Hello everyone,
The following versions of Totara have now been released:
- Release 18.7
- Release 17.20
- Release 16.26
- Release 15.32
- Release 14.37
- Release 13.45
- Release 12.64
- Release 11.64
- Release 10.66
- Release 9.72
- Release 2.9.69
- Release 2.7.74
- Release 2.5.91
- Release 2.2.86
These versions contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes various bug fixes and improvements.
A big thanks to the following people for their contributions to this release:
- Ferenc Kis - Veloxnet Multimedia - TL-39637
- Paul Holden - TL-40603, TL-40604, TL-40606
Kind regards,
Release Team
Release 18.7 (18th June 2024):
Security issues:
TL-40602 Fixed authenticated local file inclusion risk in mod_wiki (CVE-2024-34004)
Fixed authenticated local file inclusion risk in some misconfigured shared
hosting environments via modified mod_wiki backup.
TL-40603 Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)
Fixed authenticated local file inclusion risk in some misconfigured shared
hosting environments via modified mod_workshop backup.
TL-40604 Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)
TL-40606 Fixed stored XSS in lesson overview report (CVE-2024-34000)
TL-40819 Fixed multi-factor authentication bypass condition
Improvements:
TL-39187 Added URL in engage article related events
Previously, it was not possible for site admins to know which article had
been created on Engage so it could be reviewed.
The event monitoring tool uses the value returned from an event's get_url()
method to populate the "link" placeholder. Most event classes have been
written to return a valid URL, but it is not compulsory to do so, and the
Engage article related events did not.
This ticket corrects this; now all the article related events (except remove
article) provide a URL.
TL-39497 Default AI plugin is automatically set when enabling the only existing AI plugin
TL-39857 Approval notification triggers are now only available within the workflow stage types in which they are able to be triggered
TL-40407 Added retrieval, sorting and filtering on timemodified to external API queries for job assignments
GraphQL query `totara_job_job_assignments` now includes a filters input field,
which includes `since_timemodified` for filtering job assignments to those
modified on or since the given date.
GraphQL type `totara_job_job_assignment` now includes the field `timemodified`,
which gives the time the job assignment was last modified. This field can be
sorted on via the existing sort query input.
TL-40408 Added totara_job_job_assignment query to API
Added the `totara_job_job_assignment` GraphQL query to the external API to allow
querying for a single specific job assignment. Useful for HR integrations.
TL-40468 Added a confirmation dialog when logging in and there is an existing active session
Bug fixes:
TL-37437 Fixed PHP 8.1 warning in XMLDB editor
TL-39066 Fixed assignment activity task cron execution when invalid pdf file is uploaded
TL-39204 Fixed a warning icon incorrectly showing up for random quiz questions
This patch fixes an issue where a warning icon appeared whenever a random
question was selected for a quiz activity, no matter how many questions were in
the question bank.
TL-39498 Fixed inaccurate checks for active course enrolments leading to program enrolment failure
TL-39503 Fixed resources uploaded by suspended users not being displayed in workspace libraries
TL-39513 Fixed string formatting for competency framework name and competency name in summary page
TL-39637 Fixed audience membership not correctly assigned when using organisation and program assignment
Previously, users were not added to a dynamic audience when there were two rule
sets with an OR condition between them, and the rules were based on
different organisations but the same program assignment.
TL-39714 Fixed frozen date and time selector form fields not containing spaces
TL-39783 Fixed the competency tab view of Record of learning to not show any results if competencies had no achievements
TL-40544 Fixed incorrect parameters passed when recording approval workflow activity for notifications
TL-40642 Fixed accessibility of 'Grading summary' table on the assignment activity page
TL-40740 Allowed an OAuth instance to be created when no userinfo endpoint is defined
If no userinfo endpoint is defined, user information will not be requested
when connecting to a system account. This can be used when configuring OAuth for
email and OIDC support isn't required.
TL-40748 Added Microsoft SMTP as a template to the OAuth 2 consumer page
To use XOAuth2 and Microsoft together with Azure, the setup has slightly changed
to meet the removal of the Outlook user API endpoints. A new template option has
been enabled that will not use the Outlook REST API and doesn’t require a
crossover with the ‘SMTP.Send’ and ‘User.Read’ scopes in tokens.
For an existing connection, if no userinfo endpoint is defined then when
connecting the system account no call will be attempted, and instead you will be
prompted to label the system account manually. This is only really useful when
using the system account for Email XOAuth, as the login flow does require the
userinfo endpoint.
TL-40284 Improved accessibility of labels while viewing related terms in a glossary activity
TL-40291 Improved accessibility of the submission status table for learners viewing their assignment activity
TL-40295 Improved the accessibility of labels for date fields in a database activity
TL-40297 Added a message clarifying what the required fields marker is when adding entries to a database activity
TL-40568 Improved accessibility of the "Edit" buttons on feedback questions
Previously the aria label for these was just "Edit". They have now been updated
to include the name of the corresponding question, for example "Edit question
name".
TL-40570 Added the presentation role attribute to the table of previously issued certificates to improve accessibility
TL-40571 Changed the top row of cells in the course scale table to header cells
Contributions:
* Ferenc Kis - Veloxnet Multimedia - TL-39637
* Paul Holden - TL-40603, TL-40604, TL-40606
Release 17.20 (18th June 2024):
Security issues:
TL-40602 Fixed authenticated local file inclusion risk in mod_wiki (CVE-2024-34004)
Fixed authenticated local file inclusion risk in some misconfigured shared
hosting environments via modified mod_wiki backup.
TL-40603 Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)
Fixed authenticated local file inclusion risk in some misconfigured shared
hosting environments via modified mod_workshop backup.
TL-40604 Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)
TL-40606 Fixed stored XSS in lesson overview report (CVE-2024-34000)
Improvements:
TL-39187 Added URL in engage article related events
Previously, it was not possible for site admins to know which article had
been created on Engage so it could be reviewed.
The event monitoring tool uses the value returned from an event's get_url()
method to populate the "link" placeholder. Most event classes have been
written to return a valid URL, but it is not compulsory to do so, and the
Engage article related events did not.
This ticket corrects this; now all the article related events (except remove
article) provide a URL.
TL-39857 Approval notification triggers are now only available within the workflow stage types in which they are able to be triggered
Bug fixes:
TL-37437 Fixed PHP 8.1 warning in XMLDB editor
TL-39066 Fixed assignment activity task cron execution when invalid pdf file is uploaded
TL-39204 Fixed a warning icon incorrectly showing up for random quiz questions
This patch fixes an issue where a warning icon appeared whenever a random
question was selected for a quiz activity, no matter how many questions were in
the question bank.
TL-39498 Fixed inaccurate checks for active course enrolments leading to program enrolment failure
TL-39503 Fixed resources uploaded by suspended users not being displayed in workspace libraries
TL-39513 Fixed string formatting for competency framework name and competency name in summary page
TL-39637 Fixed audience membership not correctly assigned when using organisation and program assignment
Previously, users were not added to a dynamic audience when there were two rule
sets with an OR condition between them, and the rules were based on
different organisations but the same program assignment.
TL-39783 Fixed the competency tab view of Record of learning to not show any results if competencies had no achievements
TL-40544 Fixed incorrect parameters passed when recording approval workflow activity for notifications
TL-40642 Fixed accessibility of 'Grading summary' table on the assignment activity page
TL-40284 Improved accessibility of labels while viewing related terms in a glossary activity
TL-40291 Improved accessibility of the submission status table for learners viewing their assignment activity
TL-40295 Improved the accessibility of labels for date fields in a database activity
TL-40297 Added a message clarifying what the required fields marker is when adding entries to a database activity
TL-40568 Improved accessibility of the "Edit" buttons on feedback questions
Previously the aria label for these was just "Edit". They have now been updated
to include the name of the corresponding question, for example "Edit question
name".
TL-40570 Added the presentation role attribute to the table of previously issued certificates to improve accessibility
TL-40571 Changed the top row of cells in the course scale table to header cells
Contributions:
* Ferenc Kis - Veloxnet Multimedia - TL-39637
* Paul Holden - TL-40603, TL-40604, TL-40606
Release 16.26 (18th June 2024):
Security issues:
TL-40602 Fixed authenticated local file inclusion risk in mod_wiki (CVE-2024-34004)
Fixed authenticated local file inclusion risk in some misconfigured shared
hosting environments via modified mod_wiki backup.
TL-40603 Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)
Fixed authenticated local file inclusion risk in some misconfigured shared
hosting environments via modified mod_workshop backup.
TL-40604 Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)
TL-40606 Fixed stored XSS in lesson overview report (CVE-2024-34000)
Bug fixes:
TL-39066 Fixed assignment activity task cron execution when invalid pdf file is uploaded
TL-39204 Fixed a warning icon incorrectly showing up for random quiz questions
This patch fixes an issue where a warning icon appeared whenever a random
question was selected for a quiz activity, no matter how many questions were in
the question bank.
TL-39503 Fixed resources uploaded by suspended users not being displayed in workspace libraries
TL-39637 Fixed audience membership not correctly assigned when using organisation and program assignment
Previously, users were not added to a dynamic audience when there were two rule
sets with an OR condition between them, and the rules were based on
different organisations but the same program assignment.
Contributions:
* Ferenc Kis - Veloxnet Multimedia - TL-39637
* Paul Holden - TL-40603, TL-40604, TL-40606
Release 15.32 (18th June 2024):
Security issues:
TL-40602 Fixed authenticated local file inclusion risk in mod_wiki (CVE-2024-34004)
Fixed authenticated local file inclusion risk in some misconfigured shared
hosting environments via modified mod_wiki backup.
TL-40603 Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)
Fixed authenticated local file inclusion risk in some misconfigured shared
hosting environments via modified mod_workshop backup.
TL-40604 Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)
TL-40606 Fixed stored XSS in lesson overview report (CVE-2024-34000)
Bug fixes:
TL-39204 Fixed a warning icon incorrectly showing up for random quiz questions
This patch fixes an issue where a warning icon appeared whenever a random
question was selected for a quiz activity, no matter how many questions were in
the question bank.
TL-39637 Fixed audience membership not correctly assigned when using organisation and program assignment
Previously, users were not added to a dynamic audience when there were two rule
sets with an OR condition between them, and the rules were based on
different organisations but the same program assignment.
Contributions:
* Ferenc Kis - Veloxnet Multimedia - TL-39637
* Paul Holden - TL-40603, TL-40604, TL-40606
Release 14.37 (18th June 2024):
Security issues:
TL-40602 Fixed authenticated local file inclusion risk in mod_wiki (CVE-2024-34004)
Fixed authenticated local file inclusion risk in some misconfigured shared
hosting environments via modified mod_wiki backup.
TL-40603 Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)
Fixed authenticated local file inclusion risk in some misconfigured shared
hosting environments via modified mod_workshop backup.
TL-40604 Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)
TL-40606 Fixed stored XSS in lesson overview report (CVE-2024-34000)
Bug fixes:
TL-39204 Fixed a warning icon incorrectly showing up for random quiz questions
This patch fixes an issue where a warning icon appeared whenever a random
question was selected for a quiz activity, no matter how many questions were in
the question bank.
Contributions:
* Paul Holden - TL-40603, TL-40604, TL-40606
Release 13.45 (18th June 2024):
Security issues:
TL-39351 Added missing capability check when viewing awarded badges (CVE-2023-6668)
TL-40602 Fixed authenticated local file inclusion risk in mod_wiki (CVE-2024-34004)
Fixed authenticated local file inclusion risk in some misconfigured shared
hosting environments via modified mod_wiki backup.
TL-40603 Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)
Fixed authenticated local file inclusion risk in some misconfigured shared
hosting environments via modified mod_workshop backup.
TL-40604 Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)
TL-40606 Fixed stored XSS in lesson overview report (CVE-2024-34000)
Bug fixes:
TL-39204 Fixed a warning icon incorrectly showing up for random quiz questions
This patch fixes an issue where a warning icon appeared whenever a random
question was selected for a quiz activity, no matter how many questions were in
the question bank.
Contributions:
* Paul Holden - TL-40603, TL-40604, TL-40606
Release 12.64 (18th June 2024):
Security issues:
TL-39351 Added missing capability check when viewing awarded badges (CVE-2023-6668)
TL-40602 Fixed authenticated local file inclusion risk in mod_wiki (CVE-2024-34004)
Fixed authenticated local file inclusion risk in some misconfigured shared
hosting environments via modified mod_wiki backup.
TL-40603 Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)
Fixed authenticated local file inclusion risk in some misconfigured shared
hosting environments via modified mod_workshop backup.
TL-40604 Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)
Contributions:
* Paul Holden - TL-40603, TL-40604
Release 11.64 (18th June 2024):
Security issues:
TL-40602 Fixed authenticated local file inclusion risk in mod_wiki (CVE-2024-34004)
Fixed authenticated local file inclusion risk in some misconfigured shared
hosting environments via modified mod_wiki backup.
TL-40603 Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)
Fixed authenticated local file inclusion risk in some misconfigured shared
hosting environments via modified mod_workshop backup.
TL-40604 Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)
Contributions:
* Paul Holden - TL-40603, TL-40604
Release 10.66 (18th June 2024):
Security issues:
TL-40602 Fixed authenticated local file inclusion risk in mod_wiki (CVE-2024-34004)
Fixed authenticated local file inclusion risk in some misconfigured shared
hosting environments via modified mod_wiki backup.
TL-40603 Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)
Fixed authenticated local file inclusion risk in some misconfigured shared
hosting environments via modified mod_workshop backup.
TL-40604 Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)
Contributions:
* Paul Holden - TL-40603, TL-40604
Release 9.72 (18th June 2024):
Security issues:
TL-40602 Fixed authenticated local file inclusion risk in mod_wiki (CVE-2024-34004)
Fixed authenticated local file inclusion risk in some misconfigured shared
hosting environments via modified mod_wiki backup.
TL-40603 Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)
Fixed authenticated local file inclusion risk in some misconfigured shared
hosting environments via modified mod_workshop backup.
TL-40604 Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)
Contributions:
* Paul Holden - TL-40603, TL-40604
Release 2.9.69 (18th June 2024):
Security issues:
TL-40602 Fixed authenticated local file inclusion risk in mod_wiki (CVE-2024-34004)
Fixed authenticated local file inclusion risk in some misconfigured shared
hosting environments via modified mod_wiki backup.
TL-40603 Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)
Fixed authenticated local file inclusion risk in some misconfigured shared
hosting environments via modified mod_workshop backup.
TL-40604 Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)
Contributions:
* Paul Holden - TL-40603, TL-40604
Release 2.7.74 (18th June 2024):
Security issues:
TL-40603 Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)
Fixed authenticated local file inclusion risk in some misconfigured shared
hosting environments via modified mod_workshop backup.
TL-40604 Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)
Contributions:
* Paul Holden - TL-40603, TL-40604
Release 2.5.91 (18th June 2024):
Security issues:
TL-40603 Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)
Fixed authenticated local file inclusion risk in some misconfigured shared
hosting environments via modified mod_workshop backup.
TL-40604 Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)
Contributions:
* Paul Holden - TL-40603, TL-40604
Release 2.2.86 (18th June 2024):
Security issues:
TL-40603 Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)
Fixed authenticated local file inclusion risk in some misconfigured shared
hosting environments via modified mod_workshop backup.
TL-40604 Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)
Contributions:
* Paul Holden - TL-40603, TL-40604
