Totara Release Notes

Totara TXP 18.8, 17.21, 16.27, 15.33, 14.38, 13.46, 12.65, 11.65, 10.67, 9.73, 2.9.70 and 2.7.75 are now available

 
David Curry (Core Developer)
Totara TXP 18.8, 17.21, 16.27, 15.33, 14.38, 13.46, 12.65, 11.65, 10.67, 9.73, 2.9.70 and 2.7.75 are now available
de David Curry (Core Developer) - Monday, 5 de August de 2024, 21:27
Grupo Totara

Hello everyone,

The following versions of Totara have now been released:

These versions do contain security fixes, and for this reason we strongly recommend upgrade.
Each release also includes various bug fixes and improvements.

Kind regards Release Team

Release 18.8 (06th August 2024):

Security issues:

    TL-34395       Fixed security vulnerability with URLs in Weka editor when creating an article
    TL-38232       Fixed stored XSS in SVG files
    TL-39346       Fixed infinite recursion when importing CSS in URL downloader (CVE-2023-6662)

                   There are checks to URLs that attempt to limit recursion when parse_file is
                   called. This is problematic for CSS import URLs that can call an indefinite
                   amount of nested import URLs. An import limit has been introduced to address
                   this. Fragments are also now stripped from CSS URLs.

    TL-40601       Fixed Local File Inclusion (LFI) risk in mod_data (CVE-2024-34005)
    TL-40665       Fixed an XSS vulnerability in the user selector component (CVE-2024-34000)

New features:

    TL-39118       Introduced the AI integration framework and suggest course tags interaction

                   Introduced the AI integration subsystem, providing a structured approach to
                   incorporate AI tools and features into Totara via AI plugins.

                   * Developers can now define and introduce AI plugins with a clear list of
                   supported features
                   * New interactions can be added from any Totara component through these AI
                   plugins
                   * Added functionality to manage AI plugins and designate one as the default
                   * Defined a generative prompt feature that can be implemented by AI plugins

                   Also, we’ve introduced a ‘suggest course tags’ interaction which
                   demonstrates how to create an interaction.


Improvements:

    TL-38165       Added Totara 19 minimum server requirements to the Admin Environment checks page

Bug fixes:

    TL-38256       Fixed OAuth 2.0 authentication plugin not being robust to user email changes

                   The OAuth 2.0 authentication plugin now identifies users by the OIDC ‘sub’
                   claim, which never changes, instead of the user's email address.

                   This resolves an issue where users may be locked out of their accounts if their
                   email address changes at the identity provider, even if it is just uppercase to
                   lowercase.

    TL-39162       Fixed a scenario where colours could not be linked to specific data sets in report builder charts

                   Colours used in report builder charts are defined in a list, and the next
                   available colour is taken from the list when needed. When reports were filtered
                   there was no way to link a specific colour to a specific dataset, resulting in
                   colours shifting in different perspectives.

                   With this change it is possible to override chart colours for a specific dataset
                   in the advanced settings section as needed. For more information please see the
                   developer documentation:
                   https://totara.atlassian.net/wiki/spaces/DEV/pages/121184255/Advanced+settings

    TL-39494       Resolved an issue in the audience reports where the sorting functionality for the status column was not working
    TL-39653       Updated the display text if the quiz activity failed on a pathway format course
    TL-39828       Fixed cloning incorrect job assignments when cloning an application in approval workflows

                   Previously, we copied the job assignment from the old application during the
                   cloning process.

                   Now, we check if the applicant has an assignment in the workflow type and use
                   the applicant's current job assignment while cloning. If the applicant has more
                   than one job assignment, the user can choose the preferred job assignment.

    TL-39968       Fixed invalid custom field record IDs resulting in errors on the hierarchy item list page

                   Implemented a new base data provider and search filter for hierarchy items using
                   Totara ORM. This helps address an issue where hierarchy custom field record IDs
                   did not match and an error was thrown on the hierarchy item list page.

    TL-40321       Fixed tenant users not having access to H5P libraries and cached assets
    TL-40364       Fixed that Site Administrators cannot add users to a seminar waitlist
    TL-40391       Fixed failure when exporting the Program Overview report in Excel or ODS format
    TL-40957       Fixed snapshots for PHPUnit tests not restoring tables where data got deleted through foreign key constraint 

                   This only affects PHPUnit tests. On MySQL and MariaDB deletion of data through
                   cascading delete constraints does not trigger triggers used to mark tables as
                   modified. Only these tables will be rolled back after each test. This resulted
                   in data not being properly restored after tests which can lead to other tests
                   failing.

    TL-40966       Added a MariaDB optimiser hint for search depth where some versions of MariaDB could get stuck when looking up context capabilities

                   MariaDB versions 10.5 and earlier have an issue with the default setting for
                   optimizer_search_depth where some complex queries can cause the optimizer to
                   take a long time to generate a query plan. This can be fixed by adjusting the
                   optimizer_search_depth setting.
                   
                   The has_capability_in_any_context function has been updated to include a
                   optimizer hint, where this problem could occur for MariaDB sites with a
                   complicated context tree. This optimization is off by default, but can be
                   enabled by setting a value for
                   $CFG->mariadb_search_depth_has_capability_in_context in config.php. For valid
                   values or more information please see the MariaDB documentation
                   https://mariadb.com/docs/server/ref/mdb/system-variables/optimizer_search_depth/.

    TL-35562       Fixed discussion content in workspaces to fit mobile view
    TL-37338       Fixed the HTML heading order on the notification page
    TL-37340       Fixed an issue where an empty link was being created in the notification footer
    TL-40293       Fixed an accessibility issue with YUI modals not returning focus to original element
    TL-40805       Fixed an accessibility issue with row headers in report builder

                   Previously, tables generated by the report builder would have not row header
                   defined which is a potential accessibility issue. To address this we implemented
                   the ability to configure which column is used as a row header in each report.
                   When a column is configured as a row header it will render on the page as a
                   {{th}} tag with a scope of row, allowing for screen readers to read the report
                   results in a more understandable manner.

    TL-40806       Improved truncation of course names in the current learning block
    TL-40836       Added missing aria labels on the 'Show non-respondents' tab of a feedback activity
    TL-40838       Added an aria-label to the response charts on the analysis tab of a feedback activity
    TL-40891       Improved accessibility of the course section select box

Recommendations engine:

    TL-40020       Upgraded libraries used by Machine Learning Service

                   Please upgrade your installed services as there have been minor changes to the
                   service to support the upgraded libraries.

                   Upgraded Flask package to version 2.2.5
                   Upgraded lightfm package to version 1.17
                   Upgraded nltk package to version 3.8.1 (CVE-2021-43854, CVE-2021-3842,
                   CVE-2021-3828)
                   Upgraded requests package to version 2.31.0 (CVE-2023-32681)
                   Upgraded scikit-learn package to version 1.0.2 (CVE-2020-28975)
                   Upgraded scipy package to version 1.7.3
                   Upgraded certifi package to version 2024.7.4 (CVE-2023-37920, CVE-2022-23491)
                   Upgraded Jinja2 package to version 3.1.4 (CVE-2024-22195)
                   Upgraded joblib package to version 1.3.2 (CVE-2022-21797)
                   Upgraded MarkupSafe package to version 2.1.5
                   Upgraded urllib3 package to version 2.0.7 (CVE-2023-45803, CVE-2023-43804)
                   Upgraded Werkzeug package to version 2.2.3

    TL-40797       Upgraded libraries used by the recommendations engine

                   Upgraded certifi to version 2024.7.4 (CVE-2023-37920, CVE-2022-23491)
                   Upgraded urllib3 to version 1.26.19 (CVE-2023-43804, CVE-2023-45803)


Library updates:

    TL-38136       Updated the PhpCAS library to 1.6.1 (CVE-2022-39369)
    TL-40938       Updated eslint to 8.57.0

Release 17.21 (06th August 2024):

Security issues:

    TL-34395       Fixed security vulnerability with URLs in Weka editor when creating an article
    TL-38232       Fixed stored XSS in SVG files
    TL-39346       Fixed infinite recursion when importing CSS in URL downloader (CVE-2023-6662)

                   There are checks to URLs that attempt to limit recursion when parse_file is
                   called. This is problematic for CSS import URLs that can call an indefinite
                   amount of nested import URLs. An import limit has been introduced to address
                   this. Fragments are also now stripped from CSS URLs.

    TL-40601       Fixed Local File Inclusion (LFI) risk in mod_data (CVE-2024-34005)
    TL-40665       Fixed an XSS vulnerability in the user selector component (CVE-2024-34000)

Improvements:

    TL-38165       Added Totara 19 minimum server requirements to the Admin Environment checks page

Bug fixes:

    TL-39162       Fixed a scenario where colours could not be linked to specific data sets in report builder charts

                   Colours used in report builder charts are defined in a list, and the next
                   available colour is taken from the list when needed. When reports were filtered
                   there was no way to link a specific colour to a specific dataset, resulting in
                   colours shifting in different perspectives.

                   With this change it is possible to override chart colours for a specific dataset
                   in the advanced settings section as needed. For more information please see the
                   developer documentation:
                   https://totara.atlassian.net/wiki/spaces/DEV/pages/121184255/Advanced+settings

    TL-39494       Resolved an issue in the audience reports where the sorting functionality for the status column was not working
    TL-39968       Fixed invalid custom field record IDs resulting in errors on the hierarchy item list page

                   Implemented a new base data provider and search filter for hierarchy items using
                   Totara ORM. This helps address an issue where hierarchy custom field record IDs
                   did not match and an error was thrown on the hierarchy item list page.

    TL-40364       Fixed that Site Administrators cannot add users to a seminar waitlist
    TL-40544       Fixed incorrect parameters passed when recording approval workflow activity for notifications

                   This was mistakenly announced in a previous version of 17, but has now been
                   included

    TL-40957       Fixed snapshots for PHPUnit tests not restoring tables where data got deleted through foreign key constraint 

                   This only affects PHPUnit tests. On MySQL and MariaDB deletion of data through
                   cascading delete constraints does not trigger triggers used to mark tables as
                   modified. Only these tables will be rolled back after each test. This resulted
                   in data not being properly restored after tests which can lead to other tests
                   failing.

    TL-37338       Fixed the HTML heading order on the notification page
    TL-37340       Fixed an issue where an empty link was being created in the notification footer
    TL-40836       Added missing aria labels on the 'Show non-respondents' tab of a feedback activity
    TL-40838       Added an aria-label to the response charts on the analysis tab of a feedback activity

Recommendations engine:

    TL-40020       Upgraded libraries used by Machine Learning Service

                   Please upgrade your installed services as there have been minor changes to the
                   service to support the upgraded libraries.

                   Upgraded Flask package to version 2.2.5
                   Upgraded lightfm package to version 1.17
                   Upgraded nltk package to version 3.8.1 (CVE-2021-43854, CVE-2021-3842,
                   CVE-2021-3828)
                   Upgraded requests package to version 2.31.0 (CVE-2023-32681)
                   Upgraded scikit-learn package to version 1.0.2 (CVE-2020-28975)
                   Upgraded scipy package to version 1.7.3
                   Upgraded certifi package to version 2024.7.4 (CVE-2023-37920, CVE-2022-23491)
                   Upgraded Jinja2 package to version 3.1.4 (CVE-2024-22195)
                   Upgraded joblib package to version 1.3.2 (CVE-2022-21797)
                   Upgraded MarkupSafe package to version 2.1.5
                   Upgraded urllib3 package to version 2.0.7 (CVE-2023-45803, CVE-2023-43804)
                   Upgraded Werkzeug package to version 2.2.3

    TL-40797       Upgraded libraries used by the recommendations engine

                   Upgraded certifi to version 2024.7.4 (CVE-2023-37920, CVE-2022-23491)
                   Upgraded urllib3 to version 1.26.19 (CVE-2023-43804, CVE-2023-45803)


Library updates:

    TL-38136       Updated the PhpCAS library to 1.6.1 (CVE-2022-39369)

Release 16.27 (06th August 2024):

Security issues:

    TL-34395       Fixed security vulnerability with URLs in Weka editor when creating an article
    TL-38232       Fixed stored XSS in SVG files
    TL-39346       Fixed infinite recursion when importing CSS in URL downloader (CVE-2023-6662)

                   There are checks to URLs that attempt to limit recursion when parse_file is
                   called. This is problematic for CSS import URLs that can call an indefinite
                   amount of nested import URLs. An import limit has been introduced to address
                   this. Fragments are also now stripped from CSS URLs.

    TL-40601       Fixed Local File Inclusion (LFI) risk in mod_data (CVE-2024-34005)
    TL-40665       Fixed an XSS vulnerability in the user selector component (CVE-2024-34000)

Improvements:

    TL-38165       Added Totara 19 minimum server requirements to the Admin Environment checks page

Bug fixes:

    TL-40364       Fixed that Site Administrators cannot add users to a seminar waitlist
    TL-40957       Fixed snapshots for PHPUnit tests not restoring tables where data got deleted through foreign key constraint 

                   This only affects PHPUnit tests. On MySQL and MariaDB deletion of data through
                   cascading delete constraints does not trigger triggers used to mark tables as
                   modified. Only these tables will be rolled back after each test. This resulted
                   in data not being properly restored after tests which can lead to other tests
                   failing.


Recommendations engine:

    TL-40020       Upgraded libraries used by Machine Learning Service

                   Please upgrade your installed services as there have been minor changes to the
                   service to support the upgraded libraries.

                   Upgraded Flask package to version 2.2.5
                   Upgraded lightfm package to version 1.17
                   Upgraded nltk package to version 3.8.1 (CVE-2021-43854, CVE-2021-3842,
                   CVE-2021-3828)
                   Upgraded requests package to version 2.31.0 (CVE-2023-32681)
                   Upgraded scikit-learn package to version 1.0.2 (CVE-2020-28975)
                   Upgraded scipy package to version 1.7.3
                   Upgraded certifi package to version 2024.7.4 (CVE-2023-37920, CVE-2022-23491)
                   Upgraded Jinja2 package to version 3.1.4 (CVE-2024-22195)
                   Upgraded joblib package to version 1.3.2 (CVE-2022-21797)
                   Upgraded MarkupSafe package to version 2.1.5
                   Upgraded urllib3 package to version 2.0.7 (CVE-2023-45803, CVE-2023-43804)
                   Upgraded Werkzeug package to version 2.2.3

    TL-40797       Upgraded libraries used by the recommendations engine

                   Upgraded certifi to version 2024.7.4 (CVE-2023-37920, CVE-2022-23491)
                   Upgraded urllib3 to version 1.26.19 (CVE-2023-43804, CVE-2023-45803)


Library updates:

    TL-38136       Updated the PhpCAS library to 1.6.1 (CVE-2022-39369)

Release 15.33 (06th August 2024):

Security issues:

    TL-34395       Fixed security vulnerability with URLs in Weka editor when creating an article
    TL-38232       Fixed stored XSS in SVG files
    TL-39346       Fixed infinite recursion when importing CSS in URL downloader (CVE-2023-6662)

                   There are checks to URLs that attempt to limit recursion when parse_file is
                   called. This is problematic for CSS import URLs that can call an indefinite
                   amount of nested import URLs. An import limit has been introduced to address
                   this. Fragments are also now stripped from CSS URLs.

    TL-40601       Fixed Local File Inclusion (LFI) risk in mod_data (CVE-2024-34005)
    TL-40665       Fixed an XSS vulnerability in the user selector component (CVE-2024-34000)

Improvements:

    TL-38165       Added Totara 19 minimum server requirements to the Admin Environment checks page

Bug fixes:

    TL-40364       Fixed that Site Administrators cannot add users to a seminar waitlist
    TL-40957       Fixed snapshots for PHPUnit tests not restoring tables where data got deleted through foreign key constraint 

                   This only affects PHPUnit tests. On MySQL and MariaDB deletion of data through
                   cascading delete constraints does not trigger triggers used to mark tables as
                   modified. Only these tables will be rolled back after each test. This resulted
                   in data not being properly restored after tests which can lead to other tests
                   failing.


Recommendations engine:

    TL-40020       Upgraded libraries used by Machine Learning Service

                   Please upgrade your installed services as there have been minor changes to the
                   service to support the upgraded libraries.

                   Upgraded Flask package to version 2.2.5
                   Upgraded lightfm package to version 1.17
                   Upgraded nltk package to version 3.8.1 (CVE-2021-43854, CVE-2021-3842,
                   CVE-2021-3828)
                   Upgraded requests package to version 2.31.0 (CVE-2023-32681)
                   Upgraded scikit-learn package to version 1.0.2 (CVE-2020-28975)
                   Upgraded scipy package to version 1.7.3
                   Upgraded certifi package to version 2024.7.4 (CVE-2023-37920, CVE-2022-23491)
                   Upgraded Jinja2 package to version 3.1.4 (CVE-2024-22195)
                   Upgraded joblib package to version 1.3.2 (CVE-2022-21797)
                   Upgraded MarkupSafe package to version 2.1.5
                   Upgraded urllib3 package to version 2.0.7 (CVE-2023-45803, CVE-2023-43804)
                   Upgraded Werkzeug package to version 2.2.3

    TL-40797       Upgraded libraries used by the recommendations engine

                   Upgraded certifi to version 2024.7.4 (CVE-2023-37920, CVE-2022-23491)
                   Upgraded urllib3 to version 1.26.19 (CVE-2023-43804, CVE-2023-45803)


Library updates:

    TL-38136       Updated the PhpCAS library to 1.6.1 (CVE-2022-39369)

Release 14.38 (06th August 2024):

Security issues:

    TL-34395       Fixed security vulnerability with URLs in Weka editor when creating an article
    TL-38232       Fixed stored XSS in SVG files
    TL-39346       Fixed infinite recursion when importing CSS in URL downloader (CVE-2023-6662)

                   There are checks to URLs that attempt to limit recursion when parse_file is
                   called. This is problematic for CSS import URLs that can call an indefinite
                   amount of nested import URLs. An import limit has been introduced to address
                   this. Fragments are also now stripped from CSS URLs.

    TL-40601       Fixed Local File Inclusion (LFI) risk in mod_data (CVE-2024-34005)
    TL-40665       Fixed an XSS vulnerability in the user selector component (CVE-2024-34000)

Improvements:

    TL-38165       Added Totara 19 minimum server requirements to the Admin Environment checks page

Bug fixes:

    TL-40364       Fixed that Site Administrators cannot add users to a seminar waitlist
    TL-40957       Fixed snapshots for PHPUnit tests not restoring tables where data got deleted through foreign key constraint 

                   This only affects PHPUnit tests. On MySQL and MariaDB deletion of data through
                   cascading delete constraints does not trigger triggers used to mark tables as
                   modified. Only these tables will be rolled back after each test. This resulted
                   in data not being properly restored after tests which can lead to other tests
                   failing.


Recommendations engine:

    TL-40797       Upgraded libraries used by the recommendations engine

                   Upgraded certifi to version 2024.7.4 (CVE-2023-37920, CVE-2022-23491)
                   Upgraded urllib3 to version 1.26.19 (CVE-2023-43804, CVE-2023-45803)


Library updates:

    TL-38136       Updated the PhpCAS library to 1.6.1 (CVE-2022-39369)

Release 13.46 (06th August 2024):

Security issues:

    TL-34395       Fixed security vulnerability with URLs in Weka editor when creating an article
    TL-38232       Fixed stored XSS in SVG files
    TL-39346       Fixed infinite recursion when importing CSS in URL downloader (CVE-2023-6662)

                   There are checks to URLs that attempt to limit recursion when parse_file is
                   called. This is problematic for CSS import URLs that can call an indefinite
                   amount of nested import URLs. An import limit has been introduced to address
                   this. Fragments are also now stripped from CSS URLs.

    TL-40601       Fixed Local File Inclusion (LFI) risk in mod_data (CVE-2024-34005)
    TL-40665       Fixed an XSS vulnerability in the user selector component (CVE-2024-34000)

Improvements:

    TL-38165       Added Totara 19 minimum server requirements to the Admin Environment checks page

Bug fixes:

    TL-40364       Fixed that Site Administrators cannot add users to a seminar waitlist
    TL-40957       Fixed snapshots for PHPUnit tests not restoring tables where data got deleted through foreign key constraint 

                   This only affects PHPUnit tests. On MySQL and MariaDB deletion of data through
                   cascading delete constraints does not trigger triggers used to mark tables as
                   modified. Only these tables will be rolled back after each test. This resulted
                   in data not being properly restored after tests which can lead to other tests
                   failing.


Recommendations engine:

    TL-40797       Upgraded libraries used by the recommendations engine

                   Upgraded certifi to version 2024.7.4 (CVE-2023-37920, CVE-2022-23491)
                   Upgraded urllib3 to version 1.26.19 (CVE-2023-43804, CVE-2023-45803)


Library updates:

    TL-38136       Updated the PhpCAS library to 1.6.1 (CVE-2022-39369)

Release 12.65 (06th August 2024):

Security issues:

    TL-39346       Fixed infinite recursion when importing CSS in URL downloader (CVE-2023-6662)

                   There are checks to URLs that attempt to limit recursion when parse_file is
                   called. This is problematic for CSS import URLs that can call an indefinite
                   amount of nested import URLs. An import limit has been introduced to address
                   this. Fragments are also now stripped from CSS URLs.


Release 11.65 (06th August 2024):

Security issues:

    TL-39346       Fixed infinite recursion when importing CSS in URL downloader (CVE-2023-6662)

                   There are checks to URLs that attempt to limit recursion when parse_file is
                   called. This is problematic for CSS import URLs that can call an indefinite
                   amount of nested import URLs. An import limit has been introduced to address
                   this. Fragments are also now stripped from CSS URLs.


Release 10.67 (06th August 2024):

Security issues:

    TL-39346       Fixed infinite recursion when importing CSS in URL downloader (CVE-2023-6662)

                   There are checks to URLs that attempt to limit recursion when parse_file is
                   called. This is problematic for CSS import URLs that can call an indefinite
                   amount of nested import URLs. An import limit has been introduced to address
                   this. Fragments are also now stripped from CSS URLs.


Release 9.73 (06th August 2024):

Security issues:

    TL-39346       Fixed infinite recursion when importing CSS in URL downloader (CVE-2023-6662)

                   There are checks to URLs that attempt to limit recursion when parse_file is
                   called. This is problematic for CSS import URLs that can call an indefinite
                   amount of nested import URLs. An import limit has been introduced to address
                   this. Fragments are also now stripped from CSS URLs.


Release 2.9.70 (06th August 2024):

Security issues:

    TL-39346       Fixed infinite recursion when importing CSS in URL downloader (CVE-2023-6662)

                   There are checks to URLs that attempt to limit recursion when parse_file is
                   called. This is problematic for CSS import URLs that can call an indefinite
                   amount of nested import URLs. An import limit has been introduced to address
                   this. Fragments are also now stripped from CSS URLs.


Release 2.7.75 (06th August 2024):

Security issues:

    TL-39346       Fixed infinite recursion when importing CSS in URL downloader (CVE-2023-6662)

                   There are checks to URLs that attempt to limit recursion when parse_file is
                   called. This is problematic for CSS import URLs that can call an indefinite
                   amount of nested import URLs. An import limit has been introduced to address
                   this. Fragments are also now stripped from CSS URLs.