Hello everyone,
The following versions of Totara have now been released:
- Release 18.6
- Release 17.19
- Release 16.25
- Release 15.31
- Release 14.36
- Release 13.44
- Release 12.63
- Release 11.63
- Release 10.65
- Release 9.71
- Release 2.9.68
- Release 2.7.73
These versions do contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes various bug fixes and improvements.
Kind regards,
Release Team
Release 18.6 (22nd May 2024):
Important:
TL-40161 Restored auto-login as guest for courses without guest enrolment enabled
Prior to Totara 18, when 'Auto-login guests' was enabled, unauthenticated
users were automatically logged in as a guest when visiting any course page.
Totara 18.0 changed this so that auto-login only happened if guest enrolment
was enabled for the course.
This patch reverts that change, restoring the pre-Totara-18 behaviour of guest
auto-login on courses. Note that a site which relied on the 18.0 behaviour will
return to guest auto-login on all courses after upgrading unless it opts in to
the newer behaviour as described below.
Sites which wish to keep the newer behaviour can enable
`$CFG->autologinnoguestaccess` in config.php. With this setting enabled,
unauthenticated users are redirected to the login page if they visit a course
that does not have guest enrolment enabled.
Security issues:
TL-38659 Improved the capability checks for updating the parent course category
Insufficient web service capability checks previously allowed a user who had
the capability to manage a category to move it under a parent category they
did not have the capability to manage. This is now prevented, fixing
CVE-2023-5549.
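The authorisation rule behind this fix is that a move touches two objects, the category being moved and its new parent, and the caller needs manage permission on both. The following PHP script is an added illustrative example, not Totara's web service code: it models a small category tree and capability grants of its own (all constructed for the demo; in Totara terms the check would be `has_capability('moodle/category:manage', ...)` on each context, which is an assumption here, not a quote of the patch) and contrasts a check that only looks at the source category with one that also checks the destination.

```php
<?php
// Added illustrative example, not Totara's code. Models the authorisation
// rule behind TL-38659: moving a category must require manage permission on
// both the category being moved AND the destination parent. The category
// tree, user names and grants below are constructed for this demo.

// Constructed category tree: id => parent id (0 = site / top level).
$tree = [10 => 0, 11 => 0, 12 => 10, 13 => 11];

// Constructed grants: user => ids the user may manage. A grant on an
// ancestor (or on the site, id 0) is assumed to be inherited downwards.
$grants = [
    'alice' => [10],       // manages category 10, and therefore its child 12
    'bob'   => [10, 11],   // manages both top-level categories
];

// Walk from the category up to the site level looking for a grant.
function manages(string $user, int $categoryid, array $tree, array $grants): bool
{
    $id = $categoryid;
    while (true) {
        if (in_array($id, $grants[$user] ?? [], true)) {
            return true;   // granted on this category, an ancestor, or the site
        }
        if ($id === 0) {
            return false;  // reached the top without finding a grant
        }
        $id = $tree[$id] ?? 0;
    }
}

// Insufficient check: only the category being moved is authorised, so a user
// can relocate their own category into a tree they do not control.
function move_category_insufficient(string $user, int $categoryid, int $newparent,
                                    array &$tree, array $grants): bool
{
    if (!manages($user, $categoryid, $tree, $grants)) {
        return false;
    }
    $tree[$categoryid] = $newparent;
    return true;
}

// Corrected check: the caller must manage the source category AND the
// destination parent (the site itself, id 0, for a move to the top level).
function move_category_fixed(string $user, int $categoryid, int $newparent,
                             array &$tree, array $grants): bool
{
    if (!manages($user, $categoryid, $tree, $grants)) {
        return false;
    }
    if (!manages($user, $newparent, $tree, $grants)) {
        return false;
    }
    $tree[$categoryid] = $newparent;
    return true;
}

// alice manages 10 (and 12) but not 11: moving 12 under 11 must be refused.
foreach (['insufficient' => 'move_category_insufficient',
          'fixed'        => 'move_category_fixed'] as $label => $fn) {
    $t = $tree;
    printf("alice moves 12 under 11 (%s check): %s\n",
        $label, $fn('alice', 12, 11, $t, $grants) ? 'allowed' : 'refused');
}
$t = $tree;
printf("bob moves 12 under 11 (fixed check): %s\n",
    move_category_fixed('bob', 12, 11, $t, $grants) ? 'allowed' : 'refused');
```

Run with `php move_category.php`: the insufficient variant lets alice park her category under bob's tree, the fixed variant refuses her and still allows bob, who manages both sides. The same "check every object the operation touches" rule applies to any move, copy or re-parent endpoint, not only course categories.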
TL-39344 Fixed unsafe unserialize() calls in log_tool (CVE-2023-6661)
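Why `unserialize()` on data a user can influence is a problem, and the two usual hardenings, shown in an added PHP example that is not Totara's log_tool code. The class, the payload string and the "settings" format are all constructed for the demo; the page gives no detail of the real log_tool code path and none is claimed here.

```php
<?php
// Added illustrative example, not Totara's log_tool code. Shows why
// unserialize() on attacker-influenced bytes is dangerous and how to close
// it off. The class, payload and settings format are constructed for this
// demo (PHP 8+).

// Any class with a magic method that is loadable when unserialize() runs
// becomes reachable once an attacker controls the serialized bytes.
class LogExporter
{
    public string $path = '/tmp/export.log';

    public function __wakeup(): void
    {
        // Side effect on deserialisation. In a real gadget chain this is a
        // file write, an include or a method call leading to code execution.
        echo "[__wakeup] LogExporter instantiated with path={$this->path}\n";
    }
}

// Constructed payload: what an attacker submits where the application
// expected a serialized array of log filter settings.
$payload = 'O:11:"LogExporter":1:{s:4:"path";s:18:"/var/www/shell.php";}';

// Vulnerable: instantiates LogExporter and runs __wakeup() before the
// caller ever gets a chance to validate the result.
function load_settings_unsafe(string $raw): mixed
{
    return unserialize($raw);
}

// Hardening 1: forbid object instantiation. Serialized objects come back
// as __PHP_Incomplete_Class and no magic method runs; the type check then
// rejects anything that is not the expected array.
function load_settings_hardened(string $raw): array
{
    $data = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new UnexpectedValueException('settings must be a serialized array');
    }
    return $data;
}

// Hardening 2: stop using the PHP serialization format for stored or
// user-supplied state altogether. JSON has no object-instantiation
// semantics, so there is nothing for a gadget chain to hook.
function load_settings_json(string $raw): array
{
    $data = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException('settings must be a JSON object');
    }
    return $data;
}

echo "unsafe:\n";
load_settings_unsafe($payload);            // __wakeup() fires here
echo "hardened:\n";
try {
    load_settings_hardened($payload);      // incomplete class, not an array
} catch (UnexpectedValueException $e) {
    echo "  rejected: {$e->getMessage()}\n";
}
echo "json:\n";
print_r(load_settings_json('{"level":"info","limit":100}'));
```

When auditing a code base for this class of bug, grep for `unserialize(` calls with a single argument and trace where the bytes come from (request parameters, database columns, cache entries, uploaded files); an `allowed_classes` whitelist of the one or two classes genuinely needed is acceptable when a full migration to JSON is not possible.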
TL-40273 Fixed CVE-2024-32489 and CVE-2024-22640 security issues
* Fixed a Regular Expression Denial of Service in the tcpdf library, triggered
when parsing an untrusted HTML page containing a crafted colour value.
* Fixed a Cross-site Scripting vulnerability in the tcpdf library.
Improvements:
TL-40131 Heading of results table in reports has changed to 'Results - [X] records'
Bug fixes:
TL-36587 Updated the 'Switch to the standard theme' option so it does not appear when the theme for the device is the same as the standard theme
TL-36737 Fixed an error being thrown when manually marking course completion with an expired session
TL-38518 Fixed various issues with the grade columns in Record of Learning reports
This patch has fixed the following 3 issues:
* The formatting of the ‘Grade and required grade’ column in the ‘Record
of learning: courses’ report, now matches the same column in the ‘course
completion’ report.
* The ‘Pass grade’ column in the ‘Record of learning: Courses’ report
now displays the correct data, matching the same column in the ‘course
completion’ report.
* The ‘Grade and required grade’ column now correctly handles RPL grades as
a percentage value in both the ‘Record of Learning’ and ‘Course
Completion’ reports.
TL-38635 Updated min and max grade strings to be sentence case
TL-39050 Fixed issue where random glossary entry block wasn't randomising the display entry
TL-39512 Fixed a page error when viewing the preview of a Quiz's 'missing words' question while using Weka editor
TL-39608 Fixed the notifications not always being generated when a learning plan is deleted
TL-39677 Fixed an error when viewing or printing a performance activity containing linked review responses for a disabled feature type.
TL-39764 Fixed legacy goals not showing in performance activities when Totara goals enabled
TL-39811 Fixed the action/export column for the "Performance activity response data" report when a new export format is added in the Export setting
TL-39815 Fixed an issue where the user ids in a "Quiz attempt reviewed" event description were incorrect
TL-39816 Fixed display of 'missing words' quiz question when the answer options contained a dollar sign followed by a number
TL-39819 Fixed file download after uploading to the wiki activity administration area
TL-39839 Fixed file unzip functionality when the file is uploaded to a file resource of a course.
Previously, when an uploaded zip file included a Windows system file
‘Thumbs.db’, an error was thrown in some cases when trying to unzip the file
within the file resource’s form element.
TL-39936 Made 'coursepageurl' placeholder in course reminders a clickable link
TL-39939 Use regex-safe string replacement for wildcards in lesson activity answers
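What "regex-safe string replacement" means in practice: a wildcard answer typed by a teacher is turned into a regular expression, so every regex metacharacter in the answer must be quoted and only the wildcard re-introduced afterwards. The PHP script below is an added example and not the lesson module's code; the function names and the answer/response pairs are constructed for the demo.

```php
<?php
// Added illustrative example, not Totara's lesson module code. Contrasts
// building a pattern from a wildcard answer by plain string replacement with
// building it via preg_quote(). Function names and test cases are constructed.

// Unsafe: every regex metacharacter in the answer is interpreted. An answer
// such as "2+2" matches the wrong thing, and "(a" fails to compile so
// preg_match() returns false (the @ hides the warning for the demo only).
function wildcard_match_unsafe(string $answer, string $response): bool
{
    $pattern = '/^' . str_replace('*', '.*', $answer) . '$/i';
    return @preg_match($pattern, $response) === 1;
}

// Regex-safe: quote everything first, then re-introduce only the wildcard.
// preg_quote() turns '*' into '\*', so '\*' is the token to replace; the
// delimiter argument makes sure a '/' in the answer is escaped as well.
function wildcard_match_safe(string $answer, string $response): bool
{
    $quoted  = preg_quote($answer, '/');
    $pattern = '/^' . str_replace('\*', '.*', $quoted) . '$/i';
    return preg_match($pattern, $response) === 1;
}

$cases = [
    // [answer, learner response]
    ['Paris*',       'Paris, France'], // the wildcard still works when quoted
    ['2+2',          '2+2'],           // '+' is a quantifier in the unsafe build
    ['(a',           '(a'],            // unbalanced '(' breaks the unsafe pattern
    ['C:\\Users\\*', 'C:\\Users\\bob'], // backslashes survive quoting
    ['$100',         '$100'],          // '$' is an anchor in the unsafe build
    ['a/b*',         'a/b/c'],         // '/' would terminate the pattern
];

foreach ($cases as [$answer, $response]) {
    printf("%-13s vs %-15s unsafe=%-5s safe=%s\n",
        $answer, $response,
        wildcard_match_unsafe($answer, $response) ? 'match' : 'no',
        wildcard_match_safe($answer, $response) ? 'match' : 'no');
}
```

Running the script shows the unsafe builder rejecting correct responses for every answer containing a metacharacter while the safe builder matches them, with the `*` wildcard behaving identically in both. The pattern generalises: any time user text is spliced into a regex, `preg_quote()` it first and then substitute the application's own wildcard tokens on the quoted string.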
TL-39962 Fixed a bug where the progress summary for linked courses in the competency profile were incorrect
TL-40079 The capability required for a user to change their own language no longer requires the ability to edit their own profile.
The user preferences page 'Preferred language' previously required the
capability 'moodle/user:editownprofile'. This capability is available by
default to authenticated users; however, if it has been removed there was no
way for a user to change their own active language in Totara 18 and above.
This change introduces a new capability, 'moodle/user:editownlanguage', which
is assigned to the User archetype. It allows a user to edit their own language
without being able to edit their entire profile, for sites that have limited
that ability.
If you have customised your roles so that they are no longer associated with
the archetype, you may need to grant this capability to the correct roles
manually.
TL-40132 Don't remove users with signupwaitlist permission when updating the attendees of a seminar event
TL-40148 Fixed an error when filtering for individuals in the assignment tab of certifications
TL-40206 Fixed an exception when viewing the programs tab in learning plan advanced workflow settings
TL-40259 Fixed an error that occurred when viewing items in an Engage playlist that included courses
TL-40319 Addressed an error triggered in completion_start_user_bulk() if more than 100000 enrolment records are present
In a previous version of Totara we made changes to completion_start_user_bulk
(TL-36115, https://totara.atlassian.net/browse/TL-36115) in an attempt to
address a performance issue when creating missing course_completion records.
This change was released in 15.28, 16.22, 17.16 and 18.3. Unfortunately it
caused a regression: if more than 100000 user_enrolment records were present,
processing of any subsequent batch generated PHP Notices and not all course
completion records were processed. There are, however, other locations which
also process missing completion records (e.g. core\task\completion_daily_task).
This patch reverts the batching, as apart from the bug it introduced we found
it was not necessarily producing the intended result. We are actively looking
at alternatives to address the original performance issue.
TL-40454 Fixed an issue on the competency profile where the progress summary of linked courses was not correctly displayed
Previously, courses that a user had yet to start were displayed as 'not
available' when they should have been displayed as 'not yet started'. This has
been fixed.
Release 17.19 (22nd May 2024):
Security issues:
TL-38659 Improved the capability checks for updating the parent course category
Insufficient web service capability checks previously allowed a user who had
the capability to manage a category to move it under a parent category they
did not have the capability to manage. This is now prevented, fixing
CVE-2023-5549.
TL-39344 Fixed unsafe unserialize() calls in log_tool (CVE-2023-6661)
TL-40273 Fixed CVE-2024-32489 and CVE-2024-22640 security issues
* Fixed a Regular Expression Denial of Service in the tcpdf library, triggered
when parsing an untrusted HTML page containing a crafted colour value.
* Fixed a Cross-site Scripting vulnerability in the tcpdf library.
Improvements:
TL-40131 Heading of results table in reports has changed to 'Results - [X] records'
Bug fixes:
TL-36587 Updated the 'Switch to the standard theme' option so it does not appear when the theme for the device is the same as the standard theme
TL-36737 Fixed an error being thrown when manually marking course completion with an expired session
TL-38518 Fixed various issues with the grade columns in Record of Learning reports
This patch has fixed the following 3 issues:
* The formatting of the ‘Grade and required grade’ column in the ‘Record
of learning: courses’ report, now matches the same column in the ‘course
completion’ report.
* The ‘Pass grade’ column in the ‘Record of learning: Courses’ report
now displays the correct data, matching the same column in the ‘course
completion’ report.
* The ‘Grade and required grade’ column now correctly handles RPL grades as
a percentage value in both the ‘Record of Learning’ and ‘Course
Completion’ reports.
TL-39050 Fixed issue where random glossary entry block wasn't randomising the display entry
TL-39466 Improved help text when editing a seminars settings
TL-39512 Fixed a page error when viewing the preview of a Quiz's 'missing words' question while using Weka editor
TL-39608 Fixed the notifications not always being generated when a learning plan is deleted
TL-39677 Fixed an error when viewing or printing a performance activity containing linked review responses for a disabled feature type.
TL-39811 Fixed the action/export column for the "Performance activity response data" report when a new export format is added in the Export setting
TL-39815 Fixed an issue where the user ids in a "Quiz attempt reviewed" event description were incorrect
TL-39816 Fixed display of 'missing words' quiz question when the answer options contained a dollar sign followed by a number
TL-39839 Fixed file unzip functionality when the file is uploaded to a file resource of a course.
Previously, when an uploaded zip file included a Windows system file
‘Thumbs.db’, an error was thrown in some cases when trying to unzip the file
within the file resource’s form element.
TL-39939 Use regex-safe string replacement for wildcards in lesson activity answers
TL-39962 Fixed a bug where the progress summary for linked courses in the competency profile were incorrect
TL-40132 Don't remove users with signupwaitlist permission when updating the attendees of a seminar event
TL-40319 Addressed an error triggered in completion_start_user_bulk() if more than 100000 enrolment records are present
In a previous version of Totara we made changes to completion_start_user_bulk
(TL-36115, https://totara.atlassian.net/browse/TL-36115) in an attempt to
address a performance issue when creating missing course_completion records.
This change was released in 15.28, 16.22, 17.16 and 18.3. Unfortunately it
caused a regression: if more than 100000 user_enrolment records were present,
processing of any subsequent batch generated PHP Notices and not all course
completion records were processed. There are, however, other locations which
also process missing completion records (e.g. core\task\completion_daily_task).
This patch reverts the batching, as apart from the bug it introduced we found
it was not necessarily producing the intended result. We are actively looking
at alternatives to address the original performance issue.
TL-40454 Fixed an issue on the competency profile where the progress summary of linked courses was not correctly displayed
Previously, courses that a user had yet to start were displayed as 'not
available' when they should have been displayed as 'not yet started'. This has
been fixed.
Release 16.25 (22nd May 2024):
Security issues:
TL-38659 Improved the capability checks for updating the parent course category
Insufficient web service capability checks previously allowed a user who had
the capability to manage a category to move it under a parent category they
did not have the capability to manage. This is now prevented, fixing
CVE-2023-5549.
TL-39344 Fixed unsafe unserialize() calls in log_tool (CVE-2023-6661)
TL-40273 Fixed CVE-2024-32489 and CVE-2024-22640 security issues
* Fixed a Regular Expression Denial of Service in the tcpdf library, triggered
when parsing an untrusted HTML page containing a crafted colour value.
* Fixed a Cross-site Scripting vulnerability in the tcpdf library.
Bug fixes:
TL-36587 Updated the 'Switch to the standard theme' option so it does not appear when the theme for the device is the same as the standard theme
TL-39608 Fixed the notifications not always being generated when a learning plan is deleted
TL-39815 Fixed an issue where the user ids in a "Quiz attempt reviewed" event description were incorrect
TL-39816 Fixed display of 'missing words' quiz question when the answer options contained a dollar sign followed by a number
TL-39962 Fixed a bug where the progress summary for linked courses in the competency profile were incorrect
TL-40132 Don't remove users with signupwaitlist permission when updating the attendees of a seminar event
TL-40319 Addressed an error triggered in completion_start_user_bulk() if more than 100000 enrolment records are present
In a previous version of Totara we made changes to completion_start_user_bulk
(TL-36115, https://totara.atlassian.net/browse/TL-36115) in an attempt to
address a performance issue when creating missing course_completion records.
This change was released in 15.28, 16.22, 17.16 and 18.3. Unfortunately it
caused a regression: if more than 100000 user_enrolment records were present,
processing of any subsequent batch generated PHP Notices and not all course
completion records were processed. There are, however, other locations which
also process missing completion records (e.g. core\task\completion_daily_task).
This patch reverts the batching, as apart from the bug it introduced we found
it was not necessarily producing the intended result. We are actively looking
at alternatives to address the original performance issue.
TL-40454 Fixed an issue on the competency profile where the progress summary of linked courses was not correctly displayed
Previously, courses that a user had yet to start were displayed as 'not
available' when they should have been displayed as 'not yet started'. This has
been fixed.
Release 15.31 (22nd May 2024):
Security issues:
TL-38659 Improved the capability checks for updating the parent course category
Insufficient web service capability checks previously allowed a user who had
the capability to manage a category to move it under a parent category they
did not have the capability to manage. This is now prevented, fixing
CVE-2023-5549.
TL-39344 Fixed unsafe unserialize() calls in log_tool (CVE-2023-6661)
TL-40273 Fixed CVE-2024-32489 and CVE-2024-22640 security issues
* Fixed a Regular Expression Denial of Service in the tcpdf library, triggered
when parsing an untrusted HTML page containing a crafted colour value.
* Fixed a Cross-site Scripting vulnerability in the tcpdf library.
Bug fixes:
TL-36587 Updated the 'Switch to the standard theme' option so it does not appear when the theme for the device is the same as the standard theme
TL-39816 Fixed display of 'missing words' quiz question when the answer options contained a dollar sign followed by a number
TL-40132 Don't remove users with signupwaitlist permission when updating the attendees of a seminar event
TL-40319 Addressed an error triggered in completion_start_user_bulk() if more than 100000 enrolment records are present
In a previous version of Totara we made changes to completion_start_user_bulk
(TL-36115, https://totara.atlassian.net/browse/TL-36115) in an attempt to
address a performance issue when creating missing course_completion records.
This change was released in 15.28, 16.22, 17.16 and 18.3. Unfortunately it
caused a regression: if more than 100000 user_enrolment records were present,
processing of any subsequent batch generated PHP Notices and not all course
completion records were processed. There are, however, other locations which
also process missing completion records (e.g. core\task\completion_daily_task).
This patch reverts the batching, as apart from the bug it introduced we found
it was not necessarily producing the intended result. We are actively looking
at alternatives to address the original performance issue.
Release 14.36 (22nd May 2024):
Security issues:
TL-38659 Improved the capability checks for updating the parent course category
Insufficient web service capability checks previously allowed a user who had
the capability to manage a category to move it under a parent category they
did not have the capability to manage. This is now prevented, fixing
CVE-2023-5549.
TL-39344 Fixed unsafe unserialize() calls in log_tool (CVE-2023-6661)
TL-40273 Fixed CVE-2024-32489 and CVE-2024-22640 security issues
* Fixed a Regular Expression Denial of Service in the tcpdf library, triggered
when parsing an untrusted HTML page containing a crafted colour value.
* Fixed a Cross-site Scripting vulnerability in the tcpdf library.
Bug fixes:
TL-39816 Fixed display of 'missing words' quiz question when the answer options contained a dollar sign followed by a number
TL-40132 Don't remove users with signupwaitlist permission when updating the attendees of a seminar event
Release 13.44 (22nd May 2024):
Security issues:
TL-38659 Improved the capability checks for updating the parent course category
Insufficient web service capability checks previously allowed a user who had
the capability to manage a category to move it under a parent category they
did not have the capability to manage. This is now prevented, fixing
CVE-2023-5549.
TL-39344 Fixed unsafe unserialize() calls in log_tool (CVE-2023-6661)
TL-40273 Fixed CVE-2024-32489 and CVE-2024-22640 security issues
* Fixed a Regular Expression Denial of Service in the tcpdf library, triggered
when parsing an untrusted HTML page containing a crafted colour value.
* Fixed a Cross-site Scripting vulnerability in the tcpdf library.
Bug fixes:
TL-39816 Fixed display of 'missing words' quiz question when the answer options contained a dollar sign followed by a number
TL-40132 Don't remove users with signupwaitlist permission when updating the attendees of a seminar event
Release 12.63 (22nd May 2024):
Security issues:
TL-38659 Improved the capability checks for updating the parent course category
Insufficient web service capability checks previously allowed a user who had
the capability to manage a category to move it under a parent category they
did not have the capability to manage. This is now prevented, fixing
CVE-2023-5549.
TL-39344 Fixed unsafe unserialize() calls in log_tool (CVE-2023-6661)
Release 11.63 (22nd May 2024):
Security issues:
TL-39344 Fixed unsafe unserialize() calls in log_tool (CVE-2023-6661)
Release 10.65 (22nd May 2024):
Security issues:
TL-39344 Fixed unsafe unserialize() calls in log_tool (CVE-2023-6661)
Release 9.71 (22nd May 2024):
Security issues:
TL-39344 Fixed unsafe unserialize() calls in log_tool (CVE-2023-6661)
Release 2.9.68 (22nd May 2024):
Security issues:
TL-39344 Fixed unsafe unserialize() calls in log_tool (CVE-2023-6661)
Release 2.7.73 (22nd May 2024):
Security issues:
TL-39344 Fixed unsafe unserialize() calls in log_tool (CVE-2023-6661)
