[galaxy-announce] April 8, 2013 Galaxy Security Release

Nate Coraor
A security vulnerability was recently discovered that would allow a malicious person to delete the contents of a history that does not belong to them.  The vulnerability was in a method designed to allow users to switch between histories as a convenience from certain messages and is not used for most normal history switching operations.  A fix has been provided in the stable branch of the Galaxy distribution and tagged as security_2013.04.08.  Administrators are strongly encouraged to upgrade to at least the listed tag or to implement one of the provided workarounds. This changeset *is not* included in the most recent (April 1, 2013) stable release.

To upgrade:

  % hg pull
  % hg update security_2013.04.08

For Galaxy installations on relatively old versions that administrators are not yet ready to upgrade, there are two workarounds.  First, the patch can be downloaded and applied manually:

  % wget -O history.patch https://bitbucket.org/galaxy/galaxy-central/commits/883216b2eaf2ff05b7771f4ed2541be2ef1ed92f/raw/

and then:

  % hg patch history.patch

or:

  % patch -p1 < history.patch

In this case, the Galaxy server process(es) must be restarted for the change to take effect.

Second, access to this method via the upstream proxy server can be denied.  Note that anyone with the ability to bypass the proxy server via directly connecting to the Galaxy application's web port(s) would still be able to call this method.  This is possible for anyone with direct login access to the server, or even remotely if the Galaxy application binds to all addresses (instead of just localhost) unless restricted by other means (e.g. a firewall).

For Apache:

<Location ~ "/history/switch_to_history.*">
   Deny from all
</Location>

For nginx:

location ~ /history/switch_to_history.* {
   deny all;
}

If using a proxy prefix (e.g. "/galaxy"), that prefix should be prepended to "/history".

--nate
Galaxy Team
_______________________________________________
galaxy-announce mailing list
http://lists.bx.psu.edu/listinfo/galaxy-announce
To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/
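The following is an added example, not part of the announcement above and not code from the Galaxy project. It helps an administrator reason about the second workaround: it renders the Apache and nginx deny blocks for a given proxy prefix, emulates how those directives match a request (the regex is applied to the request path without the query string, and the match is unanchored, which `re.search` mirrors), and checks whether the Galaxy application's own listener is bound to all addresses, the bypass condition the announcement warns about. The `[server:main]` / `host` setting and the sample `universe_wsgi.ini` fragment are assumptions constructed for this example.

```python
"""Helpers for the proxy-deny workaround described in the 2013.04.08 advisory.

Added example; not Galaxy project code. Assumes a Paste-style Galaxy ini with a
[server:main] section carrying the 'host' key (an assumption for this example).
"""
import re
from configparser import ConfigParser
from urllib.parse import urlsplit

# The controller method path named in the advisory.
VULNERABLE_METHOD = "/history/switch_to_history"


def render_apache_deny(prefix: str = "") -> str:
    """Return the <Location> block from the advisory, with an optional proxy prefix."""
    return f'<Location ~ "{prefix}{VULNERABLE_METHOD}.*">\n   Deny from all\n</Location>\n'


def render_nginx_deny(prefix: str = "") -> str:
    """Return the nginx location block from the advisory, with an optional proxy prefix."""
    return f"location ~ {prefix}{VULNERABLE_METHOD}.* {{\n   deny all;\n}}\n"


def request_is_denied(request_target: str, prefix: str = "") -> bool:
    """Emulate the regex location match for a request target such as '/history/...?id=1'.

    Both servers match the pattern against the URI path only (no query string) and
    the match is unanchored, so re.search is the right analogue.
    """
    path = urlsplit(request_target).path
    pattern = prefix + VULNERABLE_METHOD + ".*"
    return re.search(pattern, path) is not None


def app_port_is_exposed(ini_text: str) -> bool:
    """True if the Galaxy listener binds to every interface, so the proxy can be bypassed.

    Reads [server:main] host from a Paste-style ini (assumed layout). Interpolation is
    disabled because such files commonly contain %(here)s references.
    """
    cp = ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    host = cp.get("server:main", "host", fallback="127.0.0.1").strip()
    return host in ("", "0.0.0.0", "::")


# Constructed sample config, binding to all addresses (the risky setting).
SAMPLE_INI = """
[server:main]
use = egg:Paste#http
port = 8080
host = 0.0.0.0
"""


def main() -> None:
    prefix = "/galaxy"
    print(render_apache_deny(prefix))
    print(render_nginx_deny(prefix))
    for target in (f"{prefix}/history/switch_to_history?id=1",
                   f"{prefix}/history/list"):
        print(f"{target}: denied={request_is_denied(target, prefix)}")
    print("app port reachable from outside:", app_port_is_exposed(SAMPLE_INI))


if __name__ == "__main__":
    main()
```

Run it with a prefix matching your deployment; if `app_port_is_exposed` reports true, the proxy rule alone does not close the hole and the listener should be restricted to localhost or firewalled, as the advisory notes.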