This bug predates Galaxy's transition to mercurial - so I would
definitely encourage applying the patch by hand and restarting Galaxy.
On Tue, Aug 5, 2014 at 9:13 PM, Dooley, Damion <damion.doo...@bccdc.ca> wrote:
> Does this apply to all past Galaxy installs? I have an older Galaxy site
> I've been wanting to phase out rather than upgrade. For now I'd like to use a
> patch, but the site version (parent: 7148:17d57db9a7c0) predates any of the tags.
> I presume I'd have to just implement the patch by hand?
> Date: Thu, 31 Jul 2014 14:55:57 -0400
> From: Nate Coraor <n...@bx.psu.edu>
> To: Galaxy Development <firstname.lastname@example.org>,
> Subject: [galaxy-dev] Galaxy Security Vulnerability
> Message-ID: <d482333d-384e-49c8-8dd8-c752e4b0a...@bx.psu.edu>
> A security vulnerability was recently discovered by Inge Alexander Raknes
> that would allow a malicious person to execute arbitrary code on a Galaxy
> server. The vulnerability was in a method that uses Python "pickle"
> functionality to decode state information from tool forms. Because pickles
> can be used to instantiate arbitrary Python objects, tool states could be
> constructed to exploit this vulnerability.
> - pickle-2013.01.13.patch - This patch should apply cleanly (with
> offset/fuzz) to releases from 2013.01.13 up to 2013.08.12, and possibly older
> versions of Galaxy as well. Available at:
> Please keep all replies on the list by using "reply all"
> in your mail client. To manage your subscriptions to this
> and other Galaxy lists, please use the interface at:
> To search Galaxy mailing lists use the unified search at:
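Added example, not Galaxy's own code or the patch from the advisory: it shows why pickle-decoded form state is dangerous and what a data-only decoder looks like. The opcode scan, the restricted unpickler and the JSON replacement are assumptions about a reasonable fix, and the sample states are constructed here.

```python
import io
import json
import os
import pickle
import pickletools

# Pickle opcodes through which a pickle can reach code, not just plain data
# (added example; constructed here, not Galaxy's own decoder).
RISKY_OPS = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
             "REDUCE", "BUILD"}


def risky_opcodes(data: bytes) -> set:
    """Risky opcode names in a pickle, found by disassembling it without loading it."""
    return {op.name for op, _arg, _pos in pickletools.genops(data)} & RISKY_OPS


class _DataOnlyUnpickler(pickle.Unpickler):
    """Second line of defence: refuse to resolve any module.name reference at all."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError("refusing to resolve %s.%s" % (module, name))


def load_tool_state(data: bytes):
    """Decode a pickled form state only if it is pure data: returns (ok, value_or_reason)."""
    found = risky_opcodes(data)
    if found:
        return False, "rejected opcodes: " + ", ".join(sorted(found))
    try:
        return True, _DataOnlyUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def decode_json_state(text: str) -> dict:
    """The safer direction: JSON can only ever yield dicts, lists, strings, numbers."""
    state = json.loads(text)
    if not isinstance(state, dict):
        raise ValueError("tool state must be a JSON object")
    return state


# Constructed sample inputs (not real Galaxy tool states).
SAFE_SAMPLE = pickle.dumps({"input1": "reads.fastq", "threshold": 3, "tags": ["a", "b"]})
# A harmless function reference: loading it still resolves a global by name,
# which is exactly the step a crafted state would abuse.
RISKY_SAMPLE = pickle.dumps(os.getcwd)
JSON_SAMPLE = '{"input1": "reads.fastq", "threshold": 3}'
```

Plain `pickle.loads(RISKY_SAMPLE)` would happily hand back the function object; the scan rejects it before any byte is interpreted, and the restricted unpickler catches anything the scan does not.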