Totara Release Notes

Totara TXP 18.9, 17.22, 16.28, 15.34, 14.39, 13.47, 12.66, 11.66, 10.68, 9.74, 2.9.71, 2.7.76, 2.5.92 and 2.2.87 are now available

 
David Curry (Core Developer)
Totara TXP 18.9, 17.22, 16.28, 15.34, 14.39, 13.47, 12.66, 11.66, 10.68, 9.74, 2.9.71, 2.7.76, 2.5.92 and 2.2.87 are now available
על ידי David Curry (Core Developer) בתאריך 1/09/2024, 23:48
קבוצה Totara

Hello everyone,

The following versions of Totara have now been released:

These versions do contain security fixes, and for this reason we strongly recommend upgrade.
Each release also includes various bug fixes and improvements.

Kind regards,

Release Team

Release 18.9 (02nd September 2024):

Security issues:

    TL-39800       Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
    TL-40873       Fixed some cases where the CSRF token was not correctly validated (CVE-2024-38276)
    TL-40874       Fixed a problem with authorization headers and emulated redirects (CVE-2024-38275)
    TL-41520       Fixed cache poisoning via injection into storage (CVE-2024-43428)
    TL-41522       Fixed arbitrary file read risk through pdfTex in MathJax filter (CVE-2024-43426)
    TL-41526       Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)

                   There is a slight possibility that this fix breaks existing calculated
                   questions, if they have been created with special characters in the formula's
                   'wildcard' placeholder variables that are now invalid. A PHP error will be shown
                   when viewing an affected question. An invalid question can be manually fixed by
                   changing the placeholders to valid names.


New features:

    TL-33266       Added a diagnostic plugin to assist with troubleshooting

                   A new plugin has been created to generate diagnostic information for Totara
                   support. When triggered by an admin, it collects non-sensitive data about the
                   Totara installation and allows it to be downloaded as a zip file. The tool is
                   accessible via the command line (CLI) or through the "Diagnostic for support"
                   option under "System information".

                   Admins can export the diagnostic data and attach it to support tickets if
                   requested by Totara Support. This information will help investigate reported
                   issues more efficiently.

                   For further details, please refer to the inline help within the tool and the
                   end-user documentation on totara.help.


Performance improvements:

    TL-39818       Fixed error on MSSQL when exporting the Program overdue report

Improvements:

    TL-38097       Improved the formatting of the seminar room notification placeholder
    TL-39844       Added Approvers recipient to Seminar booking notification triggers

                   Seminar booking notifications can now be configured to be sent to the
                   appropriate approvers.

    TL-40350       Updated default security settings to align with best practices.

                   The "Account lockout threshold" now defaults to 5 attempts, while both the
                   "Account lockout observation window" and "Account lockout duration" now default
                   to 1 hour.

                   These changes do not affect existing environments, but we strongly recommend
                   reviewing and updating these settings on current sites to enhance security.


Bug fixes:

    TL-37545       Fixed debugging message shown when creating an audience with no alert options selected
    TL-38584       Fixed multilang filter for Seminar room custom field in the calendar
    TL-38726       Fixed an issue with temporary managers viewing other user's profiles

                   Job assignments automatically confer user profile visibility, such that managers
                   and appraisers on the same job assignment can see each other’s user profiles.
                   Temporary managers were not included in the database query that resolves this
                   relationship-based visibility.

                   This has been fixed. It is now possible for the temporary manager on a job
                   assignment to view the user profile of the manager and/or appraiser on the same
                   job assignment.

    TL-38858       Updated help text for "showuseridentity" setting
    TL-39173       Learning plan priority scales now display the in correct language.
    TL-39829       Resolved the issue on the course enrollment page where the user tour throws a requireloginerror exception
    TL-40080       Corrected the read only check in backend actions of legacy appraisals
    TL-40099       Fixed orphaned enrolment instances remaining in the database after course deletion.

                   Previously, enrolment instances were marked as deleted but still left in the
                   database, causing them to become orphaned when a course was deleted. This led to
                   errors when processing user assignments. With this update, these records are now
                   properly deleted along with the course, and additional measures have been
                   implemented to prevent errors from any existing orphaned records.

    TL-40164       Implemented error handling for the send_participant_instance_creation_notifications_task to ensure task completion

                   This update ensures that the
                   send_participant_instance_creation_notifications_task can complete successfully,
                   even if an error occurs during execution. It prevents duplicate emails from
                   being sent to performance activity participants, which can happen if the task
                   fails to finish.

    TL-40172       Fixed booking end date notifications not being sent immediately

                   To apply this fix, the 'Send non-immediate scheduled notifications' task can now
                   be configured to run more frequently, such as every 5 minutes. This adjustment
                   ensures that booking end date notifications, along with other scheduled
                   notifications, are sent closer to the intended time, rather than at a single
                   time each day as was previously the case.

    TL-40252       Prevented adding suspended attendees to Seminars via CSV upload or list of IDs
    TL-40280       Fixed the company goal adder list to exclude deleted goal assignments
    TL-40756       Resolved the exception thrown when displaying the "recently viewed" block at the top of main region and the first item is a course
    TL-40959       Fixed Engage database error when $CFG->disable_visibility_maps is enabled
    TL-41021       Fixed an error for report builder export when using the column 'User Fullname (with links to learning components)'
    TL-41039       Fixed issue where adding more competencies to a learning plan removed previously added competencies
    TL-41129       Fixed search boxes in workspaces and resources displaying rounded edges on iOS
    TL-41163       Fixed an issue where guest auto login with an auth plugin redirected users to the home page instead of their previous page
    TL-41302       Fixed the locking mechanism in the approval workflows role map regenerate scheduled task

                   Also added a user interface for admins to run the task immediately if
                   applications are not showing as expected on the applications dashboard.

    TL-41323       Fixed an error on the application activity tab
    TL-41325       Fixed an error with approval workflow reports with an incorrect alias

Technical changes:

    TL-41007       Updated the embedded certificate file used by Windows servers to the latest version (2 July 2024)
    TL-41440       Updated the MySQL reserved words list

                   Added the following words to the reserved list:

                   * INTERSECT 
                   * MANUAL
                   * PARALLEL
                   * QUALIFY
                   * TABLESAMPLE


Recommendations engine:

    TL-41090       Upgraded libraries used by Machine Learning Service (CVE-2024-3651)

                   Upgraded idna to 3.7 (CVE-2024-3651)
                   Upgraded tqdm to 4.66.4 (CVE-2024-34062)

                   Python 3.6 is no longer supported due to unavailable required libraries. We
                   recommend upgrading to a newer version or using the provided Docker image.


Library updates:

    TL-40367       Upgraded JQuery UI version in the lib folder to 1.13.2
    TL-40907       Updated the H5P plugin to allow compatibility with newer versions of the content types

Release 17.22 (02nd September 2024):

Security issues:

    TL-39800       Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
    TL-40873       Fixed some cases where the CSRF token was not correctly validated (CVE-2024-38276)
    TL-40874       Fixed a problem with authorization headers and emulated redirects (CVE-2024-38275)
    TL-41520       Fixed cache poisoning via injection into storage (CVE-2024-43428)
    TL-41522       Fixed arbitrary file read risk through pdfTex in MathJax filter (CVE-2024-43426)
    TL-41526       Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)

                   There is a slight possibility that this fix breaks existing calculated
                   questions, if they have been created with special characters in the formula's
                   'wildcard' placeholder variables that are now invalid. A PHP error will be shown
                   when viewing an affected question. An invalid question can be manually fixed by
                   changing the placeholders to valid names.


New features:

    TL-33266       Added a diagnostic plugin to assist with troubleshooting

                   A new plugin has been created to generate diagnostic information for Totara
                   support. When triggered by an admin, it collects non-sensitive data about the
                   Totara installation and allows it to be downloaded as a zip file. The tool is
                   accessible via the command line (CLI) or through the "Diagnostic for support"
                   option under "System information".

                   Admins can export the diagnostic data and attach it to support tickets if
                   requested by Totara Support. This information will help investigate reported
                   issues more efficiently.

                   For further details, please refer to the inline help within the tool and the
                   end-user documentation on totara.help.


Performance improvements:

    TL-39818       Fixed error on MSSQL when exporting the Program overdue report

Improvements:

    TL-38097       Improved the formatting of the seminar room notification placeholder
    TL-39844       Added Approvers recipient to Seminar booking notification triggers

                   Seminar booking notifications can now be configured to be sent to the
                   appropriate approvers.


Bug fixes:

    TL-37545       Fixed debugging message shown when creating an audience with no alert options selected
    TL-38584       Fixed multilang filter for Seminar room custom field in the calendar
    TL-38726       Fixed an issue with temporary managers viewing other user's profiles

                   Job assignments automatically confer user profile visibility, such that managers
                   and appraisers on the same job assignment can see each other’s user profiles.
                   Temporary managers were not included in the database query that resolves this
                   relationship-based visibility.

                   This has been fixed. It is now possible for the temporary manager on a job
                   assignment to view the user profile of the manager and/or appraiser on the same
                   job assignment.

    TL-38858       Updated help text for "showuseridentity" setting
    TL-39173       Learning plan priority scales now display the in correct language.
    TL-39829       Resolved the issue on the course enrollment page where the user tour throws a requireloginerror exception
    TL-40099       Fixed orphaned enrolment instances remaining in the database after course deletion.

                   Previously, enrolment instances were marked as deleted but still left in the
                   database, causing them to become orphaned when a course was deleted. This led to
                   errors when processing user assignments. With this update, these records are now
                   properly deleted along with the course, and additional measures have been
                   implemented to prevent errors from any existing orphaned records.

    TL-40164       Implemented error handling for the send_participant_instance_creation_notifications_task to ensure task completion

                   This update ensures that the
                   send_participant_instance_creation_notifications_task can complete successfully,
                   even if an error occurs during execution. It prevents duplicate emails from
                   being sent to performance activity participants, which can happen if the task
                   fails to finish.

    TL-40172       Fixed booking end date notifications not being sent immediately

                   To apply this fix, the 'Send non-immediate scheduled notifications' task can now
                   be configured to run more frequently, such as every 5 minutes. This adjustment
                   ensures that booking end date notifications, along with other scheduled
                   notifications, are sent closer to the intended time, rather than at a single
                   time each day as was previously the case.

    TL-40252       Prevented adding suspended attendees to Seminars via CSV upload or list of IDs
    TL-40280       Fixed the company goal adder list to exclude deleted goal assignments
    TL-41039       Fixed issue where adding more competencies to a learning plan removed previously added competencies

Technical changes:

    TL-41007       Updated the embedded certificate file used by Windows servers to the latest version (2 July 2024)

Recommendations engine:

    TL-41090       Upgraded libraries used by Machine Learning Service (CVE-2024-3651)

                   Upgraded idna to 3.7 (CVE-2024-3651)
                   Upgraded tqdm to 4.66.4 (CVE-2024-34062)

                   Python 3.6 is no longer supported due to unavailable required libraries. We
                   recommend upgrading to a newer version or using the provided Docker image.


Library updates:

    TL-40367       Upgraded JQuery UI version in the lib folder to 1.13.2

Release 16.28 (02nd September 2024):

Security issues:

    TL-39800       Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
    TL-40873       Fixed some cases where the CSRF token was not correctly validated (CVE-2024-38276)
    TL-40874       Fixed a problem with authorization headers and emulated redirects (CVE-2024-38275)
    TL-41520       Fixed cache poisoning via injection into storage (CVE-2024-43428)
    TL-41522       Fixed arbitrary file read risk through pdfTex in MathJax filter (CVE-2024-43426)
    TL-41526       Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)

                   There is a slight possibility that this fix breaks existing calculated
                   questions, if they have been created with special characters in the formula's
                   'wildcard' placeholder variables that are now invalid. A PHP error will be shown
                   when viewing an affected question. An invalid question can be manually fixed by
                   changing the placeholders to valid names.


New features:

    TL-33266       Added a diagnostic plugin to assist with troubleshooting

                   A new plugin has been created to generate diagnostic information for Totara
                   support. When triggered by an admin, it collects non-sensitive data about the
                   Totara installation and allows it to be downloaded as a zip file. The tool is
                   accessible via the command line (CLI) or through the "Diagnostic for support"
                   option under "System information".

                   Admins can export the diagnostic data and attach it to support tickets if
                   requested by Totara Support. This information will help investigate reported
                   issues more efficiently.

                   For further details, please refer to the inline help within the tool and the
                   end-user documentation on totara.help.


Improvements:

    TL-38097       Improved the formatting of the seminar room notification placeholder

Bug fixes:

    TL-37545       Fixed debugging message shown when creating an audience with no alert options selected
    TL-40099       Fixed orphaned enrolment instances remaining in the database after course deletion.

                   Previously, enrolment instances were marked as deleted but still left in the
                   database, causing them to become orphaned when a course was deleted. This led to
                   errors when processing user assignments. With this update, these records are now
                   properly deleted along with the course, and additional measures have been
                   implemented to prevent errors from any existing orphaned records.

    TL-40252       Prevented adding suspended attendees to Seminars via CSV upload or list of IDs
    TL-41039       Fixed issue where adding more competencies to a learning plan removed previously added competencies

Technical changes:

    TL-41007       Updated the embedded certificate file used by Windows servers to the latest version (2 July 2024)

Recommendations engine:

    TL-41090       Upgraded libraries used by Machine Learning Service (CVE-2024-3651)

                   Upgraded idna to 3.7 (CVE-2024-3651)
                   Upgraded tqdm to 4.66.4 (CVE-2024-34062)

                   Python 3.6 is no longer supported due to unavailable required libraries. We
                   recommend upgrading to a newer version or using the provided Docker image.


Library updates:

    TL-40367       Upgraded JQuery UI version in the lib folder to 1.13.2

Release 15.34 (02nd September 2024):

Security issues:

    TL-39800       Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
    TL-40873       Fixed some cases where the CSRF token was not correctly validated (CVE-2024-38276)
    TL-40874       Fixed a problem with authorization headers and emulated redirects (CVE-2024-38275)
    TL-41520       Fixed cache poisoning via injection into storage (CVE-2024-43428)
    TL-41522       Fixed arbitrary file read risk through pdfTex in MathJax filter (CVE-2024-43426)
    TL-41526       Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)

                   There is a slight possibility that this fix breaks existing calculated
                   questions, if they have been created with special characters in the formula's
                   'wildcard' placeholder variables that are now invalid. A PHP error will be shown
                   when viewing an affected question. An invalid question can be manually fixed by
                   changing the placeholders to valid names.


New features:

    TL-33266       Added a diagnostic plugin to assist with troubleshooting

                   A new plugin has been created to generate diagnostic information for Totara
                   support. When triggered by an admin, it collects non-sensitive data about the
                   Totara installation and allows it to be downloaded as a zip file. The tool is
                   accessible via the command line (CLI) or through the "Diagnostic for support"
                   option under "System information".

                   Admins can export the diagnostic data and attach it to support tickets if
                   requested by Totara Support. This information will help investigate reported
                   issues more efficiently.

                   For further details, please refer to the inline help within the tool and the
                   end-user documentation on totara.help.


Bug fixes:

    TL-37545       Fixed debugging message shown when creating an audience with no alert options selected
    TL-40252       Prevented adding suspended attendees to Seminars via CSV upload or list of IDs
    TL-41039       Fixed issue where adding more competencies to a learning plan removed previously added competencies

Technical changes:

    TL-41007       Updated the embedded certificate file used by Windows servers to the latest version (2 July 2024)

Recommendations engine:

    TL-41090       Upgraded libraries used by Machine Learning Service (CVE-2024-3651)

                   Upgraded idna to 3.7 (CVE-2024-3651)
                   Upgraded tqdm to 4.66.4 (CVE-2024-34062)

                   Python 3.6 is no longer supported due to unavailable required libraries. We
                   recommend upgrading to a newer version or using the provided Docker image.


Library updates:

    TL-40367       Upgraded JQuery UI version in the lib folder to 1.13.2

Release 14.39 (02nd September 2024):

Security issues:

    TL-39800       Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
    TL-40873       Fixed some cases where the CSRF token was not correctly validated (CVE-2024-38276)
    TL-40874       Fixed a problem with authorization headers and emulated redirects (CVE-2024-38275)
    TL-41520       Fixed cache poisoning via injection into storage (CVE-2024-43428)
    TL-41522       Fixed arbitrary file read risk through pdfTex in MathJax filter (CVE-2024-43426)
    TL-41526       Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)

                   There is a slight possibility that this fix breaks existing calculated
                   questions, if they have been created with special characters in the formula's
                   'wildcard' placeholder variables that are now invalid. A PHP error will be shown
                   when viewing an affected question. An invalid question can be manually fixed by
                   changing the placeholders to valid names.


Bug fixes:

    TL-40252       Prevented adding suspended attendees to Seminars via CSV upload or list of IDs
    TL-41039       Fixed issue where adding more competencies to a learning plan removed previously added competencies

Technical changes:

    TL-41007       Updated the embedded certificate file used by Windows servers to the latest version (2 July 2024)

Library updates:

    TL-40367       Upgraded JQuery UI version in the lib folder to 1.13.2

Release 13.47 (02nd September 2024):

Security issues:

    TL-39800       Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
    TL-40873       Fixed some cases where the CSRF token was not correctly validated (CVE-2024-38276)
    TL-40874       Fixed a problem with authorization headers and emulated redirects (CVE-2024-38275)
    TL-41520       Fixed cache poisoning via injection into storage (CVE-2024-43428)
    TL-41522       Fixed arbitrary file read risk through pdfTex in MathJax filter (CVE-2024-43426)
    TL-41526       Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)

                   There is a slight possibility that this fix breaks existing calculated
                   questions, if they have been created with special characters in the formula's
                   'wildcard' placeholder variables that are now invalid. A PHP error will be shown
                   when viewing an affected question. An invalid question can be manually fixed by
                   changing the placeholders to valid names.


Bug fixes:

    TL-41039       Fixed issue where adding more competencies to a learning plan removed previously added competencies

Technical changes:

    TL-41007       Updated the embedded certificate file used by Windows servers to the latest version (2 July 2024)

Library updates:

    TL-40367       Upgraded JQuery UI version in the lib folder to 1.13.2

Release 12.66 (02nd September 2024):

Security issues:

    TL-39800       Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
    TL-41520       Fixed cache poisoning via injection into storage (CVE-2024-43428)
    TL-41522       Fixed arbitrary file read risk through pdfTex in MathJax filter (CVE-2024-43426)
    TL-41526       Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)

                   There is a slight possibility that this fix breaks existing calculated
                   questions, if they have been created with special characters in the formula's
                   'wildcard' placeholder variables that are now invalid. A PHP error will be shown
                   when viewing an affected question. An invalid question can be manually fixed by
                   changing the placeholders to valid names.


Release 11.66 (02nd September 2024):

Security issues:

    TL-39800       Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
    TL-41520       Fixed cache poisoning via injection into storage (CVE-2024-43428)
    TL-41522       Fixed arbitrary file read risk through pdfTex in MathJax filter (CVE-2024-43426)
    TL-41526       Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)

                   There is a slight possibility that this fix breaks existing calculated
                   questions, if they have been created with special characters in the formula's
                   'wildcard' placeholder variables that are now invalid. A PHP error will be shown
                   when viewing an affected question. An invalid question can be manually fixed by
                   changing the placeholders to valid names.


Release 10.68 (02nd September 2024):

Security issues:

    TL-39800       Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
    TL-41520       Fixed cache poisoning via injection into storage (CVE-2024-43428)
    TL-41522       Fixed arbitrary file read risk through pdfTex in MathJax filter (CVE-2024-43426)
    TL-41526       Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)

                   There is a slight possibility that this fix breaks existing calculated
                   questions, if they have been created with special characters in the formula's
                   'wildcard' placeholder variables that are now invalid. A PHP error will be shown
                   when viewing an affected question. An invalid question can be manually fixed by
                   changing the placeholders to valid names.


Release 9.74 (02nd September 2024):

Security issues:

    TL-39800       Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
    TL-41520       Fixed cache poisoning via injection into storage (CVE-2024-43428)
    TL-41522       Fixed arbitrary file read risk through pdfTex in MathJax filter (CVE-2024-43426)
    TL-41526       Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)

                   There is a slight possibility that this fix breaks existing calculated
                   questions, if they have been created with special characters in the formula's
                   'wildcard' placeholder variables that are now invalid. A PHP error will be shown
                   when viewing an affected question. An invalid question can be manually fixed by
                   changing the placeholders to valid names.


Release 2.9.71 (02nd September 2024):

Security issues:

    TL-39800       Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
    TL-41520       Fixed cache poisoning via injection into storage (CVE-2024-43428)
    TL-41522       Fixed arbitrary file read risk through pdfTex in MathJax filter (CVE-2024-43426)
    TL-41526       Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)

                   There is a slight possibility that this fix breaks existing calculated
                   questions, if they have been created with special characters in the formula's
                   'wildcard' placeholder variables that are now invalid. A PHP error will be shown
                   when viewing an affected question. An invalid question can be manually fixed by
                   changing the placeholders to valid names.


Release 2.7.76 (02nd September 2024):

Security issues:

    TL-39800       Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
    TL-41522       Fixed arbitrary file read risk through pdfTex in MathJax filter (CVE-2024-43426)
    TL-41526       Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)

                   There is a slight possibility that this fix breaks existing calculated
                   questions, if they have been created with special characters in the formula's
                   'wildcard' placeholder variables that are now invalid. A PHP error will be shown
                   when viewing an affected question. An invalid question can be manually fixed by
                   changing the placeholders to valid names.


Release 2.5.92 (02nd September 2024):

Security issues:

    TL-39800       Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
    TL-41522       Fixed arbitrary file read risk through pdfTex in MathJax filter (CVE-2024-43426)
    TL-41526       Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)

                   There is a slight possibility that this fix breaks existing calculated
                   questions, if they have been created with special characters in the formula's
                   'wildcard' placeholder variables that are now invalid. A PHP error will be shown
                   when viewing an affected question. An invalid question can be manually fixed by
                   changing the placeholders to valid names.


Release 2.2.87 (02nd September 2024):

Security issues:

    TL-39800       Fixed denial of service risk in file picker unzip functionality (CVE-2024-25978)
    TL-41522       Fixed arbitrary file read risk through pdfTex in MathJax filter (CVE-2024-43426)
    TL-41526       Fixed remote code execution vulnerability in calculated question types (CVE-2024-43425)

                   There is a slight possibility that this fix breaks existing calculated
                   questions, if they have been created with special characters in the formula's
                   'wildcard' placeholder variables that are now invalid. A PHP error will be shown
                   when viewing an affected question. An invalid question can be manually fixed by
                   changing the placeholders to valid names.