Hello everyone,
The following versions of Totara have now been released:
- Release 19.0.4
- Release 18.17
- Release 17.30
- Release 16.36
- Release 15.42
- Release 14.47
- Release 13.55
- Release 12.72
- Release 11.72
- Release 10.74
- Release 9.80
These versions contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes various bug fixes and improvements.
Kind regards
Release Team
Release 19.0.4 (02nd May 2025):
Important:
- TL-44293 Added check for empty keys array to redis and memcached implementation of delete_many
  Previous versions of the Redis extension for PHP ignored the missing parameter, but a recent update caused cache deletion to fail with an exception when asked to delete nothing. Without this patch, upgrading PHP (even to the same minor version) on a site using Redis for caching can prevent users from creating a new course.
Security issues:
- TL-42851 Prevented API errors from revealing absolute paths in normal error mode
- TL-43031 Added security check related to the CSV report export format
  Added a new warning to the security report when a site uses the CSV report export format. CSV (Optimised for Excel) should be used instead.
- TL-43046 Removed 5x multiplier from guest session expiration (CVE-2024-55648)
- TL-43912 Fixed a redirect problem with the SSOSAML authentication plugin
- TL-44112 Removed hidden grades on some reports for users without permissions (CVE-2025-32045)
- TL-44479 Updated TeX filter to prevent remote code execution (CVE-2024-40446)
Performance improvements:
- TL-44131 Improved performance when loading tiles in Explore catalog blocks
  We improved the queries used to retrieve information needed to display the tiles in Explore catalog blocks, resulting in a reduction in the number of database queries.
Improvements:
- TL-42258 Increased the program 'fullname' database field length to better support multi-language
  Increased the program ‘fullname’ database field length from 254 to 1333 characters.
- TL-42430 Improved accessibility of notification close buttons
  Made notification close buttons more descriptive for screen readers.
- TL-43887 Added 'Require passing grade' completion option to external tool activity
  It is now possible to configure completion of external tool activities to require a passing grade. This change can be opted out by adding $CFG->revert_TL_43887_until_t20 = true; in your config.php file. However, it will be enforced for Totara 20.
- TL-44018 Added Totara 20.0.0's definition to the environment checks page
- TL-43973 Improved accessibility on the multiselect legacy adder
  Users of the legacy adder can now remove selected items with the keyboard only, and the “x” icon is shown on all selected items at all times, not just on hover.
Bug fixes:
- TL-35659 Added user data purging support for active applications in approval workflows
- TL-36096 Added aria-expanded to all Tui Dropdown triggers that were missing it
- TL-37948 Fixed an error in the 'Self-registration requests' report that occurred when the Tenant Member column was included
  The issue was caused by a missing database join, leading to a DB error when generating reports containing this column.
- TL-39836 Removed site policy consent requirement for external API and legacy web services requests
  Previously, site policy consent was required for service users making external API and legacy web service requests. This caused issues where service users - used for external calls to Totara APIs, which weren’t designed for user logins - were forced to log in and consent to the site policy when the site policy was enabled or updated. This update removes the site policy consent requirement for requests originating from GraphQL or legacy web services. Note: Service users will still need to consent to the site policy if they are used within the normal user interface.
- TL-40189 Fixed forced delivery channels not overriding recipient 'Disable all notifications' setting
  When using legacy notifications, it was possible to force delivery of notifications, even when the recipient had turned on the ‘Disable all notifications’ setting. In centralised notifications, it was intended that forcing a delivery channel would have the same result. This has been fixed. This change also re-enables notifications to be shown in the bell popup, allowing recipients to see notifications they received in the past or new notifications sent by forced delivery. This change can be opted out by adding $CFG->revert_TL_40189_until_T20 = true; in your config.php file. However, it will be enforced for Totara 20.
- TL-40371 Fixed seminar custom fields not being saved when a job assignment is selected during signup
- TL-40682 Added multi-language support for the Oauth2 plugin
- TL-40775 Removed extra role assignments when changing assigned roles in enrolment methods for courses
  This change can be opted in by adding $CFG->enable_TL_40775_until_T20 = true; in your config.php file. However, it will be enforced for Totara 20.
- TL-40871 Fixed the language menu on the legacy login page to display only when the setting is enabled
- TL-42160 Fixed a problem where some reports with null values were unable to be exported when using PHP 8.1 or greater
- TL-43297 Prevented the autofill of username and password fields when creating a new user
- TL-43453 Hid 'Create playlist' option when user has no permission to create playlists
  Additionally, the ‘Create new’ button in Your Library has been hidden altogether if the user does not have permission to create any items.
- TL-43519 Fixed console error when user lacks view capability for current learning block
  Current learning block js would attempt to run even when the block was not rendered.
- TL-43524 Added padding top and bottom to chromeless block content to improve readability
- TL-43716 Fixed email HTML header and footer customisations for the Inspire theme
  Previously we hard-coded the 'category' setting for testing on the Inspire settings page; we've removed the hard-coded value so that it falls back to the default value 'brand' and correctly applies the HTML to emails.
- TL-43932 Added multi language support to approval workflows drop-down menu options
- TL-43997 Fixed the encrypted key rollover job to skip non-encrypted configuration entries
- TL-44020 Fixed an accessibility failure where the dismiss button on a notification toast was accessible via the keyboard even though its parent element had aria-hidden
- TL-44147 Fixed an error when collapsing the Inspire sidebar while the user is logged out
- TL-44188 Added title to the 'Create user' page
- TL-44190 Fixed a PHP warning that can show when a cURL call is blocked by the IP address blacklist
- TL-44295 Fixed Totara Goals not being locked down properly on non-Perform flavours
  This change only affects existing sites without Perform flavour. It makes sure goals features are disabled unless legacy goals were in use on the site.
- TL-44298 Disabled goals choice setting for flavours that do not include Perform features
  As a consequence of this patch, sites without Perform features can still keep legacy goals enabled if currently in use, but cannot re-enable once it’s turned off in administration settings.
- TL-44501 Fixed an error when cache attempts to read a file that is empty
- TL-44160 Fixed an accessibility issue on the TreeViewNode component where an aria-controls attribute was referencing an element that didn't exist
Release 18.17 (02nd May 2025):
Important:
- TL-44293 Added check for empty keys array to redis and memcached implementation of delete_many
  Previous versions of the Redis extension for PHP ignored the missing parameter, but a recent update caused cache deletion to fail with an exception when asked to delete nothing. Without this patch, upgrading PHP (even to the same minor version) on a site using Redis for caching can prevent users from creating a new course.
Security issues:
- TL-42851 Prevented API errors from revealing absolute paths in normal error mode
- TL-43031 Added security check related to the CSV report export format
  Added a new warning to the security report when a site uses the CSV report export format. CSV (Optimised for Excel) should be used instead.
- TL-43046 Removed 5x multiplier from guest session expiration (CVE-2024-55648)
- TL-43912 Fixed a redirect problem with the SSOSAML authentication plugin
- TL-44112 Removed hidden grades on some reports for users without permissions (CVE-2025-32045)
- TL-44479 Updated TeX filter to prevent remote code execution (CVE-2024-40446)
Improvements:
- TL-42430 Improved accessibility of notification close buttons
  Made notification close buttons more descriptive for screen readers.
- TL-43887 Added 'Require passing grade' completion option to external tool activity
  It is now possible to configure completion of external tool activities to require a passing grade. This change can be opted out by adding $CFG->revert_TL_43887_until_t20 = true; in your config.php file. However, it will be enforced for Totara 20.
- TL-44018 Added Totara 20.0.0's definition to the environment checks page
Bug fixes:
- TL-35659 Added user data purging support for active applications in approval workflows
- TL-37948 Fixed an error in the 'Self-registration requests' report that occurred when the Tenant Member column was included
  The issue was caused by a missing database join, leading to a DB error when generating reports containing this column.
- TL-39836 Removed site policy consent requirement for external API and legacy web services requests
  Previously, site policy consent was required for service users making external API and legacy web service requests. This caused issues where service users - used for external calls to Totara APIs, which weren’t designed for user logins - were forced to log in and consent to the site policy when the site policy was enabled or updated. This update removes the site policy consent requirement for requests originating from GraphQL or legacy web services. Note: Service users will still need to consent to the site policy if they are used within the normal user interface.
- TL-40189 Fixed forced delivery channels not overriding recipient 'Disable all notifications' setting
  When using legacy notifications, it was possible to force delivery of notifications, even when the recipient had turned on the ‘Disable all notifications’ setting. In centralised notifications, it was intended that forcing a delivery channel would have the same result. This has been fixed. This change also re-enables notifications to be shown in the bell popup, allowing recipients to see notifications they received in the past or new notifications sent by forced delivery. This change can be opted out by adding $CFG->revert_TL_40189_until_T20 = true; in your config.php file. However, it will be enforced for Totara 20.
- TL-40371 Fixed seminar custom fields not being saved when a job assignment is selected during signup
- TL-40682 Added multi-language support for the Oauth2 plugin
- TL-40775 Removed extra role assignments when changing assigned roles in enrolment methods for courses
  This change can be opted in by adding $CFG->enable_TL_40775_until_T20 = true; in your config.php file. However, it will be enforced for Totara 20.
- TL-40871 Fixed the language menu on the legacy login page to display only when the setting is enabled
- TL-42160 Fixed a problem where some reports with null values were unable to be exported when using PHP 8.1 or greater
- TL-43297 Prevented the autofill of username and password fields when creating a new user
- TL-43519 Fixed console error when user lacks view capability for current learning block
  Current learning block js would attempt to run even when the block was not rendered.
- TL-43932 Added multi language support to approval workflows drop-down menu options
- TL-43997 Fixed the encrypted key rollover job to skip non-encrypted configuration entries
- TL-44020 Fixed an accessibility failure where the dismiss button on a notification toast was accessible via the keyboard even though its parent element had aria-hidden
- TL-44188 Added title to the 'Create user' page
- TL-44190 Fixed a PHP warning that can show when a cURL call is blocked by the IP address blacklist
- TL-44295 Fixed Totara Goals not being locked down properly on non-Perform flavours
  This change only affects existing sites without Perform flavour. It makes sure goals features are disabled unless legacy goals were in use on the site.
- TL-44298 Disabled goals choice setting for flavours that do not include Perform features
  As a consequence of this patch, sites without Perform features can still keep legacy goals enabled if currently in use, but cannot re-enable once it’s turned off in administration settings.
- TL-44501 Fixed an error when cache attempts to read a file that is empty
Release 17.30 (02nd May 2025):
Important:
- TL-44293 Added check for empty keys array to redis and memcached implementation of delete_many
  Previous versions of the Redis extension for PHP ignored the missing parameter, but a recent update caused cache deletion to fail with an exception when asked to delete nothing. Without this patch, upgrading PHP (even to the same minor version) on a site using Redis for caching can prevent users from creating a new course.
Security issues:
- TL-42851 Prevented API errors from revealing absolute paths in normal error mode
- TL-43046 Removed 5x multiplier from guest session expiration (CVE-2024-55648)
- TL-44112 Removed hidden grades on some reports for users without permissions (CVE-2025-32045)
- TL-44479 Updated TeX filter to prevent remote code execution (CVE-2024-40446)
Improvements:
- TL-44018 Added Totara 20.0.0's definition to the environment checks page
Bug fixes:
- TL-37948 Fixed an error in the 'Self-registration requests' report that occurred when the Tenant Member column was included
  The issue was caused by a missing database join, leading to a DB error when generating reports containing this column.
- TL-39836 Removed site policy consent requirement for external API and legacy web services requests
  Previously, site policy consent was required for service users making external API and legacy web service requests. This caused issues where service users - used for external calls to Totara APIs, which weren’t designed for user logins - were forced to log in and consent to the site policy when the site policy was enabled or updated. This update removes the site policy consent requirement for requests originating from GraphQL or legacy web services. Note: Service users will still need to consent to the site policy if they are used within the normal user interface.
- TL-40189 Fixed forced delivery channels not overriding recipient 'Disable all notifications' setting
  When using legacy notifications, it was possible to force delivery of notifications, even when the recipient had turned on the ‘Disable all notifications’ setting. In centralised notifications, it was intended that forcing a delivery channel would have the same result. This has been fixed. This change also re-enables notifications to be shown in the bell popup, allowing recipients to see notifications they received in the past or new notifications sent by forced delivery. This change can be opted out by adding $CFG->revert_TL_40189_until_T20 = true; in your config.php file. However, it will be enforced for Totara 20.
- TL-40682 Added multi-language support for the Oauth2 plugin
- TL-42160 Fixed a problem where some reports with null values were unable to be exported when using PHP 8.1 or greater
- TL-44020 Fixed an accessibility failure where the dismiss button on a notification toast was accessible via the keyboard even though its parent element had aria-hidden
- TL-44190 Fixed a PHP warning that can show when a cURL call is blocked by the IP address blacklist
- TL-44501 Fixed an error when cache attempts to read a file that is empty
Release 16.36 (02nd May 2025):
Security issues:
- TL-43046 Removed 5x multiplier from guest session expiration (CVE-2024-55648)
- TL-44112 Removed hidden grades on some reports for users without permissions (CVE-2025-32045)
- TL-44479 Updated TeX filter to prevent remote code execution (CVE-2024-40446)
Improvements:
- TL-44018 Added Totara 20.0.0's definition to the environment checks page
Bug fixes:
- TL-37948 Fixed an error in the 'Self-registration requests' report that occurred when the Tenant Member column was included
  The issue was caused by a missing database join, leading to a DB error when generating reports containing this column.
- TL-44020 Fixed an accessibility failure where the dismiss button on a notification toast was accessible via the keyboard even though its parent element had aria-hidden
- TL-44190 Fixed a PHP warning that can show when a cURL call is blocked by the IP address blacklist
Release 15.42 (02nd May 2025):
Security issues:
- TL-43046 Removed 5x multiplier from guest session expiration (CVE-2024-55648)
- TL-44112 Removed hidden grades on some reports for users without permissions (CVE-2025-32045)
- TL-44479 Updated TeX filter to prevent remote code execution (CVE-2024-40446)
Improvements:
- TL-44018 Added Totara 20.0.0's definition to the environment checks page
Bug fixes:
- TL-37948 Fixed an error in the 'Self-registration requests' report that occurred when the Tenant Member column was included
  The issue was caused by a missing database join, leading to a DB error when generating reports containing this column.
- TL-44020 Fixed an accessibility failure where the dismiss button on a notification toast was accessible via the keyboard even though its parent element had aria-hidden
- TL-44190 Fixed a PHP warning that can show when a cURL call is blocked by the IP address blacklist
Release 14.47 (02nd May 2025):
Security issues:
- TL-43046 Removed 5x multiplier from guest session expiration (CVE-2024-55648)
- TL-44112 Removed hidden grades on some reports for users without permissions (CVE-2025-32045)
- TL-44479 Updated TeX filter to prevent remote code execution (CVE-2024-40446)
Improvements:
- TL-44018 Added Totara 20.0.0's definition to the environment checks page
Bug fixes:
- TL-37948 Fixed an error in the 'Self-registration requests' report that occurred when the Tenant Member column was included
  The issue was caused by a missing database join, leading to a DB error when generating reports containing this column.
- TL-44020 Fixed an accessibility failure where the dismiss button on a notification toast was accessible via the keyboard even though its parent element had aria-hidden
Release 13.55 (02nd May 2025):
Security issues:
- TL-43046 Removed 5x multiplier from guest session expiration (CVE-2024-55648)
- TL-44112 Removed hidden grades on some reports for users without permissions (CVE-2025-32045)
- TL-44479 Updated TeX filter to prevent remote code execution (CVE-2024-40446)
Improvements:
- TL-44018 Added Totara 20.0.0's definition to the environment checks page
Bug fixes:
- TL-37948 Fixed an error in the 'Self-registration requests' report that occurred when the Tenant Member column was included
  The issue was caused by a missing database join, leading to a DB error when generating reports containing this column.
- TL-44020 Fixed an accessibility failure where the dismiss button on a notification toast was accessible via the keyboard even though its parent element had aria-hidden
Release 12.72 (02nd May 2025):
Security issues:
- TL-43046 Removed 5x multiplier from guest session expiration (CVE-2024-55648)
- TL-44112 Removed hidden grades on some reports for users without permissions (CVE-2025-32045)
- TL-44479 Updated TeX filter to prevent remote code execution (CVE-2024-40446)
Release 11.72 (02nd May 2025):
Security issues:
- TL-44112 Removed hidden grades on some reports for users without permissions (CVE-2025-32045)
- TL-44479 Updated TeX filter to prevent remote code execution (CVE-2024-40446)
Release 10.74 (02nd May 2025):
Security issues:
- TL-44112 Removed hidden grades on some reports for users without permissions (CVE-2025-32045)
- TL-44479 Updated TeX filter to prevent remote code execution (CVE-2024-40446)
Release 9.80 (02nd May 2025):
Security issues:
- TL-44112 Removed hidden grades on some reports for users without permissions (CVE-2025-32045)
- TL-44479 Updated TeX filter to prevent remote code execution (CVE-2024-40446)