A security vulnerability was recently discovered by Inge Alexander Raknes that 
would allow a malicious person to execute arbitrary code on a Galaxy server. 
The vulnerability was in a method that uses Python "pickle" functionality to 
decode state information from tool forms. Because pickles can be used to 
instantiate arbitrary Python objects, tool states could be constructed to 
exploit this vulnerability.

Because this vulnerability allows for arbitrary code execution, administrators 
are strongly encouraged to apply this fix IMMEDIATELY. We have tried to make it 
as easy and quick as possible for server administrators to update their Galaxy 
instances. The fix has been applied to every stable release from 2013.01.13 
until the tip, so it is possible to get this fix on older releases without 
updating to a newer feature release. You can do this by identifying your 
current release and updating to the `latest_<release_date>` tag corresponding 
to your release.

For example, if you are running release_2013.11.04 (or a subsequent commit to 
the stable branch of Galaxy between release_2013.11.04 and release_2014.02.10), 
you can update with:

 % hg pull
 % hg update latest_2013.11.04


If you do not want to pull any upstream changes, we have also created a 
standalone patch that fixes this problem, with multiple versions depending on 
your current Galaxy release:

 - pickle-2013.11.04.patch - This patch should apply cleanly (with offset/fuzz) 
to releases from 2013.11.04 up to the current stable tip. Available at: 

 - pickle-2013.01.13.patch - This patch should apply cleanly (with offset/fuzz) 
to releases from 2013.01.13 up to 2013.08.12, and possibly older versions of 
Galaxy as well. Available at: 

 If you happen to be running a very recent revision on the default branch or 
the newly created next-stable branch, a pickle-default.patch file exists at the 
same place.

For older releases or instances with conflicting local modifications, manual 
application of the patch should not be difficult as it only includes a few 
small changes. To apply the patch, navigate to the root of your Galaxy 
directory, then run (replacing <url_to_patch> with the URL above that is 
correct for your release):

 % wget -O pickle.patch <url_to_patch>


 % curl -o pickle.patch <url_to_patch>

and then:

 % patch -p1 < pickle.patch
 patching file lib/galaxy/util/__init__.py
 Hunk #1 succeeded at 575 with fuzz 2 (offset -113 lines).
 patching file lib/galaxy/webapps/galaxy/controllers/ucsc_proxy.py

Again, for the changes to take effect, YOU MUST RESTART ALL GALAXY SERVER 

The Galaxy Team would like to extend special thanks to Inge Alexander Raknes 
and colleagues, who privately disclosed the vulnerability, with a full analysis 
and proof of concept.

Credit for the fix and subsequent testing goes to my fellow Galaxy Team members 
John Chilton and Dannon Baker.

On behalf of the Galaxy Team,
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:

To search Galaxy mailing lists use the unified search at:

Reply via email to