galaxy-announce October 2017

galaxy-announce@lists.galaxyproject.org

2 participants
5 discussions

November News: Blog, pubs, PAG, servers, tools, ...
by Dave Clements 31 Oct '17

31 Oct '17

Hello all, The November 2017 Galaxy News <https://galaxyproject.org/galaxy-updates/2017-11/> is out! - The Galactic Blog takes off <https://galaxyproject.org/galaxy-updates/2017-11/#the-galactic-blog> - Publications <https://galaxyproject.org/galaxy-updates/2017-11/#publications>: - The Galaxy Pub library surpasses 5,000 publications - 110 new pubs added in October, including 5 highlighted pubs - Upcoming events <https://galaxyproject.org/galaxy-updates/2017-11/#events> (9 this month) - Galaxy (and GMOD) at PAG XXVI <https://galaxyproject.org/galaxy-updates/2017-11/#galaxy-and-gmod-at-plant-…> - *PAG Early registration ends today.* - Public Galaxy Server News - 33 pubs in October <https://galaxyproject.org/galaxy-updates/2017-11/#public-servers-in-october…> using, referencing or about public Galaxy servers - Citations section <https://galaxyproject.org/galaxy-updates/2017-11/#citation-sections-added-t…> added to public server list - New public server: BF2I-MAP <https://galaxyproject.org/galaxy-updates/2017-11/#bf2i-map> - And the Language Analysis Portal <https://galaxyproject.org/galaxy-updates/2017-11/#almost-a-public-server-la…> too - ToolShed contributions <https://galaxyproject.org/galaxy-updates/2017-11/#toolshed-contributions> - New releases <https://galaxyproject.org/galaxy-updates/2017-11/#releases> of StarForge and sequence_utils. And Other news <https://galaxyproject.org/galaxy-updates/2017-11/#other-news> too. See the full newsletter <https://galaxyproject.org/galaxy-updates/2017-11/>. Dave C and the Galaxy Team -- https://galaxyproject.org/ https://usegalaxy.org/

1 0

GX-2017-0003: Unauthorized filesystem access via data source tools
by Nate Coraor 23 Oct '17

23 Oct '17

*DESCRIPTION* A medium severity security vulnerability in tools utilizing the Galaxy data source protocol was recently discovered by Dan Blankenberg. This vulnerability allows anyone able to run an external data source tool to add to their history any file that is readable by the user running Galaxy jobs on the host where the job runs. This is due to the Python urllib library's ability to operate on `file://` URLs and a failure to check for such URLs in the tool. This vulnerability has been assigned the disclosure ID GX-2017-0003. *AFFECTED VERSIONS* This vulnerability affects all known versions of Galaxy. *IMPACT* Many such "external data source" tools are provided with the Galaxy distribution and are enabled by default (most tools under the "Get Data" section of the tool panel), meaning that its exploitability is fairly high, as only one such tool needs to be enabled to be vulnerable, including any custom data source tools (any tool that uses `tools/data_source/data_source.py`). What files will be readable depends entirely upon what the job's user has access to read on the host(s) where jobs run. *SOLUTION* Per our security policies[1], we have created fixes for all affected versions of Galaxy. These have been committed to the corresponding `release_YY.MM` (and `dev`) branches in the Galaxy GitHub repository. Releases prior to 16.07 will remain vulnerable and should be updated to a supported release as soon as possible. Eric Rasche recently undertook a hardening of the Galaxy code base against common security mishaps.[2] This included changing most uses of `urllib` to `requests`, which does not operate on `file://` URLs. Although no exploits were identified at that time, we felt this work was of great enough importance to production Galaxy servers that we backported it to releases from 16.07 forward. Because of this, and the GX-2017-0001 and GX-2017-0002 vulnerabilities, administrators are strongly encouraged to update immediately, even if they do not believe their servers are vulnerable. *INSTRUCTIONS* The fixes are available on the `release_16.07` through `release_17.09` and `dev` branches in the Galaxy GitHub repository[3]. You can simply `git pull` or use your normal update procedure to get the changes. For the changes to take effect, *YOU MUST RESTART ALL GALAXY SERVER PROCESSES*. --nate (on behalf of the Galaxy Committers) [1] https://github.com/galaxyproject/galaxy/blob/dev/SECURITY_POLICY.md [2] https://github.com/galaxyproject/galaxy/pull/4604 [3] https://github.com/galaxyproject/galaxy/

1 0

GX-2017-0002: Arbitrary code execution for Galaxy servers with Galaxy Interactive Environments enabled
by Nate Coraor 23 Oct '17

23 Oct '17

*DESCRIPTION* A high severity security vulnerability was recently discovered in Galaxy Interactive Environments (GIEs) by the Galaxy Committers Team. Anyone with a Galaxy account can exploit this vulnerability to execute arbitrary code on the Galaxy server as the user running the Galaxy server process. This is possible due to incorrect quoting of user-provided data passed to a shell execution context for the GIE `docker run` command. This vulnerability has been assigned the disclosure ID GX-2017-0002. *AFFECTED VERSIONS* This vulnerability affects Galaxy version 17.05 and later that have been configured to enable Galaxy Interactive Environments. *IMPACT* The vulnerability only affects Galaxy servers on which Galaxy Interactive Environments are enabled (by setting the `interactive_environment_plugins_directory` option in galaxy.ini). Because the vulnerability can be exploited to execute arbitrary code, the impact for affected servers is severe. Administrators of Galaxy servers where GIEs *are* enabled should update immediately. Administrators of Galaxy servers where GIEs are *not* enabled *should* update their servers to ensure they are not vulnerable should they enable GIEs at a later date, however, it is not critical to do so immediately. *SOLUTION* Per our security policies[1], we have created fixes for all affected versions of Galaxy. These have been committed to the corresponding `release_YY.MM` (and `dev`) branches in the Galaxy GitHub repository. The fix switches from using shell execution to direct execution with exec(3) and therefore is not susceptible to shell escaping exploits *INSTRUCTIONS* The fixes are available on the `release_17.05`, `release_17.09`, and `dev` branches in the Galaxy GitHub repository[2]. You can simply `git pull` or use your normal update procedure to get the changes. For the changes to take effect, *YOU MUST RESTART ALL GALAXY SERVER PROCESSES*. --nate (on behalf of the Galaxy Committers) [1] https://github.com/galaxyproject/galaxy/blob/dev/SECURITY_POLICY.md [2] https://github.com/galaxyproject/galaxy/

1 0

GX-2017-0001: Limited Galaxy Data Library unauthorized filesystem access
by Nate Coraor 23 Oct '17

23 Oct '17

*DESCRIPTION* A medium severity security vulnerability in Galaxy Data Libraries was recently discovered by Jelle Scholtalbers, and in the course of investigating this vulnerability, we discovered multiple related attack vectors. This vulnerability allows the following unauthorized actions: 1. Any user that has been granted the permission to add datasets to a library, library folder, or to modify an existing library dataset (an "authorized user"), is able to import any file on the system that is readable by the user running the Galaxy server. 2. Anyone can create libraries and library folders (but not add datasets to them) This is possible due to incorrect checking of admin privileges and for symbolic links in the user's `user_library_import_dir`. Neither case can be exploited directly through the Galaxy UI, but both can be exploited through the API. Case #1 is not exploitable by any user who is not an "authorized user" or if none of `library_import_dir`, `user_library_import_dir`, and `allow_path_paste` (formerly `allow_library_path_paste`) are set in galaxy.ini. This vulnerability has assigned the disclosure ID GX-2017-0001. *AFFECTED VERSIONS* This vulnerability affects all known versions of Galaxy. *IMPACT* The more severe vulnerability (reading arbitrary files) can only be exploited by users with elevated library privileges, so its exploitability is limited to users whom the Galaxy server admin(s) presumably know and trust. The creation of arbitrary libraries and folders is a nuisance, but not in and of itself a security issue. *SOLUTION* Per our security policies[1], we have implemented fixes for versions of Galaxy from 16.07 through the forthcoming 17.09. These have been committed to the corresponding `release_YY.MM` (and `dev`) branches in the Galaxy GitHub repository. Releases prior to 16.07 will remain vulnerable and should be updated to a supported release as soon as possible. If your user `user_library_import_dir` or any of its parents are symlinks, user library imports will fail. You should put the fully canonicalized absolute path in this galaxy.ini option. Because the fix disallows symlinks in `user_library_import_dir` which point outside the user's particular subdirectory, and because some Galaxy admins may have found this to be a useful ability, we have created a new `user_library_import_symlink_whitelist` option in galaxy.ini that allows admins to configure directories to which symlinks should be allowed. However, please be aware that *any* user with library add/modify privileges and the ability to create symbolic links will be able to import from any whitelisted directory. There is no per-user restriction for whitelisted directories. *INSTRUCTIONS* The fixes are available on the `release_16.07` through `release_17.09` and `dev` branches in the Galaxy GitHub repository[2]. You can simply `git pull` or use your normal update procedure to get the changes. For the changes to take effect, *YOU MUST RESTART ALL GALAXY SERVER PROCESSES*. --nate (on behalf of the Galaxy Committers) [1] https://github.com/galaxyproject/galaxy/blob/dev/SECURITY_POLICY.md [2] https://github.com/galaxyproject/galaxy/

1 0

October News: Hacktoberfest, Pubs and Pub News, Events, Openings, Servers, ....
by Dave Clements 02 Oct '17

02 Oct '17

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

galaxy-announce October 2017