We have released 1.8.18 and 1.7.19 patch releases with security fixes:
- properly escape user input when creating a job template in the Job Composer app, reported as CVE-2020-27958 (thanks to Radoslav Bodó and the team at flab.cesnet.cz for the report)
1.8.18 also includes the following changes since 1.8.12:
- by default, set the Content Security Policy frame-ancestors directive to the server name for all requests; this can be changed using the new security_csp_frame_ancestors setting in ood_portal.yml (#697 and #721)
- by default, set HTTP Strict Transport Security (HSTS) when SSL is in use; this can be disabled by setting security_strict_transport: false in ood_portal.yml (#697)
- custom log formatting on Apache and nginx access logs [#677](https://github.com/OSC/ondemand/pull/677) (thanks to Pavlos Daoglou)
- fixed XDMoD queries for staff users in the XDMoD reports (#688)
- make it easier to develop info.html.erb in batch connect apps by gracefully handling crashes and by rendering the template from the app root instead of storing a copy of the template in the session (#666)
- better handling of Slurm squeue timeouts (209)
- fix Linux Host Adapter race condition when deleting tmp files (212)
- can load .rb locale files alongside .yml locale files, enabling more dynamic localization #645
- warn users about job composer links to XDMoD jobs being broken immediately after job completes, since it wouldn’t yet be ingested into XDMoD #676
- ignore bad cache key values when updating from batch connect form cache #655
- properly escape characters in Go To dialog in Files app #660
- force update Files app dependencies using yarn resolutions #661
- XDMoD widgets utilize the available space on the dashboard when the MOTD is not displayed (#676)
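The two new security defaults above (frame-ancestors set to the server name, HSTS when SSL is in use) can be verified from the portal's response headers after upgrading. The checker below is an added example written for this post, not code from the OnDemand project; the server name, the sample headers and the minimum HSTS max-age are constructed assumptions.

```python
from typing import Dict, List

# Constructed sample headers: what the portal might return after the upgrade
# (GOOD) and a deployment where the new defaults were overridden (BAD).
SERVER_NAME = "https://ondemand.example.edu"  # assumed server name
GOOD_HEADERS = {
    "Content-Security-Policy": f"frame-ancestors {SERVER_NAME}",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
BAD_HEADERS = {"Content-Security-Policy": "frame-ancestors *"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source-list]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def hsts_max_age(header: str) -> int:
    """Return the max-age of an HSTS header, or -1 if absent or malformed."""
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            return int(value)
    return -1


def check_headers(headers: Dict[str, str], server_name: str, ssl: bool = True,
                  min_max_age: int = 31536000) -> List[str]:
    """Return findings; an empty list means both defaults are in place."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    ancestors = parse_csp(h.get("content-security-policy", "")).get("frame-ancestors")
    if ancestors is None:
        findings.append("no frame-ancestors directive: page can be framed anywhere")
    elif "*" in ancestors:
        findings.append("frame-ancestors allows any origin")
    elif not ({server_name, "'self'", "'none'"} & set(ancestors)):
        findings.append(f"frame-ancestors {ancestors} does not cover {server_name}")
    if ssl:  # HSTS only matters (and is only set by default) when SSL is in use
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append("Strict-Transport-Security header missing on an SSL site")
        elif hsts_max_age(hsts) < min_max_age:
            findings.append(f"HSTS max-age below {min_max_age}")
    return findings
```

Run `check_headers` against the headers returned by a real request to the portal; any finding means a default from this release is not in effect.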
To upgrade from 1.8.12 to 1.8.18 or 1.7.18 to 1.7.19:
sudo yum update ondemand