Hello everyone,
The following versions of Totara have now been released:
- Release 18.10
- Release 17.23
- Release 16.29
- Release 15.35
- Release 14.40
- Release 13.48
- Release 12.67
- Release 11.67
- Release 10.69
- Release 9.75
- Release 2.9.72
- Release 2.7.77
- Release 2.5.93
- Release 2.2.88
These versions contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes various bug fixes and improvements.
Kind regards,
Release Team
Release 18.10 (24th September 2024):
Security issues:
- TL-39799 Fixed parameter validation for forum search (CVE-2024-25979)
- TL-41486 Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
- TL-41488 Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
- TL-41489 Fixed an XSS vulnerability when restoring a course backup file (CVE-2024-43437)
- TL-41490 Fixed an SQL injection vulnerability in the XMLDB editor (CVE-2024-43436)
- TL-41491 Fixed creating a global glossary without being an admin user (CVE-2024-43435)
- TL-41492 Fixed broken sesskey checks for bulk messaging on the feedback non-respondents page, which led to CSRF (CVE-2024-43434)
- TL-41494 Honoured CURLOPT_UNRESTRICTED_AUTH in emulated redirects (CVE-2024-43432)
- TL-41495 Fixed permission check on badge deletion (CVE-2024-43431)
- TL-41808 Fixed lesson activity password bypass (CVE-2024-45691)

Improvements:
- TL-39743 Allowed the email-based self-registration notification to include the first name, surname and username placeholders.
- TL-41550 Prevented casual use of calculated question types by requiring an additional capability. This patch introduces a new moodle/question:managecalculated capability as an add-on to the fix in TL-41526, to mitigate the risk of executing user-generated PHP code. Only users with this capability will be allowed to create these types of questions:
  * calculated
  * calculated multichoice
  * calculated (simple)
  For existing sites, this capability is given to any users who have the moodle/question:add capability. It is recommended that admins review whether users actually need to use calculated question types, and remove this capability from any roles that do not. No special capability is required to use existing calculated questions in a quiz. For new sites, this capability is not assigned to any roles by default.
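An audit query for the role review recommended above, added here as an example and not part of the Totara release: it lists every role that grants moodle/question:managecalculated and the context level where it is granted, then narrows to roles that also allow moodle/question:add, which is the set the upgrade will have given the new capability to. It assumes the default Totara table prefix ttr_ (substitute $CFG->prefix from your config.php) and the standard role_capabilities, role and context tables Totara shares with Moodle.

```sql
-- Example audit (not Totara's own code): which roles grant the new
-- moodle/question:managecalculated capability, and at which context level.
-- Assumes table prefix ttr_; use $CFG->prefix from config.php if it differs.
-- permission: 1 = CAP_ALLOW, -1 = CAP_PREVENT, -1000 = CAP_PROHIBIT.
-- contextlevel: 10 = system, 40 = category, 50 = course, 70 = activity module.
SELECT r.shortname     AS role,
       c.contextlevel  AS contextlevel,
       rc.permission   AS permission,
       rc.timemodified AS modified
  FROM ttr_role_capabilities rc
  JOIN ttr_role    r ON r.id = rc.roleid
  JOIN ttr_context c ON c.id = rc.contextid
 WHERE rc.capability = 'moodle/question:managecalculated'
 ORDER BY r.shortname, c.contextlevel;

-- Roles that allow both the new capability and moodle/question:add: on an
-- upgraded site these are the roles that inherited managecalculated, so
-- they are the ones to review and trim if they do not author calculated questions.
SELECT DISTINCT r.shortname AS role
  FROM ttr_role r
  JOIN ttr_role_capabilities rc ON rc.roleid = r.id
 WHERE rc.capability = 'moodle/question:managecalculated'
   AND rc.permission = 1
   AND EXISTS (SELECT 1
                 FROM ttr_role_capabilities a
                WHERE a.roleid = r.id
                  AND a.capability = 'moodle/question:add'
                  AND a.permission = 1)
 ORDER BY r.shortname;
```

Run the first query before and after editing role definitions to confirm the capability ends up allowed only for the roles that genuinely need to create calculated questions.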
Bug fixes:
- TL-37842 Fixed program completion start date not being updated if course set completion does not exist
- TL-41200 Fixed a problem where users could not log in via SAML when the guest user was active
- TL-41658 Added cookie information icon to the new login screen
- TL-41677 Fixed problems with grade max exceeding database limit. When several activities or manual grade items contained grade maximums close to the limit of the field, the course grade maximum calculated (usually the sum of the individual grade items) could exceed the value that could be stored in the field. The database field size has been increased, while the maximum that any individual grade item can have has been retained.
- TL-41685 Refactored the approval workflows applications dashboard to work more efficiently
- TL-41830 Fixed problems with grade exceeding database limit. When several activities or manual grade items contained grades close to the limit of the field, the course grade calculated (usually the sum of the individual grades) could exceed the value that could be stored in the field. Several related database field sizes have been increased.
- TL-40751 The text for the add and edit links in the random glossary text field is now required
- TL-41702 Fixed the title of the report results table being inconsistent when filtering one record versus multiple

Tui front end framework:
- TL-41909 Added a --strict flag to the lint command. This will fail the lint if there are any warnings; by default, it only fails on lint errors. Usage: npm run tui-style-check -- --strict
Release 17.23 (24th September 2024):
Security issues:
- TL-39799 Fixed parameter validation for forum search (CVE-2024-25979)
- TL-41486 Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
- TL-41488 Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
- TL-41489 Fixed an XSS vulnerability when restoring a course backup file (CVE-2024-43437)
- TL-41490 Fixed an SQL injection vulnerability in the XMLDB editor (CVE-2024-43436)
- TL-41491 Fixed creating a global glossary without being an admin user (CVE-2024-43435)
- TL-41492 Fixed broken sesskey checks for bulk messaging on the feedback non-respondents page, which led to CSRF (CVE-2024-43434)
- TL-41494 Honoured CURLOPT_UNRESTRICTED_AUTH in emulated redirects (CVE-2024-43432)
- TL-41495 Fixed permission check on badge deletion (CVE-2024-43431)
- TL-41808 Fixed lesson activity password bypass (CVE-2024-45691)

Improvements:
- TL-39743 Allowed the email-based self-registration notification to include the first name, surname and username placeholders.
- TL-41550 Prevented casual use of calculated question types by requiring an additional capability. This patch introduces a new moodle/question:managecalculated capability as an add-on to the fix in TL-41526, to mitigate the risk of executing user-generated PHP code. Only users with this capability will be allowed to create these types of questions:
  * calculated
  * calculated multichoice
  * calculated (simple)
  For existing sites, this capability is given to any users who have the moodle/question:add capability. It is recommended that admins review whether users actually need to use calculated question types, and remove this capability from any roles that do not. No special capability is required to use existing calculated questions in a quiz. For new sites, this capability is not assigned to any roles by default.
Bug fixes:
- TL-37842 Fixed program completion start date not being updated if course set completion does not exist
- TL-40751 The text for the add and edit links in the random glossary text field is now required
Release 16.29 (24th September 2024):
Security issues:
- TL-39799 Fixed parameter validation for forum search (CVE-2024-25979)
- TL-41486 Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
- TL-41488 Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
- TL-41489 Fixed an XSS vulnerability when restoring a course backup file (CVE-2024-43437)
- TL-41490 Fixed an SQL injection vulnerability in the XMLDB editor (CVE-2024-43436)
- TL-41491 Fixed creating a global glossary without being an admin user (CVE-2024-43435)
- TL-41492 Fixed broken sesskey checks for bulk messaging on the feedback non-respondents page, which led to CSRF (CVE-2024-43434)
- TL-41494 Honoured CURLOPT_UNRESTRICTED_AUTH in emulated redirects (CVE-2024-43432)
- TL-41495 Fixed permission check on badge deletion (CVE-2024-43431)
- TL-41808 Fixed lesson activity password bypass (CVE-2024-45691)

Improvements:
- TL-41550 Prevented casual use of calculated question types by requiring an additional capability. This patch introduces a new moodle/question:managecalculated capability as an add-on to the fix in TL-41526, to mitigate the risk of executing user-generated PHP code. Only users with this capability will be allowed to create these types of questions:
  * calculated
  * calculated multichoice
  * calculated (simple)
  For existing sites, this capability is given to any users who have the moodle/question:add capability. It is recommended that admins review whether users actually need to use calculated question types, and remove this capability from any roles that do not. No special capability is required to use existing calculated questions in a quiz. For new sites, this capability is not assigned to any roles by default.

Bug fixes:
- TL-37842 Fixed program completion start date not being updated if course set completion does not exist
- TL-40344 Fixed placeholder failure in Course Due Date course notification during audience assignment
Release 15.35 (24th September 2024):
Security issues:
- TL-39799 Fixed parameter validation for forum search (CVE-2024-25979)
- TL-41486 Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
- TL-41488 Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
- TL-41489 Fixed an XSS vulnerability when restoring a course backup file (CVE-2024-43437)
- TL-41490 Fixed an SQL injection vulnerability in the XMLDB editor (CVE-2024-43436)
- TL-41491 Fixed creating a global glossary without being an admin user (CVE-2024-43435)
- TL-41492 Fixed broken sesskey checks for bulk messaging on the feedback non-respondents page, which led to CSRF (CVE-2024-43434)
- TL-41494 Honoured CURLOPT_UNRESTRICTED_AUTH in emulated redirects (CVE-2024-43432)
- TL-41495 Fixed permission check on badge deletion (CVE-2024-43431)
- TL-41808 Fixed lesson activity password bypass (CVE-2024-45691)

Improvements:
- TL-41550 Prevented casual use of calculated question types by requiring an additional capability. This patch introduces a new moodle/question:managecalculated capability as an add-on to the fix in TL-41526, to mitigate the risk of executing user-generated PHP code. Only users with this capability will be allowed to create these types of questions:
  * calculated
  * calculated multichoice
  * calculated (simple)
  For existing sites, this capability is given to any users who have the moodle/question:add capability. It is recommended that admins review whether users actually need to use calculated question types, and remove this capability from any roles that do not. No special capability is required to use existing calculated questions in a quiz. For new sites, this capability is not assigned to any roles by default.

Bug fixes:
- TL-37842 Fixed program completion start date not being updated if course set completion does not exist
Release 14.40 (24th September 2024):
Security issues:
- TL-39799 Fixed parameter validation for forum search (CVE-2024-25979)
- TL-41486 Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
- TL-41488 Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
- TL-41489 Fixed an XSS vulnerability when restoring a course backup file (CVE-2024-43437)
- TL-41490 Fixed an SQL injection vulnerability in the XMLDB editor (CVE-2024-43436)
- TL-41491 Fixed creating a global glossary without being an admin user (CVE-2024-43435)
- TL-41492 Fixed broken sesskey checks for bulk messaging on the feedback non-respondents page, which led to CSRF (CVE-2024-43434)
- TL-41494 Honoured CURLOPT_UNRESTRICTED_AUTH in emulated redirects (CVE-2024-43432)
- TL-41495 Fixed permission check on badge deletion (CVE-2024-43431)
- TL-41808 Fixed lesson activity password bypass (CVE-2024-45691)

Improvements:
- TL-41550 Prevented casual use of calculated question types by requiring an additional capability. This patch introduces a new moodle/question:managecalculated capability as an add-on to the fix in TL-41526, to mitigate the risk of executing user-generated PHP code. Only users with this capability will be allowed to create these types of questions:
  * calculated
  * calculated multichoice
  * calculated (simple)
  For existing sites, this capability is given to any users who have the moodle/question:add capability. It is recommended that admins review whether users actually need to use calculated question types, and remove this capability from any roles that do not. No special capability is required to use existing calculated questions in a quiz. For new sites, this capability is not assigned to any roles by default.

Bug fixes:
- TL-37842 Fixed program completion start date not being updated if course set completion does not exist
Release 13.48 (24th September 2024):
Security issues:
- TL-39799 Fixed parameter validation for forum search (CVE-2024-25979)
- TL-41486 Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
- TL-41488 Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
- TL-41489 Fixed an XSS vulnerability when restoring a course backup file (CVE-2024-43437)
- TL-41490 Fixed an SQL injection vulnerability in the XMLDB editor (CVE-2024-43436)
- TL-41491 Fixed creating a global glossary without being an admin user (CVE-2024-43435)
- TL-41492 Fixed broken sesskey checks for bulk messaging on the feedback non-respondents page, which led to CSRF (CVE-2024-43434)
- TL-41494 Honoured CURLOPT_UNRESTRICTED_AUTH in emulated redirects (CVE-2024-43432)
- TL-41495 Fixed permission check on badge deletion (CVE-2024-43431)
- TL-41808 Fixed lesson activity password bypass (CVE-2024-45691)

Improvements:
- TL-41550 Prevented casual use of calculated question types by requiring an additional capability. This patch introduces a new moodle/question:managecalculated capability as an add-on to the fix in TL-41526, to mitigate the risk of executing user-generated PHP code. Only users with this capability will be allowed to create these types of questions:
  * calculated
  * calculated multichoice
  * calculated (simple)
  For existing sites, this capability is given to any users who have the moodle/question:add capability. It is recommended that admins review whether users actually need to use calculated question types, and remove this capability from any roles that do not. No special capability is required to use existing calculated questions in a quiz. For new sites, this capability is not assigned to any roles by default.
Release 12.67 (24th September 2024):
Security issues:
- TL-39799 Fixed parameter validation for forum search (CVE-2024-25979)
- TL-41486 Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
- TL-41488 Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
- TL-41489 Fixed an XSS vulnerability when restoring a course backup file (CVE-2024-43437)
- TL-41491 Fixed creating a global glossary without being an admin user (CVE-2024-43435)
- TL-41492 Fixed broken sesskey checks for bulk messaging on the feedback non-respondents page, which led to CSRF (CVE-2024-43434)
- TL-41808 Fixed lesson activity password bypass (CVE-2024-45691)
Release 11.67 (24th September 2024):
Security issues:
- TL-39799 Fixed parameter validation for forum search (CVE-2024-25979)
- TL-41486 Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
- TL-41488 Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
- TL-41489 Fixed an XSS vulnerability when restoring a course backup file (CVE-2024-43437)
- TL-41491 Fixed creating a global glossary without being an admin user (CVE-2024-43435)
- TL-41492 Fixed broken sesskey checks for bulk messaging on the feedback non-respondents page, which led to CSRF (CVE-2024-43434)
Release 10.69 (24th September 2024):
Security issues:
- TL-39799 Fixed parameter validation for forum search (CVE-2024-25979)
- TL-41486 Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
- TL-41488 Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
- TL-41489 Fixed an XSS vulnerability when restoring a course backup file (CVE-2024-43437)
- TL-41491 Fixed creating a global glossary without being an admin user (CVE-2024-43435)
- TL-41492 Fixed broken sesskey checks for bulk messaging on the feedback non-respondents page, which led to CSRF (CVE-2024-43434)
Release 9.75 (24th September 2024):
Security issues:
- TL-39799 Fixed parameter validation for forum search (CVE-2024-25979)
- TL-41486 Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
- TL-41488 Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
- TL-41489 Fixed an XSS vulnerability when restoring a course backup file (CVE-2024-43437)
- TL-41491 Fixed creating a global glossary without being an admin user (CVE-2024-43435)
- TL-41492 Fixed broken sesskey checks for bulk messaging on the feedback non-respondents page, which led to CSRF (CVE-2024-43434)
Release 2.9.72 (24th September 2024):
Security issues:
- TL-39799 Fixed parameter validation for forum search (CVE-2024-25979)
- TL-41486 Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
- TL-41488 Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
- TL-41489 Fixed an XSS vulnerability when restoring a course backup file (CVE-2024-43437)
- TL-41491 Fixed creating a global glossary without being an admin user (CVE-2024-43435)
- TL-41492 Fixed broken sesskey checks for bulk messaging on the feedback non-respondents page, which led to CSRF (CVE-2024-43434)
Release 2.7.77 (24th September 2024):
Security issues:
- TL-39799 Fixed parameter validation for forum search (CVE-2024-25979)
- TL-41486 Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
- TL-41488 Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
- TL-41489 Fixed an XSS vulnerability when restoring a course backup file (CVE-2024-43437)
- TL-41491 Fixed creating a global glossary without being an admin user (CVE-2024-43435)
- TL-41492 Fixed broken sesskey checks for bulk messaging on the feedback non-respondents page, which led to CSRF (CVE-2024-43434)
Release 2.5.93 (24th September 2024):
Security issues:
- TL-39799 Fixed parameter validation for forum search (CVE-2024-25979)
- TL-41486 Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
- TL-41488 Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
- TL-41489 Fixed an XSS vulnerability when restoring a course backup file (CVE-2024-43437)
- TL-41491 Fixed creating a global glossary without being an admin user (CVE-2024-43435)
- TL-41492 Fixed broken sesskey checks for bulk messaging on the feedback non-respondents page, which led to CSRF (CVE-2024-43434)
Release 2.2.88 (24th September 2024):
Security issues:
- TL-39799 Fixed parameter validation for forum search (CVE-2024-25979)
- TL-41486 Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
- TL-41488 Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
- TL-41489 Fixed an XSS vulnerability when restoring a course backup file (CVE-2024-43437)
- TL-41491 Fixed creating a global glossary without being an admin user (CVE-2024-43435)
- TL-41492 Fixed broken sesskey checks for bulk messaging on the feedback non-respondents page, which led to CSRF (CVE-2024-43434)