Hello everyone,
The following versions of Totara have now been released:
- Release 19.0.1
- Release 18.15
- Release 17.28
- Release 16.34
- Release 15.40
- Release 14.45
- Release 13.53
- Release 12.70
- Release 11.70
- Release 10.72
- Release 9.78
These versions do contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes various bug fixes and improvements.
A big thanks to the following people for their contributions to this release:
- Petter Fogelqvist at Aleido - TL-43481
Kind regards,
Release Team
Release 19.0.1 (28th February 2025):
Important:
- TL-43428 Updated the list of countries in lang/en/countries.php as per ISO 3166-1
  Source: https://www.iso.org/obp/ui/
  The significant changes are:
  * North Macedonia
  * Eswatini
  * Netherlands (Kingdom of the)
  * Taiwan (Province of China)
  * Holy See
  All other changes are formal, such as changing the letter case of the "And" (the current ISO uses the lower case "and"). Our own existing modifications of the list (such as having just "United States" and "United Kingdom" instead of the full long name) were kept.

Security issues:
- TL-43048 Improved handling of group access to ensure correct record visibility (CVE-2024-55646)
- TL-43202 Added a new warning to the security report if local IP addresses have not been blocked
- TL-43204 Fixed an insecure redirect problem
- TL-43220 Improved output cleaning of json_editor emoji node
- TL-43231 Improved handling of special characters in json_editor renderer
- TL-43368 Updated the metadata fetch functionality to use the local CURL system
- TL-43607 MSA-25-0010: SQL injection risk in course search module list filter (CVE-2025-26533)
  Patched an SQL injection risk that was identified in the Moodle module list filter within course search
- TL-43615 Fixed arbitrary file read risk through pdfTeX in TeX filter (CVE-2025-26525)

Performance improvements:
- TL-42203 Added an option to reports to disable the visibility check when rendering user profile links
  Complex setups can significantly slow down profile visibility checks in reports. With this change, a new option is now available on the performance tab. If this option is enabled, the link to the user's profile will be displayed without checking for a valid relationship. If no relationship exists, clicking on the profile link will result in a ‘permission denied’ error.
- TL-42960 Optimised audience, organisations and positions preloading in course restriction settings

Improvements:
- TL-41805 Added information about pathway format to the course format help text
- TL-42521 Added total number of Totara goal tasks to product usage data.
- TL-42522 Added total number of Totara goal comments to product usage data.
- TL-42704 Increased side panel height to match the content
- TL-43089 Trigger events for assigning and un-assigning audiences from programs
  This change can be opted out of by adding `$CFG->revert_TL_43089_until_t20 = true;` in your `config.php` file. However, it will be enforced for Totara 20.
- TL-43212 Improved the error string when the mobile server is not reachable
- TL-43528 Added timemodified as properties for hierarchy positions and organisations in GraphQL and the ability to filter records on since_timemodified.
  Added `timemodified` property to `hierarchy_position_position`, `totara_hierarchy_position`, `hierarchy_organisation_organisation`, and `totara_hierarchy_organisation`. Added `since_timemodified` filter to the `hierarchy_position_positions` and `hierarchy_organisation_organisations` queries.
- TL-43631 Updated default capabilities of API user archetype to include `totara/hierarchy:vieworganisationframeworks` and `totara/hierarchy:viewpositionframeworks`
  Previously, the API user archetype (role) did not include the necessary capabilities to view the organisation and position frameworks on the position and organisation return types. On fresh installs, these capabilities will be automatically added to the API user archetype. On existing installs, the capabilities will need to be manually assigned to the archetype. See https://totara.help/docs/edit-a-role for more information.
- TL-42589 Improved accessibility by adding aria-live attribute to announce results when filtering a report

Bug fixes:
- TL-38355 Ensured that guests can view activities on a pathway course
- TL-38698 Fixed users being unsubscribed when subscription mode changes from 'Forced subscription' to 'Auto subscription'
- TL-39006 Removed whitespace from the bootstrap breadcrumb separator
- TL-39906 Fixed some race conditions with localcache when the cache is purged on a busy site
  Mustache, htmlpurifier and RequireJS will all check if the cache directory is writeable, and if not log a message to the debugging logs but otherwise serve the content. If you have directly edited the caching files for these libraries in localcache you may need to check your customisations are still writing content as expected.
- TL-40261 Fixed an issue where cohort role category context was not updating after deleting a category
- TL-40450 Fixed an issue in the user upload tool that was blocking uploads for users with unique profile fields
- TL-41065 Removed HTML tags from 'Element response' column of 'Performance activity response data' report when exporting as CSV or Excel
- TL-41331 Fixed bug in audience sync enrolment method due to deleting context in role
- TL-41642 Fixed wrong parameter in program due dates report
- TL-41771 Fixed an error when the report block was added at the top of the page
- TL-41949 Disallowed 'Reset course completion' when the course is part of a program or certification
  Previously, after releasing Totara 15.1, the site manager was able to reset course completion (archived and reset the user course completions) even if a course was part of a program and/or certification. This change reverts to the functionality from before Totara 15.1 was released. The change introduces a new configuration `$CFG->allow_course_completion_reset_for_program_courses` which will force a course completion to archive and reset the user completion records with program and/or certification assigned.
- TL-42086 Fixed a division by zero error in the SCORM save_offline_attempts query for mobile API
- TL-42435 Moving activities between course sections is now done in a database transaction to avoid broken sequences if something goes wrong
- TL-42497 Updated the border colour of the active pagination button to match its background colour through the use of a variable
- TL-42581 Removed tab index wrapping content in a YUI modal
- TL-42584 Improved screen reader text of icons when managing courses, programs and certifications
- TL-42590 Improved accessibility when filtering seminar sessions
- TL-42603 Fixed error when exporting report with tenant filter
- TL-42694 Fixed being able to add members to a workspace even if an exception was thrown
- TL-42709 Fixed error message while searching for users in comments with mixed context
- TL-42800 Fixed application dashboard table column values overlap
  Fixed the ‘applicant’ column values overlapping with the ‘submitted on’ column in workflow application dashboard table.
- TL-42802 Removed double borders from competency scale action buttons
- TL-42810 Fixed toggle switch active disabled state colour
- TL-42828 Fixed incorrect aria attribute on competency assignment list rows
- TL-42887 Fixed approval workflow application header action buttons height
- TL-42898 Removed empty link 'more help' from help icon popover
- TL-42934 Fixed the reset button on Seminars 'Upcoming Events' filter not being translatable
- TL-42981 Fixed the formatting of seminar descriptions created using Weka when included in iCalendar attachments
- TL-43008 Fixed a situation where duplicates could be shown when viewing another user's Library
- TL-43357 Fixed string encoding for course activity completion report when export Excel-compatible option used
- TL-43481 Fixed Tui build error when --vendor parameter passed
- TL-43508 Fixed catalog URL incorrectly parsed when using multiple filters/ordering
- TL-43589 Fixed missing entries in thirdpartylibs.xml

Technical changes:
- TL-41377 Fixed the get_certiftimebase calculation not using user's current window open date
  When a certification was configured to use the expiry date for completion calculations, when calculating if a user’s completion occurred within the recertification window, it was incorrectly using the certification’s current window period, rather than the window open date used to open the user’s recertification window. If a user completed a certification after their recertification window opened but outside the certification’s currently-calculated window period, this would cause the completion to be ignored and the user would need to recertify immediately. This change causes the user’s window open date to be used in the calculation.
  This change includes a change to the function get_certiftimebase. This function now accepts an additional parameter $timewindowopens. This parameter is optional in Totara 19.1.0 and below and will default to the original behavior if not provided, but is required in Totara 20 and above.
  The new behavior can be opted out of by adding `$CFG->revert_TL_41377_until_t20 = true;` in your `config.php` file. However, it will be enforced for Totara 20.

Tui front end framework:
- TL-43181 Fixed race condition in useParamState
  Fixed a race condition that could occur when calling .push() or .replace() followed by immediately updating .value, which would cause the second update to not be reflected in the URL.

Contributions:
* Petter Fogelqvist at Aleido - TL-43481
Release 18.15 (28th February 2025):
Important:
- TL-43428 Updated the list of countries in lang/en/countries.php as per ISO 3166-1
  Source: https://www.iso.org/obp/ui/
  The significant changes are:
  * North Macedonia
  * Eswatini
  * Netherlands (Kingdom of the)
  * Taiwan (Province of China)
  * Holy See
  All other changes are formal, such as changing the letter case of the "And" (the current ISO uses the lower case "and"). Our own existing modifications of the list (such as having just "United States" and "United Kingdom" instead of the full long name) were kept.

Security issues:
- TL-43048 Improved handling of group access to ensure correct record visibility (CVE-2024-55646)
- TL-43202 Added a new warning to the security report if local IP addresses have not been blocked
- TL-43204 Fixed an insecure redirect problem
- TL-43220 Improved output cleaning of json_editor emoji node
- TL-43231 Improved handling of special characters in json_editor renderer
- TL-43368 Updated the metadata fetch functionality to use the local CURL system
- TL-43607 MSA-25-0010: SQL injection risk in course search module list filter (CVE-2025-26533)
  Patched an SQL injection risk that was identified in the Moodle module list filter within course search
- TL-43615 Fixed arbitrary file read risk through pdfTeX in TeX filter (CVE-2025-26525)

Performance improvements:
- TL-42203 Added an option to reports to disable the visibility check when rendering user profile links
  Complex setups can significantly slow down profile visibility checks in reports. With this change, a new option is now available on the performance tab. If this option is enabled, the link to the user's profile will be displayed without checking for a valid relationship. If no relationship exists, clicking on the profile link will result in a ‘permission denied’ error.
- TL-42960 Optimised audience, organisations and positions preloading in course restriction settings

Improvements:
- TL-41805 Added information about pathway format to the course format help text
- TL-43089 Trigger events for assigning and un-assigning audiences from programs
  This change can be opted out of by adding `$CFG->revert_TL_43089_until_t20 = true;` in your `config.php` file. However, it will be enforced for Totara 20.
- TL-42589 Improved accessibility by adding aria-live attribute to announce results when filtering a report

Bug fixes:
- TL-37759 Prevented linked review question progress/status changes after the activity has closed for a participant
- TL-38355 Ensured that guests can view activities on a pathway course
- TL-38698 Fixed users being unsubscribed when subscription mode changes from 'Forced subscription' to 'Auto subscription'
- TL-39906 Fixed some race conditions with localcache when the cache is purged on a busy site
  Mustache, htmlpurifier and RequireJS will all check if the cache directory is writeable, and if not log a message to the debugging logs but otherwise serve the content. If you have directly edited the caching files for these libraries in localcache you may need to check your customisations are still writing content as expected.
- TL-40261 Fixed an issue where cohort role category context was not updating after deleting a category
- TL-40450 Fixed an issue in the user upload tool that was blocking uploads for users with unique profile fields
- TL-41065 Removed HTML tags from 'Element response' column of 'Performance activity response data' report when exporting as CSV or Excel
- TL-41331 Fixed bug in audience sync enrolment method due to deleting context in role
- TL-41642 Fixed wrong parameter in program due dates report
- TL-41949 Disallowed 'Reset course completion' when the course is part of a program or certification
  Previously, after releasing Totara 15.1, the site manager was able to reset course completion (archived and reset the user course completions) even if a course was part of a program and/or certification. This change reverts to the functionality from before Totara 15.1 was released. The change introduces a new configuration `$CFG->allow_course_completion_reset_for_program_courses` which will force a course completion to archive and reset the user completion records with program and/or certification assigned.
- TL-42435 Moving activities between course sections is now done in a database transaction to avoid broken sequences if something goes wrong
- TL-42581 Removed tab index wrapping content in a YUI modal
- TL-42584 Improved screen reader text of icons when managing courses, programs and certifications
- TL-42590 Improved accessibility when filtering seminar sessions
- TL-42603 Fixed error when exporting report with tenant filter
- TL-42694 Fixed being able to add members to a workspace even if an exception was thrown
- TL-42828 Fixed incorrect aria attribute on competency assignment list rows
- TL-42934 Fixed the reset button on Seminars 'Upcoming Events' filter not being translatable
- TL-42981 Fixed the formatting of seminar descriptions created using Weka when included in iCalendar attachments
- TL-43357 Fixed string encoding for course activity completion report when export Excel-compatible option used
- TL-43589 Fixed missing entries in thirdpartylibs.xml

Technical changes:
- TL-41377 Fixed the get_certiftimebase calculation not using user's current window open date
  When a certification was configured to use the expiry date for completion calculations, when calculating if a user’s completion occurred within the recertification window, it was incorrectly using the certification’s current window period, rather than the window open date used to open the user’s recertification window. If a user completed a certification after their recertification window opened but outside the certification’s currently-calculated window period, this would cause the completion to be ignored and the user would need to recertify immediately. This change causes the user’s window open date to be used in the calculation.
  This change includes a change to the function get_certiftimebase. This function now accepts an additional parameter $timewindowopens. This parameter is optional in Totara 19.1.0 and below and will default to the original behavior if not provided, but is required in Totara 20 and above.
  The new behavior can be opted out of by adding `$CFG->revert_TL_41377_until_t20 = true;` in your `config.php` file. However, it will be enforced for Totara 20.
Release 17.28 (28th February 2025):
Important:
- TL-43428 Updated the list of countries in lang/en/countries.php as per ISO 3166-1
  Source: https://www.iso.org/obp/ui/
  The significant changes are:
  * North Macedonia
  * Eswatini
  * Netherlands (Kingdom of the)
  * Taiwan (Province of China)
  * Holy See
  All other changes are formal, such as changing the letter case of the "And" (the current ISO uses the lower case "and"). Our own existing modifications of the list (such as having just "United States" and "United Kingdom" instead of the full long name) were kept.

Security issues:
- TL-43048 Improved handling of group access to ensure correct record visibility (CVE-2024-55646)
- TL-43202 Added a new warning to the security report if local IP addresses have not been blocked
- TL-43204 Fixed an insecure redirect problem
- TL-43220 Improved output cleaning of json_editor emoji node
- TL-43231 Improved handling of special characters in json_editor renderer
- TL-43368 Updated the metadata fetch functionality to use the local CURL system
- TL-43607 MSA-25-0010: SQL injection risk in course search module list filter (CVE-2025-26533)
  Patched an SQL injection risk that was identified in the Moodle module list filter within course search
- TL-43615 Fixed arbitrary file read risk through pdfTeX in TeX filter (CVE-2025-26525)

Bug fixes:
- TL-37759 Prevented linked review question progress/status changes after the activity has closed for a participant
- TL-38698 Fixed users being unsubscribed when subscription mode changes from 'Forced subscription' to 'Auto subscription'
- TL-39906 Fixed some race conditions with localcache when the cache is purged on a busy site
  Mustache, htmlpurifier and RequireJS will all check if the cache directory is writeable, and if not log a message to the debugging logs but otherwise serve the content. If you have directly edited the caching files for these libraries in localcache you may need to check your customisations are still writing content as expected.
- TL-40450 Fixed an issue in the user upload tool that was blocking uploads for users with unique profile fields
- TL-41642 Fixed wrong parameter in program due dates report
- TL-41949 Disallowed 'Reset course completion' when the course is part of a program or certification
  Previously, after releasing Totara 15.1, the site manager was able to reset course completion (archived and reset the user course completions) even if a course was part of a program and/or certification. This change reverts to the functionality from before Totara 15.1 was released. The change introduces a new configuration `$CFG->allow_course_completion_reset_for_program_courses` which will force a course completion to archive and reset the user completion records with program and/or certification assigned.
- TL-42694 Fixed being able to add members to a workspace even if an exception was thrown
- TL-43357 Fixed string encoding for course activity completion report when export Excel-compatible option used
- TL-43589 Fixed missing entries in thirdpartylibs.xml

Technical changes:
- TL-41377 Fixed the get_certiftimebase calculation not using user's current window open date
  When a certification was configured to use the expiry date for completion calculations, when calculating if a user’s completion occurred within the recertification window, it was incorrectly using the certification’s current window period, rather than the window open date used to open the user’s recertification window. If a user completed a certification after their recertification window opened but outside the certification’s currently-calculated window period, this would cause the completion to be ignored and the user would need to recertify immediately. This change causes the user’s window open date to be used in the calculation.
  This change includes a change to the function get_certiftimebase. This function now accepts an additional parameter $timewindowopens. This parameter is optional in Totara 19.1.0 and below and will default to the original behavior if not provided, but is required in Totara 20 and above.
  The new behavior can be opted out of by adding `$CFG->revert_TL_41377_until_t20 = true;` in your `config.php` file. However, it will be enforced for Totara 20.
Release 16.34 (28th February 2025):
Important:
- TL-43428 Updated the list of countries in lang/en/countries.php as per ISO 3166-1
  Source: https://www.iso.org/obp/ui/
  The significant changes are:
  * North Macedonia
  * Eswatini
  * Netherlands (Kingdom of the)
  * Taiwan (Province of China)
  * Holy See
  All other changes are formal, such as changing the letter case of the "And" (the current ISO uses the lower case "and"). Our own existing modifications of the list (such as having just "United States" and "United Kingdom" instead of the full long name) were kept.

Security issues:
- TL-43048 Improved handling of group access to ensure correct record visibility (CVE-2024-55646)
- TL-43202 Added a new warning to the security report if local IP addresses have not been blocked
- TL-43204 Fixed an insecure redirect problem
- TL-43220 Improved output cleaning of json_editor emoji node
- TL-43231 Improved handling of special characters in json_editor renderer
- TL-43368 Updated the metadata fetch functionality to use the local CURL system
- TL-43607 MSA-25-0010: SQL injection risk in course search module list filter (CVE-2025-26533)
  Patched an SQL injection risk that was identified in the Moodle module list filter within course search
- TL-43615 Fixed arbitrary file read risk through pdfTeX in TeX filter (CVE-2025-26525)

Bug fixes:
- TL-39906 Fixed some race conditions with localcache when the cache is purged on a busy site
  Mustache, htmlpurifier and RequireJS will all check if the cache directory is writeable, and if not log a message to the debugging logs but otherwise serve the content. If you have directly edited the caching files for these libraries in localcache you may need to check your customisations are still writing content as expected.
- TL-41949 Disallowed 'Reset course completion' when the course is part of a program or certification
  Previously, after releasing Totara 15.1, the site manager was able to reset course completion (archived and reset the user course completions) even if a course was part of a program and/or certification. This change reverts to the functionality from before Totara 15.1 was released. The change introduces a new configuration `$CFG->allow_course_completion_reset_for_program_courses` which will force a course completion to archive and reset the user completion records with program and/or certification assigned.
- TL-42694 Fixed being able to add members to a workspace even if an exception was thrown
- TL-43589 Fixed missing entries in thirdpartylibs.xml

Technical changes:
- TL-41377 Fixed the get_certiftimebase calculation not using user's current window open date
  When a certification was configured to use the expiry date for completion calculations, when calculating if a user’s completion occurred within the recertification window, it was incorrectly using the certification’s current window period, rather than the window open date used to open the user’s recertification window. If a user completed a certification after their recertification window opened but outside the certification’s currently-calculated window period, this would cause the completion to be ignored and the user would need to recertify immediately. This change causes the user’s window open date to be used in the calculation.
  This change includes a change to the function get_certiftimebase. This function now accepts an additional parameter $timewindowopens. This parameter is optional in Totara 19.1.0 and below and will default to the original behavior if not provided, but is required in Totara 20 and above.
  The new behavior can be opted out of by adding `$CFG->revert_TL_41377_until_t20 = true;` in your `config.php` file. However, it will be enforced for Totara 20.
Release 15.40 (28th February 2025):
Important:
- TL-43428 Updated the list of countries in lang/en/countries.php as per ISO 3166-1
  Source: https://www.iso.org/obp/ui/
  The significant changes are:
  * North Macedonia
  * Eswatini
  * Netherlands (Kingdom of the)
  * Taiwan (Province of China)
  * Holy See
  All other changes are formal, such as changing the letter case of the "And" (the current ISO uses the lower case "and"). Our own existing modifications of the list (such as having just "United States" and "United Kingdom" instead of the full long name) were kept.

Security issues:
- TL-43048 Improved handling of group access to ensure correct record visibility (CVE-2024-55646)
- TL-43202 Added a new warning to the security report if local IP addresses have not been blocked
- TL-43204 Fixed an insecure redirect problem
- TL-43220 Improved output cleaning of json_editor emoji node
- TL-43231 Improved handling of special characters in json_editor renderer
- TL-43368 Updated the metadata fetch functionality to use the local CURL system
- TL-43607 MSA-25-0010: SQL injection risk in course search module list filter (CVE-2025-26533)
  Patched an SQL injection risk that was identified in the Moodle module list filter within course search
- TL-43615 Fixed arbitrary file read risk through pdfTeX in TeX filter (CVE-2025-26525)

Bug fixes:
- TL-39906 Fixed some race conditions with localcache when the cache is purged on a busy site
  Mustache, htmlpurifier and RequireJS will all check if the cache directory is writeable, and if not log a message to the debugging logs but otherwise serve the content. If you have directly edited the caching files for these libraries in localcache you may need to check your customisations are still writing content as expected.
- TL-41949 Disallowed 'Reset course completion' when the course is part of a program or certification
  Previously, after releasing Totara 15.1, the site manager was able to reset course completion (archived and reset the user course completions) even if a course was part of a program and/or certification. This change reverts to the functionality from before Totara 15.1 was released. The change introduces a new configuration `$CFG->allow_course_completion_reset_for_program_courses` which will force a course completion to archive and reset the user completion records with program and/or certification assigned.
- TL-42322 Fixed the Seminar approver selector for sites with tenant isolation enabled
- TL-42694 Fixed being able to add members to a workspace even if an exception was thrown
- TL-43094 Fixed the format not being applied to Weka content on bold, hashtags, mentions, or placeholders
  This is a backport of TL-36168
- TL-43589 Fixed missing entries in thirdpartylibs.xml
Release 14.45 (28th February 2025):
Important:
- TL-43428 Updated the list of countries in lang/en/countries.php as per ISO 3166-1
  Source: https://www.iso.org/obp/ui/
  The significant changes are:
  * North Macedonia
  * Eswatini
  * Netherlands (Kingdom of the)
  * Taiwan (Province of China)
  * Holy See
  All other changes are formal, such as changing the letter case of the "And" (the current ISO uses the lower case "and"). Our own existing modifications of the list (such as having just "United States" and "United Kingdom" instead of the full long name) were kept.

Security issues:
- TL-43048 Improved handling of group access to ensure correct record visibility (CVE-2024-55646)
- TL-43202 Added a new warning to the security report if local IP addresses have not been blocked
- TL-43204 Fixed an insecure redirect problem
- TL-43220 Improved output cleaning of json_editor emoji node
- TL-43231 Improved handling of special characters in json_editor renderer
- TL-43368 Updated the metadata fetch functionality to use the local CURL system
- TL-43607 MSA-25-0010: SQL injection risk in course search module list filter (CVE-2025-26533)
  Patched an SQL injection risk that was identified in the Moodle module list filter within course search
- TL-43615 Fixed arbitrary file read risk through pdfTeX in TeX filter (CVE-2025-26525)

Bug fixes:
- TL-42694 Fixed being able to add members to a workspace even if an exception was thrown
- TL-43589 Fixed missing entries in thirdpartylibs.xml
Release 13.53 (28th February 2025):
Important:
- TL-43428 Updated the list of countries in lang/en/countries.php as per ISO 3166-1
  Source: https://www.iso.org/obp/ui/
  The significant changes are:
  * North Macedonia
  * Eswatini
  * Netherlands (Kingdom of the)
  * Taiwan (Province of China)
  * Holy See
  All other changes are formal, such as changing the letter case of the "And" (the current ISO uses the lower case "and"). Our own existing modifications of the list (such as having just "United States" and "United Kingdom" instead of the full long name) were kept.

Security issues:
- TL-43048 Improved handling of group access to ensure correct record visibility (CVE-2024-55646)
- TL-43202 Added a new warning to the security report if local IP addresses have not been blocked
- TL-43204 Fixed an insecure redirect problem
- TL-43220 Improved output cleaning of json_editor emoji node
- TL-43231 Improved handling of special characters in json_editor renderer
- TL-43368 Updated the metadata fetch functionality to use the local CURL system
- TL-43607 MSA-25-0010: SQL injection risk in course search module list filter (CVE-2025-26533)
  Patched an SQL injection risk that was identified in the Moodle module list filter within course search
- TL-43615 Fixed arbitrary file read risk through pdfTeX in TeX filter (CVE-2025-26525)

Bug fixes:
- TL-42694 Fixed being able to add members to a workspace even if an exception was thrown
- TL-43589 Fixed missing entries in thirdpartylibs.xml
Release 12.70 (28th February 2025):
Important:
- TL-43428 Updated the list of countries in lang/en/countries.php as per ISO 3166-1
  Source: https://www.iso.org/obp/ui/
  The significant changes are:
  * North Macedonia
  * Eswatini
  * Netherlands (Kingdom of the)
  * Taiwan (Province of China)
  * Holy See
  All other changes are formal, such as changing the letter case of the "And" (the current ISO uses the lower case "and"). Our own existing modifications of the list (such as having just "United States" and "United Kingdom" instead of the full long name) were kept.

Security issues:
- TL-43202 Added a new warning to the security report if local IP addresses have not been blocked
- TL-43204 Fixed an insecure redirect problem
- TL-43615 Fixed arbitrary file read risk through pdfTeX in TeX filter (CVE-2025-26525)

Bug fixes:
- TL-43589 Fixed missing entries in thirdpartylibs.xml
Release 11.70 (28th February 2025):
Important:
- TL-43428 Updated the list of countries in lang/en/countries.php as per ISO 3166-1
  Source: https://www.iso.org/obp/ui/
  The significant changes are:
  * North Macedonia
  * Eswatini
  * Netherlands (Kingdom of the)
  * Taiwan (Province of China)
  * Holy See
  All other changes are formal, such as changing the letter case of the "And" (the current ISO uses the lower case "and"). Our own existing modifications of the list (such as having just "United States" and "United Kingdom" instead of the full long name) were kept.

Security issues:
- TL-43202 Added a new warning to the security report if local IP addresses have not been blocked
- TL-43204 Fixed an insecure redirect problem
- TL-43615 Fixed arbitrary file read risk through pdfTeX in TeX filter (CVE-2025-26525)
Release 10.72 (28th February 2025):
Important:
- TL-43428 Updated the list of countries in lang/en/countries.php as per ISO 3166-1
  Source: https://www.iso.org/obp/ui/
  The significant changes are:
  * North Macedonia
  * Eswatini
  * Netherlands (Kingdom of the)
  * Taiwan (Province of China)
  * Holy See
  All other changes are formal, such as changing the letter case of the "And" (the current ISO uses the lower case "and"). Our own existing modifications of the list (such as having just "United States" and "United Kingdom" instead of the full long name) were kept.

Security issues:
- TL-43204 Fixed an insecure redirect problem
- TL-43615 Fixed arbitrary file read risk through pdfTeX in TeX filter (CVE-2025-26525)

Bug fixes:
- TL-43589 Fixed missing entries in thirdpartylibs.xml
Release 9.78 (28th February 2025):
Important:
- TL-43428 Updated the list of countries in lang/en/countries.php as per ISO 3166-1
  Source: https://www.iso.org/obp/ui/
  The significant changes are:
  * North Macedonia
  * Eswatini
  * Netherlands (Kingdom of the)
  * Taiwan (Province of China)
  * Holy See
  All other changes are formal, such as changing the letter case of the "And" (the current ISO uses the lower case "and"). Our own existing modifications of the list (such as having just "United States" and "United Kingdom" instead of the full long name) were kept.

Security issues:
- TL-43204 Fixed an insecure redirect problem
- TL-43615 Fixed arbitrary file read risk through pdfTeX in TeX filter (CVE-2025-26525)

Bug fixes:
- TL-43589 Fixed missing entries in thirdpartylibs.xml