Hello everyone,
The following versions of Totara Learn have now been released:
Some of these versions do contain security fixes, and for this reason we strongly recommend upgrading. Each release also includes various bug fixes and improvements.
It is also recommended to read the TL-36400 changelog directly below, which introduces a config setting that will affect users installing and upgrading to versions 17.4 or higher.
Kind regards
Release Team
Release 17.4 (28th February 2023):
Important:

TL-36400 Fixed that unauthenticated users can view upgrade pages and trigger upgrade

This patch disables web upgrade on sites that do not have an upgrade key configured. In order to upgrade to this and future versions of Totara, please use the CLI upgrade script (php server/admin/cli/upgrade.php) or set a value for `$CFG->upgradekey` in config.php. You will need to enter the same key in the web upgrade form.

Note: This upgrade key will also be required for new installs run via the web interface.

Security issues:

TL-35501 Limited the amount of results for message area user search external function

To mitigate the risk of denial of service, changes have been made to the external function 'core_message_data_for_messagearea_search_users' regarding the validation of the optional 'limitnum' parameter:
- The maximum possible value for the parameter is set to a default of 20, but can be overridden by setting a different value in config.php for $CFG->message_area_search_max_limitnum. Please make use of this if you need to call this external function with a 'limitnum' parameter greater than 20.
- A value of integer zero (the default when the parameter was omitted) will not return unlimited results anymore. It will return up to the configured maximum amount.
- Null value, negative values and values above the configured maximum amount will lead to an error.

TL-36120 Fixed Self-XSS possibility when dragging and dropping files in the file upload dialogue

Improvements:

TL-36327 Improved the gap between course multi-select custom fields

Bug fixes:

TL-35226 Fixed an issue where changes to language strings in countries.php were not being saved if the key contained upper-case letters

TL-35259 Fixed the 'Time to complete (since start date)' column in the 'Course Completion' report source not being calculated correctly

TL-35521 Fixed being able to bypass sequential navigation in quizzes using web services

TL-35706 Allowed user with 'addattendees' capability, but not 'signup' capability, to add seminar attendees

Previously both capabilities were required to book or waitlist other users on seminars.

TL-35728 Prevented notification event processing task from blocking other tasks

Previously, the 'Queue event scheduled task' (\totara_notification\task\process_event_queue_task) was marked as a blocking task. This meant that it would need to complete before other scheduled or adhoc tasks could run. It is safe to run other tasks while processing notifiable events, so we have removed the blocking flag from this task.

TL-35859 Fixed SCORM activity allowing more than the maximum number of attempts in some cases

The way that the number of attempts is counted when a learner opens a SCORM activity is determined by the 'Force new attempt' setting. If 'Force new attempt' is set to 'Always', or if 'Force new attempt' is set to 'No' and the user tries a new attempt, the number of attempts that have been made is simply the learner's total number of attempts to date. However, if 'Force new attempt' is set to 'When previous attempt completed, passed or failed', then only completed attempts should count as attempts that have been made. Previously, all attempts were counted in this case.

Also, the displayed number of attempts remaining in the table of contents was computed incorrectly when 'Force new attempt' was set to 'Always' or 'No', because only completed attempts were counted. All attempts are counted now.

Finally, the method of determining completed attempts has been refactored to work correctly for SCORM 2004. Previously, failed attempts did not count as completed.

TL-36168 Fixed the format not being applied to Weka content on bold, hashtags, mentions, or placeholders

TL-36169 Fixed tenant users with job assignment capabilities being able to see members of other tenants

TL-36246 Decreased the memory usage by send_messages_task script to avoid out-of-memory errors

If the send_messages_task script was failing due to out-of-memory before, it will send all previously-queued notifications at once after this fix.

TL-36402 Fixed formatting (including multi lang compatibility) for notification placeholders

The formatting (including multi lang compatibility) of the following placeholders has been fixed:
* Workspace full_name
* Course name
* Activity name (including Seminar)
* Seminar event details
* Performance activity name
* User description

TL-36431 Fixed inline seminar editing updating calendar entries for all seminar events

TL-36476 Fixed incorrect formatting of the [all_sessions] placeholder in seminar notifications

TL-36528 Made sure new job relationship upgrade steps are applied if missed previously

A previous ticket, TL-33602, increased the version number for the totara_job plugin incorrectly to the same version on all affected branches (11 and higher). This can result in some upgrade steps (adding new perform relationships) being skipped during upgrade to Totara 13 or 16. This patch ensures the missing upgrade steps are run and the missing relationships are added in all cases.

TL-36554 Fixed Redis caching issue when using Redis with read-only replication and no compression

A bug was introduced in 17.3 with the addition of the compression option which affects sites making use of Redis read-only replicas. Sites configured in this way will receive fatal errors due to a lack of serialization on the replicas.

TL-36631 Fixed issue with program message paragraph formatting not being maintained during the upgrade

When the message contains line breaks, it must be considered a separate paragraph. Otherwise, the line break won't work with the Weka editor after the migration.

Technical changes:

TL-36430 Added a new hook 'auth_enable' to allow watchers to interrupt the enabling of a specific auth plugin

Adds a new core hook which can be used by third party plugins to prevent specific auth plugins from being enabled, and optionally provide a reason which will be displayed to the user if they try to enable one.

Library updates:

TL-35875 Upgraded library Video.js to 7.21.1
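
The two config.php settings described under TL-36400 and TL-35501 (the latter also ships in 16.10), as an added example that is not part of the original announcement and is not Totara's own code: a shell audit that reports whether `$CFG->upgradekey` is set and which ceiling applies to 'limitnum'. The function names, the 24-character minimum key length, the treatment of an empty key as "not configured" and the sample config files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Totara code): audit a config.php for the two settings
# introduced by TL-36400 and TL-35501. Sample files below are constructed.

MIN_KEY_LEN=24   # assumption: local policy for key length, not a Totara rule

# Print the last value assigned to $CFG->$1 in file $2. Lines commented out
# with // or # are ignored; /* ... */ blocks are not parsed.
cfg_value() {
    sed -n -E "s/^[[:space:]]*\\\$CFG->$1[[:space:]]*=[[:space:]]*['\"]?([^'\";]*)['\"]?[[:space:]]*;.*$/\1/p" "$2" | tail -n 1
}

# 0 = key configured, 1 = no key (web upgrade and web install are disabled,
# CLI upgrade only), 2 = key present but shorter than MIN_KEY_LEN.
audit_upgradekey() {
    key=$(cfg_value upgradekey "$1")
    if [ -z "$key" ]; then   # assumption: an empty string counts as "not configured"
        echo "$1: no upgradekey; run php server/admin/cli/upgrade.php"; return 1
    fi
    if [ "${#key}" -lt "$MIN_KEY_LEN" ]; then
        echo "$1: upgradekey shorter than $MIN_KEY_LEN characters"; return 2
    fi
    echo "$1: upgradekey configured"
}

# Ceiling for 'limitnum': the config.php override if present, else the default 20.
effective_limit_max() {
    max=$(cfg_value message_area_search_max_limitnum "$1")
    echo "${max:-20}"
}

# Caller-side pre-check mirroring the changelog rules ($1 = config, $2 = limitnum):
# 0 -> up to the maximum, 1..max -> as requested, anything else -> error.
check_limitnum() {
    max=$(effective_limit_max "$1")
    case "$2" in ''|*[!0-9]*) echo error; return 1 ;; esac   # null, negative, non-integer
    if [ "$2" -gt "$max" ]; then echo error; return 1; fi
    if [ "$2" -eq 0 ]; then echo "$max"; else echo "$2"; fi
}

SAMPLES=$(mktemp -d)
cat > "$SAMPLES/nokey.php" <<'EOF'
<?php
// $CFG->upgradekey = 'commented-out-so-not-active';
$CFG->wwwroot = 'https://lms.example.test';
EOF
cat > "$SAMPLES/keyed.php" <<'EOF'
<?php
$CFG->upgradekey = 'constructed-sample-key-0123456789abcdef';
$CFG->message_area_search_max_limitnum = 50;
EOF

for f in "$SAMPLES/nokey.php" "$SAMPLES/keyed.php"; do
    audit_upgradekey "$f" || true
    echo "  limitnum ceiling: $(effective_limit_max "$f"), limitnum=0 returns up to: $(check_limitnum "$f" 0)"
done
```

Pointing the functions at the site's real config.php before upgrading shows whether the web upgrade form will be available or the CLI script is the only route.
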
Release 16.10 (28th February 2023):
Security issues:

TL-35501 Limited the amount of results for message area user search external function

To mitigate the risk of denial of service, changes have been made to the external function 'core_message_data_for_messagearea_search_users' regarding the validation of the optional 'limitnum' parameter:
- The maximum possible value for the parameter is set to a default of 20, but can be overridden by setting a different value in config.php for $CFG->message_area_search_max_limitnum. Please make use of this if you need to call this external function with a 'limitnum' parameter greater than 20.
- A value of integer zero (the default when the parameter was omitted) will not return unlimited results anymore. It will return up to the configured maximum amount.
- Null value, negative values and values above the configured maximum amount will lead to an error.

TL-36120 Fixed Self-XSS possibility when dragging and dropping files in the file upload dialogue

Improvements:

TL-36327 Improved the gap between course multi-select custom fields

Bug fixes:

TL-35226 Fixed an issue where changes to language strings in countries.php were not being saved if the key contained upper-case letters

TL-35259 Fixed the 'Time to complete (since start date)' column in the 'Course Completion' report source not being calculated correctly

TL-35521 Fixed being able to bypass sequential navigation in quizzes using web services

TL-35706 Allowed user with 'addattendees' capability, but not 'signup' capability, to add seminar attendees

Previously both capabilities were required to book or waitlist other users on seminars.

TL-35728 Prevented notification event processing task from blocking other tasks

Previously, the 'Queue event scheduled task' (\totara_notification\task\process_event_queue_task) was marked as a blocking task. This meant that it would need to complete before other scheduled or adhoc tasks could run. It is safe to run other tasks while processing notifiable events, so we have removed the blocking flag from this task.

TL-35859 Fixed SCORM activity allowing more than the maximum number of attempts in some cases

The way that the number of attempts is counted when a learner opens a SCORM activity is determined by the 'Force new attempt' setting. If 'Force new attempt' is set to 'Always', or if 'Force new attempt' is set to 'No' and the user tries a new attempt, the number of attempts that have been made is simply the learner's total number of attempts to date. However, if 'Force new attempt' is set to 'When previous attempt completed, passed or failed', then only completed attempts should count as attempts that have been made. Previously, all attempts were counted in this case.

Also, the displayed number of attempts remaining in the table of contents was computed incorrectly when 'Force new attempt' was set to 'Always' or 'No', because only completed attempts were counted. All attempts are counted now.

Finally, the method of determining completed attempts has been refactored to work correctly for SCORM 2004. Previously, failed attempts did not count as completed.

TL-36168 Fixed the format not being applied to Weka content on bold, hashtags, mentions, or placeholders

TL-36246 Decreased the memory usage by send_messages_task script to avoid out-of-memory errors

If the send_messages_task script was failing due to out-of-memory before, it will send all previously-queued notifications at once after this fix.

TL-36402 Fixed formatting (including multi lang compatibility) for notification placeholders

The formatting (including multi lang compatibility) of the following placeholders has been fixed:
* Workspace full_name
* Course name
* Activity name (including Seminar)
* Seminar event details
* Performance activity name
* User description

TL-36431 Fixed inline seminar editing updating calendar entries for all seminar events

TL-36476 Fixed incorrect formatting of the [all_sessions] placeholder in seminar notifications

TL-36528 Made sure new job relationship upgrade steps are applied if missed previously

A previous ticket, TL-33602, increased the version number for the totara_job plugin incorrectly to the same version on all affected branches (11 and higher). This can result in some upgrade steps (adding new perform relationships) being skipped during upgrade to Totara 13 or 16. This patch ensures the missing upgrade steps are run and the missing relationships are added in all cases.

TL-36631 Fixed issue with program message paragraph formatting not being maintained during the upgrade

When the message contains line breaks, it must be considered a separate paragraph. Otherwise, the line break won't work with the Weka editor after the migration.

Library updates:

TL-35875 Upgraded library Video.js to 7.21.1
Release 15.16 (28th February 2023):
Security issues:

TL-36120 Fixed Self-XSS possibility when dragging and dropping files in the file upload dialogue

Improvements:

TL-36327 Improved the gap between course multi-select custom fields

Bug fixes:

TL-35226 Fixed an issue where changes to language strings in countries.php were not being saved if the key contained upper-case letters

TL-35521 Fixed being able to bypass sequential navigation in quizzes using web services

TL-35706 Allowed user with 'addattendees' capability, but not 'signup' capability, to add seminar attendees

Previously both capabilities were required to book or waitlist other users on seminars.

TL-35728 Prevented notification event processing task from blocking other tasks

Previously, the 'Queue event scheduled task' (\totara_notification\task\process_event_queue_task) was marked as a blocking task. This meant that it would need to complete before other scheduled or adhoc tasks could run. It is safe to run other tasks while processing notifiable events, so we have removed the blocking flag from this task.

TL-35859 Fixed SCORM activity allowing more than the maximum number of attempts in some cases

The way that the number of attempts is counted when a learner opens a SCORM activity is determined by the 'Force new attempt' setting. If 'Force new attempt' is set to 'Always', or if 'Force new attempt' is set to 'No' and the user tries a new attempt, the number of attempts that have been made is simply the learner's total number of attempts to date. However, if 'Force new attempt' is set to 'When previous attempt completed, passed or failed', then only completed attempts should count as attempts that have been made. Previously, all attempts were counted in this case.

Also, the displayed number of attempts remaining in the table of contents was computed incorrectly when 'Force new attempt' was set to 'Always' or 'No', because only completed attempts were counted. All attempts are counted now.

Finally, the method of determining completed attempts has been refactored to work correctly for SCORM 2004. Previously, failed attempts did not count as completed.

TL-36246 Decreased the memory usage by send_messages_task script to avoid out-of-memory errors

If the send_messages_task script was failing due to out-of-memory before, it will send all previously-queued notifications at once after this fix.

TL-36402 Fixed formatting (including multi lang compatibility) for notification placeholders

The formatting (including multi lang compatibility) of the following placeholders has been fixed:
* Workspace full_name
* Course name
* Activity name (including Seminar)
* Seminar event details
* Performance activity name
* User description

TL-36528 Made sure new job relationship upgrade steps are applied if missed previously

A previous ticket, TL-33602, increased the version number for the totara_job plugin incorrectly to the same version on all affected branches (11 and higher). This can result in some upgrade steps (adding new perform relationships) being skipped during upgrade to Totara 13 or 16. This patch ensures the missing upgrade steps are run and the missing relationships are added in all cases.

TL-36631 Fixed issue with program message paragraph formatting not being maintained during the upgrade

When the message contains line breaks, it must be considered a separate paragraph. Otherwise, the line break won't work with the Weka editor after the migration.

Library updates:

TL-35875 Upgraded library Video.js to 7.21.1
Release 14.21 (28th February 2023):
Security issues:

TL-36120 Fixed Self-XSS possibility when dragging and dropping files in the file upload dialogue

Bug fixes:

TL-35226 Fixed an issue where changes to language strings in countries.php were not being saved if the key contained upper-case letters

TL-35521 Fixed being able to bypass sequential navigation in quizzes using web services

TL-35706 Allowed user with 'addattendees' capability, but not 'signup' capability, to add seminar attendees

Previously both capabilities were required to book or waitlist other users on seminars.

TL-35728 Prevented notification event processing task from blocking other tasks

Previously, the 'Queue event scheduled task' (\totara_notification\task\process_event_queue_task) was marked as a blocking task. This meant that it would need to complete before other scheduled or adhoc tasks could run. It is safe to run other tasks while processing notifiable events, so we have removed the blocking flag from this task.

TL-35859 Fixed SCORM activity allowing more than the maximum number of attempts in some cases

The way that the number of attempts is counted when a learner opens a SCORM activity is determined by the 'Force new attempt' setting. If 'Force new attempt' is set to 'Always', or if 'Force new attempt' is set to 'No' and the user tries a new attempt, the number of attempts that have been made is simply the learner's total number of attempts to date. However, if 'Force new attempt' is set to 'When previous attempt completed, passed or failed', then only completed attempts should count as attempts that have been made. Previously, all attempts were counted in this case.

Also, the displayed number of attempts remaining in the table of contents was computed incorrectly when 'Force new attempt' was set to 'Always' or 'No', because only completed attempts were counted. All attempts are counted now.

Finally, the method of determining completed attempts has been refactored to work correctly for SCORM 2004. Previously, failed attempts did not count as completed.

TL-36246 Decreased the memory usage by send_messages_task script to avoid out-of-memory errors

If the send_messages_task script was failing due to out-of-memory before, it will send all previously-queued notifications at once after this fix.

TL-36402 Fixed formatting (including multi lang compatibility) for notification placeholders

The formatting (including multi lang compatibility) of the following placeholders has been fixed:
* Workspace full_name
* Course name
* Activity name (including Seminar)
* Seminar event details
* Performance activity name
* User description

TL-36528 Made sure new job relationship upgrade steps are applied if missed previously

A previous ticket, TL-33602, increased the version number for the totara_job plugin incorrectly to the same version on all affected branches (11 and higher). This can result in some upgrade steps (adding new perform relationships) being skipped during upgrade to Totara 13 or 16. This patch ensures the missing upgrade steps are run and the missing relationships are added in all cases.

TL-36631 Fixed issue with program message paragraph formatting not being maintained during the upgrade

When the message contains line breaks, it must be considered a separate paragraph. Otherwise, the line break won't work with the Weka editor after the migration.

Library updates:

TL-35875 Upgraded library Video.js to 7.21.1
Release 13.29 (28th February 2023):
Security issues:

TL-36120 Fixed Self-XSS possibility when dragging and dropping files in the file upload dialogue

Bug fixes:

TL-35226 Fixed an issue where changes to language strings in countries.php were not being saved if the key contained upper-case letters

TL-35521 Fixed being able to bypass sequential navigation in quizzes using web services

TL-36246 Decreased the memory usage by send_messages_task script to avoid out-of-memory errors

If the send_messages_task script was failing due to out-of-memory before, it will send all previously-queued notifications at once after this fix.

TL-36528 Made sure new job relationship upgrade steps are applied if missed previously

A previous ticket, TL-33602, increased the version number for the totara_job plugin incorrectly to the same version on all affected branches (11 and higher). This can result in some upgrade steps (adding new perform relationships) being skipped during upgrade to Totara 13 or 16. This patch ensures the missing upgrade steps are run and the missing relationships are added in all cases.
Release 12.51 (28th February 2023):
Bug fixes:

TL-36246 Decreased the memory usage by send_messages_task script to avoid out-of-memory errors

If the send_messages_task script was failing due to out-of-memory before, it will send all previously-queued notifications at once after this fix.

TL-36528 Made sure new job relationship upgrade steps are applied if missed previously

A previous ticket, TL-33602, increased the version number for the totara_job plugin incorrectly to the same version on all affected branches (11 and higher). This can result in some upgrade steps (adding new perform relationships) being skipped during upgrade to Totara 13 or 16. This patch ensures the missing upgrade steps are run and the missing relationships are added in all cases.