Galaxy 16.01 Release
by Nate Coraor
The Galaxy Committers team is pleased to announce the January 2016 (v16.01)
release of Galaxy. Galaxy administrators should also be aware of the
security announcements that I am posting simultaneously with this release
announcement. The release notes follow.
From: https://docs.galaxyproject.org/en/master/releases/16.01_announce.html
January 2016 Galaxy Release (v 16.01)
Highlights
*Interactive Tours*
The interactive tours framework allows developers and deployers to build
interactive tutorials for users superimposed on the actual Galaxy web front
end. Unlike video tutorials, these will not become stale and are truly
interactive (allowing users to actually navigate and interact with Galaxy).
Galaxy 16.01 ships with two example tours and new ones can easily be added
by creating a small YAML file describing the tour. Try the Galaxy UI tour
on Main.
*Wheels*
Galaxy’s Python dependencies have traditionally been distributed as eggs
using custom dependency management code to enable Galaxy to distribute
binary dependencies (enabling quick downloads and minimal system
requirements). With this release all of that infrastructure has been
replaced with a modern Python infrastructure based on pip and wheels. Work
done as part of this to enable binary dependencies on Linux has been
included with the recently released pip 8.
Detailed documentation on these changes and their impact under a variety of
Galaxy deployment scenarios can be found in the Galaxy Framework
Dependencies section of the Admin documentation.
*Nested Workflows*
Workflows may now run other workflows as a single abstract step in the
parent workflow. This allows for reusing subworkflows in your analyses.
Github
*New*
% git clone -b master https://github.com/galaxyproject/galaxy.git
*Update to latest stable release*
% git checkout master && git pull --ff-only origin master
*Update to exact version*
% git checkout v16.01
BitBucket
*Upgrade*
% hg pull
% hg update latest_16.01
See our wiki for additional details regarding the source code locations.
Deprecation Notices
Barring a strong outcry from deployers, 16.01 will be the last release of
Galaxy to support Python 2.6. For more information, see Galaxy Github Issue
#1596.
Galaxy Security Vulnerability - Read/write arbitrary filesystem paths, arbitrary code execution
by Nate Coraor
*DESCRIPTION*
Multiple security vulnerabilities were recently discovered in Galaxy that
allow malicious actors to read and write files on the Galaxy server.
Additionally, Galaxy servers on which a rarely used feature has been
enabled are vulnerable to an arbitrary code execution exploit.
1. A write vulnerability exists in the history import mechanism. It is
possible to create a history tar archive that contains files with parent
directory components in the file path (e.g. "foo/../../bar" would extract
to "../bar"), and these archive members would be written if the user
running the Galaxy server had write permission to the given path.
2. A read vulnerability exists in the object store path composition code.
Galaxy allows clients to add elements to the end of a path to "extra" files
associated with a dataset (as is the case with composite datatypes). These
elements were not being checked to ensure they did not contain relative
parent references ('..') or did not start with an absolute path character
('/'). Because of this, the dataset display methods could be manipulated to
return the contents of any files for which the Galaxy server user had read
permission.
3. An arbitrary code execution vulnerability exists in the Galaxy sample
tracking system. The sample tracking system included a feature which
allowed administrators to browse remote "external services" (such as
sequencers) to choose files to transfer to the Galaxy server. This browsing
code used a shell invocation which did not sanitize user input. However,
this code is only reachable if at least one external service has ever been
defined.
The Galaxy Committers would like to thank Youri Hoogstrate at the Erasmus
MC, Rotterdam, who initially reported a similar vulnerability in the Tool
Shed. Through additional auditing based on this attack vector, we
discovered the other vulnerabilities.
*AFFECTED VERSIONS*
This issue affects all known releases of Galaxy in at least the last 3
years.
*IMPACT*
The read and write vulnerabilities can be exploited to write to any path on
the Galaxy server writable by the Galaxy user, which can be potentially
destructive to Galaxy configuration files and data.
Additionally, they can be used to read any file available on the system
that is readable by the user running the Galaxy server, including Galaxy
config files, data, system config files, contents of /proc, etc.
As such, Galaxy administrators are strongly encouraged to update
immediately.
The arbitrary code execution vulnerability can be exploited to execute any
shell command as the Galaxy user, which is also very dangerous. If your
Galaxy instance has had an external service configured at any point in the
past, you are strongly encouraged to update immediately.
*SOLUTION*
Fixes for these vulnerabilities have been applied to the 14.10 and newer
release branches in the public GitHub and Bitbucket repositories. Galaxy
versions older than 14.10 should upgrade (preferably to 16.01). To apply
the fix, first identify your current Galaxy release version using the `git
branch` or `hg branch` commands. If you are on a 'release_YY.MM' branch,
you can update with:
% git pull
or:
% hg pull -u
The process above can also be used to update to the 16.01 release if you
are on the 'master' git branch or the 'stable' hg branch. If you are on the
'master'/'stable' branch and wish to remain on your current Galaxy major
release, check the 'lib/galaxy/version.py' file to determine your major
release version, then update to the appropriate branch:
% git checkout -b release_YY.MM origin/release_YY.MM
% git pull
or:
% hg pull
% hg update release_YY.MM
For the changes to take effect, *YOU MUST RESTART ALL GALAXY SERVER
PROCESSES*.
On behalf of the Galaxy Committers,
--nate
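The two checks a defender wants for items 2 and 3 of the advisory above, as an added example that is not Galaxy's own code: a path composer that refuses client-supplied "extra files" elements containing '..' anywhere or starting with '/', and verifies the composed path still lies under the dataset directory after symlink resolution; and a browse routine that runs its command as an argv list so no shell ever parses the path. The function names are hypothetical, and a local `ls` stands in for the remote "external service" command so that the example runs offline (the argv-list discipline is the same for an ssh or sftp invocation).

```python
import os
import subprocess
import tempfile

# Added example (not Galaxy's own code). Function names are hypothetical.


def is_valid_path_element(element):
    """Reject a client-supplied path element that is empty, absolute, or
    carries a '..' component anywhere, not only at the start."""
    if not element or os.path.isabs(element) or element.startswith(("/", "\\")):
        return False
    parts = element.replace("\\", "/").split("/")
    return all(part not in ("", "..") for part in parts)


def safe_extra_files_path(extra_files_dir, *elements):
    """Compose <extra_files_dir>/<elements...> and prove the result stays
    under extra_files_dir even after symlinks are resolved."""
    for element in elements:
        if not is_valid_path_element(element):
            raise ValueError("rejected path element: %r" % (element,))
    base = os.path.realpath(extra_files_dir)
    candidate = os.path.realpath(os.path.join(base, *elements))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise ValueError("composed path escapes %r" % (extra_files_dir,))
    return candidate


def is_safe_extra_files_path(extra_files_dir, *elements):
    """Boolean wrapper for callers that prefer a check to an exception."""
    try:
        safe_extra_files_path(extra_files_dir, *elements)
    except ValueError:
        return False
    return True


def list_directory(path):
    """Browse a directory through an argv list: the command receives `path`
    as a single literal argument, so metacharacters in it or in file names
    are never interpreted.  A local `ls` stands in for the remote command."""
    result = subprocess.run(["ls", "-1", "--", path],
                            capture_output=True, text=True, check=True)
    return sorted(line for line in result.stdout.splitlines() if line)


def demo():
    """Constructed scenario: a file whose name carries shell metacharacters
    inside a dataset's extra-files directory, plus three traversal attempts
    and one legitimate element fed to the path composer."""
    with tempfile.TemporaryDirectory() as root:
        extra = os.path.join(root, "dataset_1_files")
        os.mkdir(extra)
        awkward_name = "weird; name.txt"          # constructed file name
        open(os.path.join(extra, awkward_name), "w").close()
        listing = list_directory(extra)
        attempts = ["../../etc/passwd", "/etc/passwd", "foo/../../bar", "index.html"]
        accepted = [a for a in attempts if is_safe_extra_files_path(extra, a)]
        return listing, accepted


if __name__ == "__main__":
    print(demo())
```

For a truly local directory `os.listdir` is the right call; the subprocess form is shown because the advisory's browsing code reached a remote service through a command, and the fix there is to stop building that command as a shell string. Note that `ls -1` output is split on newlines, so a file name containing a newline would need a NUL-separated listing instead.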
Galaxy/Tool Shed Security Vulnerability - Read/write arbitrary filesystem paths
by Nate Coraor
*DESCRIPTION*
Multiple security vulnerabilities were recently discovered in the Tool Shed
that allow malicious actors to read and write files on the Tool Shed server
outside of normal Tool Shed repository directories.
1. A write vulnerability exists in the Tool Shed tarball and capsule upload
functionality. It is possible to create a tar archive that contains files
with parent directory components in the file path (e.g. "foo/../../bar"
would extract to "../bar"), and these archive members would be written if
the user running the Tool Shed had write permission to the given path. The
Tool Shed tarball handling code checked for invalid characters ('/' or
'..') at the beginning of the path but not for '..' in the middle of a path.
2. A read vulnerability exists in multiple places. The first is in the (now
deprecated) `hg push` functionality for updating Tool Shed repositories.
This method allows malicious actors to push symlinks whose targets are
outside the repository (either via an absolute or relative path). The
contents of the targets would then be visible in the Tool Shed repository
contents viewer, if the Tool Shed user has read permission on the target.
3. A second read vulnerability exists in the Tool Shed repository contents
viewer. The viewer would allow a malicious actor to specify a path outside
the repository, and if the Tool Shed system user had read permissions on
that path, it would be displayed. The viewer also did not check to ensure
that the targets of symlinks in a repository did not point outside the
repository.
The repository contents viewer read vulnerability also exists in Galaxy,
but is only reachable/exploitable by admin users.
The Galaxy Committers would like to thank Youri Hoogstrate at the Erasmus
MC, Rotterdam, who initially reported the `hg push` vulnerability. Through
additional auditing based on this attack vector, we discovered the other
vulnerabilities.
*AFFECTED VERSIONS*
These issues affect all known releases of the Tool Shed and Galaxy in at
least the last 3 years.
*IMPACT*
This vulnerability can be exploited to read any file available on the
system that is readable by the user running the Tool Shed or Galaxy server,
including Galaxy/Tool Shed config files, data, system config files,
contents of /proc, etc. As such, Tool Shed administrators are strongly
encouraged to update immediately. For Galaxy administrators, the impact is
not as great, unless Galaxy administrators do not have access to the Galaxy
server command line.
*SOLUTION*
Fixes for these vulnerabilities have been applied to the 15.01 and newer
(14.10 in the case of the portion of the vulnerability affecting Galaxy)
release branches in the public GitHub and Bitbucket repositories. Tool Shed
versions older than 15.01 should upgrade (preferably to 16.01). To apply
the fix, first identify your current Galaxy release version using the `git
branch` or `hg branch` commands. If you are on a 'release_YY.MM' branch,
you can update with:
% git pull
or:
% hg pull -u
The process above can also be used to update to the 16.01 release if you
are on the 'master' git branch or the 'stable' hg branch. If you are on the
'master'/'stable' branch and wish to remain on your current Galaxy major
release, check the 'lib/galaxy/version.py' file to determine your major
release version, then update to the appropriate branch:
% git checkout -b release_YY.MM origin/release_YY.MM
% git pull
or:
% hg pull
% hg update release_YY.MM
For the changes to take effect, *YOU MUST RESTART ALL GALAXY SERVER
PROCESSES*.
On behalf of the Galaxy Committers,
--nate
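Item 1 of this advisory (tarball and capsule upload) and item 1 of the Galaxy advisory above (history import) describe the same defect, and items 2 and 3 here add symlinks whose targets leave the repository. The following added example, which is not Galaxy or Tool Shed code, validates every tar member before it is written: a '..' component anywhere in the member path (not only at the start), an absolute member path, and a symlink or hardlink whose target resolves outside the extraction root are all refused. The archive it extracts is constructed inline and the function names are hypothetical.

```python
import io
import os
import tarfile
import tempfile

# Added example (not Galaxy or Tool Shed code). Function names are hypothetical.


def _is_within(base, target):
    """True if target (after symlink resolution) is base or lies below it."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return target == base or target.startswith(base + os.sep)


def check_member(member, dest):
    """Return None if the archive member may be written under dest,
    otherwise a short reason string."""
    name = member.name.replace("\\", "/")
    if not name or os.path.isabs(name) or name.startswith("/"):
        return "absolute or empty path"
    if ".." in name.split("/"):
        return "parent directory component"
    if member.isdev():
        return "device file"
    target = os.path.join(dest, name)
    # realpath also follows any symlink created by an earlier member
    if not _is_within(dest, target):
        return "escapes destination"
    if member.issym():
        link = member.linkname
        resolved = link if os.path.isabs(link) else os.path.join(os.path.dirname(target), link)
        if not _is_within(dest, resolved):
            return "symlink target outside destination"
    if member.islnk() and not _is_within(dest, os.path.join(dest, member.linkname)):
        return "hardlink target outside destination"
    return None


def safe_extract(archive_bytes, dest):
    """Extract only members that pass check_member; return (extracted, rejected)."""
    extracted, rejected = [], []
    # Python 3.12 (and the security backports) ships tarfile.data_filter, which
    # performs equivalent checks; use it as a second layer where it exists.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:
            reason = check_member(member, dest)
            if reason is not None:
                rejected.append((member.name, reason))
                continue
            tar.extract(member, path=dest, **extract_kwargs)
            extracted.append(member.name)
    return extracted, rejected


def build_test_archive():
    """Constructed archive: two legitimate members followed by the three
    member kinds the advisories describe as dangerous."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, data=b"", kind=tarfile.REGTYPE, link=""):
            info = tarfile.TarInfo(name)
            info.type = kind
            info.linkname = link
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data) if data else None)
        add("repo/tool.xml", b"<tool/>")
        add("repo/link_in", kind=tarfile.SYMTYPE, link="tool.xml")
        add("repo/../../escape.txt", b"x")                 # '..' in the middle
        add("/tmp/absolute.txt", b"x")                       # absolute member path
        add("repo/link_out", kind=tarfile.SYMTYPE, link="../../../etc/passwd")
    return buf.getvalue()


def demo():
    """Extract the constructed archive into a scratch directory and report what
    was written, what was refused, and what actually landed on disk."""
    with tempfile.TemporaryDirectory() as dest:
        extracted, rejected = safe_extract(build_test_archive(), dest)
        on_disk = sorted(
            os.path.relpath(os.path.join(d, f), dest)
            for d, _, files in os.walk(dest) for f in files
        )
    return extracted, [name for name, _ in rejected], on_disk


if __name__ == "__main__":
    print(demo())
```

The check runs on the path the member would be written to, after `realpath`, rather than on the member name alone; that is what catches the case where an earlier member planted a symlink and a later one writes through it. A repository contents viewer needs the same `_is_within` test on every path it is asked to display, including the resolved target of any symlink it finds.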