Totara Release Notes

Totara TXP 18.6, 17.19, 16.25, 15.31, 14.36, 13.44 and Totara Learn 12.63, 11.63, 10.65, 9.71, 2.9.68 and 2.7.73 are now available

 
David Curry (Core Developer)
Totara TXP 18.6, 17.19, 16.25, 15.31, 14.36, 13.44 and Totara Learn 12.63, 11.63, 10.65, 9.71, 2.9.68 and 2.7.73 are now available
di David Curry (Core Developer) - Tuesday, 21 May 2024, 19:58
Gruppo Totara

Hello everyone,

The following versions of Totara have now been released:

These versions do contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes various bug fixes and improvements.

Kind regards,
Release Team

Release 18.6 (22nd May 2024):

Important:

    TL-40161       Restored auto-login as guest for courses without guest enrolment enabled

                   Prior to Totara 18, when ‘Auto-login guests’ was enabled, unauthenticated
                   users would be automatically logged in as a guest when visiting any course page.
                   This was changed in 18.0 so that auto-login would only happen if guest enrolment
                   was enabled for the course.
                   
                   This patch essentially reverts that change, restoring the pre-Totara-18
                   behaviour of guest auto-login on courses. 
                   
                   Sites which wish to have the newer behaviour can enable
                   `$CFG->autologinnoguestaccess` in config.php. This setting will cause
                   unauthenticated users to be redirected to the login page if they visit a course
                   that does not have guest enrolment enabled.


Security issues:

    TL-38659       Improved the capability checks for updating the parent course category

                   Insufficient web service capability checks previously allowed users who had the
                   capability to manage a category, move it to a parent category they did not have
                   the capability to manage. This is now prevented, fixing CVE-2023-5549.

    TL-39344       Fixed unsafe unserialize() calls in log_tool (CVE-2023-6661)
    TL-40273       Fixed CVE-2024-32489 and CVE-2024-22640 security issues

                   * Fixed tcpdf vulnerable to Regular Expression Denial of Service. When parsing
                     an untrusted HTML page with a crafted colour.
                   * Fixed tcpdf Cross-site Scripting vulnerability.


Improvements:

    TL-40131       Heading of results table in reports has changed to 'Results - [X] records'

Bug fixes:

    TL-36587       Updated the 'Switch to the standard theme' option so it does not appear when the theme for the device is the same as the standard theme
    TL-36737       Fixed an error being thrown when manually marking course completion with an expired session
    TL-38518       Fixed various issues with the grade columns in Record of Learning reports

                   This patch has fixed the following 3 issues:
                   
                   *  The formatting of the ‘Grade and required grade’ column in the ‘Record
                   of learning: courses’ report, now matches the same column in the ‘course
                   completion’ report.
                   *  The ‘Pass grade’ column in the ‘Record of learning: Courses’ report
                   now displays the correct data, matching the same column in the ‘course
                   completion’ report.
                   * The ‘Grade and required grade’ column now correctly handles RPL grades as
                   a percentage value in both the ‘Record of Learning’ and ‘Course
                   Completion’ reports.

    TL-38635       Updated min and max grade strings to be sentence case
    TL-39050       Fixed issue where random glossary entry block wasn't randomising the display entry
    TL-39512       Fixed a page error when viewing the preview of a Quiz's 'missing words' question while using Weka editor
    TL-39608       Fixed the notifications not always being generated when a learning plan is deleted
    TL-39677       Fixed an error when viewing or printing a performance activity containing linked review responses for a disabled feature type.
    TL-39764       Fixed legacy goals not showing in performance activities when Totara goals enabled
    TL-39811       Fixed the action/export column for the "Performance activity response data" report when a new export format is added in the Export setting
    TL-39815       Fixed an issue where the user ids in a "Quiz attempt reviewed" event description were incorrect
    TL-39816       Fixed display of 'missing words' quiz question when the answer options contained a dollar sign followed by a number
    TL-39819       Fixed file download after uploading to the wiki activity administration area
    TL-39839       Fixed file unzip functionality when the file is uploaded to a file resource of a course.

                   Previously, when an uploaded zip file included a Windows system file
                   ‘Thumbs.db’, an error was thrown in some cases when trying to unzip the file
                   within the file resource’s form element.

    TL-39936       Made 'coursepageurl' placeholder in course reminders a clickable link
    TL-39939       Use regex-safe string replacement for wildcards in lesson activity answers
    TL-39962       Fixed a bug where the progress summary for linked courses in the competency profile were incorrect
    TL-40079       The capability required for a user to change their own language no longer requires the ability to edit their own profile.

                   The user preferences page 'Preferred language' previously required the
                   capability 'moodle/user:editownprofile' to work. This capability is available by
                   default to Authenticated users, however if it is unavailable then there's no way
                   for a user to change their own active language in Totara 18 and above.

                   This change introduces a new capability, 'moodle/user:editownlanguage' which is
                   assigned to the User archetype. This capability allows a user to edit their own
                   language without having access to edit their entire profile for sites that have
                   limited that ability.

                   If you have customised your roles so they are not associated with the Archetype
                   anymore you may need to grant this capability to the correct roles manually.

    TL-40132       Don't remove users with signupwaitlist permission when updating the attendees of a seminar event
    TL-40148       Fixed an error when filtering for individuals in the assignment tab of certifications
    TL-40206       Fixed an exception when viewing the programs tab in learning plan advanced workflow settings
    TL-40259       Fixed an error that occurred when viewing items in an Engage playlist that included courses
    TL-40319       Addressed an error triggered in completion_start_user_bulk() if more than 100000 enrolments records are present

                   In a previous version of Totara we made changes to completion_start_user_bulk
                   ([TL-36115|https://totara.atlassian.net/browse/TL-36115]) in an attempt to
                   address a performance issue when creating missing course_completion records.
                   This change was released for 15.28, 16.22, 17.16, and 18.3. Unfortunately this
                   change caused a regression: If more than 100000 user_enrolment records were
                   present the processing of any subsequent batch, PHP Notices were generated and
                   not all course completion records were processed. However there are redundant
                   locations which process missing completion records (e.g.
                   {{core\task\completion_daily_task}}).

                   This patch reverts the batching as apart from the bug introduced we found it was
                   not necessarily producing the intended result. We are actively looking at
                   alternatives to address the original performance issue.

    TL-40454       Fixed an issue on the competency profile where the progress summary of linked courses was not correctly displayed

                   Previously courses that a user had yet to start were being displayed as 'not
                   available', when they should have been displayed as 'not yet started', this has
                   been fixed.


Release 17.19 (22nd May 2024):

Security issues:

    TL-38659       Improved the capability checks for updating the parent course category

                   Insufficient web service capability checks previously allowed users who had the
                   capability to manage a category, move it to a parent category they did not have
                   the capability to manage. This is now prevented, fixing CVE-2023-5549.

    TL-39344       Fixed unsafe unserialize() calls in log_tool (CVE-2023-6661)
    TL-40273       Fixed CVE-2024-32489 and CVE-2024-22640 security issues

                   * Fixed tcpdf vulnerable to Regular Expression Denial of Service. When parsing
                     an untrusted HTML page with a crafted colour.
                   * Fixed tcpdf Cross-site Scripting vulnerability.


Improvements:

    TL-40131       Heading of results table in reports has changed to 'Results - [X] records'

Bug fixes:

    TL-36587       Updated the 'Switch to the standard theme' option so it does not appear when the theme for the device is the same as the standard theme
    TL-36737       Fixed an error being thrown when manually marking course completion with an expired session
    TL-38518       Fixed various issues with the grade columns in Record of Learning reports

                   This patch has fixed the following 3 issues:
                   
                   *  The formatting of the ‘Grade and required grade’ column in the ‘Record
                   of learning: courses’ report, now matches the same column in the ‘course
                   completion’ report.
                   *  The ‘Pass grade’ column in the ‘Record of learning: Courses’ report
                   now displays the correct data, matching the same column in the ‘course
                   completion’ report.
                   * The ‘Grade and required grade’ column now correctly handles RPL grades as
                   a percentage value in both the ‘Record of Learning’ and ‘Course
                   Completion’ reports.

    TL-39050       Fixed issue where random glossary entry block wasn't randomising the display entry
    TL-39466       Improved help text when editing a seminars settings
    TL-39512       Fixed a page error when viewing the preview of a Quiz's 'missing words' question while using Weka editor
    TL-39608       Fixed the notifications not always being generated when a learning plan is deleted
    TL-39677       Fixed an error when viewing or printing a performance activity containing linked review responses for a disabled feature type.
    TL-39811       Fixed the action/export column for the "Performance activity response data" report when a new export format is added in the Export setting
    TL-39815       Fixed an issue where the user ids in a "Quiz attempt reviewed" event description were incorrect
    TL-39816       Fixed display of 'missing words' quiz question when the answer options contained a dollar sign followed by a number
    TL-39839       Fixed file unzip functionality when the file is uploaded to a file resource of a course.

                   Previously, when an uploaded zip file included a Windows system file
                   ‘Thumbs.db’, an error was thrown in some cases when trying to unzip the file
                   within the file resource’s form element.

    TL-39939       Use regex-safe string replacement for wildcards in lesson activity answers
    TL-39962       Fixed a bug where the progress summary for linked courses in the competency profile were incorrect
    TL-40132       Don't remove users with signupwaitlist permission when updating the attendees of a seminar event
    TL-40319       Addressed an error triggered in completion_start_user_bulk() if more than 100000 enrolments records are present

                   In a previous version of Totara we made changes to completion_start_user_bulk
                   ([TL-36115|https://totara.atlassian.net/browse/TL-36115]) in an attempt to
                   address a performance issue when creating missing course_completion records.
                   This change was released for 15.28, 16.22, 17.16, and 18.3. Unfortunately this
                   change caused a regression: If more than 100000 user_enrolment records were
                   present the processing of any subsequent batch, PHP Notices were generated and
                   not all course completion records were processed. However there are redundant
                   locations which process missing completion records (e.g.
                   {{core\task\completion_daily_task}}).

                   This patch reverts the batching as apart from the bug introduced we found it was
                   not necessarily producing the intended result. We are actively looking at
                   alternatives to address the original performance issue.

    TL-40454       Fixed an issue on the competency profile where the progress summary of linked courses was not correctly displayed

                   Previously courses that a user had yet to start were being displayed as 'not
                   available', when they should have been displayed as 'not yet started', this has
                   been fixed.


Release 16.25 (22nd May 2024):

Security issues:

    TL-38659       Improved the capability checks for updating the parent course category

                   Insufficient web service capability checks previously allowed users who had the
                   capability to manage a category, move it to a parent category they did not have
                   the capability to manage. This is now prevented, fixing CVE-2023-5549.

    TL-39344       Fixed unsafe unserialize() calls in log_tool (CVE-2023-6661)
    TL-40273       Fixed CVE-2024-32489 and CVE-2024-22640 security issues

                   * Fixed tcpdf vulnerable to Regular Expression Denial of Service. When parsing
                   an untrusted HTML page with a crafted colour.
                   * Fixed tcpdf Cross-site Scripting vulnerability.


Bug fixes:

    TL-36587       Updated the 'Switch to the standard theme' option so it does not appear when the theme for the device is the same as the standard theme
    TL-39608       Fixed the notifications not always being generated when a learning plan is deleted
    TL-39815       Fixed an issue where the user ids in a "Quiz attempt reviewed" event description were incorrect
    TL-39816       Fixed display of 'missing words' quiz question when the answer options contained a dollar sign followed by a number
    TL-39962       Fixed a bug where the progress summary for linked courses in the competency profile were incorrect
    TL-40132       Don't remove users with signupwaitlist permission when updating the attendees of a seminar event
    TL-40319       Addressed an error triggered in completion_start_user_bulk() if more than 100000 enrolments records are present

                   In a previous version of Totara we made changes to completion_start_user_bulk
                   ([TL-36115|https://totara.atlassian.net/browse/TL-36115]) in an attempt to
                   address a performance issue when creating missing course_completion records.
                   This change was released for 15.28, 16.22, 17.16, and 18.3. Unfortunately this
                   change caused a regression: If more than 100000 user_enrolment records were
                   present the processing of any subsequent batch, PHP Notices were generated and
                   not all course completion records were processed. However there are redundant
                   locations which process missing completion records (e.g.
                   {{core\task\completion_daily_task}}).

                   This patch reverts the batching as apart from the bug introduced we found it was
                   not necessarily producing the intended result. We are actively looking at
                   alternatives to address the original performance issue.

    TL-40454       Fixed an issue on the competency profile where the progress summary of linked courses was not correctly displayed

                   Previously courses that a user had yet to start were being displayed as 'not
                   available', when they should have been displayed as 'not yet started', this has
                   been fixed.


Release 15.31 (22nd May 2024):

Security issues:

    TL-38659       Improved the capability checks for updating the parent course category

                   Insufficient web service capability checks previously allowed users who had the
                   capability to manage a category, move it to a parent category they did not have
                   the capability to manage. This is now prevented, fixing CVE-2023-5549.

    TL-39344       Fixed unsafe unserialize() calls in log_tool (CVE-2023-6661)
    TL-40273       Fixed CVE-2024-32489 and CVE-2024-22640 security issues

                   * Fixed tcpdf vulnerable to Regular Expression Denial of Service. When parsing
                   an untrusted HTML page with a crafted colour.
                   * Fixed tcpdf Cross-site Scripting vulnerability.


Bug fixes:

    TL-36587       Updated the 'Switch to the standard theme' option so it does not appear when the theme for the device is the same as the standard theme
    TL-39816       Fixed display of 'missing words' quiz question when the answer options contained a dollar sign followed by a number
    TL-40132       Don't remove users with signupwaitlist permission when updating the attendees of a seminar event
    TL-40319       Addressed an error triggered in completion_start_user_bulk() if more than 100000 enrolments records are present

                   In a previous version of Totara we made changes to completion_start_user_bulk
                   ([TL-36115|https://totara.atlassian.net/browse/TL-36115]) in an attempt to
                   address a performance issue when creating missing course_completion records.
                   This change was released for 15.28, 16.22, 17.16, and 18.3. Unfortunately this
                   change caused a regression: If more than 100000 user_enrolment records were
                   present the processing of any subsequent batch, PHP Notices were generated and
                   not all course completion records were processed. However there are redundant
                   locations which process missing completion records (e.g.
                   {{core\task\completion_daily_task}}).

                   This patch reverts the batching as apart from the bug introduced we found it was
                   not necessarily producing the intended result. We are actively looking at
                   alternatives to address the original performance issue.


Release 14.36 (22nd May 2024):

Security issues:

    TL-38659       Improved the capability checks for updating the parent course category

                   Insufficient web service capability checks previously allowed users who had the
                   capability to manage a category, move it to a parent category they did not have
                   the capability to manage. This is now prevented, fixing CVE-2023-5549.

    TL-39344       Fixed unsafe unserialize() calls in log_tool (CVE-2023-6661)
    TL-40273       Fixed CVE-2024-32489 and CVE-2024-22640 security issues

                   * Fixed tcpdf vulnerable to Regular Expression Denial of Service. When parsing
                   an untrusted HTML page with a crafted colour.
                   * Fixed tcpdf Cross-site Scripting vulnerability.


Bug fixes:

    TL-39816       Fixed display of 'missing words' quiz question when the answer options contained a dollar sign followed by a number
    TL-40132       Don't remove users with signupwaitlist permission when updating the attendees of a seminar event

Release 13.44 (22nd May 2024):

Security issues:

    TL-38659       Improved the capability checks for updating the parent course category

                   Insufficient web service capability checks previously allowed users who had the
                   capability to manage a category, move it to a parent category they did not have
                   the capability to manage. This is now prevented, fixing CVE-2023-5549.

    TL-39344       Fixed unsafe unserialize() calls in log_tool (CVE-2023-6661)
    TL-40273       Fixed CVE-2024-32489 and CVE-2024-22640 security issues

                   * Fixed tcpdf vulnerable to Regular Expression Denial of Service. When parsing
                   an untrusted HTML page with a crafted colour.
                   * Fixed tcpdf Cross-site Scripting vulnerability.


Bug fixes:

    TL-39816       Fixed display of 'missing words' quiz question when the answer options contained a dollar sign followed by a number
    TL-40132       Don't remove users with signupwaitlist permission when updating the attendees of a seminar event

Release 12.63 (22nd May 2024):

Security issues:

    TL-38659       Improved the capability checks for updating the parent course category

                   Insufficient web service capability checks previously allowed users who had the
                   capability to manage a category, move it to a parent category they did not have
                   the capability to manage. This is now prevented, fixing CVE-2023-5549.

    TL-39344       Fixed unsafe unserialize() calls in log_tool (CVE-2023-6661)

Release 11.63 (22nd May 2024):

Security issues:

    TL-39344       Fixed unsafe unserialize() calls in log_tool (CVE-2023-6661)

Release 10.65 (22nd May 2024):

Security issues:

    TL-39344       Fixed unsafe unserialize() calls in log_tool (CVE-2023-6661)

Release 9.71 (22nd May 2024):

Security issues:

    TL-39344       Fixed unsafe unserialize() calls in log_tool (CVE-2023-6661)

Release 2.9.68 (22nd May 2024):

Security issues:

    TL-39344       Fixed unsafe unserialize() calls in log_tool (CVE-2023-6661)

Release 2.7.73 (22nd May 2024):

Security issues:

    TL-39344       Fixed unsafe unserialize() calls in log_tool (CVE-2023-6661)