Galaxy security vulnerabilities and 2015.01.13 Galaxy Stable Release
A number of security vulnerabilities were recently discovered by Bartlomiej Balcerek and colleagues at the Wroclaw Centre for Networking and Supercomputing. These have been fixed in the current stable Galaxy release (2014.10.06), and we have simultaneously created a new stable release (2015.01.13) today which includes these fixes as well as new features. Galaxy server administrators are STRONGLY encouraged to update their Galaxy servers to one of these releases immediately.

The first vulnerability would allow a malicious person to execute arbitrary code on the Galaxy server. It is due to gaps in Galaxy's command line template parameter sanitization: although all form fields were sanitized for shell metacharacters, some other parameters that can be substituted into a tool's command line (such as the input dataset name) were not. Because of this, dataset names and other fields could be constructed to inject shell commands and exploit this vulnerability.

Due to the severity of this specific vulnerability, the fix for it has been applied back to previous releases beginning with the January 13, 2013 release. The fix can be obtained by executing `hg pull && hg update latest_<YYYY>.<MM>.<DD>`, replacing the date with the date of the release currently in use.

In addition to the code execution exploit, a number of cross-site scripting (XSS) vulnerabilities were identified by Bartlomiej, which we have fixed in our new and previous stable releases. We only backport fixes to previous stable releases for exploits that we believe allow an attacker to readily gain access to the Galaxy server. Nonetheless, we consider these XSS vulnerabilities to be serious and strongly recommend that public servers upgrade to at least the previous stable release, using the latest_2014.10.06 tag, to address them. The Galaxy Team also performed an audit to locate and fix any additional XSS vulnerabilities that might exist.
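The bug class described above, as an added illustration that is not Galaxy's own code: a constructed tool command line template in which the form field (`lines`) is sanitized before substitution but the dataset's name and path are not, beside a hardened renderer that quotes every substituted value regardless of where it came from. The template, the `sanitize` function, the parameter names and the sample dataset name are all hypothetical, chosen only to show how an unsanitized dataset name reaches the shell.

```python
"""Constructed demonstration of incomplete command line parameter
sanitization. Hypothetical code, not Galaxy's own: the template, the
sanitizer and the parameter names are assumptions for illustration."""

import os
import shlex
import subprocess
import tempfile
from string import Template

# Hypothetical tool command line: the form field $lines, the dataset's
# file path and the dataset's display name are all substituted in.
TEMPLATE = Template("head -n $lines $input_path && echo Processed $input_name")

# Shell metacharacters that let a value escape the token it was meant to be.
SHELL_METACHARS = set(";&|<>`$()\\\"'\n ")


def sanitize(value):
    """Replace shell metacharacters with '_' (the form field treatment)."""
    return "".join("_" if c in SHELL_METACHARS else c for c in value)


def render_vulnerable(template, form_fields, dataset):
    """Sanitizes the form fields only. Dataset metadata (name, path) is
    merged in untouched, so a crafted dataset name reaches the shell."""
    params = {k: sanitize(v) for k, v in form_fields.items()}
    params.update(dataset)  # NOT sanitized: the gap described in the post
    return template.substitute(params)


def render_hardened(template, form_fields, dataset):
    """Quotes every value at the point of substitution, whatever its
    origin, so each value stays a single shell word."""
    merged = {**form_fields, **dataset}
    params = {k: shlex.quote(v) for k, v in merged.items()}
    return template.substitute(params)


def run_shell(cmdline):
    """Run a rendered command line the way a job runner would."""
    return subprocess.run(cmdline, shell=True, capture_output=True, text=True).stdout


def demo():
    """Render and execute both variants against a constructed dataset whose
    name carries an injected command. Returns (vulnerable_lines, hardened_lines)."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "data.txt")
        with open(path, "w") as fh:
            fh.write("a\nb\nc\nd\n")  # constructed dataset contents
        # Constructed attacker-controlled dataset name (e.g. set on upload or rename).
        dataset = {"input_name": "x; echo INJECTED", "input_path": path}
        form_fields = {"lines": "2"}
        vulnerable = run_shell(render_vulnerable(TEMPLATE, form_fields, dataset))
        hardened = run_shell(render_hardened(TEMPLATE, form_fields, dataset))
    return vulnerable.splitlines(), hardened.splitlines()


if __name__ == "__main__":
    vuln, hard = demo()
    print("vulnerable:", vuln)  # the injected 'echo INJECTED' runs as its own command
    print("hardened:  ", hard)  # the whole name is printed as one quoted argument
```

The practical point is where the sanitization happens: scrubbing form fields at the input boundary leaves every other route by which a value can reach a template (dataset names, metadata, anything stored earlier and substituted later) unprotected, whereas quoting or sanitizing at the substitution step covers all of them at once.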
Additional details on the issues found and resolved can be found in the January 13, 2015 Galaxy Distribution News Brief at:

https://wiki.galaxyproject.org/DevNewsBriefs/2015_01_13

To get the changes, for example, if you are running release_2014.10.06 (or a subsequent commit to the stable branch of Galaxy between release_2014.10.06 and release_2015.01.13), you can update with:

    % hg pull
    % hg update latest_2014.10.06

For the changes to take effect, YOU MUST RESTART ALL GALAXY SERVER PROCESSES.

The Galaxy Team would like to extend special thanks to Bartlomiej Balcerek and colleagues, who privately disclosed the arbitrary code execution and XSS vulnerabilities with a full report and proof of concepts. Credit for the arbitrary code execution fix goes to my fellow Galaxy Team member Daniel Blankenberg. The entire team worked to resolve the identified XSS issues and conduct the larger code audit.

On behalf of the Galaxy Team,
--nate
participants (1)
-
Nate Coraor