A medium severity security vulnerability in Galaxy data libraries has been
discovered. This vulnerability allows anyone able to access Galaxy's API to
add to their history any data library dataset that they know an id of.
This vulnerability has been assigned the disclosure ID GX-2017-0005.
This vulnerability affects all versions of Galaxy released since at least
Given the ids of library datasets are presented encoded it is not easy to
exploit this vulnerability in a targeted manner. However all Galaxy objects
are enumerated incrementally so there are means to generate and/or guess
valid ids of existing library datasets and read them.
Per our security policies, we have created fixes for versions of Galaxy
starting with 16.07. These have been committed to the corresponding
`release_YY.MM` (and `dev`) branches in the Galaxy GitHub repository.
Releases prior to 16.07 will remain vulnerable and should be updated to a
supported release as soon as possible.
The fixes are available on the `release_16.07` through `release_17.09` and
`dev` branches in the Galaxy GitHub repository. You can simply `git
pull` or use your normal update procedure to get the changes.
For the changes to take effect, *YOU MUST RESTART ALL GALAXY SERVER
Martin (on behalf of the Galaxy Committers)
Dear Galaxy Fans,
The release* of Galaxy **17.09* is out. Thanks to the #usegalaxy committers
and you, our community!
* notes: *
*Singularity - *Tool execution using the HPC-friendly container technology
Singularity is now supported. Custom containers can be specified by the
Galaxy admin on a per job destination basis or standardized containers
corresponding to Conda requirements can be built or downloaded
automatically using the mulled toolkit built into Galaxy (just like is
possible for Docker). For more information checkout presentation at
the 2017 Galaxy Community Conference.
*Download entire collection - *Downloading whole colections is now possible
from the history interface. Thanks to @mvdbeek.
*Switch tool versions in workflows - *You can now select exactly what
version of tool you want to use when building workflows.Thanks to @mvdbeek.
*Thanks for using Galaxy!*