[galaxy-dev] Announcing the October 2016 (v16.10) Galaxy Release

2016-12-15 Thread Nate Coraor
The Galaxy Committers team is pleased to announce the *October 2016 (v16.10)
release of Galaxy*.

Security

An arbitrary code execution vulnerability in two tools and an XSS
vulnerability with the upload tool were identified this release cycle and
have been fixed concurrently with the release. In addition, the fixes have
been backported to older releases.

The Galaxy Committers would like to thank David Wyde for disclosing these
vulnerabilities. Details follow:

   1. The vulnerable tools are “Filter GFF data by attribute” and “Filter
   GFF data by feature count”, both of which are provided with and enabled by
   default in the Galaxy server. These two tools share code with each other
   and the more general “Filter data on any column using simple expressions”
   tool. The latter was fixed in a previous security disclosure but these GFF
   variants of the tool were missed when updating the Filter tool. These tools
   use the Python eval and exec functions and do not properly sanitize input
   to these functions. The fix for this issue has been applied to Galaxy
   releases back to v14.10 and can be found in Commit c1e3087.
   2. An uploaded file’s name was not properly sanitized, and so a
   specially crafted filename uploaded to the Galaxy server could be used as
   an XSS attack vector. The fix for this issue has been applied to Galaxy
   releases back to v16.07 and can be found in Pull Request 3278.

Highlighted Enhancements


   - Overhaul of charts visualization - more visualizations, more options,
   and better user interface.
   - Paginate contents of large histories.
   - Implement a collection operation tool for merging collections (thanks
   to @Takadonet).
   - Replace reference documentation for tool XML files with automatically
   generated documentation from a now official Galaxy XSD documentation (with
   help from many).
   - Add a password strength evaluation bar (thanks to @benfulton).
   - Implement a GoDocker job runner (thanks to @varunshankar).
   - Support for API batch requests.
   - Allow JSONP to be returned from API endpoints.
   - Add “Save as” as an option in the workflow editor (thanks to
   @tmcgowan).
   - Allow naming input datasets and collections during workflow extraction.
   - Various enhancements for API driven installation of tool shed
   repositories.

Get Galaxy

The code lives at GitHub and you should have Git to obtain it.

*To get a new Galaxy repository run:*

$ git clone -b release_16.10 https://github.com/galaxyproject/galaxy.git

*To update an existing Galaxy repository run:*

$ git checkout release_16.10 && git pull --ff-only origin release_16.10

Release Notes

For full details on all of the enhancements and fixes in this release,
please see the full release notes.


On behalf of the Galaxy Committers, *Thanks for using Galaxy!*

--nate
___
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/

[galaxy-dev] Galaxy Security Vulnerability - Arbitrary code execution

2016-12-15 Thread Nate Coraor
*DESCRIPTION*

A security vulnerability was recently discovered by David Wyde in two
Galaxy tools that are provided with and enabled by default in the Galaxy
server. These vulnerabilities allow malicious actors to execute arbitrary
code as the user running the Galaxy server.

The vulnerable tools are "Filter GFF data by attribute" and "Filter GFF
data by feature count", two tools which share code with each other and the
more general "Filter data on any column using simple expressions" tool. The
latter was fixed in a previous security disclosure but these GFF variants
of the tool were missed when updating the Filter tool.

These tools use the Python `eval` and `exec` functions and do not properly
sanitize input to these functions.

Additionally, an XSS vulnerability with the upload tool: An uploaded file's
name was not properly sanitized, and so a specially crafted filename
uploaded to the Galaxy server could be used as an XSS attack vector. This
vulnerability has already been fixed in the 16.07 and 16.10 Galaxy releases.

The Galaxy Committers would like to thank David for disclosing these
vulnerabilities. If you discover security vulnerabilities in Galaxy, please
report them to the Galaxy Committers at
galaxy-committ...@lists.galaxyproject.org.

*AFFECTED VERSIONS*

This arbitrary code execution vulnerability is present in all known
releases of Galaxy using the default tool config or a tool config in which
these tools are loaded. To determine if your Galaxy server is affected,
check your tool_conf.xml for the following lines:




If you are unsure, you can also check to see if the tools have loaded by
searching for them in your Galaxy server logs, e.g.:

  % grep gff_filter paster.log
  galaxy.tools.toolbox.base DEBUG 2016-12-08 13:25:16,930 Loaded tool id:
gff_filter_by_attribute, version: 0.1 into tool panel..
  galaxy.tools.toolbox.base DEBUG 2016-12-08 13:25:16,930 Loaded tool id:
gff_filter_by_feature_count, version: 0.1 into tool panel..

*IMPACT*

This vulnerability can be exploited to execute arbitrary code as the user
that runs Galaxy jobs on any system where Galaxy runs those jobs
(potentially a cluster). Such code can be used to provide a remote shell to
an attacker, or read/write/delete files that the Galaxy user has
appropriate permissions on.

*SOLUTION*

Multiple solutions exist for the arbitrary code execution vulnerability:

1. Update your Galaxy code. A fix for the issue has been applied to stable
releases of Galaxy back to version 14.10.

2. Disable the affected tools.

3. Patch the affected tools. Patches to fix the vulnerabilities (depending
on the version of Galaxy that you are running) can be found below.

*INSTRUCTIONS*

1. To apply the fix, first identify your current Galaxy release version
using the `git branch` command. If you are on a 'release_YY.MM' branch, you
can update with:

  % git pull

The process above can also be used to update to the 16.10 release if you
are on the 'master' git branch. If you are on the 'master' branch and wish
to remain on your current Galaxy major release, check the
'lib/galaxy/version.py' file to determine your major release version, then
update to the appropriate branch:

  % git fetch origin
  % git checkout -b release_YY.MM origin/release_YY.MM
  % git pull

2. To disable the tools, locate and remove the following lines from your
tool_conf.xml, then restart Galaxy:




3. To manually patch the tools, use the appropriate patch file below:

For Galaxy releases 16.01 to dev:

  https://depot.galaxyproject.org/patch/filter_security_16_01.patch

For Galaxy releases 15.07 to 15.10:

  https://depot.galaxyproject.org/patch/filter_security_15_07.patch

For Galaxy releases 14.10 to 15.05:

  https://depot.galaxyproject.org/patch/filter_security_14_10.patch

To apply the patch, navigate to the root of your Galaxy directory, then
execute (replacing  with the url above appropriate for your
current Galaxy release):

  % wget -O filter_security.patch 

or:

  % curl -o filter_security.patch 

and then test applying the patch:

  % patch -p1 --dry-run < filter_security.patch
  checking file tools/filters/gff/gff_filter_by_attribute.py
  checking file tools/filters/gff/gff_filter_by_attribute.xml
  checking file tools/filters/gff/gff_filter_by_feature_count.py
  checking file tools/filters/gff/gff_filter_by_feature_count.xml

If this succeeds without error (applying successfully with fuzz/offset is
fine), apply with:

  % patch -p1 < filter_security.patch
  patching file tools/filters/gff/gff_filter_by_attribute.py
  patching file tools/filters/gff/gff_filter_by_attribute.xml
  patching file tools/filters/gff/gff_filter_by_feature_count.py
  patching file tools/filters/gff/gff_filter_by_feature_count.xml

In all cases, for the changes to take effect, *YOU MUST RESTART ALL GALAXY
SERVER PROCESSES*.

On behalf of the Galaxy Committers,
--nate
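As an added example (not Galaxy's own code and not the fix referenced in the announcement or this advisory), this shows one defensive pattern for the eval-based column filter design that both messages describe: parse the user-supplied condition with Python's ast module, accept only boolean logic, comparisons, simple arithmetic, literals and column names c1..cN, and evaluate the validated expression with builtins removed. The c1..cN naming and the GFF-style sample rows are assumptions constructed for the example.

```python
import ast
import re

# Node types a filter condition may contain: boolean logic, comparisons, simple
# arithmetic, column names and literals; calls, attribute access and the rest are
# rejected before the expression ever reaches eval().
ALLOWED_NODES = (
    ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not, ast.USub,
    ast.Compare, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE, ast.In, ast.NotIn,
    ast.BinOp, ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod,
    ast.Name, ast.Load, ast.Constant,
)
COLUMN_NAME = re.compile(r"c[1-9][0-9]*$")  # only column names c1, c2, ... may appear

# Constructed GFF-style sample rows (assumed layout, not real data).
SAMPLE = [
    "chr1\tsrc\tgene\t100\t900\t.\t+\t.\tID=g1",
    "chr1\tsrc\texon\t1500\t2000\t.\t+\t.\tID=e1",
    "chr2\tsrc\tgene\t3000\t3200\t.\t-\t.\tID=g2",
]

def compile_condition(cond):
    # Walk the parsed expression and refuse anything outside the whitelist.
    tree = ast.parse(cond, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise ValueError("disallowed syntax in condition: %s" % type(node).__name__)
        if isinstance(node, ast.Name) and not COLUMN_NAME.match(node.id):
            raise ValueError("unknown name in condition: %s" % node.id)
    return compile(tree, "<condition>", "eval")

def _typed(value):
    try:
        return float(value)  # numeric columns compare numerically
    except ValueError:
        return value

def filter_rows(lines, cond):
    # Keep tab-separated lines for which the validated condition holds.
    code = compile_condition(cond)
    kept = []
    for line in lines:
        cols = {"c%d" % (i + 1): _typed(v) for i, v in enumerate(line.split("\t"))}
        try:
            # Builtins are stripped, so only the whitelisted c1..cN names resolve.
            if eval(code, {"__builtins__": {}}, cols):
                kept.append(line)
        except (NameError, TypeError):
            pass  # row lacks a referenced column, or its types are not comparable
    return kept
```

The validation step is what matters: a condition such as `c1 == 'chr1' and c4 > 1000` passes, while any condition containing a call, attribute access or a name other than a column is refused before evaluation.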

Re: [galaxy-dev] devteam dropped support for installing tool dependencies from toolshed?

2016-12-15 Thread Björn Grüning
Hi Peter,

Am 15.12.2016 um 11:28 schrieb Peter Briggs:
> Dear developers
> 
> It looks like some updates to 'devteam'-maintained toolshed tools have
> dropped support for tool_dependencies.xml (e.g. fastqc, freebayes), so
> their dependencies cannot be automatically installed from the toolshed.
> Is this correct? I assume that it's part of the move to enforcing conda
> dependency resolution.

Yes. We really hope we are ready to go for conda, John and Marius have
improved the conda support dramatically in the last months.

Thanks,
Bjoern

> Best wishes
> 
> Peter
> 

[galaxy-dev] devteam dropped support for installing tool dependencies from toolshed?

2016-12-15 Thread Peter Briggs

Dear developers

It looks like some updates to 'devteam'-maintained toolshed tools have 
dropped support for tool_dependencies.xml (e.g. fastqc, freebayes), so 
their dependencies cannot be automatically installed from the toolshed. 
Is this correct? I assume that it's part of the move to enforcing conda 
dependency resolution.


Best wishes

Peter

--
Peter Briggs peter.bri...@manchester.ac.uk
Bioinformatics Core Facility University of Manchester
B.1083 Michael Smith Bldg Tel: (0161) 2751482