Totara Release Notes

Totara TXP 17.13, 16.19, 15.25, 14.30, 13.38, 12.59, 11.59, 10.61, and Totara Learn 9.67 are now available

 
by David Curry (Core Developer) - Monday, 27 November 2023, 18:54
Group Totara

Hello everyone,

The following versions of Totara Learn have now been released:

These versions do contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes various bug fixes and improvements.

Kind regards,
Release Team

Release 17.13 (28th November 2023):

Security issues:

    TL-34338       Prevented content author information display to non-privileged users in global search

                   Previously, it was possible for global search users to see the author of
                   documents, even if they did not have the appropriate capabilities. Now users
                   need the 'moodle/user:viewdetails' or 'moodle/course:viewparticipants'
                   capability to see the author.

                   Fixes CVE-2022-30598

    TL-35830       Fixed trending content block showing items across tenant boundaries

                   With this change trending content from different tenants can no longer show
                   across tenants.

    TL-38845       Fixed an XSS vulnerability in activity names when restoring courses
    TL-39092       Fixed possible XSS vulnerability in course activity headings on some pages

Performance improvements:

    TL-38548       Reduced number of database queries on the course and category management page

                   When multitenancy is enabled an additional database query was triggered for each
                   category to check whether the category is a tenant category or not. This is now
                   being cached to avoid the unnecessary queries and to improve the performance of
                   the page load.

    TL-38606       Improved the performance of the notification event queue task

                   The performance of the task `\totara_notification\task\process_event_queue_task`
                   has been improved by caching data which is loaded repeatedly. In addition, the
                   theme is no longer reset for each notification, which had quite an impact on
                   performance.

                   To improve performance of the task further, we recommend reviewing the setting
                   'SMTP session limit' (smtpmaxbulk) and considering increasing it. It defaults to 1,
                   which means the task will create a new SMTP connection for each email it sends
                   out and will not use an existing connection.


Improvements:

    TL-38734       Prevented notification processing warnings if the event context they relate to no longer exists
    TL-38767       Prevent users from running more than one report simultaneously

                   Recently we introduced a change which allows a user to continue using the site
                   while a report loads in another tab/window. This inadvertently allowed a user to
                   run more than one report at once. With this change, only one user report or
                   report export (user or embedded) can be run at once. Viewing embedded reports
                   is excluded, so that pages which render embedded reports will continue to work
                   as normal.

    TL-38897       Improved warning message in the performance tab of reports when caching is not available

Bug fixes:

    TL-36933       Fixed SCORM player not terminating correctly in some scenarios when exiting the content
    TL-36934       Fixed the full text search for MySQL binary mode to prevent wildcard character errors
    TL-37205       Fixed the UTF-8 encoding of embedded calendar blocks in emails for foreign characters
    TL-37292       Removed confusing help text from the Virtual Meeting Provider Connect button
    TL-37602       Created correct supersede submission after rejecting approval workflow application
    TL-37683       Fixed visibility map query causing database crash on MariaDB 10.8

                   The visibility map query caused the database to crash on MariaDB 10.8 only. This
                   has now been addressed.

    TL-38098       Added a legacy Moodle constant back into Totara, so the Big Blue Button plugin can still operate
    TL-38653       Ensured content marketplace course activities are visible if the completed_initial_sync_learning_asset flag failed to be set

                   LinkedIn Learning's initial sync task should set the
                   completed_initial_sync_learning_asset flag to true. If the initial process is
                   interrupted LinkedIn Learning courses can be used but they are not available in
                   the list when adding activities to an existing course. After the patch, you can
                   add available courses as activities even if the initial sync task has not
                   finished successfully.

    TL-38670       Restored missing headings in the External API documentation
    TL-38704       Removed the ability to select a system user using the user_reference_record class as a tenant API user

                   As part of this change, the behaviour of user_record_reference::get_record()
                   (released in Totara 17) will no longer check the acting user's ability to see
                   the target user. Please use user_record_reference::load_for_viewer() in custom
                   GraphQL resolvers instead.

    TL-38829       Added language strings for machine learning, JSON editor and multi-factor authentication on the plugins page
    TL-39064       Prevented user list queries being triggered on initial load on the performance activity participant select page

                   Previously, each user selector on the participant selection page for performance
                   activities triggered a GraphQL query on page load to fetch the initial set of
                   users. The more activities are listed on the page the longer it took for all
                   initial queries to finish. During this time the user could not search in any of
                   the user selectors. This patch ensures that GraphQL queries are only triggered
                   when interacting with a user selector.

    TL-39104       Fixed the environment check for Totara 18 and MariaDB reporting incorrect incompatible versions

Release 16.19 (28th November 2023):

Security issues:

    TL-34338       Prevented content author information display to non-privileged users in global search

                   Previously, it was possible for global search users to see the author of
                   documents, even if they did not have the appropriate capabilities. Now users
                   need the 'moodle/user:viewdetails' or 'moodle/course:viewparticipants'
                   capability to see the author.

                   Fixes CVE-2022-30598

    TL-35830       Fixed trending content block showing items across tenant boundaries

                   With this change trending content from different tenants can no longer show
                   across tenants.

    TL-38845       Fixed an XSS vulnerability in activity names when restoring courses
    TL-39092       Fixed possible XSS vulnerability in course activity headings on some pages

Performance improvements:

    TL-38548       Reduced number of database queries on the course and category management page

                   When multitenancy is enabled an additional database query was triggered for each
                   category to check whether the category is a tenant category or not. This is now
                   being cached to avoid the unnecessary queries and to improve the performance of
                   the page load.


Improvements:

    TL-38734       Prevented notification processing warnings if the event context they relate to no longer exists
    TL-38767       Prevent users from running more than one report simultaneously

                   Recently we introduced a change which allows a user to continue using the site
                   while a report loads in another tab/window. This inadvertently allowed a user to
                   run more than one report at once. With this change, only one user report or
                   report export (user or embedded) can be run at once. Viewing embedded reports
                   is excluded, so that pages which render embedded reports will continue to work
                   as normal.

    TL-38897       Improved warning message in the performance tab of reports when caching is not available

Bug fixes:

    TL-36933       Fixed SCORM player not terminating correctly in some scenarios when exiting the content
    TL-36934       Fixed the full text search for MySQL binary mode to prevent wildcard character errors
    TL-38098       Added a legacy Moodle constant back into Totara, so the Big Blue Button plugin can still operate
    TL-39064       Prevented user list queries being triggered on initial load on the performance activity participant select page

                   Previously, each user selector on the participant selection page for performance
                   activities triggered a GraphQL query on page load to fetch the initial set of
                   users. The more activities are listed on the page the longer it took for all
                   initial queries to finish. During this time the user could not search in any of
                   the user selectors. This patch ensures that GraphQL queries are only triggered
                   when interacting with a user selector.

    TL-39104       Fixed the environment check for Totara 18 and MariaDB reporting incorrect incompatible versions

Release 15.25 (28th November 2023):

Security issues:

    TL-34338       Prevented content author information display to non-privileged users in global search

                   Previously, it was possible for global search users to see the author of
                   documents, even if they did not have the appropriate capabilities. Now users
                   need the 'moodle/user:viewdetails' or 'moodle/course:viewparticipants'
                   capability to see the author.

                   Fixes CVE-2022-30598

    TL-35830       Fixed trending content block showing items across tenant boundaries

                   With this change trending content from different tenants can no longer show
                   across tenants.

    TL-38845       Fixed an XSS vulnerability in activity names when restoring courses
    TL-39092       Fixed possible XSS vulnerability in course activity headings on some pages

Improvements:

    TL-38734       Prevented notification processing warnings if the event context they relate to no longer exists
    TL-38767       Prevent users from running more than one report simultaneously

                   Recently we introduced a change which allows a user to continue using the site
                   while a report loads in another tab/window. This inadvertently allowed a user to
                   run more than one report at once. With this change, only one user report or
                   report export (user or embedded) can be run at once. Viewing embedded reports
                   is excluded, so that pages which render embedded reports will continue to work
                   as normal.

    TL-38897       Improved warning message in the performance tab of reports when caching is not available

Bug fixes:

    TL-36933       Fixed SCORM player not terminating correctly in some scenarios when exiting the content
    TL-36934       Fixed the full text search for MySQL binary mode to prevent wildcard character errors
    TL-39064       Prevented user list queries being triggered on initial load on the performance activity participant select page

                   Previously, each user selector on the participant selection page for performance
                   activities triggered a GraphQL query on page load to fetch the initial set of
                   users. The more activities are listed on the page the longer it took for all
                   initial queries to finish. During this time the user could not search in any of
                   the user selectors. This patch ensures that GraphQL queries are only triggered
                   when interacting with a user selector.

    TL-39104       Fixed the environment check for Totara 18 and MariaDB reporting incorrect incompatible versions

Release 14.30 (28th November 2023):

Security issues:

    TL-34338       Prevented content author information display to non-privileged users in global search

                   Previously, it was possible for global search users to see the author of
                   documents, even if they did not have the appropriate capabilities. Now users
                   need the 'moodle/user:viewdetails' or 'moodle/course:viewparticipants'
                   capability to see the author.

                   Fixes CVE-2022-30598

    TL-35830       Fixed trending content block showing items across tenant boundaries

                   With this change trending content from different tenants can no longer show
                   across tenants.

    TL-38845       Fixed an XSS vulnerability in activity names when restoring courses
    TL-39092       Fixed possible XSS vulnerability in course activity headings on some pages

Improvements:

    TL-38734       Prevented notification processing warnings if the event context they relate to no longer exists
    TL-38767       Prevent users from running more than one report simultaneously

                   Recently we introduced a change which allows a user to continue using the site
                   while a report loads in another tab/window. This inadvertently allowed a user to
                   run more than one report at once. With this change, only one user report or
                   report export (user or embedded) can be run at once. Viewing embedded reports
                   is excluded, so that pages which render embedded reports will continue to work
                   as normal.

    TL-38897       Improved warning message in the performance tab of reports when caching is not available

Bug fixes:

    TL-36933       Fixed SCORM player not terminating correctly in some scenarios when exiting the content
    TL-36934       Fixed the full text search for MySQL binary mode to prevent wildcard character errors
    TL-39104       Fixed the environment check for Totara 18 and MariaDB reporting incorrect incompatible versions

Release 13.38 (28th November 2023):

Security issues:

    TL-34338       Prevented content author information display to non-privileged users in global search

                   Previously, it was possible for global search users to see the author of
                   documents, even if they did not have the appropriate capabilities. Now users
                   need the 'moodle/user:viewdetails' or 'moodle/course:viewparticipants'
                   capability to see the author.

                   Fixes CVE-2022-30598

    TL-35830       Fixed trending content block showing items across tenant boundaries

                   With this change trending content from different tenants can no longer show
                   across tenants.

    TL-38845       Fixed an XSS vulnerability in activity names when restoring courses
    TL-39092       Fixed possible XSS vulnerability in course activity headings on some pages

Improvements:

    TL-38767       Prevent users from running more than one report simultaneously

                   Recently we introduced a change which allows a user to continue using the site
                   while a report loads in another tab/window. This inadvertently allowed a user to
                   run more than one report at once. With this change, only one user report or
                   report export (user or embedded) can be run at once. Viewing embedded reports
                   is excluded, so that pages which render embedded reports will continue to work
                   as normal.

    TL-38897       Improved warning message in the performance tab of reports when caching is not available

Bug fixes:

    TL-36933       Fixed SCORM player not terminating correctly in some scenarios when exiting the content
    TL-36934       Fixed the full text search for MySQL binary mode to prevent wildcard character errors
    TL-39104       Fixed the environment check for Totara 18 and MariaDB reporting incorrect incompatible versions

Release 12.59 (28th November 2023):

Security issues:

    TL-34338       Prevented content author information display to non-privileged users in global search

                   Previously, it was possible for global search users to see the author of
                   documents, even if they did not have the appropriate capabilities. Now users
                   need the 'moodle/user:viewdetails' or 'moodle/course:viewparticipants'
                   capability to see the author.

                   Fixes CVE-2022-30598

    TL-38845       Fixed an XSS vulnerability in activity names when restoring courses

Release 11.59 (28th November 2023):

Security issues:

    TL-38845       Fixed an XSS vulnerability in activity names when restoring courses

Release 10.61 (28th November 2023):

Security issues:

    TL-38845       Fixed an XSS vulnerability in activity names when restoring courses

Release 9.67 (28th November 2023):

Security issues:

    TL-38845       Fixed an XSS vulnerability in activity names when restoring courses