Hello everyone,
The following versions of Totara have now been released:
- Release 18.14
- Release 17.27
- Release 16.33
- Release 15.39
- Release 14.44
- Release 13.52
- Release 12.69
- Release 11.69
- Release 10.71
- Release 9.77
These versions do contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes various bug fixes and improvements.
Kind regards,
Release Team
Release 18.14 (23rd January 2025):
Security issues:
- TL-42929 Prevented users from cloning programs and certifications that they cannot see
- TL-42991 Prevented catalogue paging parameter from leaking information about the number of hidden items matching a search
- TL-43090 Fixed an XSS problem with the TCPDF library (CVE-2024-56527)
- TL-43091 Fixed incorrect hashing comparison with the TCPDF library (CVE-2024-56522)
- TL-43092 Fixed a missing certificate validation with the TCPDF library (CVE-2024-56521)
- TL-43093 Fixed a problem with validating SVGs in the TCPDF library (CVE-2024-56519)
- TL-43198 Fixed a sanitisation issue in Totara goals

Bug fixes:
- TL-39901 Fixed courses not available for filter selection when 'Disable enforced visibility checks' report option is enabled
- TL-42732 Fixed the 'engage_course_add_to_playlist' mutation to only allow valid course ids to be added to playlists
- TL-42785 Addressed progress bar accessibility text issue on competency details page
- TL-42815 Improved multilang handling of the playlist link in your library
- TL-42842 Added additional backend validation for integer and decimal custom fields
- TL-42982 Fixed the sco timestarted records for scorm attempts via mobile
- TL-43153 Fixed a problem where an audience with a deleted certification would not load

Tui front end framework:
- TL-42798 Fixed an accessibility issue on application dashboard
- TL-42801 Added missing accessibility role attributes to TUI expandable table rows component
- TL-42839 Addressed incorrect aria tag on the Totara goal card
- TL-42850 Ensured that contentEditable elements are tabbable while in modals
Release 17.27 (23rd January 2025):
Important:
- TL-43105 Added new setting, 'Allow page caching', to the HTTP Security settings page
  All sites now by default disable back/forward button caching, which prevents pages from being loaded from the cache after logout. To allow pages to take advantage of back/forward button caching again, the setting 'Allow page caching' can be enabled. We recommend leaving this off as page caching may expose personal information on shared devices.

Security issues:
- TL-42991 Prevented catalogue paging parameter from leaking information about the number of hidden items matching a search
- TL-43090 Fixed an XSS problem with the TCPDF library (CVE-2024-56527)
- TL-43091 Fixed incorrect hashing comparison with the TCPDF library (CVE-2024-56522)
- TL-43092 Fixed a missing certificate validation with the TCPDF library (CVE-2024-56521)
- TL-43093 Fixed a problem with validating SVGs in the TCPDF library (CVE-2024-56519)

Bug fixes:
- TL-39901 Fixed courses not available for filter selection when 'Disable enforced visibility checks' report option is enabled
- TL-42785 Addressed progress bar accessibility text issue on competency details page
- TL-42982 Fixed the sco timestarted records for scorm attempts via mobile
- TL-43057 Allowed an OAuth instance to be created when no userinfo endpoint is defined
- TL-43153 Fixed a problem where an audience with a deleted certification would not load

Tui front end framework:
- TL-42801 Added missing accessibility role attributes to TUI expandable table rows component
- TL-42850 Ensured that contentEditable elements are tabbable while in modals
Release 16.33 (23rd January 2025):
Important:
- TL-43105 Added new setting, 'Allow page caching', to the HTTP Security settings page
  All sites now by default disable back/forward button caching, which prevents pages from being loaded from the cache after logout. To allow pages to take advantage of back/forward button caching again, the setting 'Allow page caching' can be enabled. We recommend leaving this off as page caching may expose personal information on shared devices.

Security issues:
- TL-42991 Prevented catalogue paging parameter from leaking information about the number of hidden items matching a search
- TL-43090 Fixed an XSS problem with the TCPDF library (CVE-2024-56527)
- TL-43091 Fixed incorrect hashing comparison with the TCPDF library (CVE-2024-56522)
- TL-43092 Fixed a missing certificate validation with the TCPDF library (CVE-2024-56521)
- TL-43093 Fixed a problem with validating SVGs in the TCPDF library (CVE-2024-56519)

Bug fixes:
- TL-39901 Fixed courses not available for filter selection when 'Disable enforced visibility checks' report option is enabled
- TL-42785 Addressed progress bar accessibility text issue on competency details page
- TL-42982 Fixed the sco timestarted records for scorm attempts via mobile
- TL-43057 Allowed an OAuth instance to be created when no userinfo endpoint is defined
- TL-43153 Fixed a problem where an audience with a deleted certification would not load

Tui front end framework:
- TL-42801 Added missing accessibility role attributes to TUI expandable table rows component
Release 15.39 (23rd January 2025):
Security issues:
- TL-42991 Prevented catalogue paging parameter from leaking information about the number of hidden items matching a search
- TL-43090 Fixed an XSS problem with the TCPDF library (CVE-2024-56527)
- TL-43091 Fixed incorrect hashing comparison with the TCPDF library (CVE-2024-56522)
- TL-43092 Fixed a missing certificate validation with the TCPDF library (CVE-2024-56521)
- TL-43093 Fixed a problem with validating SVGs in the TCPDF library (CVE-2024-56519)

Bug fixes:
- TL-39901 Fixed courses not available for filter selection when 'Disable enforced visibility checks' report option is enabled
- TL-42785 Addressed progress bar accessibility text issue on competency details page
- TL-42982 Fixed the sco timestarted records for scorm attempts via mobile
- TL-43153 Fixed a problem where an audience with a deleted certification would not load

Tui front end framework:
- TL-42801 Added missing accessibility role attributes to TUI expandable table rows component
Release 14.44 (23rd January 2025):
Security issues:
- TL-42991 Prevented catalogue paging parameter from leaking information about the number of hidden items matching a search
- TL-43090 Fixed an XSS problem with the TCPDF library (CVE-2024-56527)
- TL-43091 Fixed incorrect hashing comparison with the TCPDF library (CVE-2024-56522)
- TL-43092 Fixed a missing certificate validation with the TCPDF library (CVE-2024-56521)
- TL-43093 Fixed a problem with validating SVGs in the TCPDF library (CVE-2024-56519)

Bug fixes:
- TL-42785 Addressed progress bar accessibility text issue on competency details page
- TL-42982 Fixed the sco timestarted records for scorm attempts via mobile
- TL-43153 Fixed a problem where an audience with a deleted certification would not load

Tui front end framework:
- TL-42801 Added missing accessibility role attributes to TUI expandable table rows component
Release 13.52 (23rd January 2025):
Security issues:
- TL-43090 Fixed an XSS problem with the TCPDF library (CVE-2024-56527)
- TL-43091 Fixed incorrect hashing comparison with the TCPDF library (CVE-2024-56522)
- TL-43092 Fixed a missing certificate validation with the TCPDF library (CVE-2024-56521)
- TL-43093 Fixed a problem with validating SVGs in the TCPDF library (CVE-2024-56519)

Bug fixes:
- TL-42785 Addressed progress bar accessibility text issue on competency details page
- TL-42982 Fixed the sco timestarted records for scorm attempts via mobile
Release 12.69 (23rd January 2025):
Security issues:
- TL-43090 Fixed an XSS problem with the TCPDF library (CVE-2024-56527)
- TL-43091 Fixed incorrect hashing comparison with the TCPDF library (CVE-2024-56522)
- TL-43092 Fixed a missing certificate validation with the TCPDF library (CVE-2024-56521)
- TL-43093 Fixed a problem with validating SVGs in the TCPDF library (CVE-2024-56519)
Release 11.69 (23rd January 2025):
Security issues:
- TL-43090 Fixed an XSS problem with the TCPDF library (CVE-2024-56527)
- TL-43091 Fixed incorrect hashing comparison with the TCPDF library (CVE-2024-56522)
- TL-43092 Fixed a missing certificate validation with the TCPDF library (CVE-2024-56521)
- TL-43093 Fixed a problem with validating SVGs in the TCPDF library (CVE-2024-56519)
Release 10.71 (23rd January 2025):
Security issues:
- TL-43090 Fixed an XSS problem with the TCPDF library (CVE-2024-56527)
- TL-43091 Fixed incorrect hashing comparison with the TCPDF library (CVE-2024-56522)
- TL-43092 Fixed a missing certificate validation with the TCPDF library (CVE-2024-56521)
- TL-43093 Fixed a problem with validating SVGs in the TCPDF library (CVE-2024-56519)
Release 9.77 (23rd January 2025):
Security issues:
- TL-43090 Fixed an XSS problem with the TCPDF library (CVE-2024-56527)
- TL-43091 Fixed incorrect hashing comparison with the TCPDF library (CVE-2024-56522)
- TL-43092 Fixed a missing certificate validation with the TCPDF library (CVE-2024-56521)
- TL-43093 Fixed a problem with validating SVGs in the TCPDF library (CVE-2024-56519)