Hello everyone,
The following versions of Totara have now been released:
- Release 19.0.3
- Release 18.16
- Release 17.29
- Release 16.35
- Release 15.41
- Release 14.46
- Release 13.54
- Release 12.71
- Release 11.71
- Release 10.73
- Release 9.79
These versions do contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes various bug fixes and improvements.
A big thanks to the following people for their contributions to this release:
- Dan Marsden at Catalyst - TL-43795
Release Team
Release 19.0.3 (26th March 2025):
Security issues:
TL-43050 Improved validation to restrict users from viewing others with a specified tag (CVE-2024-55644)
TL-43612 Cleaned drop zone label text in ddimageortext question type (CVE-2025-26528)
TL-43614 Fixed that Feedback responses did not always properly respect separate groups modes (CVE-2025-26526)
TL-43788 MSA-25-0008: IDOR in badges allows disabling of arbitrary badges (CVE-2025-26531)
TL-43800 Added a new critical security report that will warn if the setting wkhtml2pdf is enabled
We strongly recommend disabling wkhtml2pdf as an export option and relying on
the regular built-in PDF exports. From Totara 20 wkhtmltopdf support is removed.
Performance improvements:
TL-40368 Improved performance for resetting / archiving course completions for courses with lots of users by running actions in bulk
Improvements:
TL-42378 Improved spacing between the user image and a glossary entry
TL-43586 Added custom script for migrating theme settings from Ventura to Inspire
TL-43709 Added system status check for ephemeral configuration flags
From time to time, Totara bug fixes will include settings that allow system
administrators to temporarily revert to previous behaviour until the next major
release. This check attempts to detect any use of those settings in config.php,
and report them on the system status report, or via the check CLI at
`php server/admin/cli/checks.php`.
Bug fixes:
TL-33788 Fixed an error when trying to update the content of a learning plan containing hidden programs
TL-41329 Improved performance of the "delete_completion_logs" task
Limited delete_completion_logs task to 5 minutes
TL-41793 Fixed Totara goal snapshots not showing up for deleted goals on closed performance activity sections
TL-42588 Updated notification roles from "log" to "status" for better screen reader accessibility
TL-42591 Fixed issue where editing a hierarchy item could incorrectly move it to a different framework
TL-43244 Added exit activity button to SCORM activities
Added an "exit activity" button to SCORM activities so that, when activities are
dependent on the SCORM being completed, it can be "exited", which will take
the user to the start page of the activity. This updates the activities and
unlocks any dependent activities that were previously restricted.
TL-43313 Added missing variable in catalog filter results
Added missing `native` field to `mobile_findlearning_filter_catalog` query.
The lack of this field meant that if you ran a search on the mobile app and then
opened a course, it would always assume it was not a mobile-friendly course and
open it via webview instead of natively.
TL-43613 MDL-83941: Fixed issue where users could browse unsearchable tag collections (CVE-2025-26527)
TL-43795 Fixed an upgrade error with block_html instances missing data for custom classes
TL-43796 Fixed debug warnings in catalog when a playlist has limited visibility and is not shared with any individuals
Recommendations engine:
TL-43595 Upgraded the nltk library to 3.9.1 (CVE-2024-39705)
TL-43601 Upgraded the Waitress library to 3.0.2 (CVE-2024-49769)
TL-43719 Fixed an error that can appear when not enough interactions are provided with a new connection
This only occurs when running the machine learning service with enough users and
items, but no interactions, which is rare. With this patch, we now provide an
error in the model and healthcheck indicating if the number of interactions is
too few to make recommendations.
Contributions:
* Dan Marsden at Catalyst - TL-43795
Release 18.16 (26th March 2025):
Security issues:
TL-43050 Improved validation to restrict users from viewing others with a specified tag (CVE-2024-55644)
TL-43612 Cleaned drop zone label text in ddimageortext question type (CVE-2025-26528)
TL-43614 Fixed that Feedback responses did not always properly respect separate groups modes (CVE-2025-26526)
TL-43788 MSA-25-0008: IDOR in badges allows disabling of arbitrary badges (CVE-2025-26531)
TL-43800 Added a new critical security report that will warn if the setting wkhtml2pdf is enabled
We strongly recommend disabling wkhtml2pdf as an export option and relying on
the regular built-in PDF exports. From Totara 20 wkhtmltopdf support is removed.
Performance improvements:
TL-40368 Improved performance for resetting / archiving course completions for courses with lots of users by running actions in bulk
Improvements:
TL-42378 Improved spacing between the user image and a glossary entry
Bug fixes:
TL-33788 Fixed an error when trying to update the content of a learning plan containing hidden programs
TL-41329 Improved performance of the "delete_completion_logs" task
Limited delete_completion_logs task to 5 minutes
TL-41793 Fixed Totara goal snapshots not showing up for deleted goals on closed performance activity sections
TL-42588 Updated notification roles from "log" to "status" for better screen reader accessibility
TL-43244 Added exit activity button to SCORM activities
Added an "exit activity" button to SCORM activities so that, when activities are
dependent on the SCORM being completed, it can be "exited", which will take
the user to the start page of the activity. This updates the activities and
unlocks any dependent activities that were previously restricted.
TL-43313 Added missing variable in catalog filter results
Added missing `native` field to `mobile_findlearning_filter_catalog` query.
The lack of this field meant that if you ran a search on the mobile app and then
opened a course, it would always assume it was not a mobile-friendly course and
open it via webview instead of natively.
Release 17.29 (26th March 2025):
Security issues:
TL-43050 Improved validation to restrict users from viewing others with a specified tag (CVE-2024-55644)
TL-43612 Cleaned drop zone label text in ddimageortext question type (CVE-2025-26528)
TL-43614 Fixed that Feedback responses did not always properly respect separate groups modes (CVE-2025-26526)
TL-43788 MSA-25-0008: IDOR in badges allows disabling of arbitrary badges (CVE-2025-26531)
TL-43800 Added a new critical security report that will warn if the setting wkhtml2pdf is enabled
We strongly recommend disabling wkhtml2pdf as an export option and relying on
the regular built-in PDF exports. From Totara 20 wkhtmltopdf support is removed.
Performance improvements:
TL-40368 Improved performance for resetting / archiving course completions for courses with lots of users by running actions in bulk
Bug fixes:
TL-43313 Added missing variable in catalog filter results
Added missing `native` field to `mobile_findlearning_filter_catalog` query.
The lack of this field meant that if you ran a search on the mobile app and then
opened a course, it would always assume it was not a mobile-friendly course and
open it via webview instead of natively.
Release 16.35 (26th March 2025):
Security issues:
TL-43050 Improved validation to restrict users from viewing others with a specified tag (CVE-2024-55644)
TL-43612 Cleaned drop zone label text in ddimageortext question type (CVE-2025-26528)
TL-43614 Fixed that Feedback responses did not always properly respect separate groups modes (CVE-2025-26526)
TL-43788 MSA-25-0008: IDOR in badges allows disabling of arbitrary badges (CVE-2025-26531)
TL-43800 Added a new critical security report that will warn if the setting wkhtml2pdf is enabled
We strongly recommend disabling wkhtml2pdf as an export option and relying on
the regular built-in PDF exports. From Totara 20 wkhtmltopdf support is removed.
Bug fixes:
TL-43313 Added missing variable in catalog filter results
Added missing `native` field to `mobile_findlearning_filter_catalog` query.
The lack of this field meant that if you ran a search on the mobile app and then
opened a course, it would always assume it was not a mobile-friendly course and
open it via webview instead of natively.
Release 15.41 (26th March 2025):
Security issues:
TL-43050 Improved validation to restrict users from viewing others with a specified tag (CVE-2024-55644)
TL-43612 Cleaned drop zone label text in ddimageortext question type (CVE-2025-26528)
TL-43614 Fixed that Feedback responses did not always properly respect separate groups modes (CVE-2025-26526)
TL-43788 MSA-25-0008: IDOR in badges allows disabling of arbitrary badges (CVE-2025-26531)
TL-43800 Added a new critical security report that will warn if the setting wkhtml2pdf is enabled
We strongly recommend disabling wkhtml2pdf as an export option and relying on
the regular built-in PDF exports. From Totara 20 wkhtmltopdf support is removed.
Release 14.46 (26th March 2025):
Security issues:
TL-43050 Improved validation to restrict users from viewing others with a specified tag (CVE-2024-55644)
TL-43612 Cleaned drop zone label text in ddimageortext question type (CVE-2025-26528)
TL-43614 Fixed that Feedback responses did not always properly respect separate groups modes (CVE-2025-26526)
TL-43788 MSA-25-0008: IDOR in badges allows disabling of arbitrary badges (CVE-2025-26531)
TL-43800 Added a new critical security report that will warn if the setting wkhtml2pdf is enabled
We strongly recommend disabling wkhtml2pdf as an export option and relying on
the regular built-in PDF exports. From Totara 20 wkhtmltopdf support is removed.
Release 13.54 (26th March 2025):
Security issues:
TL-43050 Improved validation to restrict users from viewing others with a specified tag (CVE-2024-55644)
TL-43608 Restoring a Glossary from a backup now respects the trust text setting for the user doing the restore (CVE-2025-26532)
TL-43612 Cleaned drop zone label text in ddimageortext question type (CVE-2025-26528)
TL-43614 Fixed that Feedback responses did not always properly respect separate groups modes (CVE-2025-26526)
TL-43788 MSA-25-0008: IDOR in badges allows disabling of arbitrary badges (CVE-2025-26531)
TL-43800 Added a new critical security report that will warn if the setting wkhtml2pdf is enabled
We strongly recommend disabling wkhtml2pdf as an export option and relying on
the regular built-in PDF exports. From Totara 20 wkhtmltopdf support is removed.
Release 12.71 (26th March 2025):
Security issues:
TL-43050 Improved validation to restrict users from viewing others with a specified tag (CVE-2024-55644)
TL-43608 Restoring a Glossary from a backup now respects the trust text setting for the user doing the restore (CVE-2025-26532)
TL-43800 Added a new critical security report that will warn if the setting wkhtml2pdf is enabled
We strongly recommend disabling wkhtml2pdf as an export option and relying on
the regular built-in PDF exports. From Totara 20 wkhtmltopdf support is removed.
Release 11.71 (26th March 2025):
Security issues:
TL-43050 Improved validation to restrict users from viewing others with a specified tag (CVE-2024-55644)
TL-43608 Restoring a Glossary from a backup now respects the trust text setting for the user doing the restore (CVE-2025-26532)
TL-43800 Added a new critical security report that will warn if the setting wkhtml2pdf is enabled
We strongly recommend disabling wkhtml2pdf as an export option and relying on
the regular built-in PDF exports. From Totara 20 wkhtmltopdf support is removed.
Release 10.73 (26th March 2025):
Security issues:
TL-43050 Improved validation to restrict users from viewing others with a specified tag (CVE-2024-55644)
TL-43608 Restoring a Glossary from a backup now respects the trust text setting for the user doing the restore (CVE-2025-26532)
TL-43800 Added a new critical security report that will warn if the setting wkhtml2pdf is enabled
We strongly recommend disabling wkhtml2pdf as an export option and relying on
the regular built-in PDF exports. From Totara 20 wkhtmltopdf support is removed.
Release 9.79 (26th March 2025):
Security issues:
TL-43050 Improved validation to restrict users from viewing others with a specified tag (CVE-2024-55644)
TL-43608 Restoring a Glossary from a backup now respects the trust text setting for the user doing the restore (CVE-2025-26532)
TL-43800 Added a new critical security report that will warn if the setting wkhtml2pdf is enabled
We strongly recommend disabling wkhtml2pdf as an export option and relying on
the regular built-in PDF exports. From Totara 20 wkhtmltopdf support is removed.
