Security fix in Open OnDemand 1.8.18 and 1.7.19 patch releases now available

We have released 1.8.18 and 1.7.19 patch releases with security fixes:

  • properly escape user input when creating job template in Job Composer app as reported as CVE-2020-27958 (thanks to reporting by Radoslav Bodó and the team at

1.8.18 has some additional changes since 1.8.12 including:

  • by default, set Content Security Policy frame-ancestors to the server name for all requests, which can be changed using the new security_csp_frame_ancestors in the ood_portal.yml #697 and #721
  • by default, set HTTP Strict Transport Security (HSTS) if SSL is in use, which can be disabled setting security_strict_transport: false in the ood_portal.yml #697
  • custom log formatting on apache and nginx access logs [#677] ( (thanks to Pavlos Daoglou)
  • fixed XDMoD queries for staff users in the XDMoD reports #688.
  • make it easier to develop info.html.erb in batch connect apps by gracefully handling crashes and now rendering template from the app root instead of storing a copy of the template in the session #666
  • better handling of Slurm squeue timeouts 209
  • fix Linux Host Adapter race condition in deleteing tmp files 212
  • can load .rb locale files alongside .yml locale files, enabling more dynamic localization #645
  • warn users about job composer links to XDMoD jobs being broken immediately after job completes, since it wouldn’t yet be ingested into XDMoD #676
  • ignore bad cache key values when updating from batch connect form cache #655
  • properly escape characters in Go To dialog in Files app #660
  • force update Files app dependencies using yarn resolutions #661
  • xdmod widgets utilize available space on the dashboard when not displaying the MOTD #676

To upgrade from 1.8.12 to 1.8.18 or 1.7.18 to 1.7.19:

sudo yum update ondemand