The Galaxy Committers team is pleased to announce the October 2016 (v16.10) release of Galaxy.

Security

An arbitrary code execution vulnerability in two tools and an XSS vulnerability with the upload tool were identified this release cycle and have been fixed concurrently with the release. In addition, the fixes have been backported to older releases.

The Galaxy Committers would like to thank David Wyde for disclosing these vulnerabilities. Details follow:

  1. The vulnerable tools are “Filter GFF data by attribute” and “Filter GFF data by feature count”, both of which are provided with and enabled by default in the Galaxy server. These two tools share code with each other and with the more general “Filter data on any column using simple expressions” tool. The latter was fixed in a previous security disclosure, but these GFF variants of the tool were missed when updating the Filter tool. These tools use the Python eval and exec functions and do not properly sanitize input to these functions. The fix for this issue has been applied to Galaxy releases back to v14.10 and can be found in Commit c1e3087.
  2. An uploaded file’s name was not properly sanitized, and so a specially crafted filename uploaded to the Galaxy server could be used as an XSS attack vector. The fix for this issue has been applied to Galaxy releases back to v16.07 and can be found in Pull Request 3278.
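The root cause in item 1 is that user-supplied filter expressions reached eval/exec. As an added illustration (not Galaxy's code or its actual fix), the following shows the defensive alternative: parse the expression with ast and evaluate only a whitelist of node types, so a function call, attribute access or any name other than a column reference is rejected before it can touch the interpreter. Column naming (c1, c2, ...) mirrors the Filter tool; the type coercion and the GFF-like rows are constructed for the example.

```python
import ast
import operator
import re
# Added example (not Galaxy code): a whitelist evaluator for Filter-tool style
# expressions such as "c1=='chr1' and c4>120" instead of eval()/exec() on user input.
CMP_OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
           ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}
COLUMN_RE = re.compile(r"c[1-9][0-9]*")  # only column references are valid names
def _eval_node(node, columns):
    if isinstance(node, ast.Expression):
        return _eval_node(node.body, columns)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float, str)):
        return node.value
    if isinstance(node, ast.Name) and COLUMN_RE.fullmatch(node.id):
        return columns[node.id]  # KeyError if the row lacks this column
    if isinstance(node, ast.BoolOp):
        vals = (_eval_node(v, columns) for v in node.values)
        return all(vals) if isinstance(node.op, ast.And) else any(vals)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval_node(node.operand, columns)
    if isinstance(node, ast.Compare):
        left = _eval_node(node.left, columns)
        for op, comparator in zip(node.ops, node.comparators):
            if type(op) not in CMP_OPS:
                raise ValueError("disallowed comparison: " + type(op).__name__)
            right = _eval_node(comparator, columns)
            if not CMP_OPS[type(op)](left, right):
                return False
            left = right
        return True
    # Calls, attribute access, subscripts, lambdas, names other than cN: rejected.
    raise ValueError("disallowed syntax: " + type(node).__name__)

def _coerce(field):
    # Simplified typing for the example: numbers become int/float, rest stays text.
    try:
        return float(field) if "." in field else int(field)
    except ValueError:
        return field

def filter_rows(expr, lines):
    """Return the tab-separated lines for which expr is true; raises on unsafe expr."""
    tree = ast.parse(expr, mode="eval")  # parse only; nothing is executed
    kept = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if _eval_node(tree, {"c%d" % (i + 1): _coerce(f) for i, f in enumerate(fields)}):
            kept.append(line)
    return kept

# Constructed GFF-like rows (seqname, source, feature, start, end), not real data.
SAMPLE = ["chr1\tdemo\tgene\t100\t500", "chr1\tdemo\texon\t150\t200", "chr2\tdemo\tgene\t50\t600"]
```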

Highlighted Enhancements

Get Galaxy

The code is hosted on GitHub, and you will need Git to obtain it.

To get a new Galaxy repository run:

$ git clone -b release_16.10 https://github.com/galaxyproject/galaxy.git

To update an existing Galaxy repository run:

$ git checkout release_16.10 && git pull --ff-only origin release_16.10

Release Notes

For full details on all of the enhancements and fixes in this release, please see the full release notes.


On behalf of the Galaxy Committers,

Thanks for using Galaxy!

--nate