
- TL-33319 Fixed restoring a course backup on another installation with a different system context id
- TL-34268 Deprecated the workaround_max_input_vars() function
  Because PHP 8.0 defaults to warning when max_input_vars is exceeded, we have deprecated the function used to rebuild input vars from stdin when they exceed the PHP limit. System administrators are recommended to set max_input_vars greater than 5000 in php.ini.
- TL-34367 Prevented iCal attachments being sent in seminar notifications for requests that have not been approved
- TL-34391 Added validation for the MySQL database name during installations without a config.php file
- TL-34538 Ensured Program and Certification notification placeholders display correctly when editing a notification after upgrade from T13
- TL-34546 Fixed the incorrect notification type being displayed
  In the system context, notifications will now display as Factory (a built-in notification provided by Totara), Amended (some property has been overridden from the default) or Custom (manually created in this context). In other contexts they display as Inherited, Amended or Custom.
- TL-34692 Fixed the use of an undefined subject_instance table alias
- TL-34741 Fixed backup_nested_element for notifications (mod_facetoface)
- TL-34822 Removed container_perform and container_workspace from course backup searches
- TL-34837 Fixed an error when adding a date filter with the 'between dates' option disabled to a report

Tui front end framework:
- TL-34086 Updated webpack and other packages to support Node 18
  If you have previously customised webpack builds using the hooks in build.config.js or by modifying the core webpack configuration, you may have to update these to be compatible with webpack 5. If you have not made any customisations to the webpack builds, you shouldn't need to take any action here.
Release 13.22 (28th July 2022):
Security issues:
- TL-34908 Increased sanitisation for question upload in the lesson module
  Previously, users with the necessary capability to upload questions for the lesson module (teachers, managers and admins by default) could upload a malformed package, resulting in an arbitrary file read risk.
- TL-34909 Fixed XSS and blind SSRF vulnerabilities in SCORM activities
  Insufficient sanitising of SCORM track details caused XSS and SSRF risks. This has now been fixed.

Improvements:
- TL-34570 Added Totara 17 to the Environment Checks page
  Added the new server requirements for Totara 17 to the Admin -> Server -> Environment Checks page. Totara 17 requires a minimum PHP version of 7.4.3.
- TL-34767 Files larger than 5 GB can now be uploaded when using cloud file storage with AWS S3
- TL-34844 Cherry-picked MDL-46542 to allow restricting the duration units menu to a subset of the available units

Bug fixes:
- TL-16199 Added a new capability to allow staff members to change a personal goal that was assigned by their manager
  This new capability, 'managemanagerassignedgoal', is intended to be used in the user context. It is recommended to apply this capability to the Authenticated user role if you want to allow staff members to change personal goals that were assigned by their manager.
- TL-33319 Fixed restoring a course backup on another installation with a different system context id
- TL-34268 Deprecated the workaround_max_input_vars() function
  Because PHP 8.0 defaults to warning when max_input_vars is exceeded, we have deprecated the function used to rebuild input vars from stdin when they exceed the PHP limit. System administrators are recommended to set max_input_vars greater than 5000 in php.ini.
- TL-34367 Prevented iCal attachments being sent in seminar notifications for requests that have not been approved
- TL-34391 Added validation for the MySQL database name during installations without a config.php file
- TL-34692 Fixed the use of an undefined subject_instance table alias
- TL-34837 Fixed an error when adding a date filter with the 'between dates' option disabled to a report

Tui front end framework:
- TL-34086 Updated webpack and other packages to support Node 18
  If you have previously customised webpack builds using the hooks in build.config.js or by modifying the core webpack configuration, you may have to update these to be compatible with webpack 5. If you have not made any customisations to the webpack builds, you shouldn't need to take any action here.
Release 12.45 (28th July 2022):
Security issues:
- TL-34908 Increased sanitisation for question upload in the lesson module
  Previously, users with the necessary capability to upload questions for the lesson module (teachers, managers and admins by default) could upload a malformed package, resulting in an arbitrary file read risk.
- TL-34909 Fixed XSS and blind SSRF vulnerabilities in SCORM activities
  Insufficient sanitising of SCORM track details caused XSS and SSRF risks. This has now been fixed.