GX-2018-0006 - Unauthorized File System Operations via New Upload API
DESCRIPTION

A high severity security vulnerability was recently discovered in Galaxy 18.05's new upload API by the Galaxy Committers Team. Anyone with a Galaxy account can exploit this vulnerability to read and write arbitrary files on the Galaxy host accessible by the system user Galaxy runs as. This is possible due to insecure handling of tar file extraction. This vulnerability has been assigned the disclosure ID GX-2018-0006.

AFFECTED VERSIONS

This vulnerability affects Galaxy version 18.05 only (and the current development branch).

IMPACT

Administrators of Galaxy 18.05 servers should patch immediately. Galaxy servers running versions of Galaxy older than 18.05 are unaffected by this problem. The fix sanitizes the contents of tar files during upload while extracting them.

INSTRUCTIONS

The fixes are available on the `release_18.05` branch in the Galaxy GitHub repository[2]. You can simply `git pull` or use your normal update procedure to get the changes. For the changes to take effect, YOU MUST RESTART ALL GALAXY SERVER PROCESSES.

--John Chilton (on behalf of the Galaxy Committers)

[1] https://github.com/galaxyproject/galaxy/blob/dev/SECURITY_POLICY.md
[2] https://github.com/galaxyproject/galaxy/
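The kind of sanitization the fix describes, shown as an added defender-side example rather than Galaxy's own code: every archive member is validated before anything is written to disk, and members that would land outside the destination (via `..` segments or absolute paths), link entries, and special files are refused. `build_tar` is a constructed helper for producing in-memory test archives; the FASTQ-like content is sample data.

```python
import io
import os
import tarfile


class UnsafeArchive(ValueError):
    """Raised when an archive member would touch anything outside the destination."""


def check_member(member, dest):
    """Reject members that could write outside dest or are not plain files/dirs."""
    dest = os.path.realpath(dest)
    # os.path.join discards dest for an absolute member name, and realpath
    # normalises '..' segments, so both cases fall outside dest below.
    target = os.path.realpath(os.path.join(dest, member.name))
    if os.path.commonpath([dest, target]) != dest:
        raise UnsafeArchive("path escapes destination: %r" % member.name)
    if member.issym() or member.islnk():
        # A link could point outside dest or act as a pivot for later entries.
        raise UnsafeArchive("link entry refused: %r" % member.name)
    if not (member.isfile() or member.isdir()):
        raise UnsafeArchive("special file refused: %r" % member.name)
    return target


def safe_extract(tar_bytes, dest):
    """Validate every member first, then extract; return the member names."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        members = tar.getmembers()
        for member in members:
            check_member(member, dest)
        # Nothing is written unless the whole archive passed the checks above.
        tar.extractall(dest, members=members)
    return [m.name for m in members]


def build_tar(entries):
    """Constructed helper: build an in-memory tar from {name: bytes} entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

On Python 3.12+ (and the 3.8.17, 3.9.17, 3.10.12 and 3.11.4 backports) the standard library offers an equivalent policy through `tar.extractall(dest, filter="data")`.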