Hello everyone,
The following versions of Totara Learn have now been released:
- Release 17.13
- Release 16.19
- Release 15.25
- Release 14.30
- Release 13.38
- Release 12.59
- Release 11.59
- Release 10.61
- Release 9.67
These versions do contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes various bug fixes and improvements.
Kind regards, Release Team
Release 17.13 (28th November 2023):
Security issues:
TL-34338 Prevented content author information display to non-privileged users in global search
Previously, it was possible for global search users to see the author of
documents, even if they did not have the appropriate capabilities. Now users
need the 'moodle/user:viewdetails' or 'moodle/course:viewparticipants'
capability to see the author.
Fixes CVE-2022-30598
TL-35830 Fixed trending content block showing items across tenant boundaries
With this change trending content from different tenants can no longer show
across tenants.
TL-38845 Fixed an XSS vulnerability in activity names when restoring courses
TL-39092 Fixed possible XSS vulnerability in course activity headings on some pages
Performance improvements:
TL-38548 Reduced number of database queries on the course and category management page
When multitenancy is enabled, an additional database query was triggered for each
category to check whether the category is a tenant category or not. The result is
now cached to avoid the unnecessary queries and to improve the performance of
the page load.
TL-38606 Improved the performance of the notification event queue task
The performance of the task `\totara_notification\task\process_event_queue_task`
has been improved by caching data which is loaded repeatedly. In addition, the
theme is no longer reset for each notification, which had quite an impact on
performance.
To improve performance of the task further, we recommend reviewing the setting
'SMTP session limit' (smtpmaxbulk) and considering increasing it. It defaults to 1,
which means the task will create a new SMTP connection for each email it sends
out and will not use an existing connection.
Improvements:
TL-38734 Prevented notification processing warnings if the event context they relate to no longer exists
TL-38767 Prevent users from running more than one report simultaneously
Recently we introduced a change which allows a user to continue using the site
while a report loads in another tab/window. This inadvertently allowed a user to
run more than one report at once. With this change, only one user report or
report export (user or embedded) can be run at once. Viewing embedded reports
is excluded, so that pages which render embedded reports will continue to work
as normal.
TL-38897 Improved warning message in the performance tab of reports when caching is not available
Bug fixes:
TL-36933 Fixed SCORM player not terminating correctly in some scenarios when exiting the content
TL-36934 Fixed the full text search for MySQL binary mode to prevent wildcard character errors
TL-37205 Fixed the UTF-8 encoding of embedded calendar blocks in emails for foreign characters
TL-37292 Removed confusing help text from the Virtual Meeting Provider Connect button
TL-37602 Created correct supersede submission after rejecting approval workflow application
TL-37683 Fixed visibility map query causing database crash on MariaDB 10.8
On MariaDB 10.8 only, the visibility map query caused the database to crash. This
has now been addressed.
TL-38098 Added a legacy Moodle constant back into Totara, so the Big Blue Button plugin can still operate
TL-38653 Ensured content marketplace course activities are visible if completed_initial_sync_learning_asset failed to be set
LinkedIn Learning's initial sync task should set the
completed_initial_sync_learning_asset flag to true. If the initial process is
interrupted, LinkedIn Learning courses can be used, but they are not available in
the list when adding activities to an existing course. After the patch, you can
add available courses as activities even if the initial sync task has not
finished successfully.
TL-38670 Restored missing headings in the External API documentation
TL-38704 Removed the ability to select a system user using the user_reference_record class as a tenant API user
As part of this change, the behaviour of user_record_reference::get_record()
(released in Totara 17) will no longer check the acting user's ability to see
the target user. Please use user_record_reference::load_for_viewer() in custom
GraphQL resolvers instead.
TL-38829 Added language strings for machine learning, JSON editor and multi-factor authentication on the plugins page
TL-39064 Prevented user list queries being triggered on initial load on the performance activity participant select page
Previously, each user selector on the participant selection page for performance
activities triggered a GraphQL query on page load to fetch the initial set of
users. The more activities were listed on the page, the longer it took for all
initial queries to finish. During this time the user could not search in any of
the user selectors. This patch ensures that GraphQL queries are only triggered
when interacting with a user selector.
TL-39104 Fixed the environment check for Totara 18 and MariaDB reporting incorrect incompatible versions
Release 16.19 (28th November 2023):
Security issues:
TL-34338 Prevented content author information display to non-privileged users in global search
Previously, it was possible for global search users to see the author of
documents, even if they did not have the appropriate capabilities. Now users
need the 'moodle/user:viewdetails' or 'moodle/course:viewparticipants'
capability to see the author.
Fixes CVE-2022-30598
TL-35830 Fixed trending content block showing items across tenant boundaries
With this change trending content from different tenants can no longer show
across tenants.
TL-38845 Fixed an XSS vulnerability in activity names when restoring courses
TL-39092 Fixed possible XSS vulnerability in course activity headings on some pages
Performance improvements:
TL-38548 Reduced number of database queries on the course and category management page
When multitenancy is enabled, an additional database query was triggered for each
category to check whether the category is a tenant category or not. The result is
now cached to avoid the unnecessary queries and to improve the performance of
the page load.
Improvements:
TL-38734 Prevented notification processing warnings if the event context they relate to no longer exists
TL-38767 Prevent users from running more than one report simultaneously
Recently we introduced a change which allows a user to continue using the site
while a report loads in another tab/window. This inadvertently allowed a user to
run more than one report at once. With this change, only one user report or
report export (user or embedded) can be run at once. Viewing embedded reports
is excluded, so that pages which render embedded reports will continue to work
as normal.
TL-38897 Improved warning message in the performance tab of reports when caching is not available
Bug fixes:
TL-36933 Fixed SCORM player not terminating correctly in some scenarios when exiting the content
TL-36934 Fixed the full text search for MySQL binary mode to prevent wildcard character errors
TL-38098 Added a legacy Moodle constant back into Totara, so the Big Blue Button plugin can still operate
TL-39064 Prevented user list queries being triggered on initial load on the performance activity participant select page
Previously, each user selector on the participant selection page for performance
activities triggered a GraphQL query on page load to fetch the initial set of
users. The more activities were listed on the page, the longer it took for all
initial queries to finish. During this time the user could not search in any of
the user selectors. This patch ensures that GraphQL queries are only triggered
when interacting with a user selector.
TL-39104 Fixed the environment check for Totara 18 and MariaDB reporting incorrect incompatible versions
Release 15.25 (28th November 2023):
Security issues:
TL-34338 Prevented content author information display to non-privileged users in global search
Previously, it was possible for global search users to see the author of
documents, even if they did not have the appropriate capabilities. Now users
need the 'moodle/user:viewdetails' or 'moodle/course:viewparticipants'
capability to see the author.
Fixes CVE-2022-30598
TL-35830 Fixed trending content block showing items across tenant boundaries
With this change trending content from different tenants can no longer show
across tenants.
TL-38845 Fixed an XSS vulnerability in activity names when restoring courses
TL-39092 Fixed possible XSS vulnerability in course activity headings on some pages
Improvements:
TL-38734 Prevented notification processing warnings if the event context they relate to no longer exists
TL-38767 Prevent users from running more than one report simultaneously
Recently we introduced a change which allows a user to continue using the site
while a report loads in another tab/window. This inadvertently allowed a user to
run more than one report at once. With this change, only one user report or
report export (user or embedded) can be run at once. Viewing embedded reports
is excluded, so that pages which render embedded reports will continue to work
as normal.
TL-38897 Improved warning message in the performance tab of reports when caching is not available
Bug fixes:
TL-36933 Fixed SCORM player not terminating correctly in some scenarios when exiting the content
TL-36934 Fixed the full text search for MySQL binary mode to prevent wildcard character errors
TL-39064 Prevented user list queries being triggered on initial load on the performance activity participant select page
Previously, each user selector on the participant selection page for performance
activities triggered a GraphQL query on page load to fetch the initial set of
users. The more activities were listed on the page, the longer it took for all
initial queries to finish. During this time the user could not search in any of
the user selectors. This patch ensures that GraphQL queries are only triggered
when interacting with a user selector.
TL-39104 Fixed the environment check for Totara 18 and MariaDB reporting incorrect incompatible versions
Release 14.30 (28th November 2023):
Security issues:
TL-34338 Prevented content author information display to non-privileged users in global search
Previously, it was possible for global search users to see the author of
documents, even if they did not have the appropriate capabilities. Now users
need the 'moodle/user:viewdetails' or 'moodle/course:viewparticipants'
capability to see the author.
Fixes CVE-2022-30598
TL-35830 Fixed trending content block showing items across tenant boundaries
With this change trending content from different tenants can no longer show
across tenants.
TL-38845 Fixed an XSS vulnerability in activity names when restoring courses
TL-39092 Fixed possible XSS vulnerability in course activity headings on some pages
Improvements:
TL-38734 Prevented notification processing warnings if the event context they relate to no longer exists
TL-38767 Prevent users from running more than one report simultaneously
Recently we introduced a change which allows a user to continue using the site
while a report loads in another tab/window. This inadvertently allowed a user to
run more than one report at once. With this change, only one user report or
report export (user or embedded) can be run at once. Viewing embedded reports
are excluded, so that pages which render embedded reports will continue to work
as normal.
TL-38897 Improved warning message in the performance tab of reports when caching is not available
Bug fixes:
TL-36933 Fixed SCORM player not terminating correctly in some scenarios when exiting the content
TL-36934 Fixed the full text search for MySQL binary mode to prevent wildcard character errors
TL-39104 Fixed the environment check for Totara 18 and MariaDB reporting incorrect incompatible versions
Release 13.38 (28th November 2023):
Security issues:
TL-34338 Prevented content author information display to non-privileged users in global search
Previously, it was possible for global search users to see the author of
documents, even if they did not have the appropriate capabilities. Now users
need the 'moodle/user:viewdetails' or 'moodle/course:viewparticipants'
capability to see the author.
Fixes CVE-2022-30598
TL-35830 Fixed trending content block showing items across tenant boundaries
With this change trending content from different tenants can no longer show
across tenants.
TL-38845 Fixed an XSS vulnerability in activity names when restoring courses
TL-39092 Fixed possible XSS vulnerability in course activity headings on some pages
Improvements:
TL-38767 Prevent users from running more than one report simultaneously
Recently we introduced a change which allows a user to continue using the site
while a report loads in another tab/window. This inadvertently allowed a user to
run more than one report at once. With this change, only one user report or
report export (user or embedded) can be run at once. Viewing embedded reports
is excluded, so that pages which render embedded reports will continue to work
as normal.
TL-38897 Improved warning message in the performance tab of reports when caching is not available
Bug fixes:
TL-36933 Fixed SCORM player not terminating correctly in some scenarios when exiting the content
TL-36934 Fixed the full text search for MySQL binary mode to prevent wildcard character errors
TL-39104 Fixed the environment check for Totara 18 and MariaDB reporting incorrect incompatible versions
Release 12.59 (28th November 2023):
Security issues:
TL-34338 Prevented content author information display to non-privileged users in global search
Previously, it was possible for global search users to see the author of
documents, even if they did not have the appropriate capabilities. Now users
need the 'moodle/user:viewdetails' or 'moodle/course:viewparticipants'
capability to see the author.
Fixes CVE-2022-30598
TL-38845 Fixed an XSS vulnerability in activity names when restoring courses
Release 11.59 (28th November 2023):
Security issues:
TL-38845 Fixed an XSS vulnerability in activity names when restoring courses
Release 10.61 (28th November 2023):
Security issues:
TL-38845 Fixed an XSS vulnerability in activity names when restoring courses
Release 9.67 (28th November 2023):
Security issues:
TL-38845 Fixed an XSS vulnerability in activity names when restoring courses
