A security vulnerability was recently discovered by Scott B. Szakonyi at
The Center for Research Computing at the University of Notre Dame that
would allow a malicious actor to exploit the workflow import form to cause
a user's browser to execute javascript not originating from within Galaxy.
This could allow the malicious actor to gain unauthorized access to Galaxy
accounts or client data.


This issue affects all known versions of Galaxy.

In early 2015, the Galaxy Team performed a large XSS audit, the results of
which were applied to versions 14.10 and later. Using Galaxy versions
earlier than 14.10 is not advisable.


Exploitation of reflected XSS vulnerabilities typically requires some
coordination, but the consequences of exploitation can result in data or
account exposure, so the risk of leaving the issue unfixed is moderate.
Administrators of affected servers are encouraged to update immediately.


To apply the fix, first identify your current Galaxy release version using
the `git branch` or `hg branch` commands. If you are on a 'release_YY.MM'
branch, you can update with:

  % git pull


  % hg pull -u

The process above can also be used to update to the 15.07 release if you
are on the 'master' git branch or the 'stable' hg branch. If you are on the
'master'/'stable' branch and wish to remain on your current Galaxy major
release, check the 'lib/galaxy/version.py' file to determine your major
release version, then update to the appropriate branch:

  % git checkout -b release_YY.MM origin/release_YY.MM
  % git pull


  % hg pull
  % hg update release_YY.MM

For the changes to take effect, YOU MUST RESTART ALL GALAXY SERVER

On behalf of the Galaxy Committers,
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:

To search Galaxy mailing lists use the unified search at:

Reply via email to