A security vulnerability was recently discovered by Inge Alexander Raknes that would allow a malicious person to execute arbitrary code on a Galaxy server. The vulnerability was in a method that uses Python "pickle" functionality to decode state information from tool forms. Because pickles can be used to instantiate arbitrary Python objects, tool states could be constructed to exploit this vulnerability.
Because this vulnerability allows for arbitrary code execution, administrators are strongly encouraged to apply this fix IMMEDIATELY. We have tried to make it as easy and quick as possible for server administrators to update their Galaxy instances. The fix has been applied to every stable release from 2013.01.13 until the tip, so it is possible to get this fix on older releases without updating to a newer feature release. You can do this by identifying your current release and updating to the `latest_<release_date>` tag corresponding to your release.
For example, if you are running release_2013.11.04 (or a subsequent commit to the stable branch of Galaxy between release_2013.11.04 and release_2014.02.10), you can update with:
% hg pull % hg update latest_2013.11.04
For the changes to take effect, YOU MUST RESTART ALL GALAXY SERVER PROCESSES.
If you do not want to pull any upstream changes, we have also created a standalone patch that fixes this problem, with multiple versions depending on your current Galaxy release:
If you happen to be running a very recent revision on the default branch or the newly created next-stable branch, a pickle-default.patch file exists at the same place.
For older releases or instances with conflicting local modifications, manual application of the patch should not be difficult as it only includes a few small changes. To apply the patch, navigate to the root of your Galaxy directory, then run (replacing <url_to_patch> with the URL above that is correct for your release):