We are pleased to announce the *release of Galaxy 18.09
<https://docs.galaxyproject.org/en/release_18.09/releases/18.09_announce.html>*.
A few release highlights are:
Extensive Workflow Enhancements
Workflows got a lot of love this time around, with new runtime parameters
for subworkflows, exposed workflow versions, and zoom capability in the
editor, to name a few. There were also a number of usability enhancements
including better labeling, links, overhauled workflow import interfaces,
and many more.
Group Tags
Galaxy now contains powerful new features for multiple factor analysis of
collections of datasets. The concept of group tags has been added to
Galaxy. These are a special class of tags that describe key-value pairs
that can be attached to the contents of a collection during upload or using
collection operation tools. These tags can describe multiple sets of
variables for the contents of a collection. Once set, these tags can be
consumed intelligently by tools that need to divide collections into
multiple overlapping factors or sets of datasets. A special thanks to
@mvdbeek for devising and implementing this approach.
Python 3 Beta Support
After almost 3 years of work and more than 100 pull requests, we are proud
to announce Beta-stage support for running Galaxy under Python 3. Lint,
unit, API, framework, integration and Selenium tests all pass. It is time
for you to give it a try and report any bugs you find!
Please see the full release notes
<https://docs.galaxyproject.org/en/release_18.09/releases/18.09_announce.html>
for more information, including how to upgrade today!
*Thanks for using Galaxy!*
DESCRIPTION
A high severity security vulnerability was recently discovered in
Galaxy 18.05's new upload API by the Galaxy Committers Team. Anyone
with a Galaxy account can exploit this vulnerability to read and write
arbitrary files on the Galaxy host accessible by the system user
Galaxy runs as.
This is possible due to insecure handling of tar file extraction.
This vulnerability has been assigned the disclosure ID GX-2018-0006.
AFFECTED VERSIONS
This vulnerability affects Galaxy version 18.05 only (and the current
development branch).
IMPACT
Administrators of Galaxy 18.05 servers should patch immediately.
Galaxy servers running versions of Galaxy older than 18.05 are
unaffected by this problem.
The fix sanitizes the contents of tar files during upload while extracting them.
INSTRUCTIONS
The fixes are available on the `release_18.05` branch in the Galaxy
GitHub repository[2]. You can simply `git pull` or use your normal
update procedure to get the changes.
For the changes to take effect, YOU MUST RESTART ALL GALAXY SERVER PROCESSES.
--John Chilton (on behalf of the Galaxy Committers)
[1] https://github.com/galaxyproject/galaxy/blob/dev/SECURITY_POLICY.md
[2] https://github.com/galaxyproject/galaxy/