New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare

Hi, not sure how to report this issue otherwise for this project. Is there a way to report this issue for the ondemand-nginx package? A patch would be nice.

Hi and welcome! We haven't enabled HTTP/2 in either Apache or NGINX, AFAIK. Of course, sites may have enabled it in Apache through their own configuration, but we don't ship with it enabled.

Hi @Kees
Yes, there is a recommended way to report issues like this. Please see our Security Policy here: ondemand/SECURITY.md at master · OSC/ondemand · GitHub.

Full transparency, we are updating the policy this summer to reflect a few changes over the past year. But, overall, please follow the recommendations laid out in that policy. Thanks so much!

Just in case somebody else stumbles on this thread in the future, we also have details on security reporting in our documentation at Security — Open OnDemand 4.2.0 documentation (or go to Open OnDemand — Open OnDemand 4.2.0 documentation and browse to the Security section).

Thanks Jeff!

If OOD in the future wants to move to HTTP/2, please remember to make it configurable, if it's at all possible (I think it shouldn't be too difficult to keep HTTP/1.1 around?). I put a comment on the GitHub issue over two years ago exactly because of security issues like this one 🙂