Hello everyone,
The following versions of Totara have now been released:
- Release 18.9
- Release 17.22
- Release 16.28
- Release 15.34
- Release 14.39
- Release 13.47
- Release 12.66
- Release 11.66
- Release 10.68
- Release 9.74
- Release 2.9.71
- Release 2.7.76
- Release 2.5.92
- Release 2.2.87
These versions do contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes various bug fixes and improvements.
Kind regards,
Release Team
Release 18.9 (2nd September 2024):

Security issues:
- TL-39800 Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
- TL-40873 Fixed some cases where the CSRF token was not correctly validated (CVE-2024-38276)
- TL-40874 Fixed a problem with authorization headers and emulated redirects (CVE-2024-38275)
- TL-41520 Fixed cache poisoning via injection into storage (CVE-2024-43428)
- TL-41522 Fixed arbitrary file read risk through pdfTeX in MathJax filter (CVE-2024-43426)
- TL-41526 Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)
  There is a slight possibility that this fix breaks existing calculated questions if they were created with special characters in the formula's 'wildcard' placeholder variables, which are now invalid. A PHP error will be shown when viewing an affected question. An invalid question can be fixed manually by changing the placeholders to valid names.

New features:
- TL-33266 Added a diagnostic plugin to assist with troubleshooting
  A new plugin has been created to generate diagnostic information for Totara Support. When triggered by an admin, it collects non-sensitive data about the Totara installation and allows it to be downloaded as a zip file. The tool is accessible via the command line (CLI) or through the "Diagnostic for support" option under "System information". Admins can export the diagnostic data and attach it to support tickets if requested by Totara Support. This information will help investigate reported issues more efficiently. For further details, please refer to the inline help within the tool and the end-user documentation on totara.help.

Performance improvements:
- TL-39818 Fixed error on MSSQL when exporting the Program overdue report

Improvements:
- TL-38097 Improved the formatting of the seminar room notification placeholder
- TL-39844 Added Approvers recipient to Seminar booking notification triggers
  Seminar booking notifications can now be configured to be sent to the appropriate approvers.
- TL-40350 Updated default security settings to align with best practices
  The "Account lockout threshold" now defaults to 5 attempts, while both the "Account lockout observation window" and "Account lockout duration" now default to 1 hour. These changes do not affect existing environments, but we strongly recommend reviewing and updating these settings on current sites to enhance security.

Bug fixes:
- TL-37545 Fixed debugging message shown when creating an audience with no alert options selected
- TL-38584 Fixed multilang filter for Seminar room custom field in the calendar
- TL-38726 Fixed an issue with temporary managers viewing other users' profiles
  Job assignments automatically confer user profile visibility, such that managers and appraisers on the same job assignment can see each other's user profiles. Temporary managers were not included in the database query that resolves this relationship-based visibility. This has been fixed: the temporary manager on a job assignment can now view the user profile of the manager and/or appraiser on the same job assignment.
- TL-38858 Updated help text for "showuseridentity" setting
- TL-39173 Learning plan priority scales now display in the correct language
- TL-39829 Resolved the issue on the course enrolment page where the user tour throws a requireloginerror exception
- TL-40080 Corrected the read-only check in backend actions of legacy appraisals
- TL-40099 Fixed orphaned enrolment instances remaining in the database after course deletion
  Previously, enrolment instances were marked as deleted but left in the database, causing them to become orphaned when a course was deleted. This led to errors when processing user assignments. With this update, these records are now properly deleted along with the course, and additional measures have been implemented to prevent errors from any existing orphaned records.
- TL-40164 Implemented error handling for the send_participant_instance_creation_notifications_task to ensure task completion
  This update ensures that the send_participant_instance_creation_notifications_task can complete successfully even if an error occurs during execution. It prevents duplicate emails from being sent to performance activity participants, which can happen if the task fails to finish.
- TL-40172 Fixed booking end date notifications not being sent immediately
  To apply this fix, the 'Send non-immediate scheduled notifications' task can now be configured to run more frequently, such as every 5 minutes. This ensures that booking end date notifications, along with other scheduled notifications, are sent closer to the intended time rather than at a single time each day as was previously the case.
- TL-40252 Prevented adding suspended attendees to Seminars via CSV upload or list of IDs
- TL-40280 Fixed the company goal adder list to exclude deleted goal assignments
- TL-40756 Resolved the exception thrown when displaying the "recently viewed" block at the top of the main region and the first item is a course
- TL-40959 Fixed Engage database error when $CFG->disable_visibility_maps is enabled
- TL-41021 Fixed an error for report builder export when using the column 'User Fullname (with links to learning components)'
- TL-41039 Fixed issue where adding more competencies to a learning plan removed previously added competencies
- TL-41129 Fixed search boxes in workspaces and resources displaying rounded edges on iOS
- TL-41163 Fixed an issue where guest auto login with an auth plugin redirected users to the home page instead of their previous page
- TL-41302 Fixed the locking mechanism in the approval workflows role map regenerate scheduled task
  Also added a user interface for admins to run the task immediately if applications are not showing as expected on the applications dashboard.
- TL-41323 Fixed an error on the application activity tab
- TL-41325 Fixed an error with approval workflow reports with an incorrect alias

Technical changes:
- TL-41007 Updated the embedded certificate file used by Windows servers to the latest version (2 July 2024)
- TL-41440 Updated the MySQL reserved words list
  Added the following words to the reserved list:
  * INTERSECT
  * MANUAL
  * PARALLEL
  * QUALIFY
  * TABLESAMPLE

Recommendations engine:
- TL-41090 Upgraded libraries used by Machine Learning Service (CVE-2024-3651, CVE-2024-34062)
  Upgraded idna to 3.7 (CVE-2024-3651)
  Upgraded tqdm to 4.66.4 (CVE-2024-34062)
  Python 3.6 is no longer supported due to unavailable required libraries. We recommend upgrading to a newer Python version or using the provided Docker image.

Library updates:
- TL-40367 Upgraded jQuery UI version in the lib folder to 1.13.2
- TL-40907 Updated the H5P plugin to allow compatibility with newer versions of the content types
Release 17.22 (2nd September 2024):

Security issues:
- TL-39800 Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
- TL-40873 Fixed some cases where the CSRF token was not correctly validated (CVE-2024-38276)
- TL-40874 Fixed a problem with authorization headers and emulated redirects (CVE-2024-38275)
- TL-41520 Fixed cache poisoning via injection into storage (CVE-2024-43428)
- TL-41522 Fixed arbitrary file read risk through pdfTeX in MathJax filter (CVE-2024-43426)
- TL-41526 Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)
  There is a slight possibility that this fix breaks existing calculated questions if they were created with special characters in the formula's 'wildcard' placeholder variables, which are now invalid. A PHP error will be shown when viewing an affected question. An invalid question can be fixed manually by changing the placeholders to valid names.

New features:
- TL-33266 Added a diagnostic plugin to assist with troubleshooting
  A new plugin has been created to generate diagnostic information for Totara Support. When triggered by an admin, it collects non-sensitive data about the Totara installation and allows it to be downloaded as a zip file. The tool is accessible via the command line (CLI) or through the "Diagnostic for support" option under "System information". Admins can export the diagnostic data and attach it to support tickets if requested by Totara Support. This information will help investigate reported issues more efficiently. For further details, please refer to the inline help within the tool and the end-user documentation on totara.help.

Performance improvements:
- TL-39818 Fixed error on MSSQL when exporting the Program overdue report

Improvements:
- TL-38097 Improved the formatting of the seminar room notification placeholder
- TL-39844 Added Approvers recipient to Seminar booking notification triggers
  Seminar booking notifications can now be configured to be sent to the appropriate approvers.

Bug fixes:
- TL-37545 Fixed debugging message shown when creating an audience with no alert options selected
- TL-38584 Fixed multilang filter for Seminar room custom field in the calendar
- TL-38726 Fixed an issue with temporary managers viewing other users' profiles
  Job assignments automatically confer user profile visibility, such that managers and appraisers on the same job assignment can see each other's user profiles. Temporary managers were not included in the database query that resolves this relationship-based visibility. This has been fixed: the temporary manager on a job assignment can now view the user profile of the manager and/or appraiser on the same job assignment.
- TL-38858 Updated help text for "showuseridentity" setting
- TL-39173 Learning plan priority scales now display in the correct language
- TL-39829 Resolved the issue on the course enrolment page where the user tour throws a requireloginerror exception
- TL-40099 Fixed orphaned enrolment instances remaining in the database after course deletion
  Previously, enrolment instances were marked as deleted but left in the database, causing them to become orphaned when a course was deleted. This led to errors when processing user assignments. With this update, these records are now properly deleted along with the course, and additional measures have been implemented to prevent errors from any existing orphaned records.
- TL-40164 Implemented error handling for the send_participant_instance_creation_notifications_task to ensure task completion
  This update ensures that the send_participant_instance_creation_notifications_task can complete successfully even if an error occurs during execution. It prevents duplicate emails from being sent to performance activity participants, which can happen if the task fails to finish.
- TL-40172 Fixed booking end date notifications not being sent immediately
  To apply this fix, the 'Send non-immediate scheduled notifications' task can now be configured to run more frequently, such as every 5 minutes. This ensures that booking end date notifications, along with other scheduled notifications, are sent closer to the intended time rather than at a single time each day as was previously the case.
- TL-40252 Prevented adding suspended attendees to Seminars via CSV upload or list of IDs
- TL-40280 Fixed the company goal adder list to exclude deleted goal assignments
- TL-41039 Fixed issue where adding more competencies to a learning plan removed previously added competencies

Technical changes:
- TL-41007 Updated the embedded certificate file used by Windows servers to the latest version (2 July 2024)

Recommendations engine:
- TL-41090 Upgraded libraries used by Machine Learning Service (CVE-2024-3651, CVE-2024-34062)
  Upgraded idna to 3.7 (CVE-2024-3651)
  Upgraded tqdm to 4.66.4 (CVE-2024-34062)
  Python 3.6 is no longer supported due to unavailable required libraries. We recommend upgrading to a newer Python version or using the provided Docker image.

Library updates:
- TL-40367 Upgraded jQuery UI version in the lib folder to 1.13.2
Release 16.28 (2nd September 2024):

Security issues:
- TL-39800 Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
- TL-40873 Fixed some cases where the CSRF token was not correctly validated (CVE-2024-38276)
- TL-40874 Fixed a problem with authorization headers and emulated redirects (CVE-2024-38275)
- TL-41520 Fixed cache poisoning via injection into storage (CVE-2024-43428)
- TL-41522 Fixed arbitrary file read risk through pdfTeX in MathJax filter (CVE-2024-43426)
- TL-41526 Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)
  There is a slight possibility that this fix breaks existing calculated questions if they were created with special characters in the formula's 'wildcard' placeholder variables, which are now invalid. A PHP error will be shown when viewing an affected question. An invalid question can be fixed manually by changing the placeholders to valid names.

New features:
- TL-33266 Added a diagnostic plugin to assist with troubleshooting
  A new plugin has been created to generate diagnostic information for Totara Support. When triggered by an admin, it collects non-sensitive data about the Totara installation and allows it to be downloaded as a zip file. The tool is accessible via the command line (CLI) or through the "Diagnostic for support" option under "System information". Admins can export the diagnostic data and attach it to support tickets if requested by Totara Support. This information will help investigate reported issues more efficiently. For further details, please refer to the inline help within the tool and the end-user documentation on totara.help.

Improvements:
- TL-38097 Improved the formatting of the seminar room notification placeholder

Bug fixes:
- TL-37545 Fixed debugging message shown when creating an audience with no alert options selected
- TL-40099 Fixed orphaned enrolment instances remaining in the database after course deletion
  Previously, enrolment instances were marked as deleted but left in the database, causing them to become orphaned when a course was deleted. This led to errors when processing user assignments. With this update, these records are now properly deleted along with the course, and additional measures have been implemented to prevent errors from any existing orphaned records.
- TL-40252 Prevented adding suspended attendees to Seminars via CSV upload or list of IDs
- TL-41039 Fixed issue where adding more competencies to a learning plan removed previously added competencies

Technical changes:
- TL-41007 Updated the embedded certificate file used by Windows servers to the latest version (2 July 2024)

Recommendations engine:
- TL-41090 Upgraded libraries used by Machine Learning Service (CVE-2024-3651, CVE-2024-34062)
  Upgraded idna to 3.7 (CVE-2024-3651)
  Upgraded tqdm to 4.66.4 (CVE-2024-34062)
  Python 3.6 is no longer supported due to unavailable required libraries. We recommend upgrading to a newer Python version or using the provided Docker image.

Library updates:
- TL-40367 Upgraded jQuery UI version in the lib folder to 1.13.2
Release 15.34 (2nd September 2024):

Security issues:
- TL-39800 Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
- TL-40873 Fixed some cases where the CSRF token was not correctly validated (CVE-2024-38276)
- TL-40874 Fixed a problem with authorization headers and emulated redirects (CVE-2024-38275)
- TL-41520 Fixed cache poisoning via injection into storage (CVE-2024-43428)
- TL-41522 Fixed arbitrary file read risk through pdfTeX in MathJax filter (CVE-2024-43426)
- TL-41526 Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)
  There is a slight possibility that this fix breaks existing calculated questions if they were created with special characters in the formula's 'wildcard' placeholder variables, which are now invalid. A PHP error will be shown when viewing an affected question. An invalid question can be fixed manually by changing the placeholders to valid names.

New features:
- TL-33266 Added a diagnostic plugin to assist with troubleshooting
  A new plugin has been created to generate diagnostic information for Totara Support. When triggered by an admin, it collects non-sensitive data about the Totara installation and allows it to be downloaded as a zip file. The tool is accessible via the command line (CLI) or through the "Diagnostic for support" option under "System information". Admins can export the diagnostic data and attach it to support tickets if requested by Totara Support. This information will help investigate reported issues more efficiently. For further details, please refer to the inline help within the tool and the end-user documentation on totara.help.

Bug fixes:
- TL-37545 Fixed debugging message shown when creating an audience with no alert options selected
- TL-40252 Prevented adding suspended attendees to Seminars via CSV upload or list of IDs
- TL-41039 Fixed issue where adding more competencies to a learning plan removed previously added competencies

Technical changes:
- TL-41007 Updated the embedded certificate file used by Windows servers to the latest version (2 July 2024)

Recommendations engine:
- TL-41090 Upgraded libraries used by Machine Learning Service (CVE-2024-3651, CVE-2024-34062)
  Upgraded idna to 3.7 (CVE-2024-3651)
  Upgraded tqdm to 4.66.4 (CVE-2024-34062)
  Python 3.6 is no longer supported due to unavailable required libraries. We recommend upgrading to a newer Python version or using the provided Docker image.

Library updates:
- TL-40367 Upgraded jQuery UI version in the lib folder to 1.13.2
Release 14.39 (2nd September 2024):

Security issues:
- TL-39800 Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
- TL-40873 Fixed some cases where the CSRF token was not correctly validated (CVE-2024-38276)
- TL-40874 Fixed a problem with authorization headers and emulated redirects (CVE-2024-38275)
- TL-41520 Fixed cache poisoning via injection into storage (CVE-2024-43428)
- TL-41522 Fixed arbitrary file read risk through pdfTeX in MathJax filter (CVE-2024-43426)
- TL-41526 Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)
  There is a slight possibility that this fix breaks existing calculated questions if they were created with special characters in the formula's 'wildcard' placeholder variables, which are now invalid. A PHP error will be shown when viewing an affected question. An invalid question can be fixed manually by changing the placeholders to valid names.

Bug fixes:
- TL-40252 Prevented adding suspended attendees to Seminars via CSV upload or list of IDs
- TL-41039 Fixed issue where adding more competencies to a learning plan removed previously added competencies

Technical changes:
- TL-41007 Updated the embedded certificate file used by Windows servers to the latest version (2 July 2024)

Library updates:
- TL-40367 Upgraded jQuery UI version in the lib folder to 1.13.2
Release 13.47 (2nd September 2024):

Security issues:
- TL-39800 Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
- TL-40873 Fixed some cases where the CSRF token was not correctly validated (CVE-2024-38276)
- TL-40874 Fixed a problem with authorization headers and emulated redirects (CVE-2024-38275)
- TL-41520 Fixed cache poisoning via injection into storage (CVE-2024-43428)
- TL-41522 Fixed arbitrary file read risk through pdfTeX in MathJax filter (CVE-2024-43426)
- TL-41526 Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)
  There is a slight possibility that this fix breaks existing calculated questions if they were created with special characters in the formula's 'wildcard' placeholder variables, which are now invalid. A PHP error will be shown when viewing an affected question. An invalid question can be fixed manually by changing the placeholders to valid names.

Bug fixes:
- TL-41039 Fixed issue where adding more competencies to a learning plan removed previously added competencies

Technical changes:
- TL-41007 Updated the embedded certificate file used by Windows servers to the latest version (2 July 2024)

Library updates:
- TL-40367 Upgraded jQuery UI version in the lib folder to 1.13.2
Release 12.66 (2nd September 2024):

Security issues:
- TL-39800 Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
- TL-41520 Fixed cache poisoning via injection into storage (CVE-2024-43428)
- TL-41522 Fixed arbitrary file read risk through pdfTeX in MathJax filter (CVE-2024-43426)
- TL-41526 Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)
  There is a slight possibility that this fix breaks existing calculated questions if they were created with special characters in the formula's 'wildcard' placeholder variables, which are now invalid. A PHP error will be shown when viewing an affected question. An invalid question can be fixed manually by changing the placeholders to valid names.
Release 11.66 (2nd September 2024):

Security issues:
- TL-39800 Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
- TL-41520 Fixed cache poisoning via injection into storage (CVE-2024-43428)
- TL-41522 Fixed arbitrary file read risk through pdfTeX in MathJax filter (CVE-2024-43426)
- TL-41526 Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)
  There is a slight possibility that this fix breaks existing calculated questions if they were created with special characters in the formula's 'wildcard' placeholder variables, which are now invalid. A PHP error will be shown when viewing an affected question. An invalid question can be fixed manually by changing the placeholders to valid names.
Release 10.68 (2nd September 2024):

Security issues:
- TL-39800 Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
- TL-41520 Fixed cache poisoning via injection into storage (CVE-2024-43428)
- TL-41522 Fixed arbitrary file read risk through pdfTeX in MathJax filter (CVE-2024-43426)
- TL-41526 Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)
  There is a slight possibility that this fix breaks existing calculated questions if they were created with special characters in the formula's 'wildcard' placeholder variables, which are now invalid. A PHP error will be shown when viewing an affected question. An invalid question can be fixed manually by changing the placeholders to valid names.
Release 9.74 (2nd September 2024):

Security issues:
- TL-39800 Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
- TL-41520 Fixed cache poisoning via injection into storage (CVE-2024-43428)
- TL-41522 Fixed arbitrary file read risk through pdfTeX in MathJax filter (CVE-2024-43426)
- TL-41526 Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)
  There is a slight possibility that this fix breaks existing calculated questions if they were created with special characters in the formula's 'wildcard' placeholder variables, which are now invalid. A PHP error will be shown when viewing an affected question. An invalid question can be fixed manually by changing the placeholders to valid names.
Release 2.9.71 (2nd September 2024):

Security issues:
- TL-39800 Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
- TL-41520 Fixed cache poisoning via injection into storage (CVE-2024-43428)
- TL-41522 Fixed arbitrary file read risk through pdfTeX in MathJax filter (CVE-2024-43426)
- TL-41526 Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)
  There is a slight possibility that this fix breaks existing calculated questions if they were created with special characters in the formula's 'wildcard' placeholder variables, which are now invalid. A PHP error will be shown when viewing an affected question. An invalid question can be fixed manually by changing the placeholders to valid names.
Release 2.7.76 (2nd September 2024):

Security issues:
- TL-39800 Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
- TL-41522 Fixed arbitrary file read risk through pdfTeX in MathJax filter (CVE-2024-43426)
- TL-41526 Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)
  There is a slight possibility that this fix breaks existing calculated questions if they were created with special characters in the formula's 'wildcard' placeholder variables, which are now invalid. A PHP error will be shown when viewing an affected question. An invalid question can be fixed manually by changing the placeholders to valid names.
Release 2.5.92 (2nd September 2024):

Security issues:
- TL-39800 Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
- TL-41522 Fixed arbitrary file read risk through pdfTeX in MathJax filter (CVE-2024-43426)
- TL-41526 Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)
  There is a slight possibility that this fix breaks existing calculated questions if they were created with special characters in the formula's 'wildcard' placeholder variables, which are now invalid. A PHP error will be shown when viewing an affected question. An invalid question can be fixed manually by changing the placeholders to valid names.
Release 2.2.87 (2nd September 2024):

Security issues:
- TL-39800 Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
- TL-41522 Fixed arbitrary file read risk through pdfTeX in MathJax filter (CVE-2024-43426)
- TL-41526 Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)
  There is a slight possibility that this fix breaks existing calculated questions if they were created with special characters in the formula's 'wildcard' placeholder variables, which are now invalid. A PHP error will be shown when viewing an affected question. An invalid question can be fixed manually by changing the placeholders to valid names.
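The TL-41526 caveat, repeated for every branch above, is the practical consequence of the pattern behind CVE-2024-43425: a formula whose wildcard placeholders are substituted with values and then handed to an evaluator. Rejecting placeholder names that contain special characters is what closes the hole, which is why questions with such names now fail to display until they are renamed. The Python below is an added illustration of that pattern and is not Totara's code; the identifier rule, the `suggest_valid_name` helper and the sample formulas are assumptions for this example and may differ from the rule Totara actually enforces.

```python
from __future__ import annotations

import ast
import operator
import re

# Added example, not Totara code. The identifier rule below is an assumption for
# this illustration; the exact rule Totara enforces after TL-41526 may differ.
PLACEHOLDER_RE = re.compile(r"\{([^{}]*)\}")
VALID_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# After substitution only plain arithmetic is accepted; calls, attribute access,
# names and anything else are rejected instead of being passed to eval().
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def find_placeholders(formula: str) -> list[str]:
    """Return every {name} placeholder in the formula, in order of appearance."""
    return PLACEHOLDER_RE.findall(formula)


def invalid_placeholders(formula: str) -> list[str]:
    """Return the placeholder names that fail the identifier rule."""
    return [n for n in find_placeholders(formula) if not VALID_NAME_RE.match(n)]


def suggest_valid_name(name: str) -> str:
    """Derive a valid identifier from a rejected name, as a hint for the manual
    rename the release note describes (hypothetical helper)."""
    cleaned = re.sub(r"[^A-Za-z0-9_]", "_", name)
    if not cleaned or not re.match(r"[A-Za-z_]", cleaned[0]):
        cleaned = "v_" + cleaned
    return cleaned


def _eval_node(node: ast.AST) -> float:
    """Evaluate a parsed expression, permitting only numeric literals and arithmetic."""
    if isinstance(node, ast.Expression):
        return _eval_node(node.body)
    if (isinstance(node, ast.Constant) and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    raise ValueError(f"disallowed element in formula: {type(node).__name__}")


def evaluate(formula: str, values: dict[str, float]) -> float:
    """Substitute wildcard values into the formula and evaluate it safely.

    Raises ValueError if any placeholder name is invalid, a value is missing, or
    the substituted expression contains anything beyond arithmetic on numbers.
    """
    bad = invalid_placeholders(formula)
    if bad:
        raise ValueError(f"invalid placeholder name(s): {bad}")

    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in values:
            raise ValueError(f"no value supplied for placeholder {{{name}}}")
        # Coerce to float (so a string value cannot smuggle syntax) and
        # parenthesise so a negative value cannot change operator precedence.
        return f"({float(values[name])!r})"

    substituted = PLACEHOLDER_RE.sub(substitute, formula)
    try:
        tree = ast.parse(substituted, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"formula is not a valid expression: {exc.msg}") from None
    return _eval_node(tree)


if __name__ == "__main__":
    # Constructed sample formulas: one valid, one with the kind of placeholder
    # names the fix now rejects. Values are made up.
    good = "{a} * {b} + 1"
    print(good, "=", evaluate(good, {"a": 2, "b": 3}))
    stale = "{a;b} + {x-y}"
    for name in invalid_placeholders(stale):
        print(f"rename {{{name}}} -> {{{suggest_valid_name(name)}}}")
```

Running the script prints the evaluated sample formula and, for the stale one, a rename suggestion per rejected placeholder; the same `invalid_placeholders` check is what an upgrade-time audit of existing question formulas would loop over.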