Open OnDemand 4.2 Release

Open OnDemand version 4.2 is now available as 4.2.2. Thank you to all of the community members who contributed code, suggestions, bug reports, documentation, and other assistance across the project, including the 9 first-time contributors across several core Open OnDemand GitHub repositories.

We’d like to recognize the following folks for their contributions to the 4.2 release:

  • Andrej Čermák, CESNET
  • James Willis, SciNet- University of Toronto
  • Michael Robbert, Colorado School of Mines
  • Robin Karlsson, CSC – IT Center for Science
  • Evan Felix, Pacific Northwest National Laboratory
  • Harshit Soora, University of Maryland
  • Kristen Finch and Carolina Ternero, University of Washington

Please see the Acknowledgements section of the release notes for more details on their contributions.

Release Overview

This release focuses on significant accessibility improvements aligned with the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA standard, in advance of the April 2027 compliance deadline under Title II of the Americans with Disabilities Act. It also includes new OS support, dependency updates, and several behavior changes.

Changes that May Impact Your Site the Most:

  • Support for Ubuntu 22.04 has been removed. Support for Debian 13 and Ubuntu 26.04 has been added.
  • Links now open in the current tab by default . Previous versions opened some links in a new tab.
  • The Active Jobs extended details panel now opens above or beside the table rather than inline to support screen reader navigation.
  • Debian and Ubuntu repository signing has changed from SHA1 to SHA512. If you are not using OnDemand’s release packages, please update your repository configuration to use the new DEB-GPG-KEY-ondemand-SHA512 key. See the release notes for details.

Dependency Updates:

  • Passenger 6.1.2
  • NGINX 1.28.0
  • ondemand-dex 2.45.1

Several Highlights of 4.2:

  • Accessibility improvements. Version 4.2 includes accessibility enhancements across the dashboard and core applications, including additional keyboard navigation support, improved labeling for form items and icons, additional regions and landmarks, improved focus handling on auto-updating pages, contrast improvements for links and buttons, and an improved screen reader alerting experience.
  • Accessibility Conformance Report (ACR). An ACR has been created for version 4.2 documenting Open OnDemand’s conformance with the WCAG 2.1 AA standard. It is available at openondemand.org/accessibility.
  • Software Bill of Materials. Open OnDemand 4.2 includes a Software Bill of Materials (SBOM) in an industry-standard format, outlining OS-level software dependencies. The SBOM is published in a dedicated OSC repository titled open-ondemand-sbom.
  • OOD_WORKFLOW_SYNC_KEY for Project Manager workflows. Launchers within a workflow now receive a unique alphanumeric key per run, which makes it easier to synchronize launchers and safely read and write data without overwriting between runs.
  • Edit links hidden when downloads are disabled. For centers with download_enabled: false, the Files App and Project Directory tables will no longer display edit links. This prevents users from exporting file contents through the editor.
  • Interactive App popovers persist under hover and focus. App preview popovers in the Interactive Apps list now remain open while hover or focus is within the trigger or popover, which allows users to click links inside the popover.
  • PBSPro cluster_info API support. The System Status page now supports PBSPro clusters.

For more detailed information, please see the 4.2 release notes or the commit comparison between version 4.1 and 4.2.

Finally, we recommend testing the upgrade in a development or test environment before deploying to production. Step-by-step upgrade instructions for version 4.2.2 are available in the release notes.

2 Likes

Open OnDemand 4.2.3 is now available. Thank you to all community members who contributed code, suggestions, bug reports, and other assistance across the project.

Release Overview

This release contains security fixes, bug fixes, and dependency updates. For a full list of changes, please see the changelog. To compare versions 4.2.2 and 4.2.3, please see this comparison link.

Special Note

VNC-based interactive desktop apps will once again open in a new tab. Version 4.2.2 introduced a change to open links in the current tab as part of our accessibility improvements to Open OnDemand (OOD). Based on community feedback, this behavior negatively affected the VNC desktop experience, so we have reverted the change for VNC apps specifically. All other links will continue to open in the current tab.

Breaking Changes and Changes That Will Affect Your Site

  • Sites using OIDC authentication must explicitly set oidc_crypto_passphrase in ood_portal.yml before upgrading. As part of the fix for CVE-2026-55171, Open OnDemand no longer provides a default value for OIDCCryptoPassphrase. If this value is not set, Apache will start but will be unable to apply new configurations from ood_portal.yml, meaning the CVE mitigation will not take effect and your site will remain vulnerable. This failure is silent because Apache will continue running on its old configuration without obvious interruption, so check your logs to confirm configurations were applied successfully. If you missed this step before upgrading, you can set the value after the fact and reconfigure.

  • RHEL-based sites not using Puppet to install OOD should update access to /var/log/ondemand-nginx using a filesystem ACL (FACL). As part of the fix for CVE-2026-55169, OOD now changes the ownership of this directory on RHEL systems, which may remove access for staff members who previously had it. Debian packages and Puppet-managed installs already handle this correctly and are not affected. The command to do this is setfacl -m g:groupname:rx /var/log/ondemand-nginx where groupname needs to be replaced with the actual group.

Security

  • Resolved CVE-2026-55171. As mentioned above, the default oidc_crypto_passphrase is predictable and unsafe to use. Therefore, OOD no longer provides the default. httpd/apache2 will start, but the CVE mitigation will not take effect, and your site will remain vulnerable. The decision to include a fix for this security vulnerability in a patch was made in conjunction with the Open OnDemand Technical Governance Committee. Thank you to @kazeruch for reporting this vulnerability.

  • Resolved CVE-2026-55172. The session storage directory now has multiple checks to ensure it is created by the user and owned by the user, falling back to cookies if these checks fail. Previous versions lacked sufficient checks of this directory. Thank you to @irateChiapet for reporting this vulnerability and working with us on the fix.

  • Resolved CVE-2026-55169. Previous versions allowed VNC passwords to be logged in access logs. This release resolves that issue on all systems and hardens that directory on RHEL systems by changing its ownership of `/var/log/ondemand-nginx`. For details and recommended site action, see the third bullet under “Breaking Changes and Changes That May Affect Your Site.” Thank you again to @irateChiapet for reporting this vulnerability and working with us on the fix.

Bug Fixes

  • Filenames with spaces now correctly link to the File Editor fixing previous behavior of broken links.

  • Fixed dynamic batch connect fields containing underscores. Fields using underscores in their token names were not being normalized correctly and failed to function as expected.

  • Fixed job hash not being saved in Project Manager workflows. A backend fallback now ensures the job hash is saved correctly, so data is not lost between runs.

  • Fixed interactive app menu border hover styling.

  • Navigation bar menus work correctly on MacOS/Safari previously fixing rendering behavior where links couldn’t be selected.

  • Display settings in Recently Used Apps now escape HTML.

Dependency Updates

  • We made many Ruby and NodeJS package updates in this patch. Please see the change log for details.

  • The ondemand-selinux package no longer requires a specific selinux-policy version, which improves compatibility across supported RHEL operating systems.

TLDR;

  • OIDC sites need to provide oidc_crypto_passphrase in ood_portal.yml

  • /var/log/ondemand-nginx is no longer accessible by regular users.

  • VNC applications opening in new tabs are back.