Totara Release Notes

Totara TXP 18.7, 17.20, 16.26, 15.32, 14.37, 13.45, 12.64, 11.64, 10.66, 9.72, 2.9.69, 2.7.74, 2.5.91 and 2.2.86 are now available

 
Angela Kuznetsova
Totara TXP 18.7, 17.20, 16.26, 15.32, 14.37, 13.45, 12.64, 11.64, 10.66, 9.72, 2.9.69, 2.7.74, 2.5.91 and 2.2.86 are now available
door Angela Kuznetsova - Monday, 17 June 2024, 19:02 PM
Groep Totara

Hello everyone,

The following versions of Totara have now been released:

These versions do contain security fixes, and for this reason we strongly recommend upgrade.
Each release also includes various bug fixes and improvements.

A big thanks to the following people for their contributions to this release:

  • * Ferenc Kis - Veloxnet Multimedia - TL-39637
  • * Paul Holden - TL-40603, TL-40604 
  • * Paul Holden - TL-40603, TL-40604, TL-40606 

Kind regards Release Team

Release 18.7 (18th June 2024):

Security issues:

    TL-40602       Fixed authenticated local file inclusion risk in mod_wiki (CVE-2024-34004)

                   Fixed authenticated local file inclusion risk in some misconfigured shared
                   hosting environments via modified mod_wiki backup.

    TL-40603       Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)

                   Fixed authenticated local file inclusion risk in some misconfigured shared
                   hosting environments via modified mod_workshop backup.

    TL-40604       Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)
    TL-40606       Fixed stored XSS in lesson overview report (CVE-2024-34000)
    TL-40819       Fixed multi-factor authentication bypass condition

Improvements:

    TL-39187       Added URL in engage article related events

                   Previously, it was not possible for site admins to be know which article had
                   been created on Engage so it could be reviewed.

                   The event monitoring tool uses the value returned from an event's get_url()
                   method to populate the "link" placeholder. Usually, most event classes have been
                   written to return a valid url but it is not compulsory practice to do so - this
                   is the case with the engage article related events. 

                   This ticket corrects this; now all the article related events (except remove
                   article) provide a URL.

    TL-39497       Default AI plugin is automatically set when enabling the only existing ai plugin
    TL-39857       Approval notification triggers are now only available within the workflow stage types in which they are able to be triggered
    TL-40407       Added retrieval, sorting and filtering on timemodified to external API queries for job assignments

                   Graphql query `totara_job_job_assignments` now includes a filters input field,
                   which includes `since_timemodified` for filtering job assignments to those
                   modified on or since the given date.
                   
                   Graphql type `totara_job_job_assignment` now includes field `timemodified`,
                   which details the time the job assignment was last modified. This field can be
                   sorted on via the existing sort query input.

    TL-40408       Added totara_job_job_assignment query to API

                   Added the `totara_job_job_assignment` graphql query to the external to allow
                   querying for a single specific job assignment. Useful for HR integrations

    TL-40468       Added a confirmation dialog when logging in and there is an existing active session

Bug fixes:

    TL-37437       Fixed PHP 8.1 warning in XMLDB editor
    TL-39066       Fixed assignment activity task cron execution when invalid pdf file is uploaded
    TL-39204       Fixed a warning icon incorrectly showing up for random quiz questions

                   This patch fixes the issue when a warning icon appears when a random question is
                   selected for a quiz activity, no matter how many questions are in the question
                   bank.

    TL-39498       Fixed inaccurate checks for active course enrolments leading to program enrolment failure
    TL-39503       Fixed resources uploaded by suspended users not being displayed in workspace libraries
    TL-39513       Fixed string formatting for competency framework name and competency name in summary page
    TL-39637       Fixed audience membership not correctly assigned when using organisation and program assignment

                   Previously, users were not added to a dynamic audience when there were two rule
                   sets with an {{OR}} condition between them, and the rules were based on
                   different organisations but the same program assignment.

    TL-39714       Fixed frozen date and time selector form fields not containing spaces
    TL-39783       Fixed the competency tab view of Record of learning to not show any results if competencies had no achievements
    TL-40544       Fixed incorrect parameters passed when recording approval workflow activity for notifications
    TL-40642       Fixed accessibility of 'Grading summary' table on the assignment activity page
    TL-40740       Allowed a OAuth instance to be created when no userinfo endpoint is defined

                   If no userinfo endpoint is defined, user information will not be requested run
                   when connecting to a system account. This can be used when configuring OAuth for
                   email and OICD support isn't required.

    TL-40748       Added Microsoft SMTP as a template to the OAuth 2 consumer page

                   To use XOAuth2 and Microsoft together with Azure, the setup has slightly changed
                   to meet the removal of the Outlook user API endpoints. A new template option has
                   been enabled that will not use the Outlook REST API and doesn’t require a
                   crossover with the ‘SMTP.Send’ and ‘User.Read’ scopes in tokens.

                   For an existing connection, if no userinfo endpoint is defined then when
                   connecting the system account no call will be attempted, and instead you will be
                   prompted to label the system account manually. This is only really useful when
                   using the system account for Email XOAuth, as the login flow do require the
                   userinfo endpoint.

    TL-40284       Improved accessibility of labels while viewing related terms in a glossary activity
    TL-40291       Improved accessibility of the submission status table for learners viewing their assignment activity
    TL-40295       Improved the accessibility of labels for date fields in a database activity
    TL-40297       Added a message clarifying what the required fields marker is when adding entries to a database activity
    TL-40568       Improved accessibility of the "Edit" buttons on feedback questions

                   Previously the aria label for these was just "Edit". They have now been updated
                   to include the name of the corresponding question, for example "Edit question
                   name".

    TL-40570       Added the presentation role attribute to the table of previously issued certificates to improve accessibility
    TL-40571       Changed the top row of cells in the course scale table to header cells

Contributions:

    * Ferenc Kis - Veloxnet Multimedia - TL-39637
    * Paul Holden  - TL-40603, TL-40604, TL-40606

Release 17.20 (18th June 2024):

Security issues:

    TL-40602       Fixed authenticated local file inclusion risk in mod_wiki (CVE-2024-34004)

                   Fixed authenticated local file inclusion risk in some misconfigured shared
                   hosting environments via modified mod_wiki backup.

    TL-40603       Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)

                   Fixed authenticated local file inclusion risk in some misconfigured shared
                   hosting environments via modified mod_workshop backup.

    TL-40604       Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)
    TL-40606       Fixed stored XSS in lesson overview report (CVE-2024-34000)

Improvements:

    TL-39187       Added URL in engage article related events

                   Previously, it was not possible for site admins to be know which article had
                   been created on Engage so it could be reviewed.

                   The event monitoring tool uses the value returned from an event's get_url()
                   method to populate the "link" placeholder. Usually, most event classes have been
                   written to return a valid url but it is not compulsory practice to do so - this
                   is the case with the engage article related events. 

                   This ticket corrects this; now all the article related events (except remove
                   article) provide a URL.

    TL-39857       Approval notification triggers are now only available within the workflow stage types in which they are able to be triggered

Bug fixes:

    TL-37437       Fixed PHP 8.1 warning in XMLDB editor
    TL-39066       Fixed assignment activity task cron execution when invalid pdf file is uploaded
    TL-39204       Fixed a warning icon incorrectly showing up for random quiz questions

                   This patch fixes the issue when a warning icon appears when a random question is
                   selected for a quiz activity, no matter how many questions are in the question
                   bank.

    TL-39498       Fixed inaccurate checks for active course enrolments leading to program enrolment failure
    TL-39503       Fixed resources uploaded by suspended users not being displayed in workspace libraries
    TL-39513       Fixed string formatting for competency framework name and competency name in summary page
    TL-39637       Fixed audience membership not correctly assigned when using organisation and program assignment

                   Previously, users were not added to a dynamic audience when there were two rule
                   sets with an {{OR}} condition between them, and the rules were based on
                   different organisations but the same program assignment.

    TL-39783       Fixed the competency tab view of Record of learning to not show any results if competencies had no achievements
    TL-40544       Fixed incorrect parameters passed when recording approval workflow activity for notifications
    TL-40642       Fixed accessibility of 'Grading summary' table on the assignment activity page
    TL-40284       Improved accessibility of labels while viewing related terms in a glossary activity
    TL-40291       Improved accessibility of the submission status table for learners viewing their assignment activity
    TL-40295       Improved the accessibility of labels for date fields in a database activity
    TL-40297       Added a message clarifying what the required fields marker is when adding entries to a database activity
    TL-40568       Improved accessibility of the "Edit" buttons on feedback questions

                   Previously the aria label for these was just "Edit". They have now been updated
                   to include the name of the corresponding question, for example "Edit question
                   name".

    TL-40570       Added the presentation role attribute to the table of previously issued certificates to improve accessibility
    TL-40571       Changed the top row of cells in the course scale table to header cells

Contributions:

    * Ferenc Kis - Veloxnet Multimedia - TL-39637
    * Paul Holden  - TL-40603, TL-40604, TL-40606

Release 16.26 (18th June 2024):

Security issues:

    TL-40602       Fixed authenticated local file inclusion risk in mod_wiki (CVE-2024-34004)

                   Fixed authenticated local file inclusion risk in some misconfigured shared
                   hosting environments via modified mod_wiki backup.

    TL-40603       Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)

                   Fixed authenticated local file inclusion risk in some misconfigured shared
                   hosting environments via modified mod_workshop backup.

    TL-40604       Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)
    TL-40606       Fixed stored XSS in lesson overview report (CVE-2024-34000)

Bug fixes:

    TL-39066       Fixed assignment activity task cron execution when invalid pdf file is uploaded
    TL-39204       Fixed a warning icon incorrectly showing up for random quiz questions

                   This patch fixes the issue when a warning icon appears when a random question is
                   selected for a quiz activity, no matter how many questions are in the question
                   bank.

    TL-39503       Fixed resources uploaded by suspended users not being displayed in workspace libraries
    TL-39637       Fixed audience membership not correctly assigned when using organisation and program assignment

                   Previously, users were not added to a dynamic audience when there were two rule
                   sets with an {{OR}} condition between them, and the rules were based on
                   different organisations but the same program assignment.


Contributions:

    * Ferenc Kis - Veloxnet Multimedia - TL-39637
    * Paul Holden  - TL-40603, TL-40604, TL-40606

Release 15.32 (18th June 2024):

Security issues:

    TL-40602       Fixed authenticated local file inclusion risk in mod_wiki (CVE-2024-34004)

                   Fixed authenticated local file inclusion risk in some misconfigured shared
                   hosting environments via modified mod_wiki backup.

    TL-40603       Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)

                   Fixed authenticated local file inclusion risk in some misconfigured shared
                   hosting environments via modified mod_workshop backup.

    TL-40604       Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)
    TL-40606       Fixed stored XSS in lesson overview report (CVE-2024-34000)

Bug fixes:

    TL-39204       Fixed a warning icon incorrectly showing up for random quiz questions

                   This patch fixes the issue when a warning icon appears when a random question is
                   selected for a quiz activity, no matter how many questions are in the question
                   bank.

    TL-39637       Fixed audience membership not correctly assigned when using organisation and program assignment

                   Previously, users were not added to a dynamic audience when there were two rule
                   sets with an {{OR}} condition between them, and the rules were based on
                   different organisations but the same program assignment.


Contributions:

    * Ferenc Kis - Veloxnet Multimedia - TL-39637
    * Paul Holden  - TL-40603, TL-40604, TL-40606

Release 14.37 (18th June 2024):

Security issues:

    TL-40602       Fixed authenticated local file inclusion risk in mod_wiki (CVE-2024-34004)

                   Fixed authenticated local file inclusion risk in some misconfigured shared
                   hosting environments via modified mod_wiki backup.

    TL-40603       Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)

                   Fixed authenticated local file inclusion risk in some misconfigured shared
                   hosting environments via modified mod_workshop backup.

    TL-40604       Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)
    TL-40606       Fixed stored XSS in lesson overview report (CVE-2024-34000)

Bug fixes:

    TL-39204       Fixed a warning icon incorrectly showing up for random quiz questions

                   This patch fixes the issue when a warning icon appears when a random question is
                   selected for a quiz activity, no matter how many questions are in the question
                   bank.


Contributions:

    * Paul Holden  - TL-40603, TL-40604, TL-40606

Release 13.45 (18th June 2024):

Security issues:

    TL-39351       Added missing capability check when viewing awarded badges (CVE-2023-6668)
    TL-40602       Fixed authenticated local file inclusion risk in mod_wiki (CVE-2024-34004)

                   Fixed authenticated local file inclusion risk in some misconfigured shared
                   hosting environments via modified mod_wiki backup.

    TL-40603       Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)

                   Fixed authenticated local file inclusion risk in some misconfigured shared
                   hosting environments via modified mod_workshop backup.

    TL-40604       Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)
    TL-40606       Fixed stored XSS in lesson overview report (CVE-2024-34000)

Bug fixes:

    TL-39204       Fixed a warning icon incorrectly showing up for random quiz questions

                   This patch fixes the issue when a warning icon appears when a random question is
                   selected for a quiz activity, no matter how many questions are in the question
                   bank.


Contributions:

    * Paul Holden  - TL-40603, TL-40604, TL-40606

Release 12.64 (18th June 2024):

Security issues:

    TL-39351       Added missing capability check when viewing awarded badges (CVE-2023-6668)
    TL-40602       Fixed authenticated local file inclusion risk in mod_wiki (CVE-2024-34004)

                   Fixed authenticated local file inclusion risk in some misconfigured shared
                   hosting environments via modified mod_wiki backup.

    TL-40603       Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)

                   Fixed authenticated local file inclusion risk in some misconfigured shared
                   hosting environments via modified mod_workshop backup.

    TL-40604       Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)

Contributions:

    * Paul Holden  - TL-40603, TL-40604

Release 11.64 (18th June 2024):

Security issues:

    TL-40602       Fixed authenticated local file inclusion risk in mod_wiki (CVE-2024-34004)

                   Fixed authenticated local file inclusion risk in some misconfigured shared
                   hosting environments via modified mod_wiki backup.

    TL-40603       Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)

                   Fixed authenticated local file inclusion risk in some misconfigured shared
                   hosting environments via modified mod_workshop backup.

    TL-40604       Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)

Contributions:

    * Paul Holden  - TL-40603, TL-40604

Release 10.66 (18th June 2024):

Security issues:

    TL-40602       Fixed authenticated local file inclusion risk in mod_wiki (CVE-2024-34004)

                   Fixed authenticated local file inclusion risk in some misconfigured shared
                   hosting environments via modified mod_wiki backup.

    TL-40603       Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)

                   Fixed authenticated local file inclusion risk in some misconfigured shared
                   hosting environments via modified mod_workshop backup.

    TL-40604       Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)

Contributions:

    * Paul Holden  - TL-40603, TL-40604

Release 9.72 (18th June 2024):

Security issues:

    TL-40602       Fixed authenticated local file inclusion risk in mod_wiki (CVE-2024-34004)

                   Fixed authenticated local file inclusion risk in some misconfigured shared
                   hosting environments via modified mod_wiki backup.

    TL-40603       Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)

                   Fixed authenticated local file inclusion risk in some misconfigured shared
                   hosting environments via modified mod_workshop backup.

    TL-40604       Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)

Contributions:

    * Paul Holden  - TL-40603, TL-40604

Release 2.9.69 (18th June 2024):

Security issues:

    TL-40602       Fixed authenticated local file inclusion risk in mod_wiki (CVE-2024-34004)

                   Fixed authenticated local file inclusion risk in some misconfigured shared
                   hosting environments via modified mod_wiki backup.

    TL-40603       Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)

                   Fixed authenticated local file inclusion risk in some misconfigured shared
                   hosting environments via modified mod_workshop backup.

    TL-40604       Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)

Contributions:

    * Paul Holden  - TL-40603, TL-40604

Release 2.7.74 (18th June 2024):

Security issues:

    TL-40603       Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)

                   Fixed authenticated local file inclusion risk in some misconfigured shared
                   hosting environments via modified mod_workshop backup.

    TL-40604       Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)

Contributions:

    * Paul Holden  - TL-40603, TL-40604

Release 2.5.91 (18th June 2024):

Security issues:

    TL-40603       Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)

                   Fixed authenticated local file inclusion risk in some misconfigured shared
                   hosting environments via modified mod_workshop backup.

    TL-40604       Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)

Contributions:

    * Paul Holden  - TL-40603, TL-40604

Release 2.2.86 (18th June 2024):

Security issues:

    TL-40603       Fixed authenticated local file inclusion risk in mod_workshop (CVE-2024-34003)

                   Fixed authenticated local file inclusion risk in some misconfigured shared
                   hosting environments via modified mod_workshop backup.

    TL-40604       Added stricter cleaning of a parameter when restoring feedback activity from backup (CVE-2024-34002)

Contributions:

    * Paul Holden  - TL-40603, TL-40604