Re: [galaxy-dev] Galaxy Security Vulnerability

2014-08-05 Thread John Chilton
This bug predates Galaxy's transition to mercurial - so I would
definitely encourage applying the patch by hand and restarting Galaxy.

-John

On Tue, Aug 5, 2014 at 9:13 PM, Dooley, Damion  wrote:
> Does this apply to all past galaxy installs?  I have an older galaxy site 
> I've been wanting to phase out rather than upgrade. For now I'd like to use a 
> patch but site version (parent: 7148:17d57db9a7c0 ) predates any of the tags. 
>  I presume I'd have to just implement the patch by hand?
>
> Regards,
>
> Damion
>
>
>
> Message: 7
> Date: Thu, 31 Jul 2014 14:55:57 -0400
> From: Nate Coraor 
> To: Galaxy Development ,
> galaxy-annou...@lists.bx.psu.edu
> Subject: [galaxy-dev] Galaxy Security Vulnerability
> Message-ID: 
> Content-Type: text/plain; charset="us-ascii"
>
> A security vulnerability was recently discovered by Inge Alexander Raknes 
> that would allow a malicious person to execute arbitrary code on a Galaxy 
> server. The vulnerability was in a method that uses Python "pickle" 
> functionality to decode state information from tool forms. Because pickles 
> can be used to instantiate arbitrary Python objects, tool states could be 
> constructed to exploit this vulnerability.
> ...
>
>  - pickle-2013.01.13.patch - This patch should apply cleanly (with 
> offset/fuzz) to releases from 2013.01.13 up to 2013.08.12, and possibly older 
> versions of Galaxy as well. Available at: 
> https://depot.galaxyproject.org/patch/pickle-2013.01.13.patch
>
>
> ___
> Please keep all replies on the list by using "reply all"
> in your mail client.  To manage your subscriptions to this
> and other Galaxy lists, please use the interface at:
>   http://lists.bx.psu.edu/
>
> To search Galaxy mailing lists use the unified search at:
>   http://galaxyproject.org/search/mailinglists/



Re: [galaxy-dev] Galaxy Security Vulnerability

2014-08-05 Thread Dooley, Damion
Does this apply to all past galaxy installs?  I have an older galaxy site I've 
been wanting to phase out rather than upgrade. For now I'd like to use a patch 
but site version (parent: 7148:17d57db9a7c0 ) predates any of the tags.  I 
presume I'd have to just implement the patch by hand?

Regards,

Damion



Message: 7
Date: Thu, 31 Jul 2014 14:55:57 -0400
From: Nate Coraor 
To: Galaxy Development ,
galaxy-annou...@lists.bx.psu.edu
Subject: [galaxy-dev] Galaxy Security Vulnerability
Message-ID: 
Content-Type: text/plain; charset="us-ascii"

A security vulnerability was recently discovered by Inge Alexander Raknes that 
would allow a malicious person to execute arbitrary code on a Galaxy server. 
The vulnerability was in a method that uses Python "pickle" functionality to 
decode state information from tool forms. Because pickles can be used to 
instantiate arbitrary Python objects, tool states could be constructed to 
exploit this vulnerability.
...

 - pickle-2013.01.13.patch - This patch should apply cleanly (with offset/fuzz) 
to releases from 2013.01.13 up to 2013.08.12, and possibly older versions of 
Galaxy as well. Available at: 
https://depot.galaxyproject.org/patch/pickle-2013.01.13.patch
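The advisory above describes the general hazard: a tool-form state decoded with pickle lets the sender pick which callable gets invoked. The following is an added illustration, not Galaxy code and not the linked patch; the state dict, `vulnerable_decode`, `safe_decode` and `references_globals` are all assumed names. It contrasts the trusting decoder with a restricted unpickler that refuses every global lookup (plain-data state never needs one) and adds a scan that flags global references without executing the blob.

```python
import io
import pickle
import pickletools

# Constructed sample: a tool-form state is nested plain data only.
BENIGN_STATE = {"__page__": 0, "input1": "hg19", "params": [1, 2, 3]}


class _Marker:
    # Any object whose __reduce__ names a callable makes pickle.loads
    # call it. A harmless builtin (len) stands in for the real thing.
    def __reduce__(self):
        return (len, ("abc",))


BENIGN_BLOB = pickle.dumps(BENIGN_STATE)
HOSTILE_BLOB = pickle.dumps(_Marker())


def vulnerable_decode(blob):
    # The pattern the advisory describes: trusts whatever the client sent.
    return pickle.loads(blob)


class _RestrictedUnpickler(pickle.Unpickler):
    # Refuse every module/name lookup; dicts, lists, str and int never
    # trigger find_class, so benign state still loads.
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} forbidden")


def safe_decode(blob):
    return _RestrictedUnpickler(io.BytesIO(blob)).load()


def rejects(blob):
    # True when the hardened decoder refuses the blob.
    try:
        safe_decode(blob)
    except pickle.UnpicklingError:
        return True
    return False


def references_globals(blob):
    # Detection without execution: disassemble and look for the opcodes
    # that resolve a module.name (GLOBAL, STACK_GLOBAL, legacy INST).
    return any(op.name in ("GLOBAL", "STACK_GLOBAL", "INST")
               for op, _arg, _pos in pickletools.genops(blob))


if __name__ == "__main__":
    print("benign ok:", safe_decode(BENIGN_BLOB) == BENIGN_STATE)
    print("hostile flagged:", references_globals(HOSTILE_BLOB))
    print("hostile rejected:", rejects(HOSTILE_BLOB))
```

Running it shows the trusting decoder actually invokes the referenced callable (`vulnerable_decode(HOSTILE_BLOB)` returns 3, i.e. `len("abc")` ran), while the restricted decoder raises before any object is built.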

