Two high priority security vulnerabilities were recently discovered by Eric Rasche and Manabu Ishii respectively. These vulnerabilities were to cross site scripting and session fixation attacks. Detailed descriptions of these categories of vulnerabilities can be found at: - https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) - https://www.owasp.org/index.php/Session_fixation Per our new security policies (https://github.com/galaxyproject/galaxy/blob/dev/SECURITY_POLICY.md), we have created patches for versions of Galaxy including 16.10, 17.01, and 17.05. **With Git** If you have cloned Galaxy from the official GitHub repository and are on a supported release_branch, you can simply `git pull` to pull in the security patch which has been applied to those branches. **Manual Patching** The 16.10 patch can apply cleanly to 17.01 as well and can be fetched using: wget https://gist.githubusercontent.com/jmchilton/760bf8ba6055b9a47a48529fcc49a49... The 17.05 patch can be fetched using: wget https://gist.githubusercontent.com/jmchilton/2623e37a2ccb1820770278e348dfefe... Once the patch has been downloaded and copied to the root of your Galaxy directory, it can be applied using the following patch command: % patch -p1 < 2017augsecurity_1610.patch -or- % patch -p1 < 2017augsecurity_1705.patch If you are having trouble applying the patch feel free to email galaxy-committers@lists.galaxyproject.org and we will try to help. -Eric (on behalf of the Galaxy Committers) Post script: this mail was intended to go out on Thursday the 24th of August, however I failed to send it then. My apologies to the community, it will be more timely in the future.