Hello everyone,
The following versions of Totara have now been released:
These versions contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes various bug fixes and improvements.
Kind regards
Release Team
Release 18.12 (21st November 2024):
Important:
TL-41969 Updated H5P to support version 1.27.0
  This update changes the embedded H5P CKEditor from version 4 to version 5, which uses a completely different architecture. We have tested editing v4 activities in v5 and have not seen any issues, but if you have mission-critical H5P activities we recommend backing them up before editing them for the first time with the new version of the plugin.

Security issues:
TL-39348 Prevented group members seeing users from other groups in live logs when 'Separate groups' is enabled (CVE-2023-6664)
TL-42125 Fixed logout vulnerability in MS Teams plugin
TL-42191 Fixed IDOR in edit/delete RSS feed (CVE-2024-48897)

Performance improvements:
TL-42334 Improved performance of renaming course activities on sites with a lot of categories
  This patch optimises the performance of category lookup when updating totara_catalog records for courses.

Improvements:
TL-41775 Improved tab order when editing a course

Bug fixes:
TL-39966 Fixed a text formatting issue in the 'reason assigned' field for competency assignments
TL-39967 Fixed multi-language formatting for custom user profile field label in performance activity instance creation drop-down
TL-40312 Fixed multi-language filtering on program name, course set name, and course names in program administration
TL-40735 Fixed program enrolment not respecting the global ‘Default role’ or ‘Enrolment period’ settings for new instances
TL-40918 Fixed filters not working correctly on performance activity response data report
TL-41759 Gave course section and activity edit buttons unique aria-labels
TL-41792 Removed ability to change certification/program assignment via audience 'Enrolled learning' when due date has passed
TL-41811 Fixed ability to enrol in a certification course directly from current learning block when audience visibility is enabled
TL-41870 Fixed 'next course set operator' change not being saved when editing a program
TL-41961 Fixed an error on performance activity external participant view when it contains a Perform goal
TL-42159 Fixed the help text in the file activity to remove references to uploading a mini website
TL-42291 Fixed editor obscuring images in quiz essay questions
TL-42310 Fixed a problem where the 'SAML 2.0 (SSO)' plugin was incorrectly validating passwords during login
  When a user field was set to update on every login, and a user’s field had changed in the Identity Provider, Totara would attempt to validate that their saved password met the security standards (if enabled). Users created by SAML or another auth plugin would not have a valid password set that met these conditions, and so an error was presented and login was prevented.
  With this patch the SAML 2.0 (SSO) plugin will no longer validate password strength during login. Additionally any changes to the user in session (such as their first or last name) will appear immediately, instead of when they next logged in.
TL-42371 Added native loading indicator for Teams and upgraded MS Teams SDK version to 1.13.1 to support that
TL-42380 Fixed a problem with SSO SAML 2.0 using an identity provider with multiple defined signing certificates
  When an identity provider defined multiple signing certificates (usually when one certificate is replaced with another) Totara was not able to choose the correct certificate, and always chose the first. This meant assertions could not be completed and a user could not log in.
  With this patch the SSO SAML 2.0 plugin will now try all provided signing certificates when validating an assertion, and will only reject the request when no certificate matches.
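
The behaviour described for TL-42380 (try every signing certificate the identity provider publishes, reject only when none matches), as an added PHP example that is not Totara's code. The function and variable names are hypothetical, the keys and assertion are constructed, and the signature is taken over raw bytes instead of a canonicalised XML-DSig SignedInfo to keep the example short.

```php
<?php
// Added illustration, not Totara's code. All names here are hypothetical.

/**
 * Return the index of the first IdP signing key that verifies $signature
 * over $signedData, or null when no key matches (the request is rejected).
 */
function find_verifying_key(string $signedData, string $signature, array $idpPublicKeys): ?int
{
    foreach ($idpPublicKeys as $index => $pem) {
        // openssl_verify() returns 1 (valid), 0 (invalid) or -1/false (error).
        // Compare strictly with 1: -1 is truthy and must never count as a match.
        if (openssl_verify($signedData, $signature, $pem, OPENSSL_ALGO_SHA256) === 1) {
            return $index;
        }
    }
    return null;
}

// Build a constructed RSA key pair: [private key, public key as PEM].
function make_keypair(): array
{
    $key = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    return [$key, openssl_pkey_get_details($key)['key']];
}

// Constructed sample: an IdP in the middle of a rollover publishes two keys.
[$oldPrivate, $oldPublic] = make_keypair();
[$newPrivate, $newPublic] = make_keypair();
[$otherPrivate] = make_keypair(); // a key the IdP never published

$assertion = '<Assertion ID="_constructed-example">...</Assertion>'; // placeholder bytes
openssl_sign($assertion, $sigNew, $newPrivate, OPENSSL_ALGO_SHA256);
openssl_sign($assertion, $sigOther, $otherPrivate, OPENSSL_ALGO_SHA256);

$published = [$oldPublic, $newPublic];

var_dump(find_verifying_key($assertion, $sigNew, $published));       // signed with the second key
var_dump(find_verifying_key($assertion, $sigNew, [$oldPublic]));     // only the first key is tried
var_dump(find_verifying_key($assertion, $sigOther, $published));     // signer not published by the IdP
var_dump(find_verifying_key($assertion . 'x', $sigNew, $published)); // content altered after signing
```

Trying more keys widens acceptance only to keys the identity provider's metadata already lists, so removing a retired certificate from that metadata after a rollover keeps the trusted set small.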
Release 17.25 (21st November 2024):
Security issues:
TL-39348 Prevented group members seeing users from other groups in live logs when 'Separate groups' is enabled (CVE-2023-6664)
TL-42125 Fixed logout vulnerability in MS Teams plugin
TL-42191 Fixed IDOR in edit/delete RSS feed (CVE-2024-48897)

Performance improvements:
TL-42334 Improved performance of renaming course activities on sites with a lot of categories
  This patch optimises the performance of category lookup when updating totara_catalog records for courses.
TL-42386 Resolved issue where unnecessary updates were executed for course completion aggregation
  This is a backport of TL-40865 from Totara 18

Bug fixes:
TL-39966 Fixed a text formatting issue in the 'reason assigned' field for competency assignments
TL-39967 Fixed multi-language formatting for custom user profile field label in performance activity instance creation drop-down
TL-40735 Fixed program enrolment not respecting the global ‘Default role’ or ‘Enrolment period’ settings for new instances
TL-40918 Fixed filters not working correctly on performance activity response data report
TL-41792 Removed ability to change certification/program assignment via audience 'Enrolled learning' when due date has passed
TL-42159 Fixed the help text in the file activity to remove references to uploading a mini website
Release 16.31 (21st November 2024):
Security issues:
TL-39348 Prevented group members seeing users from other groups in live logs when 'Separate groups' is enabled (CVE-2023-6664)
TL-42125 Fixed logout vulnerability in MS Teams plugin
TL-42191 Fixed IDOR in edit/delete RSS feed (CVE-2024-48897)

Performance improvements:
TL-42334 Improved performance of renaming course activities on sites with a lot of categories
  This patch optimises the performance of category lookup when updating totara_catalog records for courses.

Bug fixes:
TL-42159 Fixed the help text in the file activity to remove references to uploading a mini website
Release 15.37 (21st November 2024):
Security issues:
TL-39348 Prevented group members seeing users from other groups in live logs when 'Separate groups' is enabled (CVE-2023-6664)
TL-42125 Fixed logout vulnerability in MS Teams plugin
TL-42191 Fixed IDOR in edit/delete RSS feed (CVE-2024-48897)

Bug fixes:
TL-42159 Fixed the help text in the file activity to remove references to uploading a mini website
Release 14.42 (21st November 2024):
Security issues:
TL-39348 Prevented group members seeing users from other groups in live logs when 'Separate groups' is enabled (CVE-2023-6664)
TL-42125 Fixed logout vulnerability in MS Teams plugin
TL-42191 Fixed IDOR in edit/delete RSS feed (CVE-2024-48897)

Bug fixes:
TL-42159 Fixed the help text in the file activity to remove references to uploading a mini website
Release 13.50 (21st November 2024):
Security issues:
TL-39348 Prevented group members seeing users from other groups in live logs when 'Separate groups' is enabled (CVE-2023-6664)
TL-42125 Fixed logout vulnerability in MS Teams plugin
TL-42191 Fixed IDOR in edit/delete RSS feed (CVE-2024-48897)

Bug fixes:
TL-42159 Fixed the help text in the file activity to remove references to uploading a mini website