Totara Release Notes

Totara TXP 16.3, 15.9, 14.14, 13.22 and Totara learn 12.45 are now available

 
David Curry (Core Developer)
Totara TXP 16.3, 15.9, 14.14, 13.22 and Totara learn 12.45 are now available
par David Curry (Core Developer), Wednesday 27 July 2022, 19:49
Groupe Totara

Hello everyone,

The following versions of Totara Learn have now been released:

These versions do contain security fixes, and for this reason we strongly recommend upgrade.
Each release also includes bug fixes and improvements.

Kind regards,
Dave Curry

Release 16.3 (28th July 2022):

Security issues:

    TL-34908       Increased sanitisation for question upload in the lesson module 

                   Previously users with the necessary capability to upload questions for the
                   lesson module (teachers, managers, and admins by default), could potentially
                   upload a malformed package resulting in an arbitrary file read risk.

    TL-34909       Fixed XSS and blind SSRF vulnerability in SCORM activities

                   Insufficient sanitising of SCORM track details caused XSS and SSRF risks. This
                   has now been fixed.


Improvements:

    TL-34296       Added client side "alphanumeric" validation and help text for custom field short names  to improve user experience
    TL-34570       Added Totara 17 to the Environment Checks page

                   Added the new server requirements for Totara 17 to the Admin -> Server ->
                   Environment Checks page. Totara 17 requires a minimum PHP version of 7.4.3.

    TL-34767       Files larger than 5gb can now be uploaded when using cloud file storage with AWS S3
    TL-34844       Cherry-picked MDL-46542 to allow restricting duration units menu to a subset of the available units

Bug fixes:

    TL-16199       Added a new capability to allow staff members to change a personal goal that was assigned by their manager

                   This new capability 'managemanagerassignedgoal' is intended to be used in the
                   user context.  It is recommended to apply this capability to the Authenticated
                   user role, if you want to allow staff members to change personal goals that were
                   assigned by their manager

    TL-33319       Fixed restoring a course backup on another installation with a different system context id
    TL-34268       Deprecated workaround_max_input_vars() function

                   Because PHP 8.0 defaults to warning when max_input_vars is exceeded, we have
                   deprecated the function used to rebuild input vars from stdin when they exceed
                   the PHP limit. System administrators are recommended to set max_input_vars
                   greater than 5000 in php.ini.

    TL-34367       Prevented ical attachments being sent in seminar notifications for requests that have not been approved
    TL-34391       Added validation for the MySQL database name during the installations without a config.php file
    TL-34461       Fixed the button alignment in the image modal of the Atto editor
    TL-34478       Fixed the current_coursets field in the mobile GraphQL program resolver

                   Previously when the current courseset for a program fetched via the mobile
                   graphql calls contained 2 sets joined by an "and" condition, if the second set
                   was completed before the first set then subsequent fetches would return the
                   current courseset as empty. Subsequent queries will now return the first set
                   allowing further progress in the program.

    TL-34538       Ensured Program and Certification notification placeholders display correctly when editing a notification after upgrade from T13
    TL-34546       Fixed the incorrect notification type being displayed

                   Notifications will now display as Factory (meaning that it is a built-in
                   notification provided by Totara), Amended (meaning that some property has been
                   overridden from the default) or Custom (meaning that it was manually created in
                   this context) when in the system context. Or as Inherited, Amended or Custom in
                   other contexts.

    TL-34548       Fixed hiding draft responses for 'hide incomplete responses' setting
    TL-34676       Fixed overridden titles in user profile blocks not being visible
    TL-34689       Fixed seminar sessions placeholder replacement when the opening tag is at the start of the message
    TL-34692       Fixed the use of an undefined subject_instance table alias
    TL-34740       Ensured the notification upgrade script from TL-34108 works properly for MySQL/MariaDB
    TL-34741       Fixed backup_nested_element for notifications (mod_facetoface)
    TL-34795       Increased the column length for course section titles to better support the multiple language filter
    TL-34806       Fixed custom field multi checkboxes alignment
    TL-34815       Fixed string to float conversion in the quiz module
    TL-34822       Removed container_perform and container_workspace from course backup searches
    TL-34837       Fixed an error when adding a date filter with the 'between dates' option disabled to a report
    TL-34869       Fixed the "member added" string in workspace notifications

Tui front end framework:

    TL-34086       Updated webpack and other packages to support Node 18

                   If you have previously customised webpack builds using the hooks
                   in {{build.config.js}} or by modifying the core webpack configuration, you may
                   have to update these to be compatible with webpack 5. If you have not made any
                   customisations to the webpack builds, you shouldn't need to take any action
                   here.


Library updates:

    TL-34375       Updated the SVGGraph library to improve support for PHP 8.1
    TL-34383       Updated the SCSSSPHP library to improve support for PHP 8.1

Release 15.9 (28th July 2022):

Security issues:

    TL-34908       Increased sanitisation for question upload in the lesson module 

                   Previously users with the necessary capability to upload questions for the
                   lesson module (teachers, managers, and admins by default), could potentially
                   upload a malformed package resulting in an arbitrary file read risk.

    TL-34909       Fixed XSS and blind SSRF vulnerability in SCORM activities

                   Insufficient sanitising of SCORM track details caused XSS and SSRF risks. This
                   has now been fixed.


Improvements:

    TL-34296       Added client side "alphanumeric" validation and help text for custom field short names  to improve user experience
    TL-34570       Added Totara 17 to the Environment Checks page

                   Added the new server requirements for Totara 17 to the Admin -> Server ->
                   Environment Checks page. Totara 17 requires a minimum PHP version of 7.4.3.

    TL-34767       Files larger than 5gb can now be uploaded when using cloud file storage with AWS S3
    TL-34844       Cherry-picked MDL-46542 to allow restricting duration units menu to a subset of the available units

Bug fixes:

    TL-16199       Added a new capability to allow staff members to change a personal goal that was assigned by their manager

                   This new capability 'managemanagerassignedgoal' is intended to be used in the
                   user context.  It is recommended to apply this capability to the Authenticated
                   user role, if you want to allow staff members to change personal goals that were
                   assigned by their manager

    TL-33319       Fixed restoring a course backup on another installation with a different system context id
    TL-34268       Deprecated workaround_max_input_vars() function

                   Because PHP 8.0 defaults to warning when max_input_vars is exceeded, we have
                   deprecated the function used to rebuild input vars from stdin when they exceed
                   the PHP limit. System administrators are recommended to set max_input_vars
                   greater than 5000 in php.ini.

    TL-34367       Prevented ical attachments being sent in seminar notifications for requests that have not been approved
    TL-34391       Added validation for the MySQL database name during the installations without a config.php file
    TL-34538       Ensured Program and Certification notification placeholders display correctly when editing a notification after upgrade from T13
    TL-34546       Fixed the incorrect notification type being displayed

                   Notifications will now display as Factory (meaning that it is a built-in
                   notification provided by Totara), Amended (meaning that some property has been
                   overridden from the default) or Custom (meaning that it was manually created in
                   this context) when in the system context. Or as Inherited, Amended or Custom in
                   other contexts.

    TL-34692       Fixed the use of an undefined subject_instance table alias
    TL-34740       Ensured the notification upgrade script from TL-34108 works properly for MySQL/MariaDB
    TL-34741       Fixed backup_nested_element for notifications (mod_facetoface)
    TL-34795       Increased the column length for course section titles to better support the multiple language filter
    TL-34806       Fixed custom field multi checkboxes alignment
    TL-34815       Fixed string to float conversion in the quiz module
    TL-34822       Removed container_perform and container_workspace from course backup searches
    TL-34837       Fixed an error when adding a date filter with the 'between dates' option disabled to a report
    TL-34869       Fixed the "member added" string in workspace notifications

Tui front end framework:

    TL-34086       Updated webpack and other packages to support Node 18

                   If you have previously customised webpack builds using the hooks
                   in {{build.config.js}} or by modifying the core webpack configuration, you may
                   have to update these to be compatible with webpack 5. If you have not made any
                   customisations to the webpack builds, you shouldn't need to take any action
                   here.


Release 14.14 (28th July 2022):

Security issues:

    TL-34908       Increased sanitisation for question upload in the lesson module 

                   Previously users with the necessary capability to upload questions for the
                   lesson module (teachers, managers, and admins by default), could potentially
                   upload a malformed package resulting in an arbitrary file read risk.

    TL-34909       Fixed XSS and blind SSRF vulnerability in SCORM activities

                   Insufficient sanitising of SCORM track details caused XSS and SSRF risks. This
                   has now been fixed.


Improvements:

    TL-34296       Added client side "alphanumeric" validation and help text for custom field short names  to improve user experience
    TL-34570       Added Totara 17 to the Environment Checks page

                   Added the new server requirements for Totara 17 to the Admin -> Server ->
                   Environment Checks page. Totara 17 requires a minimum PHP version of 7.4.3.

    TL-34767       Files larger than 5gb can now be uploaded when using cloud file storage with AWS S3
    TL-34844       Cherry-picked MDL-46542 to allow restricting duration units menu to a subset of the available units

Bug fixes:

    TL-16199       Added a new capability to allow staff members to change a personal goal that was assigned by their manager

                   This new capability 'managemanagerassignedgoal' is intended to be used in the
                   user context.  It is recommended to apply this capability to the Authenticated
                   user role, if you want to allow staff members to change personal goals that were
                   assigned by their manager

    TL-33319       Fixed restoring a course backup on another installation with a different system context id
    TL-34268       Deprecated workaround_max_input_vars() function

                   Because PHP 8.0 defaults to warning when max_input_vars is exceeded, we have
                   deprecated the function used to rebuild input vars from stdin when they exceed
                   the PHP limit. System administrators are recommended to set max_input_vars
                   greater than 5000 in php.ini.

    TL-34367       Prevented ical attachments being sent in seminar notifications for requests that have not been approved
    TL-34391       Added validation for the MySQL database name during the installations without a config.php file
    TL-34538       Ensured Program and Certification notification placeholders display correctly when editing a notification after upgrade from T13
    TL-34546       Fixed the incorrect notification type being displayed

                   Notifications will now display as Factory (meaning that it is a built-in
                   notification provided by Totara), Amended (meaning that some property has been
                   overridden from the default) or Custom (meaning that it was manually created in
                   this context) when in the system context. Or as Inherited, Amended or Custom in
                   other contexts.

    TL-34692       Fixed the use of an undefined subject_instance table alias
    TL-34741       Fixed backup_nested_element for notifications (mod_facetoface)
    TL-34822       Removed container_perform and container_workspace from course backup searches
    TL-34837       Fixed an error when adding a date filter with the 'between dates' option disabled to a report

Tui front end framework:

    TL-34086       Updated webpack and other packages to support Node 18

                   If you have previously customised webpack builds using the hooks
                   in {{build.config.js}} or by modifying the core webpack configuration, you may
                   have to update these to be compatible with webpack 5. If you have not made any
                   customisations to the webpack builds, you shouldn't need to take any action
                   here.


Release 13.22 (28th July 2022):

Security issues:

    TL-34908       Increased sanitisation for question upload in the lesson module 

                   Previously users with the necessary capability to upload questions for the
                   lesson module (teachers, managers, and admins by default), could potentially
                   upload a malformed package resulting in an arbitrary file read risk.

    TL-34909       Fixed XSS and blind SSRF vulnerability in SCORM activities

                   Insufficient sanitising of SCORM track details caused XSS and SSRF risks. This
                   has now been fixed.


Improvements:

    TL-34570       Added Totara 17 to the Environment Checks page

                   Added the new server requirements for Totara 17 to the Admin -> Server ->
                   Environment Checks page. Totara 17 requires a minimum PHP version of 7.4.3.

    TL-34767       Files larger than 5gb can now be uploaded when using cloud file storage with AWS S3
    TL-34844       Cherry-picked MDL-46542 to allow restricting duration units menu to a subset of the available units

Bug fixes:

    TL-16199       Added a new capability to allow staff members to change a personal goal that was assigned by their manager

                   This new capability 'managemanagerassignedgoal' is intended to be used in the
                   user context.  It is recommended to apply this capability to the Authenticated
                   user role, if you want to allow staff members to change personal goals that were
                   assigned by their manager

    TL-33319       Fixed restoring a course backup on another installation with a different system context id
    TL-34268       Deprecated workaround_max_input_vars() function

                   Because PHP 8.0 defaults to warning when max_input_vars is exceeded, we have
                   deprecated the function used to rebuild input vars from stdin when they exceed
                   the PHP limit. System administrators are recommended to set max_input_vars
                   greater than 5000 in php.ini.

    TL-34367       Prevented ical attachments being sent in seminar notifications for requests that have not been approved
    TL-34391       Added validation for the MySQL database name during the installations without a config.php file
    TL-34692       Fixed the use of an undefined subject_instance table alias
    TL-34837       Fixed an error when adding a date filter with the 'between dates' option disabled to a report

Tui front end framework:

    TL-34086       Updated webpack and other packages to support Node 18

                   If you have previously customised webpack builds using the hooks
                   in {{build.config.js}} or by modifying the core webpack configuration, you may
                   have to update these to be compatible with webpack 5. If you have not made any
                   customisations to the webpack builds, you shouldn't need to take any action
                   here.


Release 12.45 (28th July 2022):

Security issues:

    TL-34908       Increased sanitisation for question upload in the lesson module 

                   Previously users with the necessary capability to upload questions for the
                   lesson module (teachers, managers, and admins by default), could potentially
                   upload a malformed package resulting in an arbitrary file read risk.

    TL-34909       Fixed XSS and blind SSRF vulnerability in SCORM activities

                   Insufficient sanitising of SCORM track details caused XSS and SSRF risks. This
                   has now been fixed.