A security vulnerability was recently discovered by Björn Grüning with Galaxy's 
"user impersonation" feature that can expose an administrator's active history 
to users whom they impersonate.  Only Galaxy instances with 
`allow_user_impersonation = True` set in their configurations are affected, and 
only if an administrator makes use of the impersonation feature.  By default, 
user impersonation is disabled.

A fix (id: 9d42f1e32efb) has been provided in the stable branch of Galaxy.  To 
apply the fix, ensure you are on the stable branch and upgrade to the latest 
changeset:

  % hg branch
  stable

  % hg pull -u

For Galaxy installations on relatively old versions that administrators are not 
yet ready to upgrade, there are three workarounds.  First, the patch can be 
downloaded and applied manually:

  % wget -O security.patch \
      https://bitbucket.org/galaxy/galaxy-central/commits/9d42f1e32efb654fda1e011dc66a4aa5888717f1/raw/

and then:

  % hg patch security.patch

or:

  % patch -p1 < security.patch

Second, the impersonation feature can be disabled by setting the following 
option in Galaxy's configuration file:

  allow_user_impersonation = False

In all of the above cases, the Galaxy server process(es) must be restarted for 
the change to take effect.

Third, the feature can be left enabled and unpatched, and the vulnerability can 
be worked around by educating administrators who use the feature.  As long as a 
new history is created by the administrator prior to switching to the 
impersonated user, no data will be exposed to the impersonated user.
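As an added audit helper that is not part of this advisory or of Galaxy itself, the following POSIX shell script checks the two conditions the advisory names: whether `allow_user_impersonation` is set to True in the configuration file (assumed to be INI-style, with `universe_wsgi.ini` as an assumed default name) and whether the fix changeset 9d42f1e32efb is present in the local Mercurial clone.

```shell
# Added audit helper: not part of the Galaxy advisory or of Galaxy itself.
# Assumptions: the Galaxy config is an INI-style file (universe_wsgi.ini is
# assumed as its default name) and the checkout is a Mercurial clone.
FIX_CHANGESET=9d42f1e32efb   # changeset id from the advisory

# impersonation_enabled CONFIG
# Prints "enabled" if the last uncommented allow_user_impersonation line
# is True (any case), otherwise "disabled" (the documented default).
# Returns 2 if the file cannot be read.
impersonation_enabled() {
    [ -r "$1" ] || return 2
    val=$(awk -F= '
        /^[ \t]*allow_user_impersonation[ \t]*=/ {
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); last = v
        }
        END { print last }' "$1")
    case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
        true) echo enabled ;;
        *)    echo disabled ;;
    esac
}

# fix_applied REPO_DIR
# Returns 0 if the fix changeset is in the local Mercurial history;
# 1 if it is absent or the directory is not a Mercurial clone;
# 2 if hg itself is not installed.
fix_applied() {
    command -v hg >/dev/null 2>&1 || return 2
    hg -R "$1" log -r "$FIX_CHANGESET" --template '{node}\n' \
        >/dev/null 2>&1 && return 0 || return 1
}

# audit CONFIG REPO_DIR
# Prints one verdict line; returns 0 when the instance is not exposed,
# 1 when it is, 2 when the config could not be read.
audit() {
    state=$(impersonation_enabled "$1") || { echo "cannot read $1"; return 2; }
    if [ "$state" = disabled ]; then
        echo "not exposed: user impersonation is disabled"; return 0
    fi
    if fix_applied "$2"; then
        echo "not exposed: impersonation enabled, fix $FIX_CHANGESET present"; return 0
    fi
    echo "EXPOSED: impersonation enabled, fix $FIX_CHANGESET not found in $2"; return 1
}

# Usage: sh galaxy_impersonation_audit.sh universe_wsgi.ini /path/to/galaxy-dist
[ $# -eq 2 ] && audit "$1" "$2"
```

A commented-out `#allow_user_impersonation = True` line is treated as the default (disabled), matching the advisory's statement that the feature is off unless explicitly set.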

--nate
Galaxy Team