Totara Release Notes

Totara TXP 18.10, 17.23, 16.29, 15.35, 14.40, 13.48, 12.67, 11.67, 10.69, 9.75, 2.9.72, 2.7.77, 2.5.93 and 2.2.88 are now available

 
David Curry (Core Developer)
Totara TXP 18.10, 17.23, 16.29, 15.35, 14.40, 13.48, 12.67, 11.67, 10.69, 9.75, 2.9.72, 2.7.77, 2.5.93 and 2.2.88 are now available
door David Curry (Core Developer) - Monday, 23 September 2024, 20:45 PM
Groep Totara

Hello everyone,

The following versions of Totara have now been released:

These versions do contain security fixes, and for this reason we strongly recommend upgrade.
Each release also includes various bug fixes and improvements.

Kind regards,
Release Team

Release 18.10 (24th September 2024):

Security issues:

    TL-39799       Fixed parameter validation for forum search (CVE-2024-25979)
    TL-41486       Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
    TL-41488       Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
    TL-41489       Fixed an XSS vulnerability when restoring course backup file (CVE-2024-43437)
    TL-41490       Fixed an SQL injection vulnerability with XMLDB editor (CVE-2024-43436)
    TL-41491       Fixed creating global glossary without being admin user (CVE-2024-43435)
    TL-41492       Fixed feedback non-respondents broken sesskey checks for bulk message lead to CSRF (CVE-2024-43434)
    TL-41494       Honoured CURLOPT_UNRESTRICTED_AUTH in emulated redirects (CVE-2024-43432)
    TL-41495       Fixed permission check on badge deletion (CVE-2024-43431)
    TL-41808       Fixed lesson activity password bypass (CVE-2024-45691)

Improvements:

    TL-39743       Allowed email-based self registration notification to include the first name, surname and username placeholders.
    TL-41550       Prevented casual use of calculated question types by requiring an additional capability

                   This patch introduces a new {{moodle/question:managecalculated}} capability as
                   an add on to the fix in [TL-41526], to mitigate the risk of executing
                   user-generated PHP code. Only users with this capability will be allowed to
                   create these types of questions:

                   * calculated
                   * calculated multichoice
                   * calculated (simple)

                   For existing sites, this capability is given to any users who have the
                   {{moodle/question:add}} capability. It is recommended that admins review whether
                   users actually need to use calculated question types, and remove this capability
                   from any roles that do not. No special capability is required to use existing
                   calculated questions in a quiz.

                   For new sites, this capability is not assigned to any roles by default.


Bug fixes:

    TL-37842       Fixed program completion start date not being updated if course set completion does not exist
    TL-41200       Fixed a problem where users could not login via SAML when the guest user was active
    TL-41658       Added cookie information icon to the new login screen
    TL-41677       Fixed problems with grade max exceeding database limit

                   When several activities or manual grade items contained grade maximums close to
                   the limit of the field, the course grade maximum calculated (usually the sum of
                   the individual grade items) could exceed the value that could be stored in the
                   field. The database field size has been increased, while the maximum that any
                   individual grade item can have has been retained.

    TL-41685       Refactored the approval workflows applications dashboard to work more efficiently
    TL-41830       Fixed problems with grade exceeding database limit

                   When several activities or manual grade items contained grades close to the
                   limit of the field, the course grade calculated (usually the sum of the
                   individual grades) could exceed the value that could be stored in the field.
                   Several related database field sizes have been increased.

    TL-40751       The text for the add and edit links in the random glossary text field are now required
    TL-41702       Fixed the title of the report results table being inconsistent when filtering one record versus multiple

Tui front end framework:

    TL-41909       Added a --strict flag to lint command

                   This will fail the lint if there are any warnings. By default, it only fails on
                   lint errors.
                   Usage: npm run tui-style-check -- --strict


Release 17.23 (24th September 2024):

Security issues:

    TL-39799       Fixed parameter validation for forum search (CVE-2024-25979)
    TL-41486       Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
    TL-41488       Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
    TL-41489       Fixed an XSS vulnerability when restoring course backup file (CVE-2024-43437)
    TL-41490       Fixed an SQL injection vulnerability with XMLDB editor (CVE-2024-43436)
    TL-41491       Fixed creating global glossary without being admin user (CVE-2024-43435)
    TL-41492       Fixed feedback non-respondents broken sesskey checks for bulk message lead to CSRF (CVE-2024-43434)
    TL-41494       Honoured CURLOPT_UNRESTRICTED_AUTH in emulated redirects (CVE-2024-43432)
    TL-41495       Fixed permission check on badge deletion (CVE-2024-43431)
    TL-41808       Fixed lesson activity password bypass (CVE-2024-45691)

Improvements:

    TL-39743       Allowed email-based self registration notification to include the first name, surname and username placeholders.
    TL-41550       Prevented casual use of calculated question types by requiring an additional capability

                   This patch introduces a new {{moodle/question:managecalculated}} capability as
                   an add on to the fix in [TL-41526], to mitigate the risk of executing
                   user-generated PHP code. Only users with this capability will be allowed to
                   create these types of questions:

                   * calculated
                   * calculated multichoice
                   * calculated (simple)

                   For existing sites, this capability is given to any users who have the
                   {{moodle/question:add}} capability. It is recommended that admins review whether
                   users actually need to use calculated question types, and remove this capability
                   from any roles that do not. No special capability is required to use existing
                   calculated questions in a quiz.

                   For new sites, this capability is not assigned to any roles by default.


Bug fixes:

    TL-37842       Fixed program completion start date not being updated if course set completion does not exist
    TL-40751       The text for the add and edit links in the random glossary text field are now required

Release 16.29 (24th September 2024):

Security issues:

    TL-39799       Fixed parameter validation for forum search (CVE-2024-25979)
    TL-41486       Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
    TL-41488       Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
    TL-41489       Fixed an XSS vulnerability when restoring course backup file (CVE-2024-43437)
    TL-41490       Fixed an SQL injection vulnerability with XMLDB editor (CVE-2024-43436)
    TL-41491       Fixed creating global glossary without being admin user (CVE-2024-43435)
    TL-41492       Fixed feedback non-respondents broken sesskey checks for bulk message lead to CSRF (CVE-2024-43434)
    TL-41494       Honoured CURLOPT_UNRESTRICTED_AUTH in emulated redirects (CVE-2024-43432)
    TL-41495       Fixed permission check on badge deletion (CVE-2024-43431)
    TL-41808       Fixed lesson activity password bypass (CVE-2024-45691)

Improvements:

    TL-41550       Prevented casual use of calculated question types by requiring an additional capability

                   This patch introduces a new {{moodle/question:managecalculated}} capability as
                   an add on to the fix in [TL-41526], to mitigate the risk of executing
                   user-generated PHP code. Only users with this capability will be allowed to
                   create these types of questions:

                   * calculated
                   * calculated multichoice
                   * calculated (simple)

                   For existing sites, this capability is given to any users who have the
                   {{moodle/question:add}} capability. It is recommended that admins review whether
                   users actually need to use calculated question types, and remove this capability
                   from any roles that do not. No special capability is required to use existing
                   calculated questions in a quiz.

                   For new sites, this capability is not assigned to any roles by default.


Bug fixes:

    TL-37842       Fixed program completion start date not being updated if course set completion does not exist
    TL-40344       Fixed placeholder failure in Course Due Date course notification during audience assignment

Release 15.35 (24th September 2024):

Security issues:

    TL-39799       Fixed parameter validation for forum search (CVE-2024-25979)
    TL-41486       Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
    TL-41488       Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
    TL-41489       Fixed an XSS vulnerability when restoring course backup file (CVE-2024-43437)
    TL-41490       Fixed an SQL injection vulnerability with XMLDB editor (CVE-2024-43436)
    TL-41491       Fixed creating global glossary without being admin user (CVE-2024-43435)
    TL-41492       Fixed feedback non-respondents broken sesskey checks for bulk message lead to CSRF (CVE-2024-43434)
    TL-41494       Honoured CURLOPT_UNRESTRICTED_AUTH in emulated redirects (CVE-2024-43432)
    TL-41495       Fixed permission check on badge deletion (CVE-2024-43431)
    TL-41808       Fixed lesson activity password bypass (CVE-2024-45691)

Improvements:

    TL-41550       Prevented casual use of calculated question types by requiring an additional capability

                   This patch introduces a new {{moodle/question:managecalculated}} capability as
                   an add on to the fix in [TL-41526], to mitigate the risk of executing
                   user-generated PHP code. Only users with this capability will be allowed to
                   create these types of questions:

                   * calculated
                   * calculated multichoice
                   * calculated (simple)

                   For existing sites, this capability is given to any users who have the
                   {{moodle/question:add}} capability. It is recommended that admins review whether
                   users actually need to use calculated question types, and remove this capability
                   from any roles that do not. No special capability is required to use existing
                   calculated questions in a quiz.

                   For new sites, this capability is not assigned to any roles by default.


Bug fixes:

    TL-37842       Fixed program completion start date not being updated if course set completion does not exist

Release 14.40 (24th September 2024):

Security issues:

    TL-39799       Fixed parameter validation for forum search (CVE-2024-25979)
    TL-41486       Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
    TL-41488       Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
    TL-41489       Fixed an XSS vulnerability when restoring course backup file (CVE-2024-43437)
    TL-41490       Fixed an SQL injection vulnerability with XMLDB editor (CVE-2024-43436)
    TL-41491       Fixed creating global glossary without being admin user (CVE-2024-43435)
    TL-41492       Fixed feedback non-respondents broken sesskey checks for bulk message lead to CSRF (CVE-2024-43434)
    TL-41494       Honoured CURLOPT_UNRESTRICTED_AUTH in emulated redirects (CVE-2024-43432)
    TL-41495       Fixed permission check on badge deletion (CVE-2024-43431)
    TL-41808       Fixed lesson activity password bypass (CVE-2024-45691)

Improvements:

    TL-41550       Prevented casual use of calculated question types by requiring an additional capability

                   This patch introduces a new {{moodle/question:managecalculated}} capability as
                   an add on to the fix in [TL-41526], to mitigate the risk of executing
                   user-generated PHP code. Only users with this capability will be allowed to
                   create these types of questions:

                   * calculated
                   * calculated multichoice
                   * calculated (simple)

                   For existing sites, this capability is given to any users who have the
                   {{moodle/question:add}} capability. It is recommended that admins review whether
                   users actually need to use calculated question types, and remove this capability
                   from any roles that do not. No special capability is required to use existing
                   calculated questions in a quiz.

                   For new sites, this capability is not assigned to any roles by default.


Bug fixes:

    TL-37842       Fixed program completion start date not being updated if course set completion does not exist

Release 13.48 (24th September 2024):

Security issues:

    TL-39799       Fixed parameter validation for forum search (CVE-2024-25979)
    TL-41486       Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
    TL-41488       Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
    TL-41489       Fixed an XSS vulnerability when restoring course backup file (CVE-2024-43437)
    TL-41490       Fixed an SQL injection vulnerability with XMLDB editor (CVE-2024-43436)
    TL-41491       Fixed creating global glossary without being admin user (CVE-2024-43435)
    TL-41492       Fixed feedback non-respondents broken sesskey checks for bulk message lead to CSRF (CVE-2024-43434)
    TL-41494       Honoured CURLOPT_UNRESTRICTED_AUTH in emulated redirects (CVE-2024-43432)
    TL-41495       Fixed permission check on badge deletion (CVE-2024-43431)
    TL-41808       Fixed lesson activity password bypass (CVE-2024-45691)

Improvements:

    TL-41550       Prevented casual use of calculated question types by requiring an additional capability

                   This patch introduces a new {{moodle/question:managecalculated}} capability as
                   an add on to the fix in [TL-41526], to mitigate the risk of executing
                   user-generated PHP code. Only users with this capability will be allowed to
                   create these types of questions:

                   * calculated
                   * calculated multichoice
                   * calculated (simple)

                   For existing sites, this capability is given to any users who have the
                   {{moodle/question:add}} capability. It is recommended that admins review whether
                   users actually need to use calculated question types, and remove this capability
                   from any roles that do not. No special capability is required to use existing
                   calculated questions in a quiz.

                   For new sites, this capability is not assigned to any roles by default.


Release 12.67 (24th September 2024):

Security issues:

    TL-39799       Fixed parameter validation for forum search (CVE-2024-25979)
    TL-41486       Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
    TL-41488       Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
    TL-41489       Fixed an XSS vulnerability when restoring course backup file (CVE-2024-43437)
    TL-41491       Fixed creating global glossary without being admin user (CVE-2024-43435)
    TL-41492       Fixed feedback non-respondents broken sesskey checks for bulk message lead to CSRF (CVE-2024-43434)
    TL-41808       Fixed lesson activity password bypass (CVE-2024-45691)

Release 11.67 (24th September 2024):

Security issues:

    TL-39799       Fixed parameter validation for forum search (CVE-2024-25979)
    TL-41486       Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
    TL-41488       Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
    TL-41489       Fixed an XSS vulnerability when restoring course backup file (CVE-2024-43437)
    TL-41491       Fixed creating global glossary without being admin user (CVE-2024-43435)
    TL-41492       Fixed feedback non-respondents broken sesskey checks for bulk message lead to CSRF (CVE-2024-43434)

Release 10.69 (24th September 2024):

Security issues:

    TL-39799       Fixed parameter validation for forum search (CVE-2024-25979)
    TL-41486       Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
    TL-41488       Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
    TL-41489       Fixed an XSS vulnerability when restoring course backup file (CVE-2024-43437)
    TL-41491       Fixed creating global glossary without being admin user (CVE-2024-43435)
    TL-41492       Fixed feedback non-respondents broken sesskey checks for bulk message lead to CSRF (CVE-2024-43434)

Release 9.75 (24th September 2024):

Security issues:

    TL-39799       Fixed parameter validation for forum search (CVE-2024-25979)
    TL-41486       Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
    TL-41488       Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
    TL-41489       Fixed an XSS vulnerability when restoring course backup file (CVE-2024-43437)
    TL-41491       Fixed creating global glossary without being admin user (CVE-2024-43435)
    TL-41492       Fixed feedback non-respondents broken sesskey checks for bulk message lead to CSRF (CVE-2024-43434)

Release 2.9.72 (24th September 2024):

Security issues:

    TL-39799       Fixed parameter validation for forum search (CVE-2024-25979)
    TL-41486       Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
    TL-41488       Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
    TL-41489       Fixed an XSS vulnerability when restoring course backup file (CVE-2024-43437)
    TL-41491       Fixed creating global glossary without being admin user (CVE-2024-43435)
    TL-41492       Fixed feedback non-respondents broken sesskey checks for bulk message lead to CSRF (CVE-2024-43434)

Release 2.7.77 (24th September 2024):

Security issues:

    TL-39799       Fixed parameter validation for forum search (CVE-2024-25979)
    TL-41486       Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
    TL-41488       Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
    TL-41489       Fixed an XSS vulnerability when restoring course backup file (CVE-2024-43437)
    TL-41491       Fixed creating global glossary without being admin user (CVE-2024-43435)
    TL-41492       Fixed feedback non-respondents broken sesskey checks for bulk message lead to CSRF (CVE-2024-43434)

Release 2.5.93 (24th September 2024):

Security issues:

    TL-39799       Fixed parameter validation for forum search (CVE-2024-25979)
    TL-41486       Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
    TL-41488       Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
    TL-41489       Fixed an XSS vulnerability when restoring course backup file (CVE-2024-43437)
    TL-41491       Fixed creating global glossary without being admin user (CVE-2024-43435)
    TL-41492       Fixed feedback non-respondents broken sesskey checks for bulk message lead to CSRF (CVE-2024-43434)

Release 2.2.88 (24th September 2024):

Security issues:

    TL-39799       Fixed parameter validation for forum search (CVE-2024-25979)
    TL-41486       Fixed LFI vulnerability when restoring block backups (CVE-2024-43440)
    TL-41488       Prevented unintended notification from being sent on the Feedback activity 'Show non-respondents' page (CVE-2024-43438)
    TL-41489       Fixed an XSS vulnerability when restoring course backup file (CVE-2024-43437)
    TL-41491       Fixed creating global glossary without being admin user (CVE-2024-43435)
    TL-41492       Fixed feedback non-respondents broken sesskey checks for bulk message lead to CSRF (CVE-2024-43434)