[galaxy-announce] Galaxy Tool Shed security vulnerability

classic Classic list List threaded Threaded
1 message Options
| Threaded
Open this post in threaded view
|

[galaxy-announce] Galaxy Tool Shed security vulnerability

Nate Coraor
Please note: This notice affects Galaxy Tool Shed servers only. Galaxy servers are unaffected.

A security vulnerability was recently discovered by Daniel Blankenberg of the Galaxy Team that would allow a malicious person to execute arbitrary code on a Galaxy Tool Shed server. The vulnerability is due to reuse of tool loading code from Galaxy, which executes "code files" defined by Galaxy tool config files. Because the Tool Shed allows any user to create and "load" tools, any user could cause arbitrary code to be executed by the Tool Shed server. In Galaxy, administrators control which tools are loaded, which is why this vulnerability does not affect Galaxy itself.

Although we recommend upgrading to the latest stable version (15.03.2), a fix for this issue has been committed to Galaxy versions from 14.08 and newer. If you are using Mercurial, you can update with (where YY.MM corresponds to the Galaxy release you are currently running):

  % hg pull
  % hg update release_YY.MM


If you are using git, you can update with (assuming your remote upstream is set to https://github.com/galaxyproject/galaxy/):

If you have not yet set up a remote tracking branch for the release you are using:

  % git fetch upstream
  % git checkout -b release_YY.MM upstream/release_YY.MM

Otherwise:

  % git pull upstream release_YY.MM

For the changes to take effect, you must restart all Tool Shed server processes.

Credit for the arbitrary code execution fix also goes to my fellow Galaxy Team member Daniel Blankenberg.

On behalf of the Galaxy Team,
--nate

_______________________________________________
galaxy-announce mailing list
[hidden email]
https://lists.galaxyproject.org/listinfo/galaxy-announce
To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/