Does this apply to all past Galaxy installs? I have an older Galaxy site I've been wanting to phase out rather than upgrade. For now I'd like to use a patch, but the site version (parent: 7148:17d57db9a7c0) predates any of the tags. I presume I'd have to just implement the patch by hand?

Regards,
Damion

Message: 7
Date: Thu, 31 Jul 2014 14:55:57 -0400
From: Nate Coraor <nate@bx.psu.edu>
To: Galaxy Development <galaxy-dev@lists.bx.psu.edu>, galaxy-announce@lists.bx.psu.edu
Subject: [galaxy-dev] Galaxy Security Vulnerability
Message-ID: <D482333D-384E-49C8-8DD8-C752E4B0AF76@bx.psu.edu>
Content-Type: text/plain; charset="us-ascii"

A security vulnerability was recently discovered by Inge Alexander Raknes that would allow a malicious person to execute arbitrary code on a Galaxy server. The vulnerability was in a method that uses Python "pickle" functionality to decode state information from tool forms. Because pickles can be used to instantiate arbitrary Python objects, tool states could be constructed to exploit this vulnerability.

...

- pickle-2013.01.13.patch - This patch should apply cleanly (with offset/fuzz) to releases from 2013.01.13 up to 2013.08.12, and possibly older versions of Galaxy as well. Available at: https://depot.galaxyproject.org/patch/pickle-2013.01.13.patch
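The announcement above explains the class of bug in one sentence: a pickle names the callables it wants run on load, so unpickling data a client controls is code execution. The following is an added illustration, not code from the thread, from Galaxy, or from the pickle-2013.01.13.patch (whose contents are not shown here). It contrasts a plain `pickle.loads` on a tool-state blob with a restricted unpickler that only reconstructs an allowlist of builtin containers and scalars. The `StateGadget` class, the `record_call` function, the constructed tool-state dictionary and the function names are all assumptions made for the example; `record_call` is a harmless stand-in for whatever a crafted state would otherwise invoke.

```python
import io
import pickle

# Globals the state loader may reconstruct. A tool-state dict in this
# (constructed) example only ever holds plain containers and scalars, so
# nothing outside the builtins module should ever appear in a pickle of it.
SAFE_BUILTINS = {"dict", "list", "tuple", "set", "str", "int",
                 "float", "bool", "bytes", "NoneType"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global reference except the allowlist."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(__import__("builtins"), name)
        # Any other module/name pair (os.system, subprocess.Popen, a
        # module-level function, ...) is rejected before it can be called.
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def load_tool_state_unsafe(data: bytes):
    """The vulnerable pattern: trust whatever callables the blob references."""
    return pickle.loads(data)


def load_tool_state(data: bytes):
    """Hardened loader: same pickle format, no arbitrary globals."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Benign stand-in for a side effect an attacker-controlled pickle would
# trigger. It only records that it was called.
CALLS = []


def record_call(tag):
    CALLS.append(tag)
    return tag


class StateGadget:
    """Hypothetical crafted 'tool state': __reduce__ tells pickle which
    function to call, and with what arguments, when the blob is loaded."""

    def __reduce__(self):
        return (record_call, ("gadget-ran",))


def demo():
    """Run both loaders on a legitimate blob and on a crafted one."""
    CALLS.clear()
    benign = pickle.dumps({"tool": "example_tool", "params": {"threads": 2}})
    crafted = pickle.dumps(StateGadget())

    result = {}
    # The hardened loader round-trips ordinary state unchanged.
    result["benign_ok"] = load_tool_state(benign) == {
        "tool": "example_tool", "params": {"threads": 2}}

    # The hardened loader refuses the crafted blob without calling anything.
    try:
        load_tool_state(crafted)
        result["crafted_rejected"] = False
    except pickle.UnpicklingError:
        result["crafted_rejected"] = len(CALLS) == 0

    # The plain loader runs the referenced function as a side effect of load().
    load_tool_state_unsafe(crafted)
    result["unsafe_ran_gadget"] = CALLS == ["gadget-ran"]
    return result


if __name__ == "__main__":
    print(demo())
```

Restricting `find_class` is the documented way to constrain the stdlib unpickler, but it still parses attacker-controlled bytes; if the state only ever contains JSON-representable values, switching the serialization to JSON removes the problem rather than fencing it.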