[galaxy-announce] Galaxy Security Notification

Nate Coraor
A security vulnerability was recently discovered by Björn Grüning with Galaxy's "user impersonation" feature that can expose an administrator's active history to users whom they impersonate.  Only Galaxy instances with `allow_user_impersonation = True` set in their configurations are affected, and only if an administrator makes use of the impersonation feature.  By default, user impersonation is disabled.

A fix (id: 9d42f1e32efb) has been provided in the stable branch of Galaxy.  To apply the fix, ensure you are on the stable branch and upgrade to the latest changeset:

  % hg branch
  stable

  % hg pull -u

For Galaxy installations on relatively old versions that administrators are not yet ready to upgrade, there are three workarounds.  First, the patch can be downloaded and applied manually:

  % wget -O security.patch https://bitbucket.org/galaxy/galaxy-central/commits/9d42f1e32efb654fda1e011dc66a4aa5888717f1/raw/

and then:

  % hg patch security.patch

or:

  % patch -p1 < security.patch

Second, the impersonation feature can be disabled by setting the following option in Galaxy's configuration file:

  allow_user_impersonation = False

In all of the above cases, the Galaxy server process(es) must be restarted for the change to take effect.
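The following is an added example, not code from the original announcement or from the Galaxy project. It covers the question an administrator has to answer before choosing between the workarounds above (is this instance affected at all?) and then carries out the second workaround, rewriting the setting to False. It assumes an ini-style config file passed in by path (the announcement does not name the file), with '#' or ';' comment lines, and assumes that Galaxy reads true/yes/on/1 (case-insensitive) as true; both are assumptions, not facts from the page. A restart of the Galaxy server process(es) is still needed afterwards, as stated above.

```sh
#!/bin/sh
# Added example (not from the original post or the Galaxy project).
# Assumptions: ini-style "key = value" config, '#'/';' comment lines,
# and Galaxy's boolean parsing accepting true/yes/on/1 case-insensitively.

impersonation_enabled() {
    # Usage: impersonation_enabled CONFIG_FILE
    # Exit status 0 if an uncommented allow_user_impersonation line is set
    # to a true value, 1 otherwise. An absent setting counts as disabled,
    # which is the documented default. The last occurrence wins.
    awk '
        /^[ \t]*[#;]/ { next }                       # skip commented-out lines
        /^[ \t]*allow_user_impersonation[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")                 # drop the key and "="
            sub(/[ \t]+$/, "")                       # drop trailing whitespace
            val = tolower($0)                        # normalise for comparison
        }
        END {
            if (val == "true" || val == "yes" || val == "on" || val == "1") exit 0
            exit 1
        }
    ' "$1"
}

disable_impersonation() {
    # Usage: disable_impersonation CONFIG_FILE
    # Workaround 2: rewrite every uncommented allow_user_impersonation line
    # to False, keeping a .bak copy of the original. Commented-out lines are
    # left alone. If the key is absent nothing is written, since the default
    # is already disabled. Galaxy must be restarted for this to take effect.
    cp "$1" "$1.bak" || return 1
    sed 's/^\([[:space:]]*allow_user_impersonation[[:space:]]*=\).*$/\1 False/' \
        "$1.bak" > "$1"
}

# Stand-alone usage: report status for a config path given on the command line.
if [ -n "$1" ]; then
    if impersonation_enabled "$1"; then
        echo "$1: user impersonation ENABLED; instance is affected if admins use it"
    else
        echo "$1: user impersonation disabled; not affected"
    fi
fi
```

The parser deliberately ignores commented-out lines, because a typical config ships the option as `# allow_user_impersonation = False` right above the live setting; matching that comment would report the wrong answer either way.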

Third, the feature can be left enabled and unpatched, and the vulnerability can be worked around by educating administrators who use the feature.  As long as a new history is created by the administrator prior to switching to the impersonated user, no data will be exposed to the impersonated user.

--nate
Galaxy Team
_______________________________________________
galaxy-announce mailing list
[hidden email]
http://lists.bx.psu.edu/listinfo/galaxy-announce
To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/