[galaxy-announce] Galaxy Tool Shed Security Vulnerability - Repository uploads


Nate Coraor
DESCRIPTION

A security vulnerability was recently discovered by Peter Cock at the James Hutton Institute that would allow a malicious actor to upload new versions to repositories to which they have not been granted access.

AFFECTED VERSIONS

This issue affects versions of the Tool Shed beginning with 15.01. Earlier versions are not affected.

IMPACT

Because the Tool Shed is used to install software in Galaxy, exploitation could result in arbitrary code execution on Galaxy servers: a malicious tool is uploaded to a previously trusted repository, and that compromised version is subsequently installed by a Galaxy administrator. As such, Tool Shed administrators are strongly encouraged to update immediately.

INSTRUCTIONS

To apply the fix, first identify your current Galaxy release version using the `git branch` or `hg branch` commands. If you are on a 'release_YY.MM' branch, you can update with:

  % git pull

or:

  % hg pull -u

The process above can also be used to update to the 15.07 release if you are on the 'master' git branch or the 'stable' hg branch. If you are on the 'master'/'stable' branch and wish to remain on your current Galaxy major release, check the 'lib/galaxy/version.py' file to determine your major release version, then update to the appropriate branch:

  % git checkout -b release_YY.MM origin/release_YY.MM
  % git pull

or:

  % hg pull
  % hg update release_YY.MM

For the changes to take effect, YOU MUST RESTART ALL TOOL SHED SERVER PROCESSES.
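The branch-dependent update procedure above, as an added helper script (not part of the announcement or the Galaxy code base). It assumes lib/galaxy/version.py contains a line of the form VERSION_MAJOR = "YY.MM"; the version text in the comments is constructed for illustration.

```shell
#!/bin/sh
# Added example: work out which of the advisory's update commands apply to a
# Galaxy checkout, given its VCS, current branch and major release version.
# Assumption: lib/galaxy/version.py has a line like  VERSION_MAJOR = "15.05"

# Extract the major release (YY.MM) from the text of lib/galaxy/version.py.
galaxy_major_from_version_py() {
    printf '%s\n' "$1" \
      | sed -n 's/^VERSION_MAJOR[[:space:]]*=[[:space:]]*"\([0-9][0-9]\.[0-9][0-9]\)".*/\1/p' \
      | head -n 1
}

# Print the update commands for VCS ("git" or "hg"), current branch and major
# release. Pass keep_release=1 to stay on the current major release when on
# master/stable instead of moving to the latest release with a plain pull.
galaxy_update_plan() {
    vcs=$1; branch=$2; major=$3; keep_release=${4:-0}
    case "$vcs:$branch" in
        git:release_[0-9][0-9].[0-9][0-9])
            echo "git pull" ;;
        hg:release_[0-9][0-9].[0-9][0-9])
            echo "hg pull -u" ;;
        git:master)
            if [ "$keep_release" = 1 ]; then
                echo "git checkout -b release_$major origin/release_$major"
                echo "git pull"
            else
                echo "git pull"
            fi ;;
        hg:stable)
            if [ "$keep_release" = 1 ]; then
                echo "hg pull"
                echo "hg update release_$major"
            else
                echo "hg pull -u"
            fi ;;
        *)
            echo "unsupported VCS/branch combination: $vcs $branch" >&2
            return 1 ;;
    esac
}

# Report "<vcs> <branch>" for the checkout in the current directory.
galaxy_current_branch() {
    if [ -d .git ]; then printf 'git %s\n' "$(git rev-parse --abbrev-ref HEAD)"
    elif [ -d .hg ]; then printf 'hg %s\n' "$(hg branch)"
    else echo "no git or hg checkout found in $(pwd)" >&2; return 1; fi
}
```

Run the printed commands from the Galaxy root, then restart all Tool Shed server processes as the advisory requires.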

On behalf of the Galaxy Committers,
--nate

_______________________________________________
galaxy-announce mailing list
https://lists.galaxyproject.org/listinfo/galaxy-announce