[galaxy-announce] Galaxy Security Vulnerability - Authentication framework with LDAP


Nate Coraor
DESCRIPTION

A security vulnerability was recently discovered by Nicola Soranzo at The Genome Analysis Centre that would allow unauthorized access to Galaxy accounts on Galaxy servers using the LDAP authentication framework plugin. The cause is that an LDAP server may be configured to allow anonymous binds, and the LDAP plugin treated any bind with the supplied username/password that did not fail as a successful login, without checking that the resulting bind was not anonymous.
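The following is an added illustration of the bug class described above; it is not code from Galaxy or its LDAP plugin. It models the bind semantics in RFC 4513: a simple bind with a non-empty DN and an empty password is an "unauthenticated" bind, which a server configured to permit anonymous access accepts while leaving the connection anonymous. A login check that equates "the bind did not raise" with "the password was correct" therefore admits anyone who submits an empty password. The FakeLdapConnection class, the sample directory and the DN used are all constructed for the example; the method names only mimic python-ldap's simple_bind_s() and whoami_s() so the two check functions read like plugin code.

```python
# Added example (not Galaxy's code): an LDAP login check that trusts a
# bare "bind succeeded", next to one that refuses empty credentials and
# verifies the bind actually authenticated the requested DN.


class LdapError(Exception):
    """Stands in for the exception a real LDAP client raises on bind failure."""


class FakeLdapConnection:
    """Constructed stand-in for an LDAP connection; models bind semantics only."""

    def __init__(self, directory, allow_anonymous=True):
        self._directory = directory          # dn -> password (constructed data)
        self._allow_anonymous = allow_anonymous
        self.bound_dn = None                 # None: not bound; "": anonymous

    def simple_bind_s(self, dn, password):
        if password == "":
            # RFC 4513 5.1.1 / 5.1.2: an empty password yields an anonymous or
            # unauthenticated bind.  A server that permits it returns success.
            if not self._allow_anonymous:
                raise LdapError("unauthenticated bind disallowed")
            self.bound_dn = ""
            return
        if self._directory.get(dn) != password:
            raise LdapError("invalidCredentials")
        self.bound_dn = dn

    def whoami_s(self):
        """Mirror of the 'Who am I?' extended operation (RFC 4532):
        'dn:<bound DN>' when authenticated, '' when the connection is anonymous."""
        return "dn:" + self.bound_dn if self.bound_dn else ""


def vulnerable_authenticate(conn, dn, password):
    """The flawed pattern: any bind that does not raise counts as a login."""
    try:
        conn.simple_bind_s(dn, password)
    except LdapError:
        return False
    return True


def hardened_authenticate(conn, dn, password):
    """Refuse empty credentials before binding, then confirm the server
    really authenticated us as the DN we asked for (not anonymously)."""
    if not dn or not password:
        return False
    try:
        conn.simple_bind_s(dn, password)
    except LdapError:
        return False
    return conn.whoami_s() == "dn:" + dn


# Constructed sample directory with a single user.
ALICE = "uid=alice,ou=people,dc=example,dc=org"
DIRECTORY = {ALICE: "correct horse battery"}


def demo(allow_anonymous=True):
    """Run both checks against empty, wrong and right passwords.
    Returns {(check name, case): login succeeded?}."""
    results = {}
    cases = (("empty", ""), ("wrong", "hunter2"), ("right", DIRECTORY[ALICE]))
    for label, pw in cases:
        for check in (vulnerable_authenticate, hardened_authenticate):
            conn = FakeLdapConnection(DIRECTORY, allow_anonymous)
            results[(check.__name__, label)] = check(conn, ALICE, pw)
    return results


if __name__ == "__main__":
    for (check, case), ok in sorted(demo().items()):
        print("%-24s %-6s -> %s" % (check, case, "login" if ok else "denied"))
```

With the server permitting unauthenticated binds, vulnerable_authenticate() lets the empty-password case in while hardened_authenticate() denies it; with allow_anonymous=False (the server-side mitigation, which on a real directory is a server configuration setting) even the flawed check denies it, but the client-side checks are the ones a plugin controls and should still be present. Where a real server implements "Who am I?", the post-bind identity check catches any other path that leaves the connection anonymous.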

AFFECTED VERSIONS

The authentication framework is a new feature as of the 15.05 Galaxy release, so earlier versions are not affected. In versions 15.05 and later, the LDAP plugin is not used by default, so only Galaxy servers which have been configured to use this new functionality are affected. Galaxy servers using upstream delegated authentication (where authentication is performed by the proxy server, e.g. Apache or nginx) are not affected.

IMPACT

Administrators of affected servers are STRONGLY encouraged to update immediately, as the vulnerability allows unauthorized access to Galaxy accounts.

INSTRUCTIONS

To apply the fix, first identify your current Galaxy release version using the `git branch` or `hg branch` commands. If you are on a 'release_YY.MM' branch, you can update with:

  % git pull

or:

  % hg pull -u

The process above can also be used to update to the 15.07 release if you are on the 'master' git branch or the 'stable' hg branch. If you are on the 'master'/'stable' branch and wish to remain on your current Galaxy major release, check the 'lib/galaxy/version.py' file to determine your major release version, then update to the appropriate branch:

  % git checkout -b release_YY.MM origin/release_YY.MM
  % git pull

or:

  % hg pull
  % hg update release_YY.MM

For the changes to take effect, YOU MUST RESTART ALL GALAXY SERVER PROCESSES.

On behalf of the Galaxy Committers,
--nate

_______________________________________________
galaxy-announce mailing list
https://lists.galaxyproject.org/listinfo/galaxy-announce
To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/