Hello everyone,
The following versions of Totara have now been released:
- Release 18.8
- Release 17.21
- Release 16.27
- Release 15.33
- Release 14.38
- Release 13.46
- Release 12.65
- Release 11.65
- Release 10.67
- Release 9.73
- Release 2.9.70
- Release 2.7.75
These versions contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes various bug fixes and improvements.
Kind regards,
Release Team
Release 18.8 (6th August 2024):
Security issues:
- TL-34395 Fixed security vulnerability with URLs in Weka editor when creating an article
- TL-38232 Fixed stored XSS in SVG files
- TL-39346 Fixed infinite recursion when importing CSS in URL downloader (CVE-2023-6662)
  There are checks on URLs that attempt to limit recursion when parse_file is called. This is problematic for CSS import URLs, which can chain an indefinite number of nested import URLs. An import limit has been introduced to address this. Fragments are also now stripped from CSS URLs.
- TL-40601 Fixed Local File Inclusion (LFI) risk in mod_data (CVE-2024-34005)
- TL-40665 Fixed an XSS vulnerability in the user selector component (CVE-2024-34000)
New features:
- TL-39118 Introduced the AI integration framework and suggest course tags interaction
  Introduced the AI integration subsystem, providing a structured approach to incorporating AI tools and features into Totara via AI plugins.
  * Developers can now define and introduce AI plugins with a clear list of supported features
  * New interactions can be added from any Totara component through these AI plugins
  * Added functionality to manage AI plugins and designate one as the default
  * Defined a generative prompt feature that can be implemented by AI plugins
  Also, we've introduced a 'suggest course tags' interaction which demonstrates how to create an interaction.
Improvements:
- TL-38165 Added Totara 19 minimum server requirements to the Admin Environment checks page
Bug fixes:
- TL-38256 Fixed OAuth 2.0 authentication plugin not being robust to user email changes
  The OAuth 2.0 authentication plugin now identifies users by the OIDC 'sub' claim, which never changes, instead of the user's email address. This resolves an issue where users could be locked out of their accounts if their email address changed at the identity provider, even if only from uppercase to lowercase.
- TL-39162 Fixed a scenario where colours could not be linked to specific data sets in report builder charts
  Colours used in report builder charts are defined in a list, and the next available colour is taken from the list when needed. When reports were filtered there was no way to link a specific colour to a specific dataset, so colours shifted between different views. With this change it is possible to override chart colours for a specific dataset in the advanced settings section as needed. For more information please see the developer documentation: https://totara.atlassian.net/wiki/spaces/DEV/pages/121184255/Advanced+settings
- TL-39494 Resolved an issue in the audience reports where sorting on the status column was not working
- TL-39653 Updated the display text shown when the quiz activity is failed in a pathway format course
- TL-39828 Fixed incorrect job assignments being cloned when cloning an application in approval workflows
  Previously, the job assignment was copied from the old application during cloning. Now we check whether the applicant has an assignment in the workflow type and use the applicant's current job assignment while cloning. If the applicant has more than one job assignment, the user can choose the preferred one.
- TL-39968 Fixed invalid custom field record IDs resulting in errors on the hierarchy item list page
  Implemented a new base data provider and search filter for hierarchy items using Totara ORM. This addresses an issue where hierarchy custom field record IDs did not match and an error was thrown on the hierarchy item list page.
- TL-40321 Fixed tenant users not having access to H5P libraries and cached assets
- TL-40364 Fixed Site Administrators being unable to add users to a seminar waitlist
- TL-40391 Fixed failure when exporting the Program Overview report in Excel or ODS format
- TL-40957 Fixed PHPUnit test snapshots not restoring tables where data was deleted through a foreign key constraint
  This only affects PHPUnit tests. On MySQL and MariaDB, deletion of data through cascading delete constraints does not fire the triggers used to mark tables as modified, and only tables marked as modified are rolled back after each test. This resulted in data not being properly restored after tests, which could cause other tests to fail.
- TL-40966 Added a MariaDB optimiser hint for search depth, as some versions of MariaDB could get stuck when looking up context capabilities
  MariaDB versions 10.5 and earlier have an issue with the default setting for optimizer_search_depth where some complex queries can cause the optimizer to take a long time to generate a query plan. This can be fixed by adjusting the optimizer_search_depth setting. The has_capability_in_any_context function has been updated to include an optimizer hint, as this problem could occur for MariaDB sites with a complicated context tree. This optimisation is off by default, but can be enabled by setting a value for $CFG->mariadb_search_depth_has_capability_in_context in config.php. For valid values or more information please see the MariaDB documentation: https://mariadb.com/docs/server/ref/mdb/system-variables/optimizer_search_depth/
- TL-35562 Fixed discussion content in workspaces to fit mobile view
- TL-37338 Fixed the HTML heading order on the notification page
- TL-37340 Fixed an issue where an empty link was being created in the notification footer
- TL-40293 Fixed an accessibility issue with YUI modals not returning focus to the original element
- TL-40805 Fixed an accessibility issue with row headers in report builder
  Previously, tables generated by the report builder had no row header defined, which is a potential accessibility issue. To address this we implemented the ability to configure which column is used as a row header in each report. When a column is configured as a row header it renders on the page as a <th> tag with a scope of row, allowing screen readers to read the report results in a more understandable manner.
- TL-40806 Improved truncation of course names in the current learning block
- TL-40836 Added missing aria labels on the 'Show non-respondents' tab of a feedback activity
- TL-40838 Added an aria-label to the response charts on the analysis tab of a feedback activity
- TL-40891 Improved accessibility of the course section select box
Recommendations engine:
- TL-40020 Upgraded libraries used by Machine Learning Service
  Please upgrade your installed services, as there have been minor changes to the service to support the upgraded libraries.
  * Upgraded Flask package to version 2.2.5
  * Upgraded lightfm package to version 1.17
  * Upgraded nltk package to version 3.8.1 (CVE-2021-43854, CVE-2021-3842, CVE-2021-3828)
  * Upgraded requests package to version 2.31.0 (CVE-2023-32681)
  * Upgraded scikit-learn package to version 1.0.2 (CVE-2020-28975)
  * Upgraded scipy package to version 1.7.3
  * Upgraded certifi package to version 2024.7.4 (CVE-2023-37920, CVE-2022-23491)
  * Upgraded Jinja2 package to version 3.1.4 (CVE-2024-22195)
  * Upgraded joblib package to version 1.3.2 (CVE-2022-21797)
  * Upgraded MarkupSafe package to version 2.1.5
  * Upgraded urllib3 package to version 2.0.7 (CVE-2023-45803, CVE-2023-43804)
  * Upgraded Werkzeug package to version 2.2.3
- TL-40797 Upgraded libraries used by the recommendations engine
  * Upgraded certifi to version 2024.7.4 (CVE-2023-37920, CVE-2022-23491)
  * Upgraded urllib3 to version 1.26.19 (CVE-2023-43804, CVE-2023-45803)
Library updates:
- TL-38136 Updated the PhpCAS library to 1.6.1 (CVE-2022-39369)
- TL-40938 Updated eslint to 8.57.0
Release 17.21 (6th August 2024):
Security issues:
- TL-34395 Fixed security vulnerability with URLs in Weka editor when creating an article
- TL-38232 Fixed stored XSS in SVG files
- TL-39346 Fixed infinite recursion when importing CSS in URL downloader (CVE-2023-6662)
  There are checks on URLs that attempt to limit recursion when parse_file is called. This is problematic for CSS import URLs, which can chain an indefinite number of nested import URLs. An import limit has been introduced to address this. Fragments are also now stripped from CSS URLs.
- TL-40601 Fixed Local File Inclusion (LFI) risk in mod_data (CVE-2024-34005)
- TL-40665 Fixed an XSS vulnerability in the user selector component (CVE-2024-34000)
Improvements:
- TL-38165 Added Totara 19 minimum server requirements to the Admin Environment checks page
Bug fixes:
- TL-39162 Fixed a scenario where colours could not be linked to specific data sets in report builder charts
  Colours used in report builder charts are defined in a list, and the next available colour is taken from the list when needed. When reports were filtered there was no way to link a specific colour to a specific dataset, so colours shifted between different views. With this change it is possible to override chart colours for a specific dataset in the advanced settings section as needed. For more information please see the developer documentation: https://totara.atlassian.net/wiki/spaces/DEV/pages/121184255/Advanced+settings
- TL-39494 Resolved an issue in the audience reports where sorting on the status column was not working
- TL-39968 Fixed invalid custom field record IDs resulting in errors on the hierarchy item list page
  Implemented a new base data provider and search filter for hierarchy items using Totara ORM. This addresses an issue where hierarchy custom field record IDs did not match and an error was thrown on the hierarchy item list page.
- TL-40364 Fixed Site Administrators being unable to add users to a seminar waitlist
- TL-40544 Fixed incorrect parameters passed when recording approval workflow activity for notifications
  This was mistakenly announced in a previous version of 17, but has now been included.
- TL-40957 Fixed PHPUnit test snapshots not restoring tables where data was deleted through a foreign key constraint
  This only affects PHPUnit tests. On MySQL and MariaDB, deletion of data through cascading delete constraints does not fire the triggers used to mark tables as modified, and only tables marked as modified are rolled back after each test. This resulted in data not being properly restored after tests, which could cause other tests to fail.
- TL-37338 Fixed the HTML heading order on the notification page
- TL-37340 Fixed an issue where an empty link was being created in the notification footer
- TL-40836 Added missing aria labels on the 'Show non-respondents' tab of a feedback activity
- TL-40838 Added an aria-label to the response charts on the analysis tab of a feedback activity
Recommendations engine:
- TL-40020 Upgraded libraries used by Machine Learning Service
  Please upgrade your installed services, as there have been minor changes to the service to support the upgraded libraries.
  * Upgraded Flask package to version 2.2.5
  * Upgraded lightfm package to version 1.17
  * Upgraded nltk package to version 3.8.1 (CVE-2021-43854, CVE-2021-3842, CVE-2021-3828)
  * Upgraded requests package to version 2.31.0 (CVE-2023-32681)
  * Upgraded scikit-learn package to version 1.0.2 (CVE-2020-28975)
  * Upgraded scipy package to version 1.7.3
  * Upgraded certifi package to version 2024.7.4 (CVE-2023-37920, CVE-2022-23491)
  * Upgraded Jinja2 package to version 3.1.4 (CVE-2024-22195)
  * Upgraded joblib package to version 1.3.2 (CVE-2022-21797)
  * Upgraded MarkupSafe package to version 2.1.5
  * Upgraded urllib3 package to version 2.0.7 (CVE-2023-45803, CVE-2023-43804)
  * Upgraded Werkzeug package to version 2.2.3
- TL-40797 Upgraded libraries used by the recommendations engine
  * Upgraded certifi to version 2024.7.4 (CVE-2023-37920, CVE-2022-23491)
  * Upgraded urllib3 to version 1.26.19 (CVE-2023-43804, CVE-2023-45803)
Library updates:
- TL-38136 Updated the PhpCAS library to 1.6.1 (CVE-2022-39369)
Release 16.27 (6th August 2024):
Security issues:
- TL-34395 Fixed security vulnerability with URLs in Weka editor when creating an article
- TL-38232 Fixed stored XSS in SVG files
- TL-39346 Fixed infinite recursion when importing CSS in URL downloader (CVE-2023-6662)
  There are checks on URLs that attempt to limit recursion when parse_file is called. This is problematic for CSS import URLs, which can chain an indefinite number of nested import URLs. An import limit has been introduced to address this. Fragments are also now stripped from CSS URLs.
- TL-40601 Fixed Local File Inclusion (LFI) risk in mod_data (CVE-2024-34005)
- TL-40665 Fixed an XSS vulnerability in the user selector component (CVE-2024-34000)
Improvements:
- TL-38165 Added Totara 19 minimum server requirements to the Admin Environment checks page
Bug fixes:
- TL-40364 Fixed Site Administrators being unable to add users to a seminar waitlist
- TL-40957 Fixed PHPUnit test snapshots not restoring tables where data was deleted through a foreign key constraint
  This only affects PHPUnit tests. On MySQL and MariaDB, deletion of data through cascading delete constraints does not fire the triggers used to mark tables as modified, and only tables marked as modified are rolled back after each test. This resulted in data not being properly restored after tests, which could cause other tests to fail.
Recommendations engine:
- TL-40020 Upgraded libraries used by Machine Learning Service
  Please upgrade your installed services, as there have been minor changes to the service to support the upgraded libraries.
  * Upgraded Flask package to version 2.2.5
  * Upgraded lightfm package to version 1.17
  * Upgraded nltk package to version 3.8.1 (CVE-2021-43854, CVE-2021-3842, CVE-2021-3828)
  * Upgraded requests package to version 2.31.0 (CVE-2023-32681)
  * Upgraded scikit-learn package to version 1.0.2 (CVE-2020-28975)
  * Upgraded scipy package to version 1.7.3
  * Upgraded certifi package to version 2024.7.4 (CVE-2023-37920, CVE-2022-23491)
  * Upgraded Jinja2 package to version 3.1.4 (CVE-2024-22195)
  * Upgraded joblib package to version 1.3.2 (CVE-2022-21797)
  * Upgraded MarkupSafe package to version 2.1.5
  * Upgraded urllib3 package to version 2.0.7 (CVE-2023-45803, CVE-2023-43804)
  * Upgraded Werkzeug package to version 2.2.3
- TL-40797 Upgraded libraries used by the recommendations engine
  * Upgraded certifi to version 2024.7.4 (CVE-2023-37920, CVE-2022-23491)
  * Upgraded urllib3 to version 1.26.19 (CVE-2023-43804, CVE-2023-45803)
Library updates:
- TL-38136 Updated the PhpCAS library to 1.6.1 (CVE-2022-39369)
Release 15.33 (6th August 2024):
Security issues:
- TL-34395 Fixed security vulnerability with URLs in Weka editor when creating an article
- TL-38232 Fixed stored XSS in SVG files
- TL-39346 Fixed infinite recursion when importing CSS in URL downloader (CVE-2023-6662)
  There are checks on URLs that attempt to limit recursion when parse_file is called. This is problematic for CSS import URLs, which can chain an indefinite number of nested import URLs. An import limit has been introduced to address this. Fragments are also now stripped from CSS URLs.
- TL-40601 Fixed Local File Inclusion (LFI) risk in mod_data (CVE-2024-34005)
- TL-40665 Fixed an XSS vulnerability in the user selector component (CVE-2024-34000)
Improvements:
- TL-38165 Added Totara 19 minimum server requirements to the Admin Environment checks page
Bug fixes:
- TL-40364 Fixed Site Administrators being unable to add users to a seminar waitlist
- TL-40957 Fixed PHPUnit test snapshots not restoring tables where data was deleted through a foreign key constraint
  This only affects PHPUnit tests. On MySQL and MariaDB, deletion of data through cascading delete constraints does not fire the triggers used to mark tables as modified, and only tables marked as modified are rolled back after each test. This resulted in data not being properly restored after tests, which could cause other tests to fail.
Recommendations engine:
- TL-40020 Upgraded libraries used by Machine Learning Service
  Please upgrade your installed services, as there have been minor changes to the service to support the upgraded libraries.
  * Upgraded Flask package to version 2.2.5
  * Upgraded lightfm package to version 1.17
  * Upgraded nltk package to version 3.8.1 (CVE-2021-43854, CVE-2021-3842, CVE-2021-3828)
  * Upgraded requests package to version 2.31.0 (CVE-2023-32681)
  * Upgraded scikit-learn package to version 1.0.2 (CVE-2020-28975)
  * Upgraded scipy package to version 1.7.3
  * Upgraded certifi package to version 2024.7.4 (CVE-2023-37920, CVE-2022-23491)
  * Upgraded Jinja2 package to version 3.1.4 (CVE-2024-22195)
  * Upgraded joblib package to version 1.3.2 (CVE-2022-21797)
  * Upgraded MarkupSafe package to version 2.1.5
  * Upgraded urllib3 package to version 2.0.7 (CVE-2023-45803, CVE-2023-43804)
  * Upgraded Werkzeug package to version 2.2.3
- TL-40797 Upgraded libraries used by the recommendations engine
  * Upgraded certifi to version 2024.7.4 (CVE-2023-37920, CVE-2022-23491)
  * Upgraded urllib3 to version 1.26.19 (CVE-2023-43804, CVE-2023-45803)
Library updates:
- TL-38136 Updated the PhpCAS library to 1.6.1 (CVE-2022-39369)
Release 14.38 (6th August 2024):
Security issues:
- TL-34395 Fixed security vulnerability with URLs in Weka editor when creating an article
- TL-38232 Fixed stored XSS in SVG files
- TL-39346 Fixed infinite recursion when importing CSS in URL downloader (CVE-2023-6662)
  There are checks on URLs that attempt to limit recursion when parse_file is called. This is problematic for CSS import URLs, which can chain an indefinite number of nested import URLs. An import limit has been introduced to address this. Fragments are also now stripped from CSS URLs.
- TL-40601 Fixed Local File Inclusion (LFI) risk in mod_data (CVE-2024-34005)
- TL-40665 Fixed an XSS vulnerability in the user selector component (CVE-2024-34000)
Improvements:
- TL-38165 Added Totara 19 minimum server requirements to the Admin Environment checks page
Bug fixes:
- TL-40364 Fixed Site Administrators being unable to add users to a seminar waitlist
- TL-40957 Fixed PHPUnit test snapshots not restoring tables where data was deleted through a foreign key constraint
  This only affects PHPUnit tests. On MySQL and MariaDB, deletion of data through cascading delete constraints does not fire the triggers used to mark tables as modified, and only tables marked as modified are rolled back after each test. This resulted in data not being properly restored after tests, which could cause other tests to fail.
Recommendations engine:
- TL-40797 Upgraded libraries used by the recommendations engine
  * Upgraded certifi to version 2024.7.4 (CVE-2023-37920, CVE-2022-23491)
  * Upgraded urllib3 to version 1.26.19 (CVE-2023-43804, CVE-2023-45803)
Library updates:
- TL-38136 Updated the PhpCAS library to 1.6.1 (CVE-2022-39369)
Release 13.46 (6th August 2024):
Security issues:
- TL-34395 Fixed security vulnerability with URLs in Weka editor when creating an article
- TL-38232 Fixed stored XSS in SVG files
- TL-39346 Fixed infinite recursion when importing CSS in URL downloader (CVE-2023-6662)
  There are checks on URLs that attempt to limit recursion when parse_file is called. This is problematic for CSS import URLs, which can chain an indefinite number of nested import URLs. An import limit has been introduced to address this. Fragments are also now stripped from CSS URLs.
- TL-40601 Fixed Local File Inclusion (LFI) risk in mod_data (CVE-2024-34005)
- TL-40665 Fixed an XSS vulnerability in the user selector component (CVE-2024-34000)
Improvements:
- TL-38165 Added Totara 19 minimum server requirements to the Admin Environment checks page
Bug fixes:
- TL-40364 Fixed Site Administrators being unable to add users to a seminar waitlist
- TL-40957 Fixed PHPUnit test snapshots not restoring tables where data was deleted through a foreign key constraint
  This only affects PHPUnit tests. On MySQL and MariaDB, deletion of data through cascading delete constraints does not fire the triggers used to mark tables as modified, and only tables marked as modified are rolled back after each test. This resulted in data not being properly restored after tests, which could cause other tests to fail.
Recommendations engine:
- TL-40797 Upgraded libraries used by the recommendations engine
  * Upgraded certifi to version 2024.7.4 (CVE-2023-37920, CVE-2022-23491)
  * Upgraded urllib3 to version 1.26.19 (CVE-2023-43804, CVE-2023-45803)
Library updates:
- TL-38136 Updated the PhpCAS library to 1.6.1 (CVE-2022-39369)
Release 12.65 (6th August 2024):
Security issues:
- TL-39346 Fixed infinite recursion when importing CSS in URL downloader (CVE-2023-6662)
  There are checks on URLs that attempt to limit recursion when parse_file is called. This is problematic for CSS import URLs, which can chain an indefinite number of nested import URLs. An import limit has been introduced to address this. Fragments are also now stripped from CSS URLs.
Release 11.65 (6th August 2024):
Security issues:
- TL-39346 Fixed infinite recursion when importing CSS in URL downloader (CVE-2023-6662)
  There are checks on URLs that attempt to limit recursion when parse_file is called. This is problematic for CSS import URLs, which can chain an indefinite number of nested import URLs. An import limit has been introduced to address this. Fragments are also now stripped from CSS URLs.
Release 10.67 (6th August 2024):
Security issues:
- TL-39346 Fixed infinite recursion when importing CSS in URL downloader (CVE-2023-6662)
  There are checks on URLs that attempt to limit recursion when parse_file is called. This is problematic for CSS import URLs, which can chain an indefinite number of nested import URLs. An import limit has been introduced to address this. Fragments are also now stripped from CSS URLs.
Release 9.73 (6th August 2024):
Security issues:
- TL-39346 Fixed infinite recursion when importing CSS in URL downloader (CVE-2023-6662)
  There are checks on URLs that attempt to limit recursion when parse_file is called. This is problematic for CSS import URLs, which can chain an indefinite number of nested import URLs. An import limit has been introduced to address this. Fragments are also now stripped from CSS URLs.
Release 2.9.70 (6th August 2024):
Security issues:
- TL-39346 Fixed infinite recursion when importing CSS in URL downloader (CVE-2023-6662)
  There are checks on URLs that attempt to limit recursion when parse_file is called. This is problematic for CSS import URLs, which can chain an indefinite number of nested import URLs. An import limit has been introduced to address this. Fragments are also now stripped from CSS URLs.
Release 2.7.75 (6th August 2024):
Security issues:
- TL-39346 Fixed infinite recursion when importing CSS in URL downloader (CVE-2023-6662)
  There are checks on URLs that attempt to limit recursion when parse_file is called. This is problematic for CSS import URLs, which can chain an indefinite number of nested import URLs. An import limit has been introduced to address this. Fragments are also now stripped from CSS URLs.
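The two controls described for TL-39346 in every release above, an import limit plus fragment stripping, as an added Python illustration that is not Totara's parse_file code. The fetcher, the origin, the cap value and the CSS documents are all constructed for the demo; the point is that a self-import hidden behind a fragment is recognised as the same resource, and an endless @import chain is cut off at the cap instead of recursing forever.

```python
"""Bounded CSS @import resolution: a hard import cap plus fragment stripping.

Constructed illustration of the controls described for TL-39346 (CVE-2023-6662);
not Totara's parse_file code. Fetcher, cap and CSS documents are made up.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urldefrag, urljoin

# Matches @import "x.css";  @import 'x.css';  @import url(x.css);  @import url("x.css") screen;
IMPORT_RE = re.compile(
    r"""@import\s+(?:url\(\s*)?["']?([^"')\s;]+)["']?\s*\)?[^;]*;""", re.IGNORECASE
)
MAX_IMPORTS = 10  # assumed cap for the demo; the release note does not state Totara's value


@dataclass
class ImportResult:
    fetched: list = field(default_factory=list)  # canonical URLs, in fetch order
    limit_hit: bool = False                      # True when the cap stopped the walk


def canonical(url: str) -> str:
    """Strip the #fragment so a.css#x and a.css count as the same resource."""
    return urldefrag(url)[0]


def resolve_imports(start_url, fetch, max_imports=MAX_IMPORTS) -> ImportResult:
    """Follow @import chains breadth-first, fetching each resource at most once
    and never more than max_imports resources in total."""
    result = ImportResult()
    seen = set()
    queue = [canonical(start_url)]
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue  # cycles and repeated imports are not fetched again
        if len(result.fetched) >= max_imports:
            result.limit_hit = True  # stop instead of following an unbounded chain
            break
        seen.add(url)
        css = fetch(url)
        result.fetched.append(url)
        for m in IMPORT_RE.finditer(css):
            queue.append(canonical(urljoin(url, m.group(1))))
    return result


BASE = "https://example.test/css/"  # constructed origin


def fake_fetch(url: str) -> str:
    """Stand-in for the downloader; serves constructed CSS and never touches the network."""
    name = url[len(BASE):]
    if name == "site.css":  # imports itself via a fragment, plus a sibling
        return '@import url("site.css#v2");\n@import "theme.css";\nbody {}'
    if name == "theme.css":  # cycles back to site.css
        return "@import 'site.css';\nh1 {}"
    if name.startswith("chain"):  # chain0 -> chain1 -> chain2 -> ... forever
        n = int(name[len("chain"):-len(".css")])
        return f'@import "chain{n + 1}.css";'
    return ""


def demo_cycle() -> ImportResult:
    """Self-import behind a fragment and a two-file cycle: two fetches, no limit hit."""
    return resolve_imports(BASE + "site.css", fake_fetch)


def demo_chain() -> ImportResult:
    """Endless import chain: the cap stops the walk after MAX_IMPORTS fetches."""
    return resolve_imports(BASE + "chain0.css", fake_fetch)
```

Without canonicalisation the `seen` check would key on the full URL, so a fragment would make the same stylesheet look like a new resource; the cap is the backstop for chains the dedup cannot see, such as a server that answers every request with a fresh import target.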