Totara Release Notes

Totara TXP 18.12, 17.25, 16.31, 15.37, 14.42 and 13.50 are now available

 
Riana Rossouw
Totara TXP 18.12, 17.25, 16.31, 15.37, 14.42 and 13.50 are now available
par Riana Rossouw, Wednesday 20 November 2024, 20:24
Groupe Totara

Hello everyone,

The following versions of Totara have now been released:

These versions do contain security fixes, and for this reason we strongly recommend upgrade.
Each release also includes various bug fixes and improvements.

Kind regards 

Release Team

Release 18.12 (21st November 2024):

Important:

    TL-41969       Updated H5P to support version 1.27.0

                   This update changes the embedded H5P CKEditor from version 4 to version 5, which
                   uses a completely different architecture. We have tested editing v4 activities
                   in v5 and have not seen any issues, but if you have mission-critical H5P
                   activities we recommend backing them up before editing them for the first time
                   with the new version of the plugin.


Security issues:

    TL-39348       Prevented group members seeing users from other groups in live logs when 'Separate groups' is enabled (CVE-2023-6664)
    TL-42125       Fixed logout vulnerability in MS Teams plugin
    TL-42191       Fixed IDOR in edit/delete RSS feed (CVE-2024-48897)

Performance improvements:

    TL-42334       Improved performance of renaming course activities on sites with a lot of categories

                   This patch optimises the performance of category lookup when updating
                   totara_catalog records for courses.


Improvements:

    TL-41775       Improved tab order when editing a course

Bug fixes:

    TL-39966       Fixed a text formatting issue in the 'reason assigned' field for competency assignments
    TL-39967       Fixed multi-language formatting for custom user profile field label in performance activity instance creation drop-down
    TL-40312       Fixed multi-language filtering on program name, course set name, and course names in program administration
    TL-40735       Fixed program enrolment not respecting the global ‘Default role’ or ‘Enrolment period’ settings for new instances
    TL-40918       Fixed filters not working correctly on performance activity response data report
    TL-41759       Gave course section and activity edit buttons unique aria-labels
    TL-41792       Removed ability to change certification/program assignment via audience 'Enrolled learning' when due date has passed
    TL-41811       Fixed ability to enrol in a certification course directly from current learning block when audience visibility is enabled
    TL-41870       Fixed 'next course set operator' change not being saved when editing a program
    TL-41961       Fixed an error on performance activity external participant view when it contains a Perform goal
    TL-42159       Fixed the help text in the file activity to remove references to uploading a mini website
    TL-42291       Fixed editor obscuring images in quiz essay questions
    TL-42310       Fixed a problem where the 'SAML 2.0 (SSO)' plugin was incorrectly validating passwords during login

                   When a user field was set to update on every login, and a user’s field had
                   changed in the Identity Provider, Totara would attempt to validate that their
                   saved password met the security standards (if enabled). Users created by SAML or
                   another auth plugin would not have a valid password set that met these
                   conditions, and so an error was presented and login was prevented.

                   With this patch the SAML 2.0 (SSO) plugin will no longer validate password
                   strength during login.

                   Additionally any changes to the user in session (such as their first or last
                   name) will appear immediately, instead of when they next logged in.

    TL-42371       Added native loading indicator for Teams and upgraded MS Teams SDK version to 1.13.1 to support that
    TL-42380       Fixed a problem with SSO SAML 2.0 using an identity provider with multiple defined signing certificates

                   When an identity provider defined multiple signing certificates (usually when
                   one certificate is replaced with another) Totara was not able to choose the
                   correct certificate, and always chose the first. This meant assertions could not
                   be completed and a user could not log in.
                   
                   With this patch the SSO SAML 2.0 plugin will now try all provided signing
                   certificates when validating an assertion, and will only reject the request when
                   no certificate matches.


Release 17.25 (21st November 2024):

Security issues:

    TL-39348       Prevented group members seeing users from other groups in live logs when 'Separate groups' is enabled (CVE-2023-6664)
    TL-42125       Fixed logout vulnerability in MS Teams plugin
    TL-42191       Fixed IDOR in edit/delete RSS feed (CVE-2024-48897)

Performance improvements:

    TL-42334       Improved performance of renaming course activities on sites with a lot of categories

                   This patch optimises the performance of category lookup when updating
                   totara_catalog records for courses.

    TL-42386       Resolved issue where unnecessary updates were executed for course completion aggregation

                   This is a backport of TL-40865 from Totara 18


Bug fixes:

    TL-39966       Fixed a text formatting issue in the 'reason assigned' field for competency assignments
    TL-39967       Fixed multi-language formatting for custom user profile field label in performance activity instance creation drop-down
    TL-40735       Fixed program enrolment not respecting the global ‘Default role’ or ‘Enrolment period’ settings for new instances
    TL-40918       Fixed filters not working correctly on performance activity response data report
    TL-41792       Removed ability to change certification/program assignment via audience 'Enrolled learning' when due date has passed
    TL-42159       Fixed the help text in the file activity to remove references to uploading a mini website

Release 16.31 (21st November 2024):

Security issues:

    TL-39348       Prevented group members seeing users from other groups in live logs when 'Separate groups' is enabled (CVE-2023-6664)
    TL-42125       Fixed logout vulnerability in MS Teams plugin
    TL-42191       Fixed IDOR in edit/delete RSS feed (CVE-2024-48897)

Performance improvements:

    TL-42334       Improved performance of renaming course activities on sites with a lot of categories

                   This patch optimises the performance of category lookup when updating
                   totara_catalog records for courses.


Bug fixes:

    TL-42159       Fixed the help text in the file activity to remove references to uploading a mini website

Release 15.37 (21st November 2024):

Security issues:

    TL-39348       Prevented group members seeing users from other groups in live logs when 'Separate groups' is enabled (CVE-2023-6664)
    TL-42125       Fixed logout vulnerability in MS Teams plugin
    TL-42191       Fixed IDOR in edit/delete RSS feed (CVE-2024-48897)

Bug fixes:

    TL-42159       Fixed the help text in the file activity to remove references to uploading a mini website

Release 14.42 (21st November 2024):

Security issues:

    TL-39348       Prevented group members seeing users from other groups in live logs when 'Separate groups' is enabled (CVE-2023-6664)
    TL-42125       Fixed logout vulnerability in MS Teams plugin
    TL-42191       Fixed IDOR in edit/delete RSS feed (CVE-2024-48897)

Bug fixes:

    TL-42159       Fixed the help text in the file activity to remove references to uploading a mini website

Release 13.50 (21st November 2024):

Security issues:

    TL-39348       Prevented group members seeing users from other groups in live logs when 'Separate groups' is enabled (CVE-2023-6664)
    TL-42125       Fixed logout vulnerability in MS Teams plugin
    TL-42191       Fixed IDOR in edit/delete RSS feed (CVE-2024-48897)

Bug fixes:

    TL-42159       Fixed the help text in the file activity to remove references to uploading a mini website